Security experts have linked Earth Ammit to Chinese-speaking advanced persistent threat (APT) groups. Between 2023 and 2024, the group carried out two major campaigns, showing new tactics and tools that pose serious risks to military and aerospace industries.
Two Campaigns: VENOM and TIDRONE
The first wave, called VENOM, focused on breaching software service providers and technology companies. Attackers exploited web server vulnerabilities to upload web shells. They used open-source tools to stay hidden and maintain access without revealing their identity.
The second wave, named TIDRONE, targeted military-related companies through the upstream supply chain. Victims were mainly from Taiwan and South Korea. Sectors affected include military, satellite, heavy industry, media, technology, software services, and healthcare.
By attacking supply chains, Earth Ammit aimed to reach downstream customers. This method allowed them to extend their attacks to high-value military assets, including drones used in defense.
Attack Techniques and Goals
Researchers at Trend Micro found that Earth Ammit uses two main attack methods:
- Classic supply chain attacks, where malicious code is injected into trusted software.
- General supply chain attacks, where malware is delivered via trusted communication channels without altering software files.
The group’s long-term goal appears to be infiltrating secure networks to access sensitive military technology, especially drone systems used in military operations.
Organizations hit by these attacks face risks such as stolen credentials, data leaks, and ongoing unauthorized access.
Rapid Evolution of Malware Tools
Earth Ammit’s malware has advanced quickly. Their latest backdoor, CLNTEND, introduced in 2024, shows major improvements over its earlier version, CXCLNT.
Both backdoors run in memory to avoid detection. However, CLNTEND operates as a DLL and supports seven communication protocols, while CXCLNT supports only two.
CLNTEND also uses fiber-based evasion. Windows fibers are execution contexts scheduled by the application itself rather than by the kernel, so switching between them does not create a new thread, which is the event many security tools watch for. Using functions such as ConvertThreadToFiber and CreateFiber therefore makes the malware harder to detect.
The following code snippet shows how the malware uses fibers to evade detection:
    hModule = hinstDLL;
    ModuleHandleA = GetModuleHandleA(0);              // base address of the host executable
    // Read the PE header: the DWORD at base+0x3C is e_lfanew, and the DWORD 40 bytes into the
    // NT headers is OptionalHeader.AddressOfEntryPoint, so this stores the host's entry point RVA
    dword_10013300 = *(_DWORD *)((char *)ModuleHandleA + *((_DWORD *)ModuleHandleA + 15) + 40);
    lpFiber = ConvertThreadToFiber(0);                // the current thread becomes a fiber
    Fiber = (char *)CreateFiber(0, (LPFIBER_START_ROUTINE)StartAddress, 0);
    dword_100132C4 = (int)Fiber;
    // Patch a field inside the new fiber's saved state; both the write offset and the stored
    // pointer (sub_10001480 plus a displacement) depend on the entry point XOR 0x10EC
    *(_DWORD *)&Fiber[(dword_10013300 ^ 0x10EC) + 196] = (char *)sub_10001480 + (dword_10013300 ^ 0x10EC);
    SwitchToFiber(Fiber);                             // transfer execution to the patched fiber
Earth Ammit also uses anti-analysis methods, including XOR checks that verify the entry point and an enforced execution order that hinders analysis tools.
In addition, the group uses a screen capture tool called SCREENCAP. This tool is based on open-source code and is used to spy on victims by capturing screenshots and sending them to command and control servers.
Attribution and Defense Measures
File timestamps and command logs suggest the attackers operate in the GMT+8 time zone. Their methods are similar to those used by the Dalbit threat group, which was previously reported by AhnLab.
To defend against such attacks, organizations should:
- Implement third-party risk management programs.
- Monitor for unusual use of fiber-related APIs.
- Strengthen Endpoint Detection and Response (EDR) solutions.
- Adopt a Zero Trust Architecture to verify every connection.
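A defender-side illustration of the "monitor for unusual use of fiber-related APIs" recommendation above, applied to the ConvertThreadToFiber / CreateFiber / SwitchToFiber sequence seen in the CLNTEND snippet. This is an added example, not Trend Micro's or Earth Ammit's code; the telemetry line format, the 5-second window and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# A thread converting itself to a fiber, creating another fiber and switching to it
# within seconds is rare in ordinary software; the full sequence is the review trigger.
FIBER_SEQUENCE = ("ConvertThreadToFiber", "CreateFiber", "SwitchToFiber")
WINDOW = timedelta(seconds=5)
LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(\S+) api=(\S+)$")

# Constructed sample telemetry (not real Earth Ammit data): one API call per line.
SAMPLE_LOG = """\
2024-03-01T10:00:00 pid=1204 image=explorer.exe api=CreateFileW
2024-03-01T10:00:01 pid=3321 image=updater.exe api=ConvertThreadToFiber
2024-03-01T10:00:01 pid=3321 image=updater.exe api=CreateFiber
2024-03-01T10:00:02 pid=3321 image=updater.exe api=SwitchToFiber
2024-03-01T10:00:03 pid=4410 image=word.exe api=CreateFiber
2024-03-01T10:00:04 pid=1204 image=explorer.exe api=ConvertThreadToFiber
2024-03-01T10:05:00 pid=1204 image=explorer.exe api=CreateFiber
2024-03-01T10:05:01 pid=1204 image=explorer.exe api=SwitchToFiber
"""

def parse_line(line):
    """Return (timestamp, pid, image, api), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, image, api = m.groups()
    return datetime.fromisoformat(ts), int(pid), image, api

def detect_fiber_sequences(log_text, window=WINDOW):
    """Map pid -> image for every process completing the fiber sequence within window."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in FIBER_SEQUENCE:
            by_pid[rec[1]].append(rec)
    flagged = {}
    for pid, recs in by_pid.items():
        recs.sort(key=lambda r: r[0])  # chronological; stable for equal timestamps
        stage, start = 0, None  # stage = index of the next expected call
        for ts, _, image, api in recs:
            if stage and ts - start > window:
                stage = 0  # earlier partial sequence timed out; start over
            if api == FIBER_SEQUENCE[stage]:
                if stage == 0:
                    start = ts
                stage += 1
                if stage == len(FIBER_SEQUENCE):
                    flagged[pid] = image
                    break
    return flagged
```

On the sample, only pid 3321 is flagged: pid 4410 makes a single call and pid 1204 spreads the sequence over five minutes, so neither meets the trigger.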
Earth Ammit’s activities highlight the growing threat to drone systems and other military technologies through supply chain attacks. Security experts urge organizations in the defense sector to remain vigilant and improve their cybersecurity measures.