Earth Ammit Breached Drone Supply Chains via ERP in VENOM, TIDRONE Campaigns

By Harish, May 14, 2025

A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.

Cybersecurity firm Trend Micro said the first wave, codenamed VENOM, mainly targeted software service providers, while the second wave, referred to as TIDRONE, singled out the military industry. Earth Ammit is assessed to be connected to Chinese-speaking nation-state groups.

“In its VENOM campaign, Earth Ammit’s approach involved penetrating the upstream segment of the drone supply chain,” security researchers Pierre Lee, Vickie Su, and Philip Chen said. “Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach.”

The TIDRONE campaign was first exposed by Trend Micro last year, detailing the cluster’s attacks on drone manufacturers in Taiwan to deliver custom malware such as CXCLNT and CLNTEND. A subsequent report from AhnLab in December 2024 detailed the use of CLNTEND against South Korean companies.

The attacks are noteworthy for targeting the drone supply chain, leveraging enterprise resource planning (ERP) software to breach the military and satellite industries. Select incidents have also involved the use of trusted communication channels – such as remote monitoring or IT management tools – to distribute the malicious payloads.


The VENOM campaign, per Trend Micro, is characterized by the exploitation of web server vulnerabilities to drop web shells, with that access then weaponized to install remote access tools (RATs) for persistent access to the compromised hosts. The use of open-source tools like REVSOCK and Sliver in the attacks is seen as a deliberate attempt to cloud attribution efforts.

The only bespoke malware observed in the VENOM campaign is VENFRPC, a customized version of FRPC, which, in itself, is a modified version of the open-source fast reverse proxy (FRP) tool.

The end goal of the campaign is to harvest credentials from the breached environments and use the stolen information as a stepping stone to inform the next phase, TIDRONE, aimed at downstream customers. The TIDRONE campaign is spread over three stages:

  • Initial access, which mirrors the VENOM campaign by targeting service providers to inject malicious code and distribute malware to downstream customers
  • Command-and-control, which makes use of a DLL loader to drop the CXCLNT and CLNTEND backdoors
  • Post-exploitation, which involves setting up persistence, escalating privileges, disabling antivirus software using TrueSightKiller, and installing a screenshot-capturing tool dubbed SCREENCAP using CLNTEND

“CXCLNT’s core functionality is dependent on a modular plugin system. Upon execution, it retrieves additional plugins from its C&C server to extend its capabilities dynamically,” Trend Micro said. “This architecture not only obscures the backdoor’s true purpose during static analysis but also enables flexible, on-demand operations based on the attacker’s objectives.”

CXCLNT is said to have been put to use in attacks since at least 2022. CLNTEND, first detected in 2024, is its successor and comes with an expanded set of features to sidestep detection.

The connection between VENOM and TIDRONE stems from shared victims and service providers and overlapping command-and-control infrastructure, indicating that a common threat actor is behind both campaigns. Trend Micro said the hacking crew’s tactics, techniques, and procedures (TTPs) resemble those used by another Chinese nation-state hacking group tracked as Dalbit (aka m00nlight), suggestive of a shared toolkit.


“This progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access, then pivot to tailored capabilities for more targeted and impactful intrusions,” the researchers said. “Understanding this operational pattern will be critical in predicting and defending against future threats from this actor.”

Japan and Taiwan Targeted by Swan Vector

The disclosure comes as Seqrite Labs detailed a cyber espionage campaign dubbed Swan Vector that has targeted educational institutes and the mechanical engineering industry in Taiwan and Japan. The campaign uses fake resume lures distributed via spear-phishing emails to deliver a DLL implant called Pterois, which is then used to download Cobalt Strike shellcode.

Pterois is also engineered to download from Google Drive another malware referred to as Isurus that’s then responsible for executing the Cobalt Strike post-exploitation framework. The campaign has been attributed to an East Asian threat actor with medium confidence.

“The threat actor is based out of East Asia and has been active since December 2024 targeting multiple hiring-based entities across Taiwan and Japan,” security researcher Subhajeet Singha said.

“The threat actor relies on custom development of implants comprising a downloader, shellcode loaders, and Cobalt Strike as their key tools, while heavily relying on multiple evasion techniques like API hashing, direct syscalls, function callbacks, DLL side-loading, and self-deletion to avoid leaving any sort of traces on the target machine.”
