Chinese-speaking Earth Ammit APT linked to espionage campaigns targeting Taiwan and South Korea

A Chinese-speaking advanced persistent threat (APT) group tracked as Earth Ammit has been linked to two cyberespionage campaigns, dubbed ‘VENOM’ and ‘TIDRONE,’ carried out between 2023 and 2024. Both campaigns used supply chain attacks against organizations in Taiwan and South Korea, spanning critical industries from military to healthcare.

The VENOM campaign, identified as the earlier wave, primarily targeted software service providers and upstream vendors in sectors including heavy industry, technology, media, and healthcare. Earth Ammit relied heavily on open-source tools to keep costs low and blend in with legitimate activity. Initial access was gained by exploiting web server vulnerabilities, followed by web shell deployment. Once inside, the attackers established persistence using proxy and remote access tools and escalated privileges by stealing credential data from the Active Directory database (NTDS), which in turn enabled lateral movement toward downstream targets.
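The report says only that Earth Ammit stole NTDS credential data, not which tooling it used. The block below is an added example, not code from the page or from Trend Micro, showing how a defender would hunt for the common ways NTDS.dit is extracted from a domain controller (ntdsutil IFM snapshots, volume shadow copies, direct copies of the database file, and export of the SYSTEM hive whose boot key is needed to decrypt the hashes). The log events are constructed to resemble Sysmon/4688 process-creation records and are not real telemetry; the rule names and field names are assumptions of this example.

```python
import re

# Detection rules applied to the lowercased command line: (rule name, regex).
# These cover generic NTDS.dit extraction techniques, not tooling attributed
# to Earth Ammit by the report.
RULES = [
    # ntdsutil "Install From Media" writes a consistent copy of the AD database.
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    # A shadow copy lets an attacker read the otherwise-locked ntds.dit file.
    ("shadow_copy_create", re.compile(
        r"\b(vssadmin(\.exe)?\s+create\s+shadow"
        r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
        r"|diskshadow(\.exe)?)\b")),
    # Any direct reference to the database file (copy, esentutl, etc.).
    ("ntds_dit_access", re.compile(r"ntds\.dit")),
    # The SYSTEM hive holds the boot key required to decrypt NTDS password hashes.
    ("system_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b")),
]

# Constructed sample events (assumed field names: host, image, cmdline, parent).
SAMPLE_EVENTS = [
    {"host": "DC01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin create shadow /for=C:",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\temp\sys.hiv",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign admin activity: listing shadow copies should not fire.
    {"host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # A lone hive export on a file server: noteworthy, but not a full chain.
    {"host": "FS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM D:\backup\system.hiv",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WEB01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\temp",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]


def detect(events):
    """Return one finding per (event, rule) match, preserving event order."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"host": ev["host"], "rule": name,
                                 "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


def chained_hosts(findings, min_rules=2):
    """Hosts where several distinct rules fired: a snapshot plus a hive export
    is far more telling than either step on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:6} {h["rule"]:20} {h["cmdline"]}')
    print("chained:", chained_hosts(hits))
```

Individual hits are worth triaging (legitimate backups do run `reg save` and shadow-copy commands), but a single host hitting three or four of these rules in one session is the pattern that distinguishes credential theft from maintenance; feeding the parent process in (a web-server worker such as w3wp.exe spawning these commands) tightens the signal further.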

In particular, Earth Ammit targeted entities connected to Taiwan's drone industry. The use of remote monitoring and IT management tools allowed the attackers to stealthily propagate malware without modifying legitimate software.

First spotted in July 2024, the TIDRONE campaign relied more on custom-built tools, including CXCLNT and CLNTEND, two purpose-built backdoors used for espionage. The campaign predominantly targeted Taiwan’s military and satellite sectors. Trend Micro's investigation revealed that multiple victims were using the same enterprise resource planning (ERP) software, which served as a key intrusion vector.

The infection chain in TIDRONE involved three stages:

  • Malicious code injection into trusted service providers

  • Malware distribution via those channels to downstream organizations

  • Deployment of custom backdoors for surveillance and data theft

The analysis found overlapping command-and-control (C&C) infrastructure and shared victims across both campaigns, indicating a concerted and long-term campaign by Earth Ammit.

“In the VENOM campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility, low cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward deploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth in targeting sensitive sectors,” the researchers noted. “This progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access, then pivot to tailored capabilities for more targeted and impactful intrusions. Understanding this operational pattern will be critical in predicting and defending against future threats from this actor.”
