Introduction:
A formidable threat is on the rise in the world of cybersecurity. The Earth Ammit advanced persistent threat (APT) group has launched a new wave of highly targeted cyberattacks, raising serious concerns within global defense and technology communities. Known for its stealthy tactics and sophisticated malware, Earth Ammit has focused its operations on critical infrastructure, particularly in the military drone supply chain sector. Through two major campaigns—VENOM and TIDRONE—spanning 2023 to 2024, the group has evolved its methods dramatically, shifting from open-source tools to custom-built memory-resident malware. This escalating threat highlights the urgent need for nations and organizations to enhance their cyber defenses, particularly within sensitive supply chains that are often overlooked yet critically vulnerable.
VENOM and TIDRONE Campaigns: An Escalating Cyber Threat
The Earth Ammit group, believed to be aligned with Chinese-speaking cyber actors, executed two back-to-back campaigns—VENOM and TIDRONE—that marked a disturbing evolution in digital espionage tactics.
In the VENOM campaign, the attackers mounted upstream supply chain attacks against drone service providers. Their weapons of choice were open-source proxies and remote access tools, which let the group blend into legitimate network activity and resist attribution. VENOM reached several industries (technology, healthcare, media, and software services) with a heavy focus on Taiwan and South Korea. Such commodity tools are easy to mistake for administrative activity, which delayed initial detection while enabling broad infiltration.
TIDRONE represented a significant tactical escalation. Instead of piggybacking on open-source tooling, Earth Ammit deployed custom, proprietary malware. Key tools included the CXCLNT and CLNTEND backdoors: modular, in-memory implants capable of real-time espionage and evasive operation. Initial access was typically obtained through compromised legitimate vendors, a classic supply chain scenario that makes the intrusions harder to trace and prevent.
Researchers discovered that victims often shared the same enterprise resource planning (ERP) software, suggesting a common compromised vendor. The malware then spread laterally from these upstream suppliers to critical downstream targets such as military and satellite systems.
The group’s tooling also evolved technically. Earth Ammit used fiber-based execution (the SwitchToFiber and FlsAlloc Windows APIs) to run payload code on a fiber instead of a newly created thread. Because fibers are scheduled in user mode inside an existing thread, no thread-creation event is generated and detections keyed to thread start addresses see nothing unusual; FlsAlloc additionally registers a fiber-local-storage callback that the system invokes later, giving a second indirect path into attacker code. These techniques were paired with privilege escalation, credential theft, and the disabling of endpoint defenses with tools such as TrueSightKiller.
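One practical way to hunt the fiber technique described above is to check where a fiber start routine or FLS callback points: legitimate fibers run code that lives in a loaded module, whereas an in-memory implant registers callbacks into private, unbacked memory. The script below is an added example, not code from the Earth Ammit report or from any EDR product; the module ranges and API-call records are constructed sample telemetry, and the field names (`pid`, `api`, `addr`) are assumed rather than taken from any real sensor format.

```python
"""Heuristic: flag CreateFiber/FlsAlloc callbacks that point outside every loaded module.

Added illustrative example. MODULES and EVENTS below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ModuleRange:
    """One image-backed mapping in the target process (module name, base, size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# APIs whose argument is an address the system will later jump to:
# the fiber start routine (CreateFiber/CreateFiberEx) or the FLS destructor (FlsAlloc).
CALLBACK_APIS = {"CreateFiber", "CreateFiberEx", "FlsAlloc"}

# Constructed module list for a fictional 64-bit process (assumption: two modules loaded).
MODULES = [
    ModuleRange("app.exe", 0x0000000140000000, 0x00100000),
    ModuleRange("kernel32.dll", 0x00007FF8A0000000, 0x000B0000),
]

# Constructed API-call records in the shape an EDR sensor might emit (field names assumed).
EVENTS = [
    {"pid": 4120, "api": "ConvertThreadToFiber", "addr": None},
    {"pid": 4120, "api": "CreateFiber", "addr": 0x0000000140001A20},   # inside app.exe: benign
    {"pid": 4120, "api": "FlsAlloc", "addr": 0x000001F3C2A40000},      # private region: suspicious
    {"pid": 4120, "api": "CreateFiber", "addr": 0x000001F3C2A41000},   # same region: suspicious
    {"pid": 4120, "api": "SwitchToFiber", "addr": None},
    {"pid": 6008, "api": "CreateFiber", "addr": 0x00007FF8A0011000},   # inside kernel32.dll: benign
]


def backing_module(addr: int, modules: Iterable[ModuleRange]) -> Optional[str]:
    """Return the name of the module containing addr, or None if addr is unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def unbacked_callbacks(events, modules):
    """Return [(pid, api, addr)] for callback registrations pointing outside any module."""
    findings = []
    for ev in events:
        if ev["api"] in CALLBACK_APIS and ev["addr"] is not None:
            if backing_module(ev["addr"], modules) is None:
                findings.append((ev["pid"], ev["api"], ev["addr"]))
    return findings


def flag_processes(events, modules):
    """Return {pid: number of unbacked callback registrations} for every pid with at least one."""
    counts = {}
    for pid, _api, _addr in unbacked_callbacks(events, modules):
        counts[pid] = counts.get(pid, 0) + 1
    return counts


if __name__ == "__main__":
    for pid, api, addr in unbacked_callbacks(EVENTS, MODULES):
        print(f"pid {pid}: {api} registered a callback at {addr:#x} outside any loaded module")
    print(flag_processes(EVENTS, MODULES))
```

In a real deployment the module list comes from the process's loaded-module enumeration at the time of the call, and the callback address from the API argument captured by the sensor. JIT runtimes and packers also register callbacks into unbacked memory, so treat a hit as a hunting lead to be correlated with the other indicators on this page (RWX allocations, credential access, driver-based EDR tampering) rather than as a standalone verdict.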
VENOM used mostly open-source components with a single custom tool, VENFRPC, while TIDRONE’s toolkit included the SCREENCAP screen-capture tool and more complex backdoor frameworks. The malware’s command-and-control channels, ranging from HTTPS to SMB and WebSocket, were encrypted and varied between victims to further obscure data exfiltration.
Attribution remains inconclusive, but signs strongly suggest ties to Chinese-speaking threat actors, potentially the group known as Dalbit. Commonalities in infrastructure, victim profiles, and timelines between the two campaigns reinforce the theory of a single orchestrating entity.
The campaigns spotlight the growing threat of advanced APTs targeting not just frontline organizations, but their suppliers and partners—often the weakest link in the security chain.
What Undercode Say:
Earth Ammit’s recent campaigns are a case study in modern cyber warfare—where the goal is not immediate damage, but stealthy, long-term surveillance and strategic advantage. These attacks weren’t chaotic bursts of intrusion. They were quiet, calculated, and methodically executed.
VENOM’s reliance on open-source tools was no accident. It’s a clever method for blending in. The use of legitimate software, with just one bespoke malware component, allowed the group to infiltrate systems without raising red flags. It was a trial run—measuring detection response and laying the groundwork for more advanced strikes.
TIDRONE, on the other hand, marked the weaponization of that reconnaissance. The custom-built CXCLNT and CLNTEND backdoors were clearly tailored for espionage within high-security environments. These backdoors aren’t generic. They are modular, memory-resident, and designed to be flexible—loaded with plugins that can be activated on demand depending on the target’s value.
What’s truly concerning is the malware’s use of fiber-based API calls. These obscure execution paths and avoid traditional monitoring. Such techniques signal a level of engineering excellence often associated with nation-state actors. They also highlight how outdated traditional antivirus tools have become in the face of these evolving threats.
Supply chain attacks, like those employed here, are no longer rare—especially not in the Asia-Pacific region. The shared ERP platform found across affected organizations is a chilling reminder of how interconnected, and therefore vulnerable, modern systems are. One breach can ripple across multiple critical infrastructures.
Earth
This
Ultimately, Earth
Fact Checker Results:
✅ No confirmed data breaches or leaks reported—stealth remained the goal
✅ Attribution strongly leans toward Chinese-speaking actors, but not officially confirmed
✅ Fiber-based techniques and modular backdoors are aligned with APT-level tactics
Prediction:
As Earth Ammit and similar groups refine their tools and tactics, we’re likely to see more memory-resident malware and modular espionage platforms targeting not just military supply chains, but also civilian critical infrastructure like power grids, satellite communications, and smart city platforms. The sophistication of these tools suggests that the next phase of cyber conflict will be fought silently—through software dependencies and third-party vulnerabilities—not guns or missiles. Expect increased government collaboration with private vendors to enforce tighter third-party risk assessments and real-time behavioral monitoring within complex supply chains.
References:
Reported By: cyberpress.org