Chinese-speaking Earth Ammit APT linked to espionage campaigns targeting Taiwan and South Korea

A Chinese-speaking advanced persistent threat (APT) group known as Earth Ammit has been linked to two sophisticated cyberespionage campaigns dubbed ‘VENOM’ and ‘TIDRONE,’ carried out between 2023 and 2024. The campaigns employed supply chain attacks targeting organizations in Taiwan and South Korea, spanning critical industries from military to healthcare.

The VENOM campaign, identified as the earlier wave, primarily targeted software service providers and upstream vendors in sectors including heavy industry, technology, media, and healthcare. Earth Ammit relied heavily on open-source tools to reduce cost and avoid detection. Initial access was gained through web server vulnerabilities, followed by web shell deployments. Once inside, attackers established persistence using proxy and remote access tools, and escalated privileges by stealing NTDS credential data, which in turn facilitated lateral movement toward downstream targets.
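The NTDS credential theft step described above is one of the more detectable links in the chain, because extracting the Active Directory database leaves a characteristic trail in process-creation telemetry. The following detector is an added example written for this article, not code from Trend Micro's report; the key=value log format, host names and command lines are constructed for illustration and do not come from any real incident.

```python
"""Flag NTDS (Active Directory database) extraction in process-creation logs.

Added example for this article. The event format and the sample events below are
constructed; they are not from Trend Micro's report or from any real incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events. Format (assumed, not a real product's schema):
#   <timestamp> host=<host> user=<user> image=<exe> cmdline=<command line>
SAMPLE_EVENTS: List[str] = [
    "2024-03-01T09:12:03Z host=WEB01 user=svc_web image=w3wp.exe cmdline=w3wp.exe -ap DefaultAppPool",
    "2024-03-01T09:14:20Z host=DC01 user=admin image=ntdsutil.exe "
    "cmdline=ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\temp\\out\" q q",
    "2024-03-01T09:15:01Z host=DC01 user=admin image=vssadmin.exe cmdline=vssadmin.exe create shadow /for=C:",
    "2024-03-01T09:15:40Z host=DC01 user=admin image=cmd.exe cmdline=cmd.exe /c copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\temp\\ntds.dit",
    "2024-03-01T09:16:02Z host=DC01 user=admin image=reg.exe cmdline=reg.exe save hklm\\system C:\\temp\\sys.hiv",
    "2024-03-01T09:16:10Z host=DC01 user=backup image=wbadmin.exe cmdline=wbadmin start backup -backupTarget:D:",
    "2024-03-01T10:00:00Z host=WS05 user=jdoe image=notepad.exe cmdline=notepad.exe report.txt",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$"
)

# (rule name, severity, pattern applied to the command line). These map to the
# well-documented NTDS dumping technique (MITRE ATT&CK T1003.003).
RULES = [
    # ntdsutil "install from media" writes a full copy of ntds.dit plus registry hives.
    ("ntdsutil_ifm", "high", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    # Any direct reference to the database file is suspicious outside of backup software.
    ("ntds_dit_reference", "high", re.compile(r"ntds\.dit\b", re.I)),
    # Shadow copy creation on a domain controller is a common precursor (weak on its own).
    ("vss_shadow_create", "medium", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    # The SYSTEM hive is needed alongside ntds.dit, so it is usually saved in the same session.
    ("system_hive_save", "medium", re.compile(r"\breg(\.exe)?\s+save\b.*\\system\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed-format event into its fields; raise on malformed input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def detect_ntds_theft(events: List[str]) -> List[Finding]:
    """Run every rule over every event's command line and return all hits."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        for name, severity, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, severity, ev["cmdline"]))
    return findings


def triage_hosts(findings: List[Finding]) -> Dict[str, str]:
    """Collapse findings to one verdict per host.

    'high' if any high-severity rule fired; 'medium' if two or more distinct
    medium-severity rules fired on the same host (shadow copy plus hive save is
    the classic pairing even when the ntds.dit path itself is not visible).
    Hosts with nothing notable are omitted.
    """
    by_host: Dict[str, Dict[str, set]] = defaultdict(lambda: {"high": set(), "medium": set()})
    for f in findings:
        by_host[f.host][f.severity].add(f.rule)
    verdicts: Dict[str, str] = {}
    for host, sev in by_host.items():
        if sev["high"]:
            verdicts[host] = "high"
        elif len(sev["medium"]) >= 2:
            verdicts[host] = "medium"
    return verdicts


if __name__ == "__main__":
    hits = detect_ntds_theft(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.ts} {h.host} {h.user} [{h.severity}] {h.rule}: {h.cmdline}")
    print("verdicts:", triage_hosts(hits))
```

Running the block against the constructed events flags DC01 as high and leaves WEB01 and WS05 untouched; in a real environment the rules would be fed from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled, and backup software that legitimately touches ntds.dit would need an allow-list keyed on the signed image rather than on the command line.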

In particular, Earth Ammit targeted entities connected to Taiwan's drone industry. The use of remote monitoring and IT management tools allowed the attackers to stealthily propagate malware without modifying legitimate software.

First spotted in July 2024, the TIDRONE campaign involved more custom-built tools, including CXCLNT and CLNTEND, purpose-built backdoors used for espionage. The campaign predominantly targeted Taiwan’s military and satellite sectors. Trend Micro's investigation revealed that multiple victims were using the same enterprise resource planning (ERP) software, which served as a key intrusion vector.

The infection chain in TIDRONE involved three stages:

  • Malicious code injection into trusted service providers

  • Malware distribution via those channels to downstream organizations

  • Deployment of custom backdoors for surveillance and data theft

The analysis found overlapping command-and-control (C&C) infrastructure and shared victims across both campaigns, indicating a concerted and long-term campaign by Earth Ammit.

“In the VENOM campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility, low cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward deploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth in targeting sensitive sectors,” the researchers noted. “This progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access, then pivot to tailored capabilities for more targeted and impactful intrusions. Understanding this operational pattern will be critical in predicting and defending against future threats from this actor.”