TIDRONE targets Taiwanese drone makers in cyber campaign.

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly targeted drone manufacturers in Taiwan as part of a cyber attack campaign in 2024.

Trend Micro has been actively monitoring the adversary, named TIDRONE, noting that the activity is espionage-driven, focusing on military-related industry chains.

The exact initial access vector used by the threat actor remains unknown, but Trend Micro's analysis shows the custom malware families CXCLNT and CLNTEND being deployed through remote desktop tools such as UltraVNC.

An interesting common factor among the victims is the use of the same enterprise resource planning (ERP) software, hinting at a possible supply chain attack.

The attack chains involve stages designed to facilitate privilege escalation, including a User Account Control (UAC) bypass, credential dumping, and antivirus evasion.


Both backdoors are initiated by sideloading a rogue DLL via Microsoft Word, enabling the threat actors to access sensitive information.
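The sideloading pattern described above is one a defender can hunt for in image-load telemetry: Microsoft Word loading a DLL from somewhere other than its own install directory or the Windows system directories. The following is an added example, not code from the article or from Trend Micro; the event fields, the trusted-directory list, and the sample paths are constructed for illustration.

```python
"""Flag WINWORD.EXE image-load events that look like DLL sideloading.
Added example; event format and directory list are assumptions, not
anything taken from the TIDRONE report."""
import ntpath

# Directories Word is expected to load DLLs from (assumed list, lowercase).
TRUSTED_DLL_DIRS = [
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
]


def is_trusted_dir(dll_path):
    """True if the DLL path sits under one of the trusted directories."""
    p = dll_path.lower().replace("/", "\\")
    return any(p.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def find_word_sideload_candidates(events):
    """Return (dll_path, reason) for each Word image load that is either
    outside the trusted directories or unsigned inside them."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["process"]).lower() != "winword.exe":
            continue
        path = ev["image"]
        if not is_trusted_dir(path):
            hits.append((path, "dll loaded from untrusted directory"))
        elif not ev.get("signed", False):
            hits.append((path, "unsigned dll in trusted directory"))
    return hits


# Constructed sample events (simplified Sysmon event 7 style fields).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"process": WORD, "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"process": WORD, "image": r"C:\Users\alice\AppData\Local\Temp\example.dll", "signed": False},
    {"process": WORD, "image": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll", "signed": True},
    {"process": r"C:\Windows\System32\notepad.exe", "image": r"C:\Users\alice\Downloads\sample.dll", "signed": False},
]

if __name__ == "__main__":
    for path, reason in find_word_sideload_candidates(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {path}")
```

Only the Temp-directory load by Word is flagged; the Notepad event is ignored because the rule is scoped to the process the article names.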

CXCLNT allows file upload/download, trace clearing, victim information collection, and execution of next-stage files. CLNTEND, discovered in April 2024, is a RAT supporting various network protocols.

Security researchers Pierre Lee and Vickie Su believe that the consistent file compilation times and operational patterns align with Chinese-speaking threat groups.