A sophisticated cyber-espionage group, Earth Ammit, has been linked to a pair of highly targeted hacking campaigns that spanned from 2023 to 2024, impacting critical sectors in Taiwan and South Korea. The group, believed to be connected to a Chinese-speaking nation-state, has been zeroing in on military, satellite, defense manufacturing, media, software services, and even healthcare organizations.
According to cybersecurity firm Trend Micro, the first wave—codenamed VENOM—focused on compromising upstream software service providers. The second, dubbed TIDRONE, was more surgical, aiming directly at the military and aerospace industries. Both campaigns leveraged supply chain attacks to infiltrate trusted networks and gain persistent access to high-value downstream targets.
Supply Chain Attacks, Drone Industries, and Advanced Malware Tools
Earth Ammit’s VENOM campaign exploited web server vulnerabilities to install web shells, ultimately deploying remote access tools (RATs) like Sliver and REVSOCK to maintain covert access. The group’s use of open-source tooling was likely an attempt to obscure attribution. The only unique malware observed during this phase was VENFRPC, a customized variant of FRPC—an open-source fast reverse proxy tool.
Trend Micro researchers Pierre Lee, Vickie Su, and Philip Chen said the group’s long-term strategy revolves around compromising upstream suppliers, particularly within the drone ecosystem, to gain deeper reach across national defense and infrastructure systems. VENOM served as the staging ground to harvest credentials, which were then weaponized in the next phase—TIDRONE.
TIDRONE attacks were executed in three key stages:
- Initial Access: Earth Ammit gained entry via the same upstream vectors, injecting malicious code and distributing malware to downstream customers.
- Command and Control: A custom DLL loader was used to deploy advanced backdoors like CXCLNT and CLNTEND.
- Post-Exploitation: The attackers escalated privileges, disabled antivirus tools using TrueSightKiller, established persistence, and installed SCREENCAP, a tool designed to silently capture screen content.
The modular structure of CXCLNT made static analysis difficult. It downloads additional plugins dynamically from its command-and-control (C2) server, enabling attackers to customize operations based on specific objectives. Its successor, CLNTEND, first spotted in 2024, is even stealthier and comes with broader evasion capabilities.
Both campaigns are linked through overlapping infrastructure and shared victim profiles, suggesting a single threat actor orchestrated the entire operation. Earth Ammit’s tactics and tooling also mirror those of another suspected Chinese state-backed group known as Dalbit (aka m00nlight).
Trend Micro emphasized that Earth Ammit’s playbook represents a deliberate and scalable strategy: start broad with low-cost tools to establish access, then escalate to bespoke malware for deep, targeted operations.
New Espionage Campaign Hits Taiwan and Japan’s Education Sector
The disclosure of Earth Ammit’s campaigns comes on the heels of another alarming revelation. Security researchers at Seqrite Labs have exposed Swan Vector, a cyber espionage operation targeting educational institutions and engineering firms in Taiwan and Japan.
Swan Vector used fake resumes in spear-phishing emails to deliver a malicious DLL implant called Pterois, which then downloaded Cobalt Strike shellcode. The malware chain continued with Isurus, fetched from Google Drive, to execute further post-exploitation activities.
Researcher Subhajeet Singha said the group relies heavily on stealth techniques—DLL side-loading, direct syscalls, API hashing, and self-deletion—to evade detection and leave minimal traces. The actor, believed to be based in East Asia, has been active since December 2024 and is using custom loaders and shellcode droppers to breach secure systems.