
The threat actor used open-source tools after gaining access: proxy tool (left) and backdoor (right) | Image: Trend Micro
Trend Micro researchers have uncovered the full extent of an elaborate, multi-phase cyber-espionage operation attributed to Earth Ammit, a threat actor linked to Chinese-speaking APT groups. The two campaigns, dubbed VENOM and TIDRONE, ran from 2023 into 2024 and targeted critical infrastructure and industries across Taiwan and South Korea, with a primary focus on military, satellite, and drone supply chains.
“Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach,” noted Trend Micro.
The VENOM campaign focused on compromising upstream service providers—such as software companies, healthcare entities, and industrial vendors—with the objective of penetrating the drone supply chain.
Attackers exploited vulnerable web servers, installed web shells, and relied heavily on open-source tools to establish persistence while evading attribution.
“The attackers prefer to implement open-sourced tools rather than their own malware, a characteristic that prevents attribution by concealing their activities,” wrote Trend Micro.
The campaign culminated in the use of a customized proxy tool, VENFRPC (a modified build of the open-source frp client, frpc), whose victim-specific configuration was embedded in the binary and hosted on GitHub, a blend of low-cost tooling and tailored control.
Following VENOM, TIDRONE marked a strategic escalation. The campaign shifted toward custom-built malware such as CXCLNT and CLNTEND, designed to perform advanced cyberespionage, data theft, and surveillance within military and satellite networks.
“In the VENOM campaign, Earth Ammit primarily leveraged open-source tools… they shifted toward deploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth,” the report warns.
TIDRONE’s infection chain includes:
- Supply Chain Initial Access – leveraging trusted vendors to distribute malware.
- Command and Control – using loaders and backdoors with fiber-based execution (e.g., SwitchToFiber, FlsAlloc) and anti-analysis evasion.
- Post-Exploitation – using Mimikatz and credential dumping, TrueSightKiller (an EDR killer that abuses a vulnerable signed driver), process injection, and screen-capture tools such as SCREENCAP.
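The fiber-based execution named in the Command and Control step is easy to show in a few lines. What follows is an added example written for this page, not Earth Ammit's loader or any Trend Micro code: a payload routine is executed by switching into a fiber on the current thread, so no new thread is ever created. On Windows it uses the documented ConvertThreadToFiber / CreateFiber / SwitchToFiber calls the report refers to; on other platforms it falls back to the POSIX ucontext API (makecontext / swapcontext), the closest equivalent, so that the same file also compiles and runs on Linux. The payload is a stand-in that only writes a marker string, and the function names (run_payload_on_fiber, payload_marker) are this example's own.

```c
/* Added example for this page, not Earth Ammit's or Trend Micro's code.
 * Runs a "payload" via a user-mode context switch on the current thread
 * instead of spawning a thread. Windows: fiber API. Elsewhere: ucontext. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <ucontext.h>
#endif

/* Stand-in payload: where a loader would jump into decrypted shellcode,
 * this only records that it ran. */
static char g_marker[32];
static int g_payload_runs = 0;

static void payload_body(void) {
    strcpy(g_marker, "payload-ran-on-fiber");
    g_payload_runs++;
}

#ifdef _WIN32
static LPVOID g_main_fiber;

static VOID CALLBACK fiber_entry(LPVOID param) {
    (void)param;
    payload_body();
    /* A fiber routine must not return; hand control back explicitly. */
    SwitchToFiber(g_main_fiber);
}

/* Returns how many times the payload has run (1 on success), -1 on error. */
int run_payload_on_fiber(void) {
    g_main_fiber = ConvertThreadToFiber(NULL);   /* current thread becomes a fiber */
    if (!g_main_fiber) return -1;
    LPVOID worker = CreateFiber(0, fiber_entry, NULL);
    if (!worker) return -1;
    SwitchToFiber(worker);       /* payload executes here, same thread, no CreateThread */
    DeleteFiber(worker);
    ConvertFiberToThread();
    return g_payload_runs;
}
#else
static ucontext_t g_main_ctx, g_worker_ctx;
static char g_worker_stack[64 * 1024];   /* private stack for the "fiber" */

static void fiber_entry(void) {
    payload_body();
    /* Returning resumes uc_link, i.e. the main context. */
}

/* Same contract as the Windows branch: 1 on success, -1 on error. */
int run_payload_on_fiber(void) {
    if (getcontext(&g_worker_ctx) != 0) return -1;
    g_worker_ctx.uc_stack.ss_sp = g_worker_stack;
    g_worker_ctx.uc_stack.ss_size = sizeof g_worker_stack;
    g_worker_ctx.uc_link = &g_main_ctx;
    makecontext(&g_worker_ctx, fiber_entry, 0);
    if (swapcontext(&g_main_ctx, &g_worker_ctx) != 0) return -1;  /* payload runs here */
    return g_payload_runs;
}
#endif

const char *payload_marker(void) { return g_marker; }

int main(void) {
    int n = run_payload_on_fiber();
    printf("payload runs: %d, marker: %s\n", n, g_marker);
    return n == 1 ? 0 : 1;
}
```

The point for defenders is in the second branch of each function: the payload executes without CreateThread, CreateRemoteThread, or any new thread object appearing, so detections keyed on thread creation stay silent. The corresponding hunt is telemetry on the fiber APIs themselves (ConvertThreadToFiber, CreateFiber, SwitchToFiber, and FlsAlloc callbacks, which the report also lists) in processes that have no legitimate reason to use them. Note also that SwitchToFiber does not return until something switches back, which is why the Windows fiber routine must switch to the main fiber explicitly rather than return.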
The CXCLNT backdoor, in use since at least 2022, operates entirely in memory, using HTTPS and custom SSL channels. It dynamically loads plugins to perform system reconnaissance, shellcode execution, and data exfiltration.
Its successor, CLNTEND, debuted in 2024 as a DLL-based memory-resident backdoor. It introduced dual-mode operation (client/server), broader protocol support (including SMB, TLS, and WebSocket), and new anti-EDR features such as process injection into dllhost.exe.
“CLNTEND organizes its capabilities into three primary command categories: Link, Plugin, and Session… supporting stealthy remote shells and flexible malware control,” explained the report.
The VENOM and TIDRONE campaigns share C2 infrastructure, overlapping victims, and a strategic focus on the drone ecosystem in Taiwan. Trend Micro attributes these operations to a Chinese-speaking threat actor, citing GMT+8 time zone metadata and similarities to Dalbit, a known espionage group.
“These overlaps strongly suggest that both VENOM and TIDRONE were orchestrated by the same threat actor or group,” wrote the report.
Interestingly, Earth Ammit appears to have adopted fiber-based evasion techniques shortly after they were presented at Black Hat in 2023 and 2024.
Earth Ammit’s VENOM and TIDRONE campaigns illustrate the escalating sophistication of supply chain intrusions and malware evasion techniques in the Asia-Pacific region.