Earth Ammit, a group associated with Chinese-speaking APT actors, conducted two waves of targeted attacks in 2023-2024. The first campaign, known as Venom, targeted software service suppliers, while the second, called Tidrone, focused on defense industry enterprises. Both attacks exploited supply chain weaknesses, with Venom targeting the drone ecosystem and Tidrone focusing on military and satellite solution vendors.
Initially, Earth Ammit relied on freely available tools to minimize costs and make tracking harder. During the Tidrone campaign, however, the group switched to its own tools, the CXCLNT and CLNTEND backdoors, to carry out more discreet and targeted espionage.
The organizations targeted by Earth Ammit were predominantly located in Taiwan and South Korea, including suppliers of drones, media companies, technology firms, heavy industry enterprises, as well as satellite and medical industry companies. The group’s primary strategy involved infiltrating trusted supply chains to gain access to more valuable end organizations.
During the investigation of the Tidrone campaign in July 2024, researchers noticed that several affected organizations used the same ERP software, which led to the identification of the earlier Venom attack. These findings were presented at the Black Hat Asia 2025 conference.
Venom relied on conventional tactics: exploiting vulnerable web servers to implant web shells, then using open-source proxies and RAT tools to maintain a foothold on the compromised systems. The primary objective was to obtain NTDS (the Active Directory credential database) and compromise systems further down the supply chain, paving the way for the Tidrone campaign.
Tidrone was executed in three stages. The initial phase launched the attacks through compromised suppliers, distributing infected programs via trusted channels. This was followed by the deployment of the CXCLNT and CLNTEND backdoors, which were loaded into system processes after bypassing UAC and escalating privileges. The final stage covered post-exploitation activity such as password dumping, screenshots, disabling antivirus, and information gathering.
A notable aspect of Tidrone was its extensive use of fiber-based techniques, from SwitchToFiber to FlsAlloc, combined with exception handling, which complicated analysis and detection. These techniques appeared around the same time that talks on them were given at Black Hat USA and Black Hat Asia, suggesting a possible link to the group's operations.
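As an added example (not code from the original report or from Trend Micro), the following Python triage helper illustrates how a defender can surface the fiber, FLS and exception-handling API names mentioned above when reviewing a suspicious binary. It extracts printable ASCII and UTF-16LE strings from a byte blob, the way `strings` does, and scores how many of the three API families appear. The watchlist of API names, the scoring tiers and the two sample blobs are assumptions constructed for this example; fiber APIs on their own are also used by legitimate coroutine runtimes, so the result is a review prompt, not an attribution.

```python
import re
from typing import Dict, List

# Watchlist of documented Windows API names. SwitchToFiber and FlsAlloc come from the
# text above; the rest are their documented companions. This list is an assumption of
# this example, not an indicator list from the original report.
FIBER_APIS = ["CreateFiber", "CreateFiberEx", "ConvertThreadToFiber",
              "ConvertThreadToFiberEx", "SwitchToFiber", "DeleteFiber"]
FLS_APIS = ["FlsAlloc", "FlsSetValue", "FlsGetValue", "FlsFree"]
EXCEPTION_APIS = ["AddVectoredExceptionHandler", "SetUnhandledExceptionFilter",
                  "RaiseException", "RtlAddFunctionTable"]


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters,
    roughly what `strings -a` and `strings -el` would produce together."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def score_fiber_tradecraft(blob: bytes) -> Dict[str, object]:
    """Count which of the three API families appear as whole strings in the blob.
    Only the combination of all three reaches the top tier, because fiber APIs
    alone are common in benign software."""
    names = set(extract_strings(blob))
    hits = {
        "fiber": sorted(n for n in FIBER_APIS if n in names),
        "fls": sorted(n for n in FLS_APIS if n in names),
        "exception": sorted(n for n in EXCEPTION_APIS if n in names),
    }
    categories = sum(1 for family in hits.values() if family)
    if categories == 3:
        verdict = "review: fiber+FLS+exception-handling combination"
    elif hits["fiber"]:
        verdict = "note: fiber APIs present"
    else:
        verdict = "no fiber-related indicators"
    return {"hits": hits, "categories": categories, "verdict": verdict}


# Constructed sample blobs (not real malware): an import-name region with ASCII
# names, one UTF-16LE name, and a benign region with only common loader APIs.
SUSPECT_SAMPLE = (
    b"\x00\x10ConvertThreadToFiber\x00SwitchToFiber\x00FlsAlloc\x00\x00"
    + "AddVectoredExceptionHandler".encode("utf-16-le")
    + b"\x00\x00kernel32.dll\x00"
)
BENIGN_SAMPLE = b"MZ\x90\x00GetProcAddress\x00LoadLibraryA\x00kernel32.dll\x00"

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_fiber_tradecraft(sample))
```

To use it on a real file, read the file as bytes and pass it to `score_fiber_tradecraft`; the `hits` dictionary tells the analyst which names to look for in the import table or in dynamic resolution code, and packed or obfuscated samples that resolve APIs at runtime will naturally score low on strings alone.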