A Chinese threat actor was seen disrupting the drone supply chain in multi-wave attacks against various organizations in Taiwan and South Korea, Trend Micro reports.
Dubbed Earth Ammit and believed to be tied to Chinese APTs, the hacking group was seen launching two attack campaigns between 2023 and 2024, targeting organizations across multiple sectors to compromise trusted supply chains.
Named Tidrone and Venom, the campaigns hit military, heavy industry, software services, satellite, technology, media, and healthcare organizations, using both open source and custom tools to achieve malicious goals.
The Tidrone campaign was initially detailed in September 2024, after the Chinese hackers were seen abusing enterprise resource planning (ERP) software and remote desktop access to deploy the Cxclnt and Clntend backdoors, steal information, and disable security protections.
In a fresh report, Trend Micro explains that the Venom campaign occurred prior to Tidrone, targeting service providers and technology companies in Taiwan, and heavy industry firms in South Korea.
“Earth Ammit’s strategy centered around infiltrating the upstream segment of the drone supply chain. By compromising trusted vendors, the group positioned itself to target downstream customers – demonstrating how supply chain attacks can ripple out and cause broad, global consequences,” Trend Micro notes.
Earth Ammit, the cybersecurity firm says, used a combination of two types of supply chain attack techniques in these campaigns: the group tampered with legitimate software used by the target companies and compromised upstream vendors to deliver malware to the connected systems.
The Venom campaign relied on web server vulnerability exploitation for webshell deployment, followed by the deployment of open source proxy tools and remote access tools to achieve persistence. Next, the attackers harvested credentials from the victim, to use them in attacks against downstream customers.
In Tidrone attacks, the hackers targeted service providers for code injection and the distribution of malware to their customers. Next, they deployed their customized backdoors for cyberespionage purposes, Trend Micro notes.
Follow-up activities included privilege escalation, establishing persistence, credential dumping, the disabling of security software, and information collection.
In addition to Cxclnt and Clntend, Earth Ammit used customized tools such as Screencap (screen capture tool) and Venfrpc (fast reverse proxy), both adapted from utilities available on GitHub. The threat actor was also seen relying on fiber-based techniques for evasion.
“In the Venom campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility, low cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward deploying custom-built malware – notably in the Tidrone campaign – to increase precision and stealth in targeting sensitive sectors,” Trend Micro notes.
Related: Chinese APT’s Adversary-in-the-Middle Tool Dissected
Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race
Related: Popular Scraping Tool’s NPM Package Compromised in Supply Chain Attack
Related: AI Hallucinations Create a New Software Supply Chain Threat
