{
	"id": "f656f02f-1f21-492a-8228-2d26588580ea",
	"created_at": "2026-04-06T00:12:25.955693Z",
	"updated_at": "2026-04-10T13:12:30.3819Z",
	"deleted_at": null,
	"sha1_hash": "959f62138d7e56452daa42d08f179405b58f7d36",
	"title": "Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1718138,
	"plain_text": "Analysis on the Case of TIDRONE Threat Actor's Attacks on Korean Companies - ASEC\r\nBy ATCP\r\nPublished: 2024-12-12 · Archived: 2026-04-05 12:50:42 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has recently identified that the TIDRONE threat actor is launching attacks against companies. In the attack cases, Enterprise Resource Planning (ERP) software was exploited to install a backdoor malware called CLNTEND.\r\nTIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers. Trend Micro first reported on TIDRONE in September 2024. [1] TIDRONE, which is known to be associated with a Chinese-speaking threat group, targets multiple regions in addition to Taiwan. The group installs backdoor malware called CXCLNT and CLNTEND by exploiting Enterprise Resource Planning (ERP) software and UltraVNC, a remote desktop software.\r\nASEC has confirmed that the CLNTEND malware was used in attacks against Korean companies in the first half of 2024. Since July 2024, the group has also been exploiting Korean ERP software. Given that these ERP products have no official websites and only a limited number of users, they are likely developed by small companies and distributed to a few Korean companies.\r\nFigure 1. CLNTEND Installed with ERP\r\n1. Attack Vector\r\nThe distribution method of the attack identified in the first half of 2024 has not been confirmed. However, it is known that the attack used DLL side-loading with “winword.exe”, as described in the Trend Micro report. From July 2024, there have been two main types of cases where malware was distributed through ERP.\r\nThe first type appears to involve an ERP from a small development company in Korea. The developer is assumed to customize and provide the ERP for each client. The legitimate ERPs from this company, which are identified on AhnLab Smart Defense (ASD), are about 20 MB in size. On the other hand, all the malware samples used in attacks are about 4 MB in size.\r\nhttps://asec.ahnlab.com/en/85119/\r\nPage 1 of 7\r\nFigure 2. Cases of attacks exploiting ERP\r\nAlthough the malware directly distributed by the threat actor was not collected, the “VsGraphicsDesktopEngine.exe” created by this malware is a legitimate program used in another DLL side-loading case, which will be covered later. TIDRONE’s loader malware is consistently found in the following paths.\r\n%ProgramFiles%\\microsoft office\\wwlib.dll\r\n%SystemDrive%\\3dp\\edition\\wwlib.dll\r\n%ProgramFiles%\\intel\\intel(r) serial io\\lang\\hr-hr\\wwlib.dll\r\nThe second type is the case where the distribution of actual malware was confirmed. This is another case involving the ERP of a Korean company, and like the first case, there is no official website for this product. As in the first case, the threat actor uploaded different versions of the malware for different clients. While one client received a legitimate version of the ERP, the file was later switched to a dropper that installed both the ERP and CLNTEND.\r\nFigure 3. CLNTEND downloaded from the ERP distribution server\r\n2. Malware Analysis\r\nThe malware installed through the above attack consists of a legitimate executable, a DLL responsible for loading, and an encrypted CLNTEND. After distribution, the legitimate executable is run; it loads the malicious DLL distributed in the same path through DLL side-loading, and that DLL ultimately decrypts and executes another file in memory.\r\nFigure 4. Operation flow chart\r\nThe most exploited executable files are Microsoft Word and VsGraphicsDesktopEngine.exe, and recently, rc.exe has been exploited.\r\nExecutable File | DLL Name | Data File Name\r\nwinword.exe | wwlib.dll | gimaqkwo.iqq\r\nVsGraphicsDesktopEngine.exe | vsgraphicsproxystub.dll | opt.dat\r\nrc.exe | rcdll.dll | wctE5ED.tmp\r\nN/A | jli.dll | cxufejc.abu, thaxdle.fxm\r\nN/A | iviewers.dll | opt.dat, tmplog\r\nTable 1. DLL Side-Loading\r\nVarious loader malware are used in the attack process, and the threat actors have created various types of loaders to hinder analysis. The loader covered by Trend Micro overwrites the Fiber structure to hinder analysis. The recent malware also uses obfuscation techniques, and it is characterized by using FlsCallback to decrypt the encrypted data file “wctE5ED.tmp”.\r\nFigure 5. Decryption routine using FlsCallback\r\nCLNTEND is a RAT malware. According to the report by Trend Micro, it has been used in attacks along with CXCLNT. Unlike CXCLNT, CLNTEND is known to support various communication protocols such as TCP (raw socket, WebSocket), TLS, HTTP, HTTPS, and SMB.\r\nFigure 6. Class names of CLNTEND\r\nThe threat actors also distributed Loader, encrypted data, and Launcher malware. The Launcher is responsible for executing files in a specific path. Its hard-coded path names allow the installation path and file name of the malware to be estimated.\r\nType | Execution Path\r\nType A | C:\\AMD\\Chipset_SoftWare\\VsGraphicsDesktopEnginese.exe\r\nType B | C:\\NVIDIA\\DisplayDriver\\rc.exe\r\nType B | C:\\NVIDIA\\nForceWin7Vista64Int\\rc.exe\r\nType B | C:\\NVIDIA\\GLCache\\rc.exe\r\nType B | C:\\AMD\\Chipset_Software\\rc.exe\r\nType C | “C:\\ProgramData\\Microsoft OneDrive\\setup\\nir.exe” exec hide cdb.exe -pd -cf “C:\\ProgramData\\Microsoft OneDrive\\setup\\dbglog.dat” dllhost\r\nType D | C:/******/*****/Application/de/oleview.exe\r\nTable 2. Execution paths of Launcher\r\n3. Conclusion\r\nThe activities of the TIDRONE threat actor, known for attacking defense companies in Taiwan, are continuously being identified in South Korea. The recently identified attack cases involve the exploitation of ERPs that are suspected to have been created by small-scale development companies.\r\nUsers must control access from threat actors by using security products. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Trojan/Win.Loader.R679179 (2024.11.11.00)\r\n– Trojan/Win.Loader.R679207 (2024.11.11.00)\r\n– Trojan/Win.Loader.R681991 (2024.11.16.03)\r\n– Trojan/Win.Agent.C5628462 (2024.05.31.02)\r\n– Trojan/Win.Loader.C5666988 (2024.09.08.03)\r\n– Trojan/Win.Launcher.C5666991 (2024.09.08.03)\r\n– Trojan/Win.Loader.C5666994 (2024.09.10.00)\r\n– Dropper/Win.Agent.C5692128 (2024.11.10.03)\r\n– Trojan/Win.Launcher.C5692134 (2024.11.11.00)\r\n– Trojan/Win.Loader.C5692141 (2024.11.11.00)\r\n– Data/BIN.EncPe (2024.11.11.03)\r\n– Data/BIN.Shellcode (2024.05.29.02)\r\nMD5\r\n11529c342d150647a020145da873ea98\r\n127c722bf973d850ee085ab863257692\r\n26ff6fac8ac83ece36b95442f5bb81ce\r\n30c0796aa5d7ba9ea3790a0210ec9840\r\n314f239e2ba3fbf6b9e6b4f13ee043e7\r\nFQDN\r\nac[.]metyp9[.]com\r\nserver[.]microsoftsvc[.]com\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/85119/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/85119/"
	],
	"report_names": [
		"85119"
	],
	"threat_actors": [
		{
			"id": "7f0f8bbd-b91a-4e0d-9717-7ba87a101eb6",
			"created_at": "2024-09-20T02:00:04.568566Z",
			"updated_at": "2026-04-10T02:00:03.691713Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [
				"Earth Ammit"
			],
			"source_name": "MISPGALAXY:TIDRONE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21268fa8-7e4a-4cee-bb4f-cd26f9ae3de6",
			"created_at": "2024-10-25T02:02:07.979938Z",
			"updated_at": "2026-04-10T02:00:04.937108Z",
			"deleted_at": null,
			"main_name": "TIDRONE",
			"aliases": [],
			"source_name": "ETDA:TIDRONE",
			"tools": [
				"CLNTEND",
				"CXCLNT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/959f62138d7e56452daa42d08f179405b58f7d36.pdf",
		"text": "https://archive.orkl.eu/959f62138d7e56452daa42d08f179405b58f7d36.txt",
		"img": "https://archive.orkl.eu/959f62138d7e56452daa42d08f179405b58f7d36.jpg"
	}
}