Earth Ammit

Description

(Trend Micro) Earth Ammit, a threat actor linked to Chinese-speaking APT groups, launched two waves of campaigns from 2023 to 2024. The first wave, VENOM, mainly targeted software service providers, and the second wave, TIDRONE, mainly targeted the military industry. In its VENOM campaign, Earth Ammit’s approach involved penetrating the upstream segment of the drone supply chain.

In the VENOM campaign, the threat actors primarily relied on open-source tools because of their low cost and the difficulty of tracking them. They shifted to custom-built tools like CXCLNT and CLNTEND in the TIDRONE campaign for cyberespionage purposes.

Victims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and South Korea, affecting a range of industries including military, satellite, heavy industry, media, technology, software services, and healthcare sectors. Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach. Organizations that fall prey to these attacks are also at risk of data theft, including exfiltration of credentials and screenshots.

Names

Name          Name-Giver
Earth Ammit   Trend Micro

Country

Motivation

  • Information theft and espionage

First Seen

2022

Observed Countries

Information

Other Information

Uuid

9baa2e3f-96f6-46d7-b7e4-af92771343d3

Last Card Change

2025-06-27