

Ethical Hacking News

A Global Cyber Threat Landscape: A Delicate Dance Between Supply Chain Security and Nation-State Espionage




A growing number of organizations across Asia, Europe, and the Americas are under attack from sophisticated cyber espionage campaigns, including those targeting supply chains and high-value assets. Earth Ammit, a group linked to Chinese-speaking nation-state actors, has been involved in two distinct but related campaigns: VENOM and TIDRONE. These campaigns have significant implications for cybersecurity professionals worldwide.

The connection between these campaigns highlights the need for enhanced vigilance among organizations and governments alike. It also underscores the importance of collaboration and information-sharing between nations and industries to counter this emerging threat landscape.


  • The world of cybersecurity is facing a new wave of cyber espionage campaigns targeting Asia, Europe, and the Americas.
  • A Chinese-speaking nation-state actor group called Earth Ammit has been involved in two distinct campaigns: VENOM and TIDRONE, targeting Taiwan and South Korea's military, satellite, and other industries.
  • Earth Ammit penetrated the upstream segment of the drone supply chain to compromise trusted networks via supply chain attacks.
  • The VENOM campaign exploited web server vulnerabilities to drop web shells and install remote access tools for persistent access.
  • A bespoke malware called VENFRPC was observed in the VENOM campaign, which harvested credentials from breached environments.
  • Both VENOM and TIDRONE campaigns share common victims, service providers, and command-and-control infrastructure, indicating a shared threat actor.
  • The TIDRONE campaign involves three stages: initial access, command-and-control, and post-exploitation, using custom malware like CXCLNT and CLNTEND.
  • A new cyber espionage campaign called Swan Vector has been discovered targeting educational institutions and the mechanical engineering industry in Taiwan and Japan.
  • The threat actor behind Swan Vector is believed to be based out of East Asia and uses evasion techniques to avoid leaving traces on the target machine.
  • The recent surge in nation-state attacks highlights the need for enhanced vigilance among organizations and governments alike, as well as collaboration and information-sharing between nations and industries.



The world of cybersecurity is a complex and ever-evolving landscape, where threats come from all corners, including nation-state actors, malicious groups, and rogue individuals. In recent weeks, the threat space has become even more nuanced, with a new wave of cyber espionage campaigns targeting various entities across Asia, Europe, and the Americas.

At the heart of this escalating threat landscape lies a critical vulnerability in supply chain security. According to Trend Micro, a prominent cybersecurity firm, Earth Ammit, a group linked to Chinese-speaking nation-state actors, has been involved in two distinct but related campaigns: VENOM and TIDRONE. These campaigns have targeted various entities across Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.

The VENOM campaign primarily targeted software service providers, while the TIDRONE campaign focused on the military industry. Earth Ammit's approach in both cases involved penetrating the upstream segment of the drone supply chain, with a long-term goal of compromising trusted networks via supply chain attacks. This strategy allows them to target high-value entities downstream and amplify their reach.

The VENOM campaign is characterized by the exploitation of web server vulnerabilities to drop web shells, after which that access is weaponized to install remote access tools (RATs) for persistent access to compromised hosts. The use of open-source tools like REVSOCK and Sliver in these attacks is seen as a deliberate attempt to cloud attribution efforts.
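The access pattern described above (a script file appears on the web server and is then driven by repeated POSTs from one source) leaves a recognisable trace in ordinary access logs. The following Python script is an added example written for this article; it is not code from Trend Micro, Seqrite or the article's author. It parses a handful of constructed combined-format access-log lines and flags three indicators that are consistent with a dropped web shell: a server-side script served from a directory that should only hold static content, a path that returned 404 earlier and later answers 200 (the file was created mid-log), and a script that is never fetched with GET but receives repeated POSTs from a single client. The directory list, extension list, threshold, sample IPs and paths are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined"-style access log line (format assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Server-side script extensions to watch (assumed list).
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp", ".jspx", ".ashx")
# Directories that, on the hypothetical application, should only serve static content.
STATIC_DIRS = ("/uploads/", "/images/", "/static/", "/tmp/")

# Constructed sample log; the IPs are documentation ranges, the paths are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:05:50:12 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.10 - - [14/May/2025:05:50:15 +0000] "GET /images/logo.png HTTP/1.1" 200 8042
198.51.100.7 - - [14/May/2025:05:55:40 +0000] "GET /static/helper.aspx HTTP/1.1" 404 196
198.51.100.7 - - [14/May/2025:06:10:00 +0000] "POST /uploads/cmd.php HTTP/1.1" 200 312
198.51.100.7 - - [14/May/2025:06:10:04 +0000] "POST /uploads/cmd.php?x=1 HTTP/1.1" 200 298
198.51.100.7 - - [14/May/2025:06:10:09 +0000] "POST /uploads/cmd.php HTTP/1.1" 200 1044
198.51.100.7 - - [14/May/2025:06:20:31 +0000] "POST /static/helper.aspx HTTP/1.1" 200 4410
203.0.113.10 - - [14/May/2025:06:25:00 +0000] "POST /login.php HTTP/1.1" 302 0
not a log line at all
""".splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]  # drop the query string
    return d


def is_script(path):
    return path.lower().endswith(SCRIPT_EXT)


def find_webshell_indicators(lines, post_threshold=3):
    """Return a sorted list of (rule, path, ip) findings over the given log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = set()
    posts = defaultdict(lambda: defaultdict(int))  # path -> ip -> POST count
    gets_ok = defaultdict(int)                      # path -> count of GET 200
    seen_404 = set()                                # script paths that returned 404 earlier

    for e in events:
        path, ip = e["path"], e["ip"]
        if not is_script(path):
            continue
        # Rule 1: a server-side script answering from a static-only directory.
        if e["status"] == 200 and any(path.startswith(d) for d in STATIC_DIRS):
            findings.add(("script_in_static_dir", path, ip))
        # Rule 2: the path did not exist earlier in the log and now serves content.
        if e["status"] == 404:
            seen_404.add(path)
        elif e["status"] == 200 and path in seen_404:
            findings.add(("404_then_200", path, ip))
        if e["method"] == "POST":
            posts[path][ip] += 1
        elif e["method"] == "GET" and e["status"] == 200:
            gets_ok[path] += 1

    # Rule 3: repeated POSTs from one source to a script that nobody ever GETs,
    # the interaction pattern of an operator driving a dropped shell.
    for path, by_ip in posts.items():
        if gets_ok[path] == 0:
            for ip, n in by_ip.items():
                if n >= post_threshold:
                    findings.add(("post_only_script", path, ip))
    return sorted(findings)


if __name__ == "__main__":
    for rule, path, ip in find_webshell_indicators(SAMPLE_LOG):
        print(f"{rule:22} {path:24} from {ip}")
```

Run against the embedded sample, the script reports four findings: `/uploads/cmd.php` trips both the static-directory rule and the POST-only rule, while `/static/helper.aspx` trips the static-directory rule and the 404-then-200 rule; the single POST to `/login.php` stays below the threshold and is not reported. On a real deployment the directory and extension lists must be tuned to the application, and a 404-then-200 transition is only interesting when the deployment pipeline did not legitimately publish that file in the same window.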

The only bespoke malware observed in the VENOM campaign is VENFRPC, a customized version of FRPC, which itself is a modified version of the open-source fast reverse proxy (FRP) tool. This malware harvests credentials from breached environments and uses them to inform the next phase of the TIDRONE campaign.

The connection between VENOM and TIDRONE stems from shared victims and service providers as well as overlapping command-and-control infrastructure, indicating that a common threat actor is behind both campaigns. Trend Micro states that the hacking crew's tactics, techniques, and procedures (TTPs) resemble those used by another Chinese nation-state hacking group tracked as Dalbit (aka m00nlight), suggesting a shared toolkit.

The TIDRONE campaign involves three stages: initial access, command-and-control, and post-exploitation. The custom malware used in it, CXCLNT and CLNTEND, is built around a modular plugin system that lets the attackers extend their capabilities dynamically at runtime; because the backdoor's real functionality arrives as plugins, its true purpose is hidden during static analysis.

CXCLNT has been used in attacks since at least 2022, while CLNTEND was first detected in 2024. The transition from CXCLNT to CLNTEND indicates that the attackers have refined their tools and tactics to evade detection.

In another development, Seqrite Labs disclosed details of a cyber espionage campaign dubbed Swan Vector, targeting educational institutions and the mechanical engineering industry in Taiwan and Japan with fake resume lures distributed via spear-phishing emails. The threat actor is believed to be based out of East Asia and has been active since December 2024, relying on custom-developed implants (a downloader and shellcode loaders) together with Cobalt Strike as its key tools.

The threat actor's use of evasion techniques such as API hashing, direct syscalls, callback functions, DLL side-loading, and self-deletion is intended to leave as few traces as possible on the target machine. The campaign has significant implications for cybersecurity professionals worldwide.

The recent surge in nation-state attacks, including those involving supply chain security and espionage, highlights the need for enhanced vigilance among organizations and governments alike. It also underscores the importance of collaboration and information-sharing between nations and industries to counter this emerging threat landscape.

In conclusion, the cyber threat space has become increasingly complex, with supply chain security and nation-state espionage being two critical areas of risk that must be addressed by all stakeholders involved.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Cyber-Threat-Landscape-A-Delicate-Dance-Between-Supply-Chain-Security-and-Nation-State-Espionage-ehn.shtml

  • https://thehackernews.com/2025/05/earth-ammit-breached-drone-supply.html

  • https://www.seqrite.com/blog/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government/

  • https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/


  • Published: Wed May 14 06:34:29 2025 by llama3.2 3B Q4_K_M