{ "id": "1d6e75a5-afc0-4460-94fe-02d910410bbe", "created_at": "2026-04-06T00:15:36.020997Z", "updated_at": "2026-04-10T03:30:45.973885Z", "deleted_at": null, "sha1_hash": "51bab90125f0ed861f97718ff84e994c64cf1bb9", "title": "Earth Ammit - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46086, "plain_text": "Earth Ammit - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 15:16:20 UTC\r\n APT group: Earth Ammit\r\nNames Earth Ammit (Trend Micro)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2022\r\nDescription\r\n(Trend Micro) Earth Ammit, a threat actor linked to Chinese-speaking APT groups, launched\r\ntwo waves of campaigns from 2023 to 2024. The first wave, VENOM, mainly targeted\r\nsoftware service providers, and the second wave, TIDRONE mainly targeted the military\r\nindustry. In its VENOM campaign, Earth Ammit's approach involved penetrating the upstream\r\nsegment of the drone supply chain.\r\nIn the VENOM campaign, the threat actors primarily relied on open-source tools due to low\r\ncost and difficult tracking. They shifted to custom-built tools like CXCLNT and CLNTEND in\r\nthe TIDRONE campaign for cyberespionage purposes.\r\nVictims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and\r\nSouth Korea, affecting a range of industries including military, satellite, heavy industry, media,\r\ntechnology, software services, and healthcare sectors. Earth Ammit’s long-term goal is to\r\ncompromise trusted networks via supply chain attacks, allowing them to target high-value\r\nentities downstream and amplify their reach. Organizations that fall prey to these attacks are\r\nalso at risk of data theft, including exfiltration of credentials and screenshots.\r\nObserved Countries: Canada, South Korea, Taiwan.\r\nTools used\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/25/e/earth-ammit.html\u003e\r\nLast change to this card: 27 June 2025\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9baa2e3f-96f6-46d7-b7e4-af92771343d3\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=9baa2e3f-96f6-46d7-b7e4-af92771343d3\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=9baa2e3f-96f6-46d7-b7e4-af92771343d3" ], "report_names": [ "showcard.cgi?u=9baa2e3f-96f6-46d7-b7e4-af92771343d3" ], "threat_actors": [ { "id": "7f0f8bbd-b91a-4e0d-9717-7ba87a101eb6", "created_at": "2024-09-20T02:00:04.568566Z", "updated_at": "2026-04-10T02:00:03.691713Z", "deleted_at": null, "main_name": "TIDRONE", "aliases": [ "Earth Ammit" ], "source_name": "MISPGALAXY:TIDRONE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "be5d552a-cb31-4c76-be8a-9b01e8914109", "created_at": "2025-06-29T02:01:56.980287Z", "updated_at": "2026-04-10T02:00:04.659383Z", "deleted_at": null, "main_name": "Earth Ammit", "aliases": [], "source_name": "ETDA:Earth Ammit", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "21268fa8-7e4a-4cee-bb4f-cd26f9ae3de6", "created_at": "2024-10-25T02:02:07.979938Z", "updated_at": "2026-04-10T02:00:04.937108Z", "deleted_at": null, "main_name": "TIDRONE", "aliases": [], "source_name": "ETDA:TIDRONE", "tools": [ "CLNTEND", "CXCLNT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434536, "ts_updated_at": 1775791845, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/51bab90125f0ed861f97718ff84e994c64cf1bb9.pdf", "text": "https://archive.orkl.eu/51bab90125f0ed861f97718ff84e994c64cf1bb9.txt", "img": "https://archive.orkl.eu/51bab90125f0ed861f97718ff84e994c64cf1bb9.jpg" } }