Disruption of Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

May 21, 2025, 7:31 p.m.

Description

Earth Ammit, a Chinese-linked threat actor, conducted two campaigns targeting drone supply chains in Taiwan and South Korea from 2023 to 2024. The VENOM campaign focused on software service providers using open-source tools, while TIDRONE targeted military industries with custom malware. Their tactics included supply chain attacks, credential theft, and cyberespionage. Victims spanned military, satellite, heavy industry, media, technology, and healthcare sectors. Earth Ammit's goal was to compromise trusted networks for downstream attacks. They employed evolving techniques like fiber-based evasion and custom backdoors CXCLNT and CLNTEND. The campaigns showed progression from broad, low-cost tools to tailored capabilities for sensitive targets.

External References

https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
https://otx.alienvault.com/pulse/6823927586bc5e69008837fe
Tags
south korea
taiwan
supply chain attack
2025-05-13
drone industry
venom campaign
custom backdoor
screencap
fiber-based
clntend
venfrpc
cxclnt
tidrone campagin
military sector

Date

  • Created: May 13, 2025, 6:41 p.m.
  • Published: May 13, 2025, 6:41 p.m.
  • Modified: May 21, 2025, 7:31 p.m.

Indicators

  • f3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3
  • db600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18
  • f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7
  • 8907907a571a90c28ae72c10945f626fd22a6f587f664a6b86ad3a8f344f1aae
  • c3c4443c3fee858e71fb8017288d9f3b79b2ae0f3f37f93d373765261b299d46
  • 74096848382ffb86a5ff0c7811b9867ad97f83d3f406b2c5aa9f357e1619fe21
  • 827142f772c39bd7f4c468bcfc096ea857b4d2939c606460424af836a045f696
  • 73372378dd3c5455b466a61d5807b903ed6c1d9284628b9b7480ccd49cc15635
  • 589d4a751e079ec6792ccabc39df36c3d43a3a34376d38d2eec2e36e32b2c7aa
  • 40bcd87bcd851c5c2d6e5c901c59312d480eed58b4ebb2981607c0d80c27b529
  • 5235fecd3e1449ba9f78a25ddb89948a638484411a7bf91af3bb4d1b159f255a
  • 37949e1f0eabbf6726ba79a707a9b471ec1fa160080f9b1effd01ea35f795fd7
  • 2f2d4cc6266fe1671fa03737059622e03466a80d43a0342bff21b73c7aa5419a
  • 24fabd3a74c6d24acb7c7f6ed254df0ba125b321772abacb692be5b6c687e651
  • 1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e
  • 19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a
  • 1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8
  • 0f26a1042a74d0990e53587f97c63450763fba4af39d635e29ddcf6b0091d8ea
  • 0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f
  • 45.121.50.30
  • 45.121.50.185
  • 103.61.139.60
  • time.vmwaresync.com
  • service.symantecsecuritycloud.com
  • server.microsoftsvc.com
  • client.wns.windowswns.com
  • ac.metyp9.com
  • fghytr.com
  • fuckeveryday.life
Download all indicators here!

Attack Patterns

  • VENFRPC
  • CLNTEND
  • CXCLNT

Additional Informations

  • Technology
  • Healthcare
  • Media
  • Defense
  • Manufacturing
  • Taiwan
  • Canada