Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Summary:
Between 2023 and 2024, the Chinese-speaking threat group Earth Ammit conducted two sophisticated cyberespionage campaigns known as VENOM and TIDRONE. These operations targeted upstream vendors to compromise downstream entities through supply chain attacks. The VENOM campaign focused on software service providers in Taiwan and South Korea, leveraging web server vulnerabilities and deploying open-source tools such as web shells and proxy utilities to maintain stealth and avoid attribution. Affected sectors included heavy industry, media, technology, and healthcare. As the operation matured, Earth Ammit transitioned to more advanced tactics in the TIDRONE campaign, which targeted military and satellite industries in Taiwan using custom malware including the CXCLNT and CLNTEND backdoors and a screen capture utility named SCREENCAP. These tools executed in memory, employed fiber-based evasion techniques, and used modular plugin architectures to extend functionality dynamically.

In both campaigns, the attackers gained initial access by compromising trusted vendors or service providers, then distributed malware through legitimate channels or software update mechanisms. VENOM primarily involved persistence and credential theft, while TIDRONE introduced advanced techniques such as privilege escalation, antivirus evasion, and process injection into legitimate Windows services like dllhost.exe. Analysis of telemetry confirmed shared victims, infrastructure, and tactics between the campaigns, reinforcing the assessment that both operations were conducted by the same threat actor. The TIDRONE loaders incorporated anti-analysis features and novel fiber-based APIs, including SwitchToFiber, FlsAlloc, and exception-based execution, which complicate traditional detection methods. Earth Ammit also used a custom tool called VENFRPC, embedded with unique identifiers for victim tracking and management.

Security Officer Comments:
Attribution indicators such as file timestamps aligned with GMT+8, targeting patterns, and tactics resembling those of the Dalbit group suggest Earth Ammit is likely based in China, Taiwan, and parts of Southeast Asia. The campaigns were publicly disclosed at Black Hat Asia 2025 and demonstrate the group’s intent to infiltrate trusted networks and access high-value downstream targets.

Suggested Corrections:

IOCs:
https://documents.trendmicro.com/assets/txt/IOCs_Earth-Ammitxael9qX.txt
To mitigate the risk of supply chain attacks, organizations may implement a third-party risk management program to assess vendors, verify software with Software Bills of Materials (SBOMs), enforce code signing, continuously monitor third-party software behavior, apply patches promptly, segment vendor systems, include third-party breach scenarios in incident response plans, and adopt Zero Trust Architecture to validate every connection. Organizations may also better protect themselves from fiber-based techniques by monitoring the use of fiber-related APIs (such as ConvertThreadToFiber and CreateFiber) to detect abnormal behavior, strengthening EDR solutions to recognize fiber-based anomalies, and enhancing behavioral monitoring to identify unusual execution patterns typical of fiber-based malware.
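To make the fiber-API monitoring recommended above concrete, here is an added example (not code from the Trend Micro report or this bulletin) that correlates per-process API-call telemetry and alerts only when the ConvertThreadToFiber, CreateFiber, SwitchToFiber sequence completes, raising severity when the image is dllhost.exe. The telemetry line format is an assumption and the sample log lines are constructed.

```python
"""Flag processes whose API telemetry shows the fiber-execution chain used by the TIDRONE loaders.
Added illustration, not Trend Micro code; the log line shape is assumed and SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
# Fiber APIs named in the report. The ordered chain means a thread was converted to a fiber, a new
# fiber was created around attacker-supplied code, and control was switched into it.
CHAIN = ("ConvertThreadToFiber", "CreateFiber", "SwitchToFiber")
FIBER_APIS = set(CHAIN) | {"FlsAlloc"}  # FlsAlloc alone is too common in legitimate code to alert on
SERVICE_HOSTS = {"dllhost.exe"}  # injection target per the report; a service host should not schedule fibers
# Assumed telemetry shape, one API call per line: "<timestamp> pid=<n> image=<name> api=<Win32Api>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+)$")

# Constructed sample: compromised dllhost.exe, a game engine legitimately using fibers, an FlsAlloc-only process.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z pid=4120 image=dllhost.exe api=FlsAlloc
2024-06-01T08:00:01Z pid=4120 image=dllhost.exe api=ConvertThreadToFiber
2024-06-01T08:00:02Z pid=4120 image=dllhost.exe api=CreateFiber
2024-06-01T08:00:02Z pid=4120 image=dllhost.exe api=SwitchToFiber
2024-06-01T08:00:03Z pid=2210 image=game.exe api=ConvertThreadToFiber
2024-06-01T08:00:03Z pid=2210 image=game.exe api=CreateFiber
2024-06-01T08:00:04Z pid=2210 image=game.exe api=SwitchToFiber
2024-06-01T08:00:05Z pid=3300 image=explorer.exe api=FlsAlloc
"""

def parse(log_text):
    """Group API names per (pid, image) in call order; lines that do not match the shape are skipped."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls[(int(m["pid"]), m["image"].lower())].append(m["api"])
    return calls

def has_chain(apis, chain=CHAIN):
    """True if every API in `chain` occurs in `apis` in that order; other calls may interleave."""
    idx = 0
    for api in apis:
        if idx < len(chain) and api == chain[idx]:
            idx += 1
    return idx == len(chain)

def detect(log_text):
    """One finding per process that completes the chain; a service host doing so scores high."""
    return [{"pid": pid, "image": image,
             "severity": "high" if image in SERVICE_HOSTS else "medium",
             "fiber_apis": sorted(set(apis) & FIBER_APIS)}
            for (pid, image), apis in parse(log_text).items() if has_chain(apis)]

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

On the sample log this yields a high-severity finding for dllhost.exe and a medium one for game.exe, while the process that only called FlsAlloc produces nothing, which is the point of requiring the full chain rather than any single fiber API.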

Link(s):
https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html