Chinese Hackers Target Drone Sector Through Supply Chain Attacks
A China-linked threat group has carried out a series of coordinated cyberattacks against the drone industry's supply chain, affecting organizations across multiple sectors in Taiwan and South Korea, according to a report by cybersecurity firm Trend Micro.
The group, identified as Earth Ammit, is believed to have ties to established Chinese advanced persistent threat (APT) actors. Between 2023 and 2024, Earth Ammit carried out two major campaigns—Tidrone and Venom—designed to compromise trusted suppliers and infiltrate downstream customers across various industries.
The targeted sectors included military, heavy industry, software services, satellite technology, media, and healthcare. Earth Ammit used a mix of open-source and custom-developed tools to execute these operations.
The Tidrone campaign, first disclosed in September 2024, involved abusing enterprise resource planning (ERP) software and remote desktop tools to deliver malware. Attackers deployed the Cxclnt and Clntend backdoors, which were used to exfiltrate sensitive information and disable security software on compromised hosts.
In a newly released report, Trend Micro reveals that the Venom campaign actually preceded Tidrone. It focused on service providers and technology firms in Taiwan, as well as heavy industry organizations in South Korea.
Trend Micro highlights Earth Ammit’s overarching strategy: compromising trusted upstream vendors in the drone supply chain to gain access to downstream targets. “These incidents illustrate how supply chain attacks can ripple outward, creating far-reaching global effects,” the report states.
The group employed two primary supply chain attack methods: tampering with legitimate software so that malicious code reaches customers through normal distribution channels, and compromising upstream vendors in order to abuse their trusted access to downstream customers and distribute malware.
In Venom, the hackers exploited web server vulnerabilities to install web shells, then used open-source proxy and remote access tools to maintain persistent access. After breaching the initial systems, they harvested credentials and used them to pivot to related downstream organizations.
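A defender reading the Venom description will want to know what a freshly dropped web shell looks like in the access log the web server is already writing. The following is an added example and not code or indicators from the Trend Micro report: it parses constructed Apache/nginx "combined" format log lines (the sample lines, IP addresses and the path `/uploads/cache.aspx` are invented for the example) and flags server-side script paths that are outside a known-application allowlist, receive only POST requests, are hit by a single client, and never carry a referrer. That combination is how an operator driving a web shell from a script usually shows up, while normal application scripts are fetched with GET and arrive via in-site navigation.

```python
"""Heuristic web shell triage over web server access logs.

Added example; the log lines below are constructed, not real telemetry.
Assumes the Apache/nginx "combined" log format; IIS W3C logs would need
a different parser.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Server-side script extensions a web shell is typically dropped as.
SCRIPT_EXT = (".aspx", ".ashx", ".asp", ".php", ".jsp", ".jspx")

# Constructed sample: two legitimate ERP pages plus one suspicious script.
SAMPLE_LOG = """\
203.0.113.9 - - [02/May/2024:10:01:12 +0800] "GET /index.aspx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2024:10:01:13 +0800] "GET /login.aspx HTTP/1.1" 200 2210 "http://erp.example/index.aspx" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:02:01 +0800] "GET /login.aspx HTTP/1.1" 200 2210 "http://erp.example/index.aspx" "Mozilla/5.0"
198.51.100.7 - - [02/May/2024:10:02:30 +0800] "POST /login.aspx HTTP/1.1" 302 0 "http://erp.example/login.aspx" "Mozilla/5.0"
192.0.2.44 - - [02/May/2024:11:15:02 +0800] "POST /uploads/cache.aspx HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.44 - - [02/May/2024:11:15:09 +0800] "POST /uploads/cache.aspx HTTP/1.1" 200 14093 "-" "python-requests/2.31"
192.0.2.44 - - [02/May/2024:11:16:40 +0800] "POST /uploads/cache.aspx HTTP/1.1" 200 366 "-" "python-requests/2.31"
"""
# Hypothetical allowlist: paths that ship with the deployed application.
KNOWN_PATHS = {"/index.aspx"}


@dataclass
class PathStats:
    clients: set = field(default_factory=set)
    methods: set = field(default_factory=set)
    no_referer: int = 0
    total: int = 0


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def collect(lines):
    """Aggregate per-path client set, method set and referrer-less hit count."""
    stats = defaultdict(PathStats)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s.clients.add(rec["ip"])
        s.methods.add(rec["method"])
        if rec["referer"] in ("", "-"):
            s.no_referer += 1
        s.total += 1
    return stats


def score_paths(stats, known_paths):
    """Score each unknown script path; return {path: (score, reasons)} for score >= 3."""
    findings = {}
    for path, s in stats.items():
        if path in known_paths:
            continue
        score, reasons = 0, []
        if s.methods == {"POST"}:          # shells are driven, never browsed
            score += 2; reasons.append("POST-only")
        if len(s.clients) == 1:            # one operator, not a user population
            score += 1; reasons.append("single client")
        if s.no_referer == s.total:        # never reached via in-site navigation
            score += 1; reasons.append("never referred")
        if score >= 3:
            findings[path] = (score, reasons)
    return findings


def triage(log_text, known_paths=frozenset(KNOWN_PATHS)):
    """Run the full pipeline over raw log text."""
    return score_paths(collect(log_text.splitlines()), known_paths)


if __name__ == "__main__":
    for path, (score, reasons) in triage(SAMPLE_LOG).items():
        print(f"{path}: score {score} ({', '.join(reasons)})")
```

On the constructed sample only `/uploads/cache.aspx` is reported; `/login.aspx` also receives a POST, but from a browsing client that arrived via the index page, so it scores zero. Thresholds like these are a triage aid, not a verdict: confirm a hit by checking the file's creation time against deployment records and inspecting its contents.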
In the Tidrone campaign, the focus shifted to code injection and malware deployment through compromised service providers. These operations culminated in the installation of customized backdoors, enabling long-term cyberespionage.
Additional tactics included privilege escalation, credential theft, disabling security defenses, and comprehensive data harvesting.
Beyond the previously mentioned backdoors, Earth Ammit used tailored tools such as Screencap (a screen-capture utility) and Venfrpc (a customized build of the open-source fast reverse proxy, frp), both adapted from open-source software. The group also used Windows fiber-based execution to evade detection.
Trend Micro notes that while the Venom campaign relied mainly on widely available open-source tools, chosen for their low cost and for blending in with legitimate administrative activity, the group shifted to bespoke malware in the Tidrone campaign, which made its attacks on high-value targets more precise and harder to detect.