Drone Sector Hit as Chinese Hackers Launch New Attacks


Chinese hackers are targeting the drone industry in Asia using stealthy supply chain attacks. Known as Earth Ammit, the group disrupted key operations in Taiwan and South Korea between 2023 and 2024, according to a new report from Trend Micro.

The attackers launched two major campaigns called Venom and Tidrone. Both were designed to infiltrate upstream vendors, spread malware, and compromise downstream customers. These attacks affected a wide range of industries, including defense, satellite tech, and heavy manufacturing.

In the Venom campaign, Earth Ammit went after technology firms in Taiwan and industrial companies in South Korea. They exploited web server flaws to install malicious webshells. Then, they used open-source remote tools to stay hidden, steal credentials, and move deeper into connected systems.

The Tidrone operation came later and focused on service providers. Hackers injected malicious code into their software and used it to distribute custom malware to clients. Trend Micro says this shift marked a jump in precision and stealth.

Once inside, the group used tools like Cxclnt and Clntend—custom backdoors built to collect data and disable security systems. Other tools included Screencap, which grabs screen images, and Venfrpc, a fast reverse proxy for covert communication.

Earth Ammit also used “fiber-based” evasion techniques to avoid detection. These advanced tactics let them quietly escalate privileges, harvest credentials, and maintain long-term access.

By compromising trusted vendors, the group bypassed traditional defenses. It also proved how a single breach can ripple across entire industries. Trend Micro warns that Earth Ammit’s approach shows why supply chain attacks are among the hardest to detect—and most damaging.

At first, the hackers relied on free, open-source tools to blend in. But over time, they switched to custom malware to better target sensitive systems. This evolution shows how quickly threat actors adapt to stay ahead of defenders.
