🇨🇳

Earth Ammit

APT Group Information theft and espionage ETDA ✓

Also Known As 2 names

TIDRONE VENOM

Target Countries 6

Countries highlighted in red

Canada Germany Ireland Republic of Korea Province of China Taiwan United States

Sectors Targeted

Telecommunications Defense Employment Placement Agencies and Executive Search Services 56131 Software Publishers 51121 Accommodation 721 Civic and Social Organizations 8134

Details

Origin 🇨🇳 CN

Last Updated 06 Jan 2026

MITRE ATT&CK 14

T1005 - Data from Local System T1027 - T1036.005 - Match Legitimate Name or Location T1041 - Exfiltration Over C2 Channel T1057 - Process Discovery T1059 - T1071.001 - Web Protocols T1113 - Screen Capture T1190 - T1204.002 - Malicious File T1497.001 - System Checks T1497.003 - Time Based Evasion T1539 - Steal Web Session Cookie T1574 -

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 1 entries

Earth Ammit Trend Micro

Observed Target Countries 3

Based on ETDA data — countries highlighted in red

Canada South Korea Taiwan

Description

(Trend Micro) Earth Ammit, a threat actor linked to Chinese-speaking APT groups, launched two waves of campaigns from 2023 to 2024. The first wave, VENOM, mainly targeted software service providers, and the second wave, TIDRONE mainly targeted the military industry. In its VENOM campaign, Earth Ammit's approach involved penetrating the upstream segment of the drone supply chain. In the VENOM campaign, the threat actors primarily relied on open-source tools due to low cost and difficult tracking. They shifted to custom-built tools like CXCLNT and CLNTEND in the TIDRONE campaign for cyberespionage purposes. Victims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and South Korea, affecting a range of industries including military, satellite, heavy industry, media, technology, software services, and healthcare sectors. Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach. Organizations that fall prey to these attacks are also at risk of data theft, including exfiltration of credentials and screenshots.

Reports & References 1

https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html

ETDA Profile

Earth Ammit

Origin

China

First Seen 2022

Motivation

Information theft and espionage

View on ETDA APT Groups ↗