Trend Micro researchers exposed a sophisticated cyber espionage campaign orchestrated by a threat actor dubbed Earth Ammit, which has been operating with precision since late 2023. The group has strategically targeted government entities and critical infrastructure across Southeast Asia, Central Asia, and Eastern Europe, using a custom arsenal of tools and a stealthy infection chain that leverages public cloud infrastructure.
The cybersecurity firm’s analysis, released on Tuesday, revealed that Earth Ammit launched two distinct waves of cyber espionage campaigns between 2023 and 2024. The first wave, dubbed VENOM, primarily targeted software service providers and upstream vendors across several critical sectors, including heavy industry, media, technology, and healthcare. In this phase, Earth Ammit focused on infiltrating the upstream segment of the drone supply chain, aiming to compromise key components before they reached end users.
The second wave, identified as TIDRONE, shifted focus toward the military industry, signaling a tactical evolution in the threat actor’s targeting strategy. Together, these campaigns illustrate Earth Ammit’s calculated efforts to exploit high-value sectors and critical supply chains to gain long-term strategic advantage.
“In the VENOM campaign, the threat actors primarily relied on open-source tools due to low cost and difficult tracking. They shifted to custom-built tools like CXCLNT and CLNTEND in the TIDRONE campaign for cyberespionage purposes,” Pierre Lee, Vickie Su, and Philip Chen, Trend Micro researchers, wrote in a company blog post. “Victims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and South Korea, affecting a range of industries including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.”
They added that Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach. Organizations that fall prey to these attacks are also at risk of data theft, including exfiltration of credentials and screenshots.
“Incorporating findings from the TIDRONE report published by AhnLab, the campaign’s victimology was primarily concentrated in Taiwan and South Korea, affecting organizations across various sectors, including heavy industry, media, technology, software services, healthcare, satellite and drone vendors, military-related suppliers, and payment service providers,” the post noted. “In Taiwan, our telemetry indicated that several infected entities had close ties to the military and drone industry, leading to the initial assessment that the operation may have been specifically targeting the drone sector – an assumption that informed the direction of the subsequent investigation.”
Supply chain attacks typically involve compromising trusted vendors or service providers to gain access to downstream targets. The analysis of the VENOM and TIDRONE campaigns identified two distinct types of supply chain attack techniques, each employing unique tactics and carrying different operational implications.
In a classic supply chain attack, threat actors inject malicious code into legitimate software or replace software update packages with tampered versions. These compromised executables are then delivered to downstream customers under the guise of legitimate software. This traditional approach relies on the attacker’s ability to insert or replace code within the victim’s supply chain pipeline.
However, when code injection or update replacement is not feasible, attackers may adopt an alternative strategy. By compromising upstream vendors, they can leverage trusted communication channels, such as remote monitoring or IT management tools, to distribute malware across connected environments. This method, which Trend Micro refers to as a general supply chain attack, enables lateral movement from the upstream vendor to downstream targets without altering any software artifacts.
Both VENOM and TIDRONE campaigns employed a combination of these techniques. This underscores the evolving nature of supply chain threats and the importance of monitoring not only software integrity but also trusted network relationships and administrative access points within partner ecosystems.
Initially, the attackers targeted service providers, injecting malicious code and distributing malware to downstream customers through trusted channels, as in the VENOM campaign. This entire process served as the initial access stage for the TIDRONE campaign.
“In the second stage, the threat actors spread the customized backdoor for cyberespionage,” the post added. “Our research supposed that the same loader can load two different kinds of payloads, which are backdoor CXCLNT and CLNTEND.”
The researchers said that in the VENOM campaign, “we observed a customized FRPC called VENFRPC that is slightly different from what we usually see on GitHub, as the configuration is directly embedded into the file itself. From this configuration format, we can see that the attacker tends to use the victim’s identification details to make it easier to recognize their targets.”
Trend Micro’s investigation into the VENOM and TIDRONE campaigns reveals several key trends in Earth Ammit’s evolving tradecraft. First, the group has shown a growing reliance on fiber-based evasion techniques across its malware arsenal—an approach aimed at more effectively bypassing traditional detection mechanisms.
Second, both campaigns demonstrate the use of supply chain attacks executed in two distinct waves, underscoring the adversary’s long-term objective of infiltrating trusted networks to access high-value targets. Ongoing monitoring of their infrastructure and toolset remains critical to anticipating future activity.
In the VENOM campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility, low cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward deploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth in targeting sensitive sectors.
This progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access, then pivot to tailored capabilities for more targeted and impactful intrusions. Understanding this operational pattern will be critical in predicting and defending against future threats from this actor.
Trend Micro emphasized that mitigating the risk of supply chain attacks requires a comprehensive third-party risk management approach. This includes evaluating vendor security practices, verifying software integrity through Software Bills of Materials (SBOMs), enforcing code signing protocols, and continuously monitoring the behavior of third-party software. Additional safeguards involve timely patch management, network segmentation for vendor systems, incorporating third-party breach scenarios into incident response planning, and adopting a zero trust architecture to authenticate every connection within the environment.
To counter fiber-based evasion techniques, organizations are advised to closely monitor the use of fiber-related APIs to flag anomalous activity. Strengthening endpoint detection and response (EDR) capabilities to recognize fiber-based execution patterns, alongside enhanced behavioral monitoring, can help identify the subtle indicators often associated with this evasive malware technique.
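The report recommends monitoring fiber-related APIs but names no specific samples or indicators, so the following is an added triage example, not Trend Micro's tooling or anything from the Earth Ammit toolset. It scans a binary's bytes for the NUL-terminated ASCII names of the Windows fiber APIs (ConvertThreadToFiber, CreateFiber, SwitchToFiber and their variants) as they appear in an unpacked PE's import name table, and raises the verdict when the full execution pattern (memory allocation plus fiber creation plus a switch) is present. The risk tiers and the sample byte strings are assumptions constructed for the example; packed samples or loaders that resolve imports by hash will not be caught, which is why the text pairs this kind of check with EDR behavioral monitoring.

```python
"""Triage scan for Windows fiber API names in a binary.

Added example (not Trend Micro's or Earth Ammit's code). It looks for the
ASCII names of the fiber APIs that a fiber-based loader needs, in the form
used by a PE import name table (hint bytes followed by a NUL-terminated
name). Packed samples or samples that resolve imports by hash are missed;
this is a cheap first pass for hunting, not a verdict.
"""
import re
from pathlib import Path

# Fiber APIs exported by kernel32.dll (assumption: the loader imports them
# by name rather than resolving them at runtime).
FIBER_APIS = {
    "ConvertThreadToFiber", "ConvertThreadToFiberEx", "ConvertFiberToThread",
    "CreateFiber", "CreateFiberEx", "SwitchToFiber", "DeleteFiber",
}

# Companion APIs commonly seen next to fiber-based shellcode execution:
# allocate executable memory, wrap it in a fiber, then switch to it instead
# of creating a thread that an EDR would observe.
MEMORY_APIS = {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect"}


def find_api_names(data: bytes, wanted: set) -> set:
    """Return the members of `wanted` that occur in `data` as NUL-terminated
    ASCII names not glued to a preceding identifier character."""
    found = set()
    for name in wanted:
        pattern = rb"(?<![A-Za-z0-9])" + re.escape(name.encode("ascii")) + rb"\x00"
        if re.search(pattern, data):
            found.add(name)
    return found


def classify(fiber_apis: set, memory_apis: set) -> str:
    """Map the observed API sets to an assumed triage tier."""
    creates = {"CreateFiber", "CreateFiberEx"} & fiber_apis
    switches = "SwitchToFiber" in fiber_apis
    if creates and switches and memory_apis:
        return "high"    # allocate memory, create a fiber over it, switch to it
    if creates and switches:
        return "medium"  # fiber execution present, no obvious allocation API
    if fiber_apis:
        return "low"     # partial use; many runtimes use fibers legitimately
    return "none"


def scan_bytes(data: bytes) -> dict:
    """Scan a blob and return the matched names plus the triage tier."""
    fiber = find_api_names(data, FIBER_APIS)
    mem = find_api_names(data, MEMORY_APIS)
    return {
        "fiber_apis": sorted(fiber),
        "memory_apis": sorted(mem),
        "verdict": classify(fiber, mem),
    }


def scan_file(path: str) -> dict:
    """Scan a file on disk."""
    return scan_bytes(Path(path).read_bytes())


# Constructed samples (not real malware): fragments shaped like import name
# table entries, i.e. two hint bytes then a NUL-terminated function name.
SAMPLE_LOADER = (
    b"\x41\x02CreateFiber\x00\x10\x03SwitchToFiber\x00"
    b"\x21\x05VirtualAlloc\x00\x1e\x02ConvertThreadToFiber\x00"
)
SAMPLE_BENIGN = b"\x00\x01GetProcAddress\x00\x02\x00LoadLibraryA\x00"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        print("loader sample:", scan_bytes(SAMPLE_LOADER))
        print("benign sample:", scan_bytes(SAMPLE_BENIGN))
```

Run it with file paths as arguments to triage binaries, or with no arguments to scan the two constructed samples. A "high" tier means the file imports the full allocate/create/switch set and deserves a closer look; a "low" tier alone is expected in plenty of legitimate software (language runtimes and game engines use fibers), so the tier is a prioritization hint for analysts rather than a detection.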
Earlier this month, Trend Micro uncovered cyber espionage activities by Earth Alux, a China-linked APT group targeting critical industries in Asia-Pacific and Latin America. Using stealthy and advanced techniques, the group exfiltrates sensitive data while maintaining long-term access to compromised networks, posing serious risks to operations, reputation, and finances.