A previously undocumented threat actor, likely connected to Chinese-speaking cyber groups, has been targeting drone manufacturers in Taiwan as part of a cyber espionage campaign that began in 2024. Security firm Trend Micro is tracking this group under the name TIDRONE, citing the focus on military-related industries as a key indicator that the activity is driven by espionage.
While the initial method of access used to breach the targets remains unknown, Trend Micro's research has uncovered the use of custom malware, specifically CXCLNT and CLNTEND, which were deployed using remote desktop tools such as UltraVNC.
One striking observation across the targeted companies is the presence of the same enterprise resource planning (ERP) software, which suggests the possibility of a supply chain attack as the initial vector.
The attack follows a structured process divided into three distinct stages. These stages are designed to enable the attackers to escalate privileges by bypassing User Access Control (UAC), dump credentials, and evade detection by disabling antivirus software on the compromised systems.
Focus on Drone Manufacturers
Both CXCLNT and CLNTEND backdoors are executed by sideloading a malicious DLL via Microsoft Word, giving the attackers access to a range of sensitive data. This technique enables them to gather critical information from the infected systems, including file listings, computer names, and more.
The CXCLNT malware has basic capabilities, such as uploading and downloading files, clearing system traces, and downloading additional executable and DLL files for further stages of the attack.
CLNTEND, first identified in April 2024, is a more sophisticated remote access tool (RAT). It supports a variety of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445), which grants it considerable flexibility in establishing and maintaining connections to the attackers' command-and-control (C2) infrastructure.
The consistency in file compilation times, along with the group's operational patterns, strongly aligns with activities related to Chinese espionage, according to security researchers Pierre Lee and Vickie Su. These findings reinforce the belief that TIDRONE is likely part of an unidentified Chinese-speaking threat group engaged in cyber espionage operations.