{
	"id": "918b132f-6942-466e-add0-3716a62a26b6",
	"created_at": "2026-04-06T00:17:33.743836Z",
	"updated_at": "2026-04-10T03:30:57.850324Z",
	"deleted_at": null,
	"sha1_hash": "22b9507eb5bdf5edf59ddd5be0900a5619908126",
	"title": "Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12997301,
	"plain_text": "Earth Ammit Disrupts Drone Supply Chains Through Coordinated\r\nMulti-Wave Attacks in Taiwan\r\nBy: Pierre Lee, Vickie Su, Philip Chen May 13, 2025 Read time: 14 min (3653 words)\r\nPublished: 2025-05-13 · Archived: 2026-04-05 14:37:18 UTC\r\nCyber Threats\r\nTrend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, as evidenced by the advanced toolset\r\nused in its TIDRONE and VENOM campaigns that targeted the drone supply chain.\r\n \r\nSummary\r\nEarth Ammit, a threat actor linked to Chinese-speaking APT groups, launched two waves of campaigns\r\nfrom 2023 to 2024. The first wave, VENOM, mainly targeted software service providers, and the second\r\nwave, TIDRONE, mainly targeted the military industry. In its VENOM campaign, Earth Ammit's approach\r\ninvolved penetrating the upstream segment of the drone supply chain.\r\nIn the VENOM campaign, the threat actors primarily relied on open-source tools because they are low-cost and\r\nhard to attribute. They shifted to custom-built tools like CXCLNT and CLNTEND in the TIDRONE\r\ncampaign for cyberespionage purposes.\r\nVictims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and South Korea,\r\naffecting a range of industries including military, satellite, heavy industry, media, technology, software\r\nservices, and healthcare sectors. 
Earth Ammit’s long-term goal is to compromise trusted networks via\r\nsupply chain attacks, allowing them to target high-value entities downstream and amplify their reach.\r\nOrganizations that fall prey to these attacks are also at risk of data theft, including exfiltration of\r\ncredentials and screenshots.\r\nOrganizations can mitigate supply chain attacks and fiber-based evasion techniques by managing third-party risks, enforcing\r\ncode signing, monitoring software behavior and fiber-related API usage, applying patches, segmenting\r\nvendor systems, adopting Zero Trust Architecture, and strengthening EDR and behavioral monitoring.\r\nThe malicious elements of Earth Ammit's dual campaigns are detected and blocked by Trend Vision One™.\r\nCustomers can also access hunting queries, threat insights, and threat intelligence reports to gain rich\r\ncontext and the latest updates on Earth Ammit.\r\nIn July 2024, we disclosed the TIDRONE campaign, in which threat actors targeted Taiwan’s military and satellite\r\nindustries. During our investigation, we discovered that multiple compromised entities were using the same\r\nenterprise resource planning (ERP) software. This led us to engage with the ERP vendor, through which we\r\nuncovered additional details that pointed to an earlier, related campaign – VENOM. Our findings were also\r\npresented at Black Hat Asia 2025 last month, where we discussed in depth Earth Ammit's tactics in the TIDRONE\r\nand VENOM campaigns, their targeted attacks on military sectors in Eastern Asia, and their possible ties to\r\nChinese-speaking cyber-espionage groups.\r\nhttps://www.trendmicro.com/en_us/research/25/e/earth-ammit.html\r\nPage 1 of 20\r\nThe VENOM campaign focused on a wide range of upstream vendors, spanning the heavy industry, media,\r\ntechnology, software services, and healthcare sectors. 
Figure 1 presents a consolidated timeline and visual\r\noverview from the attackers' perspective, illustrating both TIDRONE and VENOM campaigns conducted by the\r\nintrusion set Earth Ammit.\r\nFigure 1. The timeline of operations conducted by Earth Ammit\r\nOrange blocks on the timeline correspond to the VENOM campaign, active from 2023 to 2024, which\r\ncompromised service providers and technology companies in Taiwan, as well as heavy industry entities in\r\nSouth Korea. Earth Ammit’s strategy centered around infiltrating the upstream segment of the drone supply\r\nchain. By compromising trusted vendors, the group positioned itself to target downstream customers –\r\ndemonstrating how supply chain attacks can ripple out and cause broad, global consequences.\r\nRed blocks in the timeline represent the TIDRONE campaign, which targeted payment services, satellite\r\nindustries, and military industries in Taiwan in 2024 through the upstream supply chain. Looking at the whole\r\ncampaign, its earliest case can be traced back to 2022, when unknown victims and community members from\r\nSouth Korea and Canada submitted samples to VirusTotal.\r\nVictimology\r\nFigure 2. The victimology of Earth Ammit\r\nIncorporating findings from the TIDRONE report published by AhnLab, the campaign’s victimology was\r\nprimarily concentrated in Taiwan and South Korea (Figure 2), affecting organizations across various sectors\r\nincluding heavy industry, media, technology, software services, healthcare, satellite and drone vendors, military-related suppliers, and payment service providers. 
In Taiwan, our telemetry indicated that several infected entities\r\nhad close ties to the military and drone industry, leading to the initial assessment that the operation may have been\r\nspecifically targeting the drone sector – an assumption that informed the direction of the subsequent investigation.\r\nSupply chain attack\r\nSupply chain attacks typically involve compromising trusted vendors or service providers to gain access to\r\ndownstream targets. In our analysis of the VENOM and TIDRONE campaigns, we observed two distinct types of\r\nsupply chain attack techniques, each with its own tactics and operational implications (Figure 3).\r\nPath A: Classic supply chain attack\r\nIn a classic supply chain attack, threat actors inject malicious code into legitimate software or replace software\r\nupdate packages with tampered versions. These compromised executables are then delivered to downstream\r\ncustomers under the guise of legitimate software. This traditional approach relies on the attacker’s ability to insert\r\nor replace code within the victim’s supply chain pipeline.\r\nPath B: General supply chain attack\r\nHowever, when code injection or update replacement is not feasible, attackers may adopt an alternative strategy.\r\nBy compromising upstream vendors, they can leverage trusted communication channels – such as remote\r\nmonitoring or IT management tools – to distribute malware across connected environments. This method, which\r\nwe refer to as a general supply chain attack, enables lateral movement from the upstream vendor to downstream\r\ntargets without altering any software artifacts.\r\nBoth the VENOM and TIDRONE campaigns employed a combination of these techniques. 
This underscores the\r\nevolving nature of supply chain threats and the importance of monitoring not only software integrity but also\r\ntrusted network relationships and administrative access points within partner ecosystems.\r\nFigure 3. Two kinds of supply chain attacks were observed in Earth Ammit’s activities\r\nCampaign analysis - VENOM\r\nBased on our telemetry, the attacker exploited web server vulnerabilities and uploaded web shells in the initial\r\naccess phase. This method allowed the attackers to gain entry into the servers on the victim side. Following the\r\nsuccessful breach, the attackers progressed to the command and control phase. They utilized open-source proxy\r\ntools and remote access tools (RATs) to maintain persistence within the system. As noted previously, the attackers\r\nprefer open-source tools over their own malware, a characteristic that hampers attribution by\r\nconcealing their activities (Figure 4).\r\nFigure 4. The threat actor utilized the open-source tools after access with the proxy tool (left) and\r\nbackdoor (right)\r\nOnce they had established persistence on the victim's machine, their next objective was to steal credentials from\r\nthe environment. In this stage, they targeted NTDS data from the victims. This data was leveraged to compromise\r\nthe next stage, the downstream customers, which links this activity to the TIDRONE campaign.\r\nCampaign analysis - TIDRONE\r\nThe infection chain of the TIDRONE campaign is divided into three parts.\r\nInitial access\r\nInitially, the attackers targeted service providers, performing malicious code injection and distributing malware\r\nthrough trusted channels to downstream customers, much like in the VENOM campaign. 
This entire process\r\nserves as the initial access stage for the TIDRONE campaign (Figure 5).\r\nFigure 5. The campaign TIDRONE compromised the victim through a supply chain attack from the\r\nservice provider or upstream vendor\r\nCommand and control\r\nIn the second stage, the threat actors spread the customized backdoor for cyberespionage. Our research indicates\r\nthat the same loader can load two different kinds of payloads: the backdoors CXCLNT and CLNTEND.\r\nNote that the flow chart in Figure 6 is a simplified version for illustration; the multiple layers of loading were\r\ndiscussed in the previous report on the TIDRONE campaign.\r\nFigure 6. The rough infection chain in campaign TIDRONE\r\nPost-exploitation\r\nTable 1 shows the activities and related logs observed in the victim’s environment. Overall, the threat\r\nactors mainly performed these behaviors.\r\nBehavior | Related log and description\r\nPrivilege escalation | Perform UAC Bypass and restart the process with the Winlogon process token.\r\n  $ C:\\Windows\\SysWOW64\\reg.exe: add HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command /v DelegateExecute\r\n  $ C:\\Windows\\SysWOW64\\reg.exe: add HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command /t REG_SZ /d \"C:\\ProgramData\\winword.exe\" /f\r\n  $ %APPDATA%\\.temp\\winsrv.exe\r\nPersistence | Run a scheduled task. Replace the legitimate executable in a selected directory with an auto-run\r\nfeature.\r\nCredential dumping | The series of conventional commands to dump credentials via mimikatz.\r\n  $ C:\\Windows\\Temp\\procdump.exe -accepteula -ma lsass.exe lsass.dmp\r\n  $ C:\\Windows\\SysWOW64\\cmdkey.exe /list\r\n  $ C:\\Temp\\procwin.exe (Execute mimikatz)\r\nDisabling antivirus software | TrueSightKiller is a tool designed to terminate antivirus (AV) and endpoint\r\ndetection and response (EDR) processes. It allows attackers or red teamers to\r\nbypass security measures and disable targeted processes.\r\n  $ mytemp$\\TrueSightKiller.exe -n smartscreen.exe\r\nInstall and run a customized tool to collect the victim’s information | main.exe is a screenshot tool downloaded and installed by the CLNTEND\r\nbackdoor via remote shell.\r\n  $ C:\\Temp\\main.exe\r\nTable 1. The behaviors and corresponding logs in Earth Ammit’s activities\r\nFigure 7. Post-exploitation was observed in the targeted machine\r\nMalware analysis\r\nAs described in the previous section, the VENOM campaign preferred open-source tools over its own customized\r\ntools to hide its footprint (Figure 8). The only customized tool is VENFRPC, which could serve as a strong\r\ncharacteristic for attributing the activity to this attacker. The TIDRONE arsenal, by contrast, contains many customized tools, such as\r\nCXCLNT, CLNTEND, and SCREENCAP (Figure 9).\r\nFigure 8. The arsenal of the campaign VENOM, with open-source tools\r\nFigure 9. The arsenal of the campaign TIDRONE, with customized tools\r\nHacktool - VENFRPC\r\nIn the VENOM campaign, we observed a customized FRPC called VENFRPC that is slightly different from what\r\nwe usually see on GitHub, as the configuration is directly embedded into the file itself. From this configuration\r\nformat, we can see that the attacker tends to use the victim’s identification details to make it easier to recognize\r\ntheir targets.\r\nAs shown in Figure 10, this GitHub repository has hosted multiple VENFRPC builds. Each build has its own\r\nconfiguration and corresponds to a different victim for easy management.\r\nFigure 10. 
VENFRPC configuration and the hosting GitHub repository\r\nLoader of CXCLNT/CLNTEND\r\nSince our previous report, we have observed further evolution of the attacks. In 2023, the attacker started to use\r\nthe fiber-based technique SwitchToFiber in their malware. In 2024, the loader switched to another fiber-based\r\ntechnique, FlsAlloc (Figure 11). Later the same year, the exception-handling technique also appeared in the\r\nmalware. Interestingly, these fiber-based techniques appeared around the same time, and they were presented at\r\nBlackHat USA 2023 and BlackHat Asia 2024 by the same speaker, Daniel Jary. These talks likely inspired the\r\nthreat actors to update their skill sets by developing fiber-based techniques to evade detection and monitoring.\r\nFigure 11. The evolution of the loader from 2023 to 2024\r\nBased on our telemetry, we have identified three distinct versions of the loader.\r\nVariant A - ConvertThreadToFiber\r\nIn this variant, the API ConvertThreadToFiber is used to convert the current thread into a fiber, allowing it to\r\nswitch to other fibers. Then, CreateFiber creates a new fiber within the same thread. The malicious code is\r\nplaced at offset 0xC4 of the fiber structure. Finally, SwitchToFiber switches execution to the new fiber and\r\nruns the malicious code (Figure 12).\r\nFigure 12. The fiber-based technique in the loader with variant A\r\nVariant B - FlsAlloc\r\nFlsAlloc registers a callback function on a fiber local storage (FLS) slot. When the object is freed or deleted, the callback function is\r\ntriggered and executes the malicious code (Figure 13).\r\nFigure 13. The fiber-based technique in the loader with variant B\r\nVariant C - Exception\r\nThis technique leverages an exception handler: when the exception is triggered, the malicious code inside the\r\ncustom handler function is executed. 
As shown in Figures 14 and 15, the custom exception handler\r\nis triggered when the exception occurs, and it then executes the payload through a callback function invoked by\r\nImmEnumInputContext.\r\nFigure 14. Custom exception handler installation\r\nFigure 15. Custom exception handler\r\nAnti-analysis\r\nIn addition to the fiber-based technique, there are two interesting anti-analysis techniques observed in the loader\r\nevolution.\r\nTechnique 1 - Entrypoint verification via GetModuleHandle and XOR check\r\nThis anti-analysis technique uses GetModuleHandle to retrieve information about the current process. An XOR\r\nagainst specific bytes then checks whether the entry point matches the expected target process (Figure 16).\r\nFigure 16. Anti-analysis through checking the expected parent process.\r\nTechnique 2 - Execution order dependency thwarts analysis attempts\r\nThis anti-analysis technique requires the export functions to be executed in the correct order (Figure 17). Since this\r\nloader distributes its decryption function and payload execution across different export functions, the process fails if\r\nthe export functions are run in the wrong order or if rundll32.exe is used to execute a single export function on its own.\r\nFigure 17. Export functions sequence defined by the legitimate host process\r\nCXCLNT backdoor\r\nOur telemetry data indicates that the CXCLNT backdoor has been in use since at least 2022. Notably, it operates\r\nentirely in memory in EXE format, never writing itself to disk, which enhances its stealth and makes detection\r\nsignificantly more challenging. 
For communication, it supports two traffic parsing methods: a custom protocol\r\nover SSL and standard HTTPS, allowing it to blend into legitimate encrypted traffic.\r\nCXCLNT's core functionality is dependent on a modular plugin system. Upon execution, it retrieves additional\r\nplugins from its C\u0026C server to extend its capabilities dynamically. This architecture not only obscures the\r\nbackdoor’s true purpose during static analysis but also enables flexible, on-demand operations based on the\r\nattacker’s objectives.\r\nBased on our hunting records, CXCLNT has been in use since 2022. It does not exist as a file;\r\ninstead, it is decompressed and executed in memory. For network traffic, it supports two connection methods to\r\nparse traffic: SSL with a custom protocol, and HTTPS. The main functionality depends on\r\nextra plugins received from the C\u0026C server, which makes it difficult to determine the backdoor’s purpose through analysis\r\nand easy to hide its intention.\r\nBackdoor command\r\nCXCLNT’s command set is categorized into two main types: general and plugin manipulation.\r\nGeneral manipulation\r\nThe commands shown in Table 2 cover fundamental backdoor functions commonly seen in other malware, such as\r\nsystem reconnaissance, updating embedded configurations, and executing shell commands on the compromised\r\nhost.\r\nBackdoor command | Behaviors\r\n0x1001 | Send victim information to C\u0026C server, including: BIOS, computer name, config mark, host IP, OS\r\n0x1002 | Turn off backdoor\r\n0x1003 | SetEvent and turn off the backdoor\r\n0x1004 | Receive shellcode from C\u0026C server\r\n0x1005 | Clear footprints: delete loader and encrypted payload, delete service\r\n0x1006 | Update the C\u0026C server and write the encrypted C\u0026C into the registry key software\\\\classes\\\\Licenses\\\\\r\nTable 2. The backdoor command of CXCLNT in the general category\r\nPlugin manipulation\r\nCXCLNT supports runtime plugin installation, allowing the C\u0026C server to deploy specialized modules as needed.\r\nThese plugins can extend the backdoor’s capabilities temporarily and are fully removable once their task is\r\ncomplete (Table 3). This plugin-based design supports a wide range of malicious operations while minimizing the\r\nbackdoor’s static footprint.\r\nBackdoor command | Behaviors\r\n0x2001 | Receive the size of plugin\r\n0x2002 | Receive the payload of plugin\r\n0x2003 | Load plugin and write function into backdoor command: 0x2004-0x2007\r\n0x2004 | Unknown\r\n0x2005 | Call export function of plugin: Init\r\n0x2006 | Call export function of plugin: DeleteInstance\r\n0x2007 | Call export function of plugin: GetInstance\r\nTable 3. The backdoor command of CXCLNT in the plugin manipulation category\r\nCLNTEND backdoor\r\nCLNTEND, first observed in 2024, is the evolved successor of the CXCLNT backdoor. Like its previous version,\r\nCLNTEND executes entirely in memory to evade detection, but it is delivered in the form of a DLL. This version\r\nimplemented many features to adapt to various attack scenarios. One of CLNTEND’s key improvements is its\r\ndual-mode design – supporting both client and server modes – based on the embedded configuration. 
It also\r\nsupports a broader range of communication protocols, including:\r\nHTTP\r\nHTTPS\r\nSMB (port 445)\r\nTCP\r\nTLS\r\nUDP\r\nWebSocket\r\nTo hide its footprint, CLNTEND also includes anti-detection features such as process injection into dllhost.exe, a\r\nlegitimate Windows process, and disabling EDR solutions.\r\nCLNTEND organizes its capabilities into three primary command categories:\r\nLink - The link module provides the capability to choose one of seven connection methods and to\r\nalternate the backdoor mode between client and server.\r\nPlugin - The plugin manipulation is similar to that of the first version, CXCLNT, but keeps only two export\r\nfunctions, GetInstance and DeleteInstance.\r\nSession - It injects the remote shell into dllhost.exe. In one of our observed behaviors, we saw the\r\ncommands being executed under winword.exe. In normal situations, winword.exe rarely executes cmd.exe\r\ndirectly, so we believe this injection is a technique used to evade detection or escalate privileges.\r\nComparison - CXCLNT vs CLNTEND\r\nThe comparison table for CXCLNT and CLNTEND is shown in Table 4. CLNTEND not only supports more\r\nconnection methods but also includes more functionality for evading AV solutions.\r\n  | CXCLNT | CLNTEND\r\nActive time | 2022 ~ 2024 | 2024 ~\r\nType | EXE | DLL\r\nVictim information | ComputerName, OS, Host IP, Net BIOS | ComputerName, OS, UserName\r\nConnection method | HTTPS, SSL | TCP, HTTP, HTTPS, TLS, SMB (port:445), UDP, WebSocket\r\nAnti-EDR | N/A | EDRSilence, Blindside\r\nFunctionality | Client | Server, Client\r\nBackdoor module | General, Plugin | Plugin, Session, Link\r\nPlugin export function | Init, GetInstance, DeleteInstance | GetInstance, DeleteInstance\r\nTable 4. The comparison of features between CXCLNT and CLNTEND\r\nWe also found some similarities between the two backdoors. 
Both have a function that collects the victim’s\r\ninformation for calculating a victim hash. An if-else statement in this function indicates two modes: one for testing, and\r\nanother for executing in the victim’s environment. A flag in the embedded configuration controls which\r\nmode is enabled (Figure 18).\r\nFigure 18. A similar code flow in the if-else statement to choose the mode in the infected\r\nenvironment\r\nTrojanSpy - SCREENCAP\r\nAnother customized tool is ScreenCap, a screen capture tool installed by the CLNTEND backdoor through remote\r\nshell (Figure 19). It’s adapted from an open-source tool, which can be found on the GitHub repository “vova616”.\r\nIt sends the victim’s screenshots back to the C\u0026C server.\r\nFigure 19. The main code structure inside the ScreenCap\r\nAttribution\r\nOur analysis links the VENOM and TIDRONE campaigns (Figure 20) through two primary indicators:\r\nShared victims and service providers - Several organizations appear in both campaigns, indicating a\r\nsustained interest by the threat actor in specific entities across multiple operations.\r\nOverlapping C\u0026C infrastructure - The use of common C\u0026C domains, including the notably named\r\nfuckeveryday[.]life, further strengthens the connection.\r\nThese overlaps strongly suggest that both VENOM and TIDRONE were orchestrated by the same threat actor or\r\ngroup.\r\nWe also assess that the campaigns might have been launched by a Chinese-speaking threat actor, based on these observations:\r\nTimestamps from file compilation and command execution logs align with the GMT+8 time zone, which\r\ncorresponds to regions such as China, Taiwan, and parts of Southeast Asia.\r\nThe attacker’s tactics, techniques, and procedures (TTPs) – as well as their target profile – bear\r\nresemblance to those used by Dalbit, a 
threat group previously reported by AhnLab. While we do not claim\r\ndefinitive attribution, the operational similarities are notable and suggest a potential connection or shared\r\ntoolkit.\r\nFigure 20. The relation and overlap connecting the VENOM and TIDRONE campaigns\r\nConclusion\r\nOur investigation into the VENOM and TIDRONE campaigns reveals several key trends in Earth Ammit’s\r\nevolving tradecraft. First, we observed a growing reliance on fiber-based evasion techniques across their malware\r\narsenal – an approach designed to bypass traditional detection mechanisms more effectively. Second, both\r\ncampaigns carry out supply chain attacks across two distinct attack waves. This highlights the adversary’s long-term objective of infiltrating trusted networks to reach high-value targets. Continued monitoring of their\r\ninfrastructure and toolset is essential to anticipate their next move.\r\nIn the VENOM campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility,\r\nlow cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward\r\ndeploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth in\r\ntargeting sensitive sectors.\r\nThis progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access,\r\nthen pivot to tailored capabilities for more targeted and impactful intrusions. 
Understanding this operational\r\npattern will be critical in predicting and defending against future threats from this actor.\r\nTo mitigate the risk of supply chain attacks, organizations may implement a third-party risk management program\r\nto assess vendors, verify software with Software Bills of Materials (SBOMs), enforce code signing, continuously\r\nmonitor third-party software behavior, apply patches promptly, segment vendor systems, include third-party\r\nbreach scenarios in incident response plans, and adopt Zero Trust Architecture to validate every connection. \r\nOrganizations may also better protect themselves from fiber-based techniques by monitoring the use of fiber-related APIs (such as ConvertThreadToFiber and CreateFiber) to detect abnormal behavior, strengthening EDR\r\nsolutions to recognize fiber-based anomalies, and enhancing behavioral monitoring to identify unusual execution\r\npatterns typical of fiber-based malware.\r\nProactive security with Trend Vision One™ \r\nOrganizations can protect themselves from threats like these with Trend Vision One™ – the only AI-powered\r\nenterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust\r\nlayered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive\r\nsecurity outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend\r\nCybertron, the industry's first proactive cybersecurity AI, it delivers proven results: a 92% reduction in\r\nransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and\r\nshowcase continuous improvement to stakeholders. 
With Trend Vision One, you’re enabled to eliminate security\r\nblind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Micro™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which\r\nprovides the latest insights from Trend Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nThreat Actors: Earth Ammit\r\nEmerging Threats: Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks\r\nin Taiwan\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nEarth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this\r\nblog post with data in their environment.\r\nMalware Detection for Earth Ammit Activities\r\neventName:MALWARE_DETECTION AND (malName:*VENFRPC* OR malName:*CXCLNT* OR\r\nmalName:*CLNTEND* OR malName:*SCREENCAP*)\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here.\r\nWith additional insights from Cyris Tseng and Leon M Chang.\r\nSource: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html"
	],
	"report_names": [
		"earth-ammit.html"
	],
	"threat_actors": [
		{
			"id": "7f0f8bbd-b91a-4e0d-9717-7ba87a101eb6",
			"created_at": "2024-09-20T02:00:04.568566Z",
			"updated_at": "2026-04-10T02:00:03.691713Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [
				"Earth Ammit"
			],
			"source_name": "MISPGALAXY:TIDRONE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "be5d552a-cb31-4c76-be8a-9b01e8914109",
			"created_at": "2025-06-29T02:01:56.980287Z",
			"updated_at": "2026-04-10T02:00:04.659383Z",
			"deleted_at": null,
			"main_name": "Earth Ammit",
			"aliases": [],
			"source_name": "ETDA:Earth Ammit",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "21268fa8-7e4a-4cee-bb4f-cd26f9ae3de6",
			"created_at": "2024-10-25T02:02:07.979938Z",
			"updated_at": "2026-04-10T02:00:04.937108Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [],
			"source_name": "ETDA:TIDRONE",
			"tools": [
				"CLNTEND",
				"CXCLNT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22b9507eb5bdf5edf59ddd5be0900a5619908126.pdf",
		"text": "https://archive.orkl.eu/22b9507eb5bdf5edf59ddd5be0900a5619908126.txt",
		"img": "https://archive.orkl.eu/22b9507eb5bdf5edf59ddd5be0900a5619908126.jpg"
	}
}