Earth Lamia
Earth Lamia is a China-nexus cyber threat actor tracked by Google Threat Intelligence Group as UNC5454. The group is described as a China state-nexus (China-linked) cyberespionage actor known for rapidly exploiting newly disclosed web application vulnerabilities, including CVE-2025-55182 ("React2Shell") within hours of public disclosure. Reported exploitation associated with Earth Lamia included deployment of Cobalt Strike beacons, Sliver, and Vshell backdoors. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Historically reported targeting includes financial services, logistics, retail, IT companies, universities, and government organizations. Researchers have also tied the group to cyberespionage operations focused on Asian targets. Attribution is noted as challenging because Chinese threat actors may share anonymization and attack infrastructure. Known alias: UNC5454.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns; all 3 have been exploited in the wild.
On December 5, 2025, just two days after the public disclosure of CVE-2025-55182 – a maximum-severity remote code execution vulnerability in React Server Components (RSCs) – the Sysdig Threat Research Team (TRT) recovered a novel implant from a compromised Next.js application.
Amazon threat intelligence teams observed them simultaneously exploiting other recent N-day vulnerabilities, including CVE-2025-1338.
The flaw has been tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, but MITRE... rejected the second CVE as duplicative.
Observables
50 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Earth Lamia is a China-linked group exploiting web application vulnerabilities for remote code execution and web shell deployment.
China-linked espionage group exploiting CVE-2025-55182 for initial access and persistence in cloud and technology sectors in APAC.
Named in an aggregated list of actors associated with React2Shell (CVE-2025-55182) exploitation activity (UNC-style naming suggests an uncategorized cluster).
Listed as a threat actor associated in the report’s aggregated section with exploitation activity around React2Shell (CVE-2025-55182) and related RSC/Next.js vulnerabilities.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.