Earth Ammit: GitHub Became a Launchpad for Military Drone Hacks

VENOM and TIDRONE campaigns exposed the real goal of the Earth Ammit hackers.
The Earth Ammit group, linked to Chinese-speaking APT actors, carried out two waves of targeted attacks in 2023–2024. The first, dubbed VENOM, focused on software service providers, while the second, TIDRONE, targeted defense industry enterprises. Both campaigns relied on supply chain attacks. VENOM infiltrated upstream tiers of the drone ecosystem, while TIDRONE compromised vendors of military and satellite solutions.
In its early stages, Earth Ammit preferred freely available tools to minimize costs and complicate tracking. However, during TIDRONE, the group shifted to custom-developed backdoors — CXCLNT and CLNTEND — enabling more covert and selective espionage operations.
The targeted organizations were primarily based in Taiwan and South Korea. Victims included drone suppliers, media companies, tech and software firms, heavy industry enterprises, as well as satellite and medical companies. Earth Ammit's overall strategy involved breaching trusted supply chains to gain downstream access to more valuable targets — the end organizations.
During the TIDRONE campaign investigation in July 2024, researchers identified shared ERP software among several victims, leading them to uncover the earlier VENOM attack. These findings were presented at Black Hat Asia 2025.
VENOM followed a classic approach: attackers exploited vulnerable web servers to upload web shells, then used open-source proxies and RAT tools to establish persistence. The primary goal was to obtain the NTDS.dit (Active Directory database) and compromise systems further down the supply chain — laying the groundwork for TIDRONE.
TIDRONE unfolded in three stages:
- Initial breach via compromised vendors, spreading infected software through trusted channels.
- Deployment of backdoors, specifically CXCLNT and CLNTEND, embedding into system processes, bypassing UAC, and escalating privileges.
- Data extraction, including password dumps, screenshots, antivirus deactivation, and deployment of data collection tools.
CXCLNT operated entirely in memory, leaving no disk traces, used SSL/HTTPS, and dynamically fetched modules from a C2 server as needed. CLNTEND evolved from CXCLNT, supporting seven protocols (including WebSocket and SMB), implemented as a DLL with both client and server modes. It injected into dllhost.exe and spawned a command shell within winword.exe, helping bypass defenses and execute commands stealthily.
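As an added illustration (not code from the article or from the underlying research), the following detection pass checks constructed process-creation events for two behaviours the article describes: a command shell launched from winword.exe, as with CLNTEND, and command lines referencing NTDS.dit, the VENOM objective. Field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events and the CLSID placeholder are constructed.

```python
"""Constructed detection example: flag shell-from-Office and NTDS.dit references
in process-creation events shaped like Sysmon Event ID 1 records."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return detection labels for one process-creation event (empty if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    # A document viewer should never be the parent of a command shell
    if image in SHELLS and parent in OFFICE:
        hits.append("office_spawned_shell")
    # Any command line naming the AD database deserves analyst attention
    if "ntds.dit" in cmdline:
        hits.append("ntds_dit_reference")
    return hits


def flag_events(events: list) -> list:
    """Return (index, labels) for each event that triggered at least one label."""
    flagged = []
    for idx, event in enumerate(events):
        labels = classify(event)
        if labels:
            flagged.append((idx, labels))
    return flagged


# Constructed sample events for demonstration only
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "dllhost.exe /Processid:{PLACEHOLDER-CLSID}"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Windows\NTDS\ntds.dit"},
]

if __name__ == "__main__":
    for idx, labels in flag_events(SAMPLE_EVENTS):
        print(idx, labels)
```

The dllhost.exe event is deliberately left unflagged: a benign-looking COM surrogate launch is exactly why injection into that process needs memory-based telemetry rather than process-creation rules alone.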
Additionally, a tool named ScreenCap was discovered — a spyware trojan integrated via CLNTEND that sent screen captures back to operators.
Two key links between the VENOM and TIDRONE campaigns were uncovered: overlapping victims and a shared C2 infrastructure, including a domain ominously named fuckeveryday[.]life. These connections point to a single group. Attribution suggests a Chinese-speaking operator. File timestamps and command activity aligned with GMT+8, and their methods echoed those of the Dalbit group described in AhnLab reports.
Recommended defenses against such attacks:
- Implement third-party risk management
- Verify software integrity using SBOM (Software Bill of Materials)
- Monitor API calls
- Segment supplier systems
- Adopt Zero Trust architecture
- Strengthen behavioral monitoring and deploy EDR (Endpoint Detection and Response) solutions.