A previously undocumented threat actor, likely linked to Chinese-speaking groups, has primarily targeted drone manufacturers in Taiwan in a campaign of cyberattacks that began in 2024.
Trend Micro is tracking the adversary under the name TIDRONE, stating that the activity is espionage-driven given its focus on military industrial networks.
The exact initial access vector used to compromise the targets is currently unknown, although Trend Micro's analysis found the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools such as UltraVNC.
An interesting commonality observed among various victims is the presence of the same enterprise resource planning (ERP) software, which increases the possibility of a supply chain attack.
The attack chains then pass through three distinct stages designed to facilitate privilege escalation by bypassing User Account Control (UAC), credential reset, and defense evasion by disabling antivirus products installed on the hosts.
Both backdoors are initiated by loading a rogue DLL via the Microsoft Word application, allowing the threat actors to collect a wide range of sensitive information.
CXCLNT is equipped with basic file upload and download capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and loading Portable Executable (PE) and next-stage DLL files for execution.
CLNTEND, first discovered in April 2024, is an open-source Remote Access Tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).
“The consistency of the file compilation time and the threat actor’s operating time with other activities related to Chinese espionage supports the assessment that this campaign is likely being carried out by an as-yet-unidentified Chinese-speaking threat group,” said security researchers Pierre Lee and Vickie Su.