Supply Chain Management
Business Fortune
15 May, 2025
Two similar but separate campaigns from 2023 to 2024, targeting different organizations in Taiwan and South Korea across the military, satellite, heavy industry, media, technology, software services, and healthcare sectors, have been linked to a cyber-espionage group called Earth Ammit.
According to cybersecurity company Trend Micro, the first wave, codenamed VENOM, mostly targeted software service providers, while the second wave, known as TIDRONE, specifically targeted the military sector. Earth Ammit is assessed to be associated with Chinese-speaking nation-state groups.
Security researchers Pierre Lee, Vickie Su, and Philip Chen said that Earth Ammit's strategy for its VENOM campaign was to infiltrate the upstream portion of the drone supply chain. Earth Ammit's long-term objective is to breach trusted networks through supply chain attacks so that it can target high-value businesses downstream and expand its reach.
Trend Micro first disclosed the TIDRONE campaign last year, describing how the cluster targeted Taiwanese drone manufacturers to deliver bespoke malware, including CXCLNT and CLNTEND. In December 2024, AhnLab released follow-up research describing the use of CLNTEND against South Korean businesses.
The attacks are notable because they target the drone supply chain and use enterprise resource planning (ERP) software to compromise the satellite and military sectors. In certain cases, the malicious payloads have also been distributed over trusted communication channels, such as remote monitoring or IT management systems.
The campaign's ultimate objective is to collect credentials from compromised environments and use the information obtained as a springboard for the TIDRONE phase, which is aimed at downstream customers.