Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

    Date: 05/14/2025

    Severity: High

    Summary

    Earth Ammit, a threat actor linked to Chinese-speaking APT groups, conducted two coordinated cyberespionage campaigns—VENOM and TIDRONE—between 2023 and 2024, targeting organizations in Taiwan and South Korea. The VENOM campaign focused on infiltrating the upstream drone supply chain using open-source tools, while the later TIDRONE campaign shifted to custom-built malware like CXCLNT and CLNTEND to target military sectors. Affected industries include military, satellite, software, media, and healthcare. The group's strategic goal is to compromise trusted networks through supply chain attacks, enabling deeper access to high-value targets. Recommended defenses include third-party risk management, Zero Trust Architecture, patching, and advanced behavioral monitoring.

    Indicators of Compromise (IOC) List

    URL/Domains

    fuckeveryday.life

    fghytr.com

    client.wns.windowswns.com

    server.microsoftsvc.com

    service.symantecsecuritycloud.com

    time.vmwaresync.com

    ac.metyp9.com

    IP Addresses

    45.121.50.30

    45.121.50.185

    103.61.139.60

    Hashes (SHA-256)

    40bcd87bcd851c5c2d6e5c901c59312d480eed58b4ebb2981607c0d80c27b529

    0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f

    73372378dd3c5455b466a61d5807b903ed6c1d9284628b9b7480ccd49cc15635

    8907907a571a90c28ae72c10945f626fd22a6f587f664a6b86ad3a8f344f1aae

    c3c4443c3fee858e71fb8017288d9f3b79b2ae0f3f37f93d373765261b299d46

    f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7

    37949e1f0eabbf6726ba79a707a9b471ec1fa160080f9b1effd01ea35f795fd7

    19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a

    5235fecd3e1449ba9f78a25ddb89948a638484411a7bf91af3bb4d1b159f255a

    24fabd3a74c6d24acb7c7f6ed254df0ba125b321772abacb692be5b6c687e651

    74096848382ffb86a5ff0c7811b9867ad97f83d3f406b2c5aa9f357e1619fe21

    827142f772c39bd7f4c468bcfc096ea857b4d2939c606460424af836a045f696

    2f2d4cc6266fe1671fa03737059622e03466a80d43a0342bff21b73c7aa5419a

    db600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18

    1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e

    f3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3

    1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8

    589d4a751e079ec6792ccabc39df36c3d43a3a34376d38d2eec2e36e32b2c7aa

    0f26a1042a74d0990e53587f97c63450763fba4af39d635e29ddcf6b0091d8ea

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "ac.metyp9.com" or siteurl like "ac.metyp9.com" or url like "ac.metyp9.com" or domainname like "server.microsoftsvc.com" or siteurl like "server.microsoftsvc.com" or url like "server.microsoftsvc.com" or domainname like "service.symantecsecuritycloud.com" or siteurl like "service.symantecsecuritycloud.com" or url like "service.symantecsecuritycloud.com" or domainname like "fuckeveryday.life" or siteurl like "fuckeveryday.life" or url like "fuckeveryday.life" or domainname like "time.vmwaresync.com" or siteurl like "time.vmwaresync.com" or url like "time.vmwaresync.com" or domainname like "fghytr.com" or siteurl like "fghytr.com" or url like "fghytr.com" or domainname like "client.wns.windowswns.com" or siteurl like "client.wns.windowswns.com" or url like "client.wns.windowswns.com"

    Detection Query 2

    dstipaddress IN ("103.61.139.60","45.121.50.30","45.121.50.185") or srcipaddress IN ("103.61.139.60","45.121.50.30","45.121.50.185")

    Detection Query 3

    sha256hash IN ("5235fecd3e1449ba9f78a25ddb89948a638484411a7bf91af3bb4d1b159f255a","2f2d4cc6266fe1671fa03737059622e03466a80d43a0342bff21b73c7aa5419a","0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f","73372378dd3c5455b466a61d5807b903ed6c1d9284628b9b7480ccd49cc15635","827142f772c39bd7f4c468bcfc096ea857b4d2939c606460424af836a045f696","74096848382ffb86a5ff0c7811b9867ad97f83d3f406b2c5aa9f357e1619fe21","db600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18","8907907a571a90c28ae72c10945f626fd22a6f587f664a6b86ad3a8f344f1aae","40bcd87bcd851c5c2d6e5c901c59312d480eed58b4ebb2981607c0d80c27b529","19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a","1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8","37949e1f0eabbf6726ba79a707a9b471ec1fa160080f9b1effd01ea35f795fd7","f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7","c3c4443c3fee858e71fb8017288d9f3b79b2ae0f3f37f93d373765261b299d46","24fabd3a74c6d24acb7c7f6ed254df0ba125b321772abacb692be5b6c687e651","1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e","f3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3","589d4a751e079ec6792ccabc39df36c3d43a3a34376d38d2eec2e36e32b2c7aa","0f26a1042a74d0990e53587f97c63450763fba4af39d635e29ddcf6b0091d8ea")
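As an added example (not part of the advisory and not Gurucul's TDIR code), the script below applies the same three checks as Detection Queries 1 to 3 (domain/URL, IP address, SHA-256 hash) to a handful of constructed log records. Field names are taken from the queries; the flat per-event record layout and the sample events are assumptions. Domain matching is done on a label boundary (exact or subdomain) rather than as a substring search, and IP matching is exact, so look-alike values such as a host that merely contains an IOC string, or an IP that is a prefix of an IOC, do not fire.

```python
"""Added example, not part of the Gurucul advisory or its TDIR product: an offline
IOC matcher that applies the same three checks as Detection Queries 1-3 (domain/URL,
IP address, SHA-256 hash) to constructed log records. Field names follow the
queries; the record layout and the sample log events are assumptions."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# IOCs copied from the advisory's IOC list.
DOMAINS = frozenset({
    "fuckeveryday.life", "fghytr.com", "client.wns.windowswns.com",
    "server.microsoftsvc.com", "service.symantecsecuritycloud.com",
    "time.vmwaresync.com", "ac.metyp9.com",
})
IPS = frozenset({"45.121.50.30", "45.121.50.185", "103.61.139.60"})
HASHES = frozenset("""
40bcd87bcd851c5c2d6e5c901c59312d480eed58b4ebb2981607c0d80c27b529
0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f
73372378dd3c5455b466a61d5807b903ed6c1d9284628b9b7480ccd49cc15635
8907907a571a90c28ae72c10945f626fd22a6f587f664a6b86ad3a8f344f1aae
c3c4443c3fee858e71fb8017288d9f3b79b2ae0f3f37f93d373765261b299d46
f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7
37949e1f0eabbf6726ba79a707a9b471ec1fa160080f9b1effd01ea35f795fd7
19bbc2daa05a0e932d72ecfa4e08282aa4a27becaabad03b8fc18bb85d37743a
5235fecd3e1449ba9f78a25ddb89948a638484411a7bf91af3bb4d1b159f255a
24fabd3a74c6d24acb7c7f6ed254df0ba125b321772abacb692be5b6c687e651
74096848382ffb86a5ff0c7811b9867ad97f83d3f406b2c5aa9f357e1619fe21
827142f772c39bd7f4c468bcfc096ea857b4d2939c606460424af836a045f696
2f2d4cc6266fe1671fa03737059622e03466a80d43a0342bff21b73c7aa5419a
db600b0ae5f7bfc81518a6b83d0c5d73e1b230e7378aab70b4e98a32ab219a18
1f22be2bbe1bfcda58ed6b29b573d417fa94f4e10be0636ab4c364520cda748e
f3897381b9a4723b5f1f621632b1d83d889721535f544a6c0f5b83f6ea3e50b3
1b08f1af849f34bd3eaf2c8a97100d1ac4d78ff4f1c82dbea9c618d2fcd7b4c8
589d4a751e079ec6792ccabc39df36c3d43a3a34376d38d2eec2e36e32b2c7aa
0f26a1042a74d0990e53587f97c63450763fba4af39d635e29ddcf6b0091d8ea
""".split())
# Guard against copy/paste damage: every SHA-256 must be 64 lowercase hex characters.
assert all(len(h) == 64 and set(h) <= set("0123456789abcdef") for h in HASHES)
assert len(HASHES) == 19

def normalize_host(value: str) -> str:
    """Lower-case the value, pull the host out of a full URL, drop a trailing dot."""
    value = value.strip().lower()
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.rstrip(".")

def domain_matches(value: str) -> Optional[str]:
    """Return the IOC domain that `value` equals or is a subdomain of, else None.
    Matching on a label boundary avoids substring false positives such as
    'notfghytr.com', which a plain substring search would flag."""
    host = normalize_host(value)
    for ioc in DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def match_record(rec: Dict[str, str]) -> List[str]:
    """Apply the three query checks to one record; return sorted, de-duplicated hits."""
    hits = set()
    for key in ("domainname", "siteurl", "url"):          # Detection Query 1 fields
        if rec.get(key):
            ioc = domain_matches(rec[key])
            if ioc:
                hits.add(f"domain:{ioc}")
    for key in ("srcipaddress", "dstipaddress"):          # Detection Query 2 fields
        if rec.get(key, "").strip() in IPS:               # exact match, never a prefix
            hits.add(f"ip:{rec[key].strip()}")
    digest = rec.get("sha256hash", "").strip().lower()    # Detection Query 3 field
    if digest in HASHES:
        hits.add(f"sha256:{digest}")
    return sorted(hits)

def scan(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run every record through match_record; keep only those with at least one hit."""
    return {rec["id"]: hits for rec in records if (hits := match_record(rec))}

# Constructed sample events (assumption: one flat dict per event, keyed like the queries).
SAMPLE_LOGS = [
    {"id": "evt-1", "domainname": "ac.metyp9.com", "dstipaddress": "45.121.50.30"},
    {"id": "evt-2", "url": "https://Update.FGHYTR.com/check", "srcipaddress": "10.0.0.5"},
    {"id": "evt-3", "sha256hash": "0D91DFD16175658DA35E12CAFC4F8AA22129B42B7170898148AD516836A3344F",
     "srcipaddress": "45.121.50.185"},
    {"id": "evt-4", "domainname": "notfghytr.com"},             # must NOT match
    {"id": "evt-5", "dstipaddress": "103.61.139.6"},            # prefix of an IOC, must NOT match
    {"id": "evt-6", "siteurl": "time.vmwaresync.com.example"},  # IOC as a prefix, must NOT match
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_LOGS).items():
        print(event_id, "->", ", ".join(hits))
```

Running the script reports hits for evt-1 through evt-3 only; evt-4 to evt-6 are the look-alikes that a substring or prefix match would wrongly flag. When porting this to a SIEM, keep the URL check on the extracted host rather than the raw URL so that case, trailing dots and paths do not defeat the match.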

    Reference:

    https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html


    Tags

    Threat Actor, Earth Ammit, APT, Cyber Espionage, Venom, TIDRONE, Taiwan, South Korea, CXCLNT, CLNTEND, Defense Industrial Base, Information Technology, Communications, Healthcare and Public Health, Malware
