Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Conclusion
Our investigation into the VENOM and TIDRONE campaigns reveals several key trends in Earth Ammit’s evolving tradecraft. First, we observed a growing reliance on fiber-based evasion techniques across their malware arsenal – an approach designed to bypass traditional detection mechanisms more effectively. Second, both campaigns carry out supply chain attacks across two distinct attack waves. This highlights the adversary’s long-term objective of infiltrating trusted networks to reach high-value targets. Continued monitoring of their infrastructure and toolset is essential to anticipate their next move.
In the VENOM campaign, Earth Ammit primarily leveraged open-source tools, likely due to their accessibility, low cost, and ability to blend in with legitimate activity. However, as the operation matured, they shifted toward deploying custom-built malware – notably in the TIDRONE campaign – to increase precision and stealth in targeting sensitive sectors.
This progression underscores a deliberate strategy: start broad with low-cost, low-risk tools to establish access, then pivot to tailored capabilities for more targeted and impactful intrusions. Understanding this operational pattern will be critical in predicting and defending against future threats from this actor.
To mitigate the risk of supply chain attacks, organizations may implement a third-party risk management program to assess vendors, verify software with Software Bills of Materials (SBOMs), enforce code signing, continuously monitor third-party software behavior, apply patches promptly, segment vendor systems, include third-party breach scenarios in incident response plans, and adopt Zero Trust Architecture to validate every connection.
Organizations may also better protect themselves from fiber-based techniques by monitoring the use of fiber-related APIs (such as ConvertThreadToFiber and CreateFiber) to detect abnormal behavior, strengthening EDR solutions to recognize fiber-based anomalies, and enhancing behavioral monitoring to identify unusual execution patterns typical of fiber-based malware.
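One way to act on the fiber-API monitoring recommendation above, as an added example that is not Trend Micro's code: a small detector run over API-call telemetry. The event schema (`pid`, `image`, `api`, `start_module`), the baseline list and the sample events are constructed assumptions; `SwitchToFiber` and the `Ex` variants are real Win32 APIs included beyond the two the article names.

```python
import json
from collections import defaultdict

# Fiber APIs: the two named in the article plus related real Win32 calls.
FIBER_APIS = {"ConvertThreadToFiber", "ConvertThreadToFiberEx",
              "CreateFiber", "CreateFiberEx", "SwitchToFiber"}
# Assumption: images known to use fibers legitimately in this environment.
BASELINE = {r"c:\program files\dbengine\dbsrv.exe"}

# Constructed sample events from a hypothetical API-monitoring sensor.
# start_module = module backing the fiber start address, null if unbacked.
SAMPLE = r'''
{"pid": 4120, "image": "C:\\Program Files\\DbEngine\\dbsrv.exe", "api": "ConvertThreadToFiber", "start_module": null}
{"pid": 4120, "image": "C:\\Program Files\\DbEngine\\dbsrv.exe", "api": "CreateFiber", "start_module": "dbsrv.exe"}
{"pid": 5012, "image": "C:\\Windows\\System32\\notepad.exe", "api": "CreateFileW", "start_module": null}
{"pid": 7788, "image": "C:\\Users\\Public\\updater.exe", "api": "ConvertThreadToFiber", "start_module": null}
{"pid": 7788, "image": "C:\\Users\\Public\\updater.exe", "api": "CreateFiber", "start_module": null}
{"pid": 7788, "image": "C:\\Users\\Public\\updater.exe", "api": "SwitchToFiber", "start_module": null}
{"pid": 6001, "image": "C:\\Program Files\\DbEngine\\dbsrv.exe", "api": "CreateFiber", "start_module": null}
'''

def detect(lines):
    """Return {pid: [reasons]} for processes with abnormal fiber usage."""
    findings = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["api"] not in FIBER_APIS:
            continue  # not a fiber call, out of scope for this rule
        # Rule 1: fiber use by an image outside the known-good baseline.
        if ev["image"].lower() not in BASELINE:
            findings[ev["pid"]].add("fiber API used by unbaselined image")
        # Rule 2: a fiber whose entry point is not backed by a loaded module.
        # This also catches abuse inside an otherwise baselined process.
        if ev["api"].startswith("CreateFiber") and ev.get("start_module") is None:
            findings[ev["pid"]].add("fiber entry point in unbacked memory")
    return {pid: sorted(reasons) for pid, reasons in findings.items()}

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE.splitlines()).items():
        print(pid, "; ".join(reasons))
```

Rule 2 fires for pid 6001 even though its image is baselined, which is why an allowlist of fiber-using images is not sufficient on its own.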
Proactive security with Trend Vision One™
Organizations can protect themselves from threats like these with Trend Vision One™ – the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.