{
	"id": "3e95ec71-7c7e-43f3-bbdc-6c01ed768ffa",
	"created_at": "2026-04-06T00:13:55.331395Z",
	"updated_at": "2026-04-10T03:30:45.975193Z",
	"deleted_at": null,
	"sha1_hash": "46173674162a5872ab8345f4eaae6d8843ab7ee1",
	"title": "TIDRONE Targets Military and Satellite Industries in Taiwan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2074820,
	"plain_text": "TIDRONE Targets Military and Satellite Industries in Taiwan\r\nBy: Pierre Lee, Vickie Su Sep 06, 2024 Read time: 6 min (1589 words)\r\nPublished: 2024-09-06 · Archived: 2026-04-05 12:47:57 UTC\r\nSummary\r\nTIDRONE, an unidentified threat actor linked to Chinese-speaking groups, has shown significant interest in military-related industry chains, especially drone manufacturers in Taiwan.\r\nThe threat cluster uses enterprise resource planning (ERP) software or remote desktop tools to deploy advanced malware toolsets such as CXCLNT and CLNTEND.\r\nCXCLNT has basic file upload and download capabilities, along with features for clearing traces, collecting victim information such as file listings and computer names, and downloading additional portable executable (PE) files for execution.\r\nCLNTEND is a newly discovered remote access tool (RAT) that was used this April and supports a wider range of network protocols for communication.\r\nDuring the post-exploitation phase, telemetry logs revealed user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products.\r\nIntroduction\r\nSince the beginning of 2024, we have been receiving incident response cases from Taiwan. We track this unidentified threat cluster as TIDRONE. Our research reveals that the threat actors have shown significant interest in military-related industry chains, particularly drone manufacturers. Furthermore, telemetry from VirusTotal indicates that the targeted countries are varied; thus, everyone should stay vigilant of this threat.\r\nThis report also investigates the latest TTPs and the evolution of tools like CXCLNT and CLNTEND, presenting the attack chain to illustrate the threat actor's behavior within victims' systems. The TTPs confirm that the threat actors have consistently updated their arsenal and optimized the attack chain. 
Notably, anti-analysis techniques are employed in their loaders, such as verifying the entry point address from the parent process and hooking widely-used Application Programming Interfaces (APIs) like GetProcAddress to alter the execution flow.\r\nFigure 1. Timeline of campaign launched by TIDRONE\r\nhttps://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html\r\nPage 1 of 9\n\nExecution Flow\r\nBased on how the malware set was deployed into the victim's environment, we can infer that the actor likely used other tools to infiltrate the system some time ago and has now progressed to the lateral movement stage.\r\nIn this case study we reviewed CXCLNT/CLNTEND and its related components, including the launcher and a legitimate executable abused for side-loading, which were downloaded via UltraVNC, a program that allows users to remotely control a server computer with their mouse and keyboard. During our investigation, we discovered that the same ERP system was present in the environments of different victims, suggesting that the malware might be distributed through a supply chain attack.\r\nAfter winsrv.exe executes, the malware copies the token from Winlogon.exe to escalate privileges and perform malicious activities. The original Update.exe located in a chosen directory is then replaced with one provided by the threat actors. During the post-exploitation phase, we observed UAC bypass, credential dumping, and the use of commands aimed at disabling antivirus products, as seen in the telemetry logs.\r\nFigure 2. 
Execution flow of CLNTEND\r\nTechnical Analysis\r\nThis section will further explain the toolsets this threat cluster uses, such as the malware CXCLNT and CLNTEND, and the TTPs we found between previous activities (A) and recent activities (B) as shown in the illustration below.\r\nFigure 3. Execution flow between previous and recent activities involving CXCLNT and CLNTEND\r\nLoaders\r\nWe have identified two kinds of loaders from VirusTotal and the client side, each corresponding to one infection chain. In the first version (A in Figure 3), the loaders create a service for persistence on the victim side (the service name in our received case is ASProxys) and set '-s' as the first command-line argument to make sure the process will be started from the service on the next execution. For decryption, the loaders need two payloads (wwlib.dat and wwlib.cfg). The former is shellcode with a decryption routine that decrypts the latter.\r\nIn the second version (B in Figure 3), these two payloads are merged into a single encrypted payload, but the decryption routine is kept in the shellcode part:\r\nRtlDecompressBuffer to decompress the PE file.\r\nExecute the entry point of the PE file.\r\nExecute the assigned export function of the PE file. (“TgSetup” in the first version, “InstallSetup” in the second version)\r\nAdditionally, some extra features are implemented in the second version's loader:\r\nAnti-Analysis technique\r\n1. Read the entry point to check the parent process.\r\n2. Hook GetProcAddress by overwriting the code inside the original one.\r\nAnti-Antivirus: API with callback\r\nThe loaders do not use the common APIs to start a new thread, like CreateThread and _beginthread. Here are the steps of this previously unseen method:\r\n1. 
ConvertThreadToFiber to build a Fiber structure.\r\n2. CreateFiber to create a new fiber (the supplied start address is junk code).\r\n3. Overwrite the start address in the Fiber structure (at offset +0xC4) with the desired function.\r\n4. Enter the desired function via SwitchToFiber.\r\nFigure 4. API with callback: overwriting the Fiber structure\r\nBackdoor\r\nBased on our observations, we have identified two different backdoors in this campaign. Due to the code structure, the shellcode is flexible enough to accept various file formats, such as EXE and DLL, for the final payload.\r\nEXE (Backdoor.CXCLNT)\r\nOne of the final payloads is a non-landed (in-memory only) executable that collects the victim’s information such as IP, MAC address, computer name, product name, and system architecture. By analyzing the transmitted packet contents, we can infer the packet format.\r\nThere are two decryption steps: the first key is placed at position [start+0x8] and the second key at position [start+0x12]. Then, through a customized XOR encryption and decryption process, the encrypted packet can be deciphered.\r\nFigure 5. Encrypted traffic\r\nFigure 6. Decrypted traffic\r\nHowever, upon analyzing this sample, we found that the command and control (C\u0026C) server was no longer active. By tracing the APIs used in the malware and the pcap file recorded by the sandbox report, we inferred its possible functionalities. 
By comparing the decrypted packet contents with the command codes hardcoded in the malware, we concluded that this backdoor might possess the following capabilities.\r\nCommand code: Description\r\n0x1001: Send victim information to the C\u0026C server\r\n0x1002: Pass but do nothing\r\n0x1003: SetEvent\r\n0x1004: Receive unknown data; purpose unclear\r\n0x1005: Clear footprints: delete the files wwlib.cfg, wwlib.dat, and wwlib.dll, and delete the service\r\n0x1006: Persistence via setting a registry value\r\n0x2001: Receive the size of the payload from the C\u0026C server\r\n0x2002: Receive a DLL file from the C\u0026C server\r\n0x2003: Call the export functions of the DLL received via 0x2002\r\n0x2004: UNKNOWN\r\n0x2005: Check whether the connection is alive\r\n0x2007: Send the list of files in a specific folder to the C\u0026C server\r\nTable 1. Backdoor command codes of CXCLNT\r\nDLL (Backdoor.CLNTEND)\r\nAnother final payload is a non-landed DLL with the internal name “install.dll”. In the export function InstallSetup, there are three paths based on a value in the configuration:\r\n1. SvcLoad → Create a service with the name “CertPropSvce” and inject the next payload, ClientEndPoint.dll, into the current process or a svchost process (depending on configuration).\r\n2. TaskLoad → Create a scheduled task with the name “CertificatePropagatione” and inject the next payload, ClientEndPoint.dll, into the current process or a svchost process (depending on configuration).\r\n3. Other: Directly inject the next payload, ClientEndPoint.dll, into the current process or a svchost process (depending on configuration).\r\nClientEndPoint.dll is a remote shell tool, and the observed commands are shown in Figure 3. 
It supports these protocols for communication with the C\u0026C server:\r\nTCP\r\nHTTP\r\nHTTPS\r\nTLS\r\nSMB (port 445)\r\nBased on our experience, the threat actors prefer C\u0026C server domains that imitate legitimate vendor names, like symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, for both CLNTEND and CXCLNT. They all follow a similar naming convention to mislead investigation of the network infrastructure.\r\nAttribution Analysis\r\nThe consistency of file compilation times and the threat actor’s operating hours with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group. The incidents we observed were highly targeted and limited in scope. The focus on military-related industry chains, particularly drone manufacturers, suggests an espionage motive, given the sensitive data these entities typically hold. This further reinforces the likelihood that TIDRONE is engaged in espionage-related activities.\r\nWinWord.exe\r\nBecause the threat actors consistently operate from the same parent process (WinWord.exe), organizations can defend against TIDRONE by staying vigilant for the following variations:\r\nWinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736). 
Beware that it has the child process cmd.exe due to the remote shell functionality.\r\nWinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with “-s” as the first argument of the command line.\r\nWinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with “/SvcLoad” or “/TaskLoad” as the last argument of the command line.\r\nConclusion\r\nIn this article, we investigated TIDRONE, a threat actor linked to Chinese-speaking groups. The attacks were detected in Taiwan and mostly targeted military-related industries, specifically drone manufacturers. The activities involve advanced malware variants such as CXCLNT and CLNTEND, which were spread through ERP software or remote desktop tools. We examined the technical details of these malicious activities to keep users informed about these types of threats.\r\nSome of the steps that organizations can take to protect themselves are as follows:\r\nDownload software only from trusted sources\r\nStay vigilant of social engineering lures that threat actors could use as entry points for attacks\r\nEmploy antimalware software that can detect early signs of compromise no matter where they are in the system\r\nTrend Micro Vision One offers multilayered protection for diverse environments. 
With comprehensive prevention, detection, and response capabilities, it safeguards systems from breaches and attacks.\r\nIndicators of Compromise (IOCs)\r\nFile\r\nSHA-256: Detection\r\nf13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7 Trojan.Win32.CXCLNT.ZTLH\r\ne366f0209a939503418f2b7befbd60b79609b7298fed9c2fbafcb0e7fde19740 Trojan.Win32.CXCLNT.ZTLH\r\n6cb08a458e35101ef1035e7926130e1394cc1764a10166628aff541834c67063 Trojan.Win32.CXCLNT.ZTLH\r\n19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a Trojan.Win32.CXCLNT.ZTLH\r\neea0f94c6a8f18275c3dac1e1b9e9d3240e37073ff391852e8ff8d8391efa9aa Trojan.Win32.CXCLNT.ZTLH\r\n0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f Trojan.Win32.CXCLNT.ZTLH\r\n1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8 Trojan.Win32.DULLOAD.ZTLC\r\n4b5f609c6b6788bdf0b900dd3df3c982cd547e7925840000bdc4014f8a980070 Trojan.Win32.SHELLDEBIN.ZTLC\r\n1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e Backdoor.Win32.CXCLNT.ZTLC.enc\r\n3b8f10a780eb64a3c59a2ae85fec074faf0f1a8d9725fb111f5cbf80e7b0dc1b Backdoor.Win32.CLNTEND.ZTLH.enc\r\ndb600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18 Backdoor.Win32.CLNTEND.ZTLH.enc\r\n1bf318c94fa7c3fb26d162d08628cef54157dfeb2b36cf7b264e3915d0c3a504 Backdoor.Win32.CLNTEND.ZTLH.enc\r\nf3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3 Backdoor.Win32.CLNTEND.ZTLH.enc\r\nNetwork\r\nbestadll[.]fghytr[.]com\r\nclient[.]wns[.]windowswns[.]com\r\nserver[.]microsoftsvc[.]com\r\nservice[.]symantecsecuritycloud[.]com\r\ntime[.]vmwaresync[.]com\r\nSource: https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html"
	],
	"report_names": [
		"tidrone-targets-military-and-satellite-industries-in-taiwan.html"
	],
	"threat_actors": [
		{
			"id": "7f0f8bbd-b91a-4e0d-9717-7ba87a101eb6",
			"created_at": "2024-09-20T02:00:04.568566Z",
			"updated_at": "2026-04-10T02:00:03.691713Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [
				"Earth Ammit"
			],
			"source_name": "MISPGALAXY:TIDRONE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21268fa8-7e4a-4cee-bb4f-cd26f9ae3de6",
			"created_at": "2024-10-25T02:02:07.979938Z",
			"updated_at": "2026-04-10T02:00:04.937108Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [],
			"source_name": "ETDA:TIDRONE",
			"tools": [
				"CLNTEND",
				"CXCLNT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791845,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46173674162a5872ab8345f4eaae6d8843ab7ee1.pdf",
		"text": "https://archive.orkl.eu/46173674162a5872ab8345f4eaae6d8843ab7ee1.txt",
		"img": "https://archive.orkl.eu/46173674162a5872ab8345f4eaae6d8843ab7ee1.jpg"
	}
}
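The WinWord.exe variations in the report's detection section (cmd.exe child, "-s" first argument, "/SvcLoad" or "/TaskLoad" last argument), together with the loader service name ASProxys, the CLNTEND service and task names, the wwlib.* loader files and the network IOCs, turned into a small hunting rule set. This is an added example written for this page, not code from Trend Micro or from the report. It runs over constructed Sysmon-style event records; the field names (EventType, Image, ParentImage, CommandLine, SHA256, Name, TargetFilename, QueryName) and the sample events are assumptions and will need mapping to real telemetry.

```python
"""Hunt for the TIDRONE process-tree, persistence and C2 indicators described in the report.

Added example, not Trend Micro's code. Event field names are Sysmon-like assumptions;
SAMPLE_EVENTS below are constructed, not captured telemetry.
"""
import shlex

# Indicators quoted in the report
WINWORD_SHA256 = "8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736"
SERVICE_NAMES = {"asproxys", "certpropsvce"}        # loader v1 service, CLNTEND SvcLoad
TASK_NAMES = {"certificatepropagatione"}            # CLNTEND TaskLoad (note the trailing 'e')
LOADER_FILES = {"wwlib.dat", "wwlib.cfg", "wwlib.dll"}
C2_DOMAINS = {
    "bestadll.fghytr.com", "client.wns.windowswns.com", "server.microsoftsvc.com",
    "service.symantecsecuritycloud.com", "time.vmwaresync.com",
}


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline):
    """Split a Windows command line into argv-like tokens, keeping quoted paths intact."""
    try:
        return shlex.split(cmdline, posix=False)   # non-POSIX: backslashes are not escapes
    except ValueError:                              # unbalanced quote in the command line
        return cmdline.split()


def check_process(ev):
    """Return the rule names matched by one process-creation event."""
    hits = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    args = _args(ev.get("CommandLine", ""))
    if parent == "winword.exe" and image == "cmd.exe":
        hits.append("winword_spawns_cmd")           # remote-shell child described in the report
    if image == "winword.exe":
        if ev.get("SHA256", "").lower() == WINWORD_SHA256:
            hits.append("winword_sideload_hash")    # the side-loaded host binary's hash
        if len(args) > 1 and args[1].strip('"') == "-s":
            hits.append("winword_service_start_flag")   # loader v1 started from its service
        if len(args) > 1 and args[-1].strip('"').lower() in ("/svcload", "/taskload"):
            hits.append("winword_clntend_install_flag")  # CLNTEND InstallSetup paths
    return hits


def check_persistence(ev):
    """Return the rule names matched by a service, task, file or DNS event."""
    hits = []
    kind = ev.get("EventType")
    name = ev.get("Name", "").lower()
    if kind == "ServiceInstall" and name in SERVICE_NAMES:
        hits.append("tidrone_service_name")
    if kind == "TaskCreate" and name in TASK_NAMES:
        hits.append("tidrone_task_name")
    if kind == "FileCreate" and _basename(ev.get("TargetFilename", "")) in LOADER_FILES:
        hits.append("tidrone_loader_file")
    if kind == "DnsQuery" and ev.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append("tidrone_c2_domain")
    return hits


def scan(events):
    """Return [(event_index, [rule, ...]), ...] for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev.get("EventType") == "ProcessCreate" else check_persistence(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample telemetry (hypothetical paths and hashes, except WINWORD_SHA256)
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\ProgramData\Update\WinWord.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\ProgramData\Update\WinWord.exe" -s', "SHA256": WINWORD_SHA256},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\Update\WinWord.exe",
     "CommandLine": "cmd.exe /c whoami", "SHA256": "00" * 32},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\WinWord.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\WinWord.exe /SvcLoad", "SHA256": WINWORD_SHA256},
    {"EventType": "ProcessCreate",                   # benign Word launch: must not fire
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\a\report.docx"',
     "SHA256": "11" * 32},
    {"EventType": "ServiceInstall", "Name": "ASProxys"},
    {"EventType": "TaskCreate", "Name": "CertificatePropagatione"},
    {"EventType": "DnsQuery", "QueryName": "service.symantecsecuritycloud.com"},
    {"EventType": "DnsQuery", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The hash rule is a weak signal on its own: the report lists it as the WinWord.exe binary the actor ships for side-loading, so a match on a copy running outside the Office install directory is what matters, and the command-line and parent/child rules carry the detection. The task-name rule is exact-match on purpose; the actor's "CertificatePropagatione" is one character away from the legitimate CertPropSvc display name, so fuzzy matching would drown the hit in benign noise.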