Earth Ammit Compromises Drone Supply Chains through ERP Vulnerabilities in VENOM and TIDRONE Campaigns


A cyber espionage group identified as Earth Ammit is linked to two distinct campaigns targeting various sectors in Taiwan and South Korea from 2023 to 2024. These sectors include military, satellite, heavy industry, media, technology, software services, and healthcare.

According to research from Trend Micro, the first campaign, codenamed VENOM, primarily focused on software service providers, while the subsequent campaign, named TIDRONE, specifically targeted the military industry. Analysts believe that Earth Ammit is associated with Chinese-speaking nation-state actors.

In the VENOM campaign, Earth Ammit adopted a strategy aimed at infiltrating the upstream portion of the drone supply chain. The cyber actors have a long-term objective of compromising trusted networks through supply chain attacks, enabling them to focus on high-value targets downstream and expand their influence.

The TIDRONE campaign was first reported by Trend Micro in the previous year, highlighting a series of attacks on drone manufacturers in Taiwan. These attacks utilized custom malware variants such as CXCLNT and CLNTEND. A follow-up analysis by AhnLab in December 2024 further illustrated the use of CLNTEND against South Korean companies.

These attacks have drawn attention due to their focus on the drone supply chain, utilizing enterprise resource planning (ERP) software to breach military and satellite industries. Some incidents have involved exploiting trusted communication channels, such as remote monitoring tools and IT management software, to distribute malicious payloads.

In VENOM, Trend Micro reports that the attackers exploited vulnerabilities in web servers to deploy web shells, ultimately installing remote access tools (RATs) for sustained access to the compromised systems. The use of open-source tools like REVSOCK and Sliver is perceived as a tactic to hinder attribution efforts.
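The web-shell stage is the first point at which a defender can usually catch a VENOM-style intrusion on a service provider's server. The following is an added example, not Trend Micro's tooling and not a reproduction of any Earth Ammit artifact: a small heuristic triage script that scores server-side script files for generic web shell traits (code or command execution fed straight from request data, OS-command calls, obfuscation layers). The indicator patterns are generic ones of the kind found in public YARA rules, and the sample files are constructed inline for the demonstration.

```python
"""Heuristic triage of server-side script files for web shell traits.

Added example; indicator patterns are generic and the sample files are
constructed. A hit is a prompt for manual review, not proof of compromise.
"""
import re
from typing import Dict, List, Tuple

# (name, regex, weight). Execution driven directly by request data scores
# highest; a bare OS-command call or an obfuscation layer is common in
# legitimate code and only adds weight, so it cannot flag a file on its own.
INDICATORS: List[Tuple[str, str, int]] = [
    ("exec_from_request",
     r"\b(eval|assert|system|exec|passthru|shell_exec)\s*\(\s*"
     r"(base64_decode\s*\(\s*)?\$_(POST|GET|REQUEST|COOKIE)\b", 5),
    ("asp_eval_request", r"\b(eval|execute)\s*\(\s*request\b", 5),
    ("request_data_reaches_process", r"Process\.Start\s*\([^;]*\bRequest\b", 5),
    ("os_command_function", r"\b(shell_exec|passthru|proc_open|popen|system)\s*\(", 3),
    ("dotnet_process_start", r"\bProcess\.Start\s*\(|\bProcessStartInfo\b", 3),
    ("long_base64_blob", r"[A-Za-z0-9+/]{200,}={0,2}", 2),
    ("chr_concatenation", r"(chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}", 2),
]

# Constructed sample corpus: two benign files, one PHP one-liner dropped into a
# writable upload directory, and one ASPX file that hands request data to a
# child process.
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/app/index.php":
        "<?php\nrequire 'vendor/autoload.php';\necho render('home');\n",
    "/var/www/app/lib/image.php":
        "<?php\nfunction resize($p) { return system('convert ' . escapeshellarg($p)); }\n",
    "/var/www/app/uploads/img.php":
        "<?php @eval(base64_decode($_POST['cmd'])); ?>",
    "/inetpub/wwwroot/tools/cmd.aspx":
        '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>',
}


def triage_file(source: str) -> Dict[str, object]:
    """Return the matched indicator names and their summed weight for one file."""
    hits = [name for name, pattern, _ in INDICATORS
            if re.search(pattern, source, re.IGNORECASE)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits}


def scan(files: Dict[str, str], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Return (path, score, hits) for every file at or above threshold, highest first."""
    flagged = []
    for path, source in files.items():
        result = triage_file(source)
        if result["score"] >= threshold:
            flagged.append((path, result["score"], result["hits"]))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for path, score, hits in scan(SAMPLE_FILES):
        print(f"{score:>2}  {path}  {', '.join(hits)}")
```

On a real host the dictionary would be filled by walking the web root and reading each script file; the threshold of 5 is deliberately set so that a single OS-command call in a library (the `image.php` sample scores 3) is not flagged, while request data flowing into `eval` or `Process.Start` is.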

The sole bespoke malware identified within the VENOM campaign is VENFRPC, a customized version of the open-source fast reverse proxy tool (FRP).
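When an incident responder recovers an FRP-derived client from a compromised server, the most useful immediate question is what the tunnel exposes and where it dials out to. The script below is an added example, not Trend Micro's analysis and not VENFRPC: the page does not describe VENFRPC's configuration format, so the example assumes the upstream open-source frp client's legacy INI layout (a `[common]` section carrying `server_addr` and `server_port`, then one section per proxied local service). The configuration text, addresses and ports are constructed for the demonstration.

```python
"""Summarise what an frp-style client configuration would expose.

Added example assuming upstream frp's legacy frpc.ini layout; the config
below is constructed. Useful as a first-pass triage of a recovered tunnel
client's configuration before deeper reverse engineering.
"""
import configparser
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed frpc-style configuration: an external frps endpoint, an internal
# RDP host published on a remote port, and a SOCKS5 plugin proxy for pivoting.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.5
server_port = 7000
token = example-token

[rdp]
type = tcp
local_ip = 192.168.10.25
local_port = 3389
remote_port = 53389

[socks]
type = tcp
plugin = socks5
remote_port = 51080
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ExposedService:
    name: str
    proxy_type: str
    local_ip: str
    local_port: int            # 0 when the section publishes a plugin, not a port
    remote_port: Optional[int]
    plugin: Optional[str]


@dataclass
class FrpSummary:
    server_addr: str
    server_port: int
    server_is_external: bool
    services: List[ExposedService]


def is_external(addr: str) -> bool:
    """True unless addr is an RFC 1918, loopback or link-local IPv4 address.
    Hostnames are treated as external for triage purposes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def summarise_frpc(ini_text: str) -> FrpSummary:
    """Parse frpc-style INI text into a summary of server and exposed services."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    common = parser["common"]
    server_addr = common.get("server_addr", "0.0.0.0")
    server_port = common.getint("server_port", 7000)   # frps default port
    services = []
    for section in parser.sections():
        if section == "common":
            continue
        sec = parser[section]
        services.append(ExposedService(
            name=section,
            proxy_type=sec.get("type", "tcp"),
            local_ip=sec.get("local_ip", "127.0.0.1"),
            local_port=sec.getint("local_port", 0),
            remote_port=sec.getint("remote_port", fallback=None),
            plugin=sec.get("plugin", fallback=None),
        ))
    return FrpSummary(server_addr, server_port, is_external(server_addr), services)


def findings(summary: FrpSummary) -> List[str]:
    """Turn the summary into analyst-facing findings."""
    out = []
    if summary.server_is_external:
        out.append(f"client dials out to external frps {summary.server_addr}:{summary.server_port}")
    for svc in summary.services:
        if svc.local_port:
            out.append(f"{svc.name}: publishes {svc.local_ip}:{svc.local_port} "
                       f"({svc.proxy_type}) on remote port {svc.remote_port}")
        if svc.plugin == "socks5":
            out.append(f"{svc.name}: SOCKS5 plugin on remote port {svc.remote_port} "
                       f"gives the operator a pivot into the local network")
    return out


if __name__ == "__main__":
    for line in findings(summarise_frpc(SAMPLE_FRPC_INI)):
        print("-", line)
```

The findings map directly onto containment actions: block the frps endpoint at the egress firewall, check the published internal host for logons arriving through the tunnel, and treat a SOCKS plugin as evidence that the operator has had routed access to whatever the compromised host could reach.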

The end goal of both campaigns is to exfiltrate credentials from compromised environments, using these credentials to facilitate deeper infiltration in the TIDRONE phase. The TIDRONE campaign unfolds across three stages:
1. Initial Access: Mirroring VENOM, it targets service providers to insert malicious code and distribute malware downstream.
2. Command-and-Control: Employing a DLL loader to deploy CXCLNT and CLNTEND backdoors.
3. Post-Exploitation: Establishing persistence, elevating privileges, disabling antivirus software with tools like TrueSightKiller, and installing a screenshot-capturing tool called SCREENCAP using CLNTEND.

The CXCLNT module relies on a dynamic plugin architecture, retrieving additional capabilities from its command-and-control servers during execution. This design obscures the true intent of the backdoor during static analysis while enabling adaptive operations based on the attacker’s goals.

CXCLNT has been operational in attacks since at least 2022, and its successor, CLNTEND, first detected in 2024, offers an enhanced feature set to evade detection.

The connection between the VENOM and TIDRONE campaigns is reinforced by common victims, overlapping service providers, and shared command-and-control infrastructure, pointing to a single threat actor responsible for both initiatives. The tactics, techniques, and procedures (TTPs) employed by this hacking group bear resemblance to methods used by Dalbit, a known Chinese nation-state actor, indicating a potentially shared toolkit.

This sequence of operations suggests a strategic approach: initially leveraging low-cost and low-risk tools to establish access before shifting to tailored capabilities for more precise and impactful intrusions. A deeper understanding of this operational pattern is crucial for anticipating and mitigating future threats from this group.

In addition, recent disclosures by Seqrite Labs reveal a campaign named Swan Vector, targeting educational institutions and the mechanical engineering sector in Taiwan and Japan. This campaign utilized fake resume tactics in spear-phishing emails to distribute a DLL implant known as Pterois, which subsequently downloads Cobalt Strike shellcode.

Pterois is also designed to retrieve additional malware from cloud services like Google Drive, facilitating the execution of Cobalt Strike's post-exploitation framework. The campaign is attributed, with medium confidence, to an East Asian threat actor.

Security analysts highlighted that this threat actor, active since December 2024, has targeted various hiring-related entities in Taiwan and Japan. The actor employs a range of custom-developed tools, including downloaders and shellcode loaders, alongside Cobalt Strike. They have also integrated multiple evasion strategies—such as API hashing, direct system calls, function callbacks, DLL side-loading, and self-deletion—to minimize traces on compromised hosts.
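Of the evasion strategies listed above, DLL side-loading is the one that leaves the clearest telemetry, because the operating system records every image load. The script below is an added example, not from Seqrite Labs or from this page, and the records are constructed rather than real Sysmon events. It applies the heuristic a detection engineer would run over image-load telemetry such as Sysmon Event ID 7: flag a DLL that bears the name of a library normally resident in System32 but loads from elsewhere, and flag a DLL that sits next to a signed host executable outside the system directories while being unsigned or signed by a different publisher.

```python
"""Flag likely DLL side-loading in constructed image-load telemetry.

Added example; the events and signer names below are constructed. The
system-resident DLL set is a small baseline of names that on a clean host
resolve under System32; a production rule would carry a much larger one.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass
class ImageLoad:
    process_path: str
    process_signer: Optional[str]   # None when the host executable is unsigned
    image_path: str
    image_signer: Optional[str]     # None when the loaded DLL is unsigned


SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
SYSTEM_RESIDENT_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll",
                        "wtsapi32.dll", "uxtheme.dll"}

# Constructed events: benign system load, a side-load from a user-writable
# folder, a vendor's own plugin, an unsigned toolchain, and a co-located DLL
# from a different publisher.
SAMPLE_EVENTS: List[ImageLoad] = [
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", "Vendor Ltd",
              r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Docs\updater.exe", "Vendor Ltd",
              r"C:\Users\Public\Docs\version.dll", None),
    ImageLoad(r"C:\Program Files\VendorApp\app.exe", "Vendor Ltd",
              r"C:\Program Files\VendorApp\plugin.dll", "Vendor Ltd"),
    ImageLoad(r"C:\Tools\build.exe", None,
              r"C:\Tools\helper.dll", None),
    ImageLoad(r"C:\ProgramData\Sync\sync.exe", "Vendor Ltd",
              r"C:\ProgramData\Sync\helper.dll", "Other Co"),
]


def is_system_path(path: str) -> bool:
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(d) for d in SYSTEM_DIRS)


def sideload_reasons(ev: ImageLoad) -> List[str]:
    """Return the reasons one image-load event looks like side-loading (empty if none)."""
    reasons: List[str] = []
    image = PureWindowsPath(ev.image_path)
    proc = PureWindowsPath(ev.process_path)
    if image.suffix.lower() != ".dll" or is_system_path(ev.image_path):
        return reasons
    if image.name.lower() in SYSTEM_RESIDENT_DLLS:
        reasons.append(f"{image.name} normally resolves from System32 but loaded from {image.parent}")
    # The co-location check deliberately requires a signed host: a signed,
    # trusted binary pulling in a co-located DLL from another (or no) publisher
    # is the classic side-loading shape. Unsigned-loads-unsigned is too noisy.
    same_dir = str(image.parent).lower() == str(proc.parent).lower()
    if same_dir and ev.process_signer and ev.image_signer != ev.process_signer:
        reasons.append(f"signed host {proc.name} ({ev.process_signer}) loaded co-located "
                       f"{image.name} signed by {ev.image_signer or 'nobody'}")
    return reasons


def detect(events: List[ImageLoad]) -> List[Tuple[str, str, List[str]]]:
    """Return (process, image, reasons) for every event with at least one reason."""
    return [(ev.process_path, ev.image_path, r)
            for ev in events if (r := sideload_reasons(ev))]


if __name__ == "__main__":
    for process, image, reasons in detect(SAMPLE_EVENTS):
        print(process, "->", image)
        for reason in reasons:
            print("   ", reason)
```

Of the five constructed events only the user-folder `version.dll` load and the differently signed `helper.dll` are flagged; the vendor plugin signed by the same publisher and the fully unsigned toolchain are not, which is the trade-off a rule like this makes to stay quiet on developer and build machines.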