‘TIDrone’ hits Taiwanese drone makers in cyberattack frenzy

Article Summary

TLDR:

  • A threat actor group called “TIDrone” is targeting military and satellite-related industrial supply chains in Taiwan.
  • The group uses sophisticated malware, including remote desktop tools, to deploy advanced attacks.

Tara Seals, Managing Editor of Dark Reading, reports that a group known as “TIDrone” is actively targeting military and satellite-related industrial supply chains, specifically drone manufacturers in Taiwan. Trend Micro has linked this Chinese-speaking group to other similar groups and identified its use of enterprise resource planning (ERP) software and remote desktop tools to deploy advanced, proprietary malware. The group has been active since the beginning of 2024, with incident response cases reported in Taiwan. However, VirusTotal telemetry indicates that the targets vary globally, so everyone should remain vigilant.

The specialized toolsets used by TIDrone include “CXCLNT,” which can upload and download files, collects victim information, and has stealth capabilities. Another tool, “CLNTEND,” is a remote access tool (RAT) that supports various network protocols for communication. Once a target is compromised, TIDrone employs techniques such as user account control (UAC) bypass, credential dumping, and disabling antivirus products using hacktools.

Researchers note that TIDrone continuously updates its arsenal and optimizes its attack chain, implementing anti-analysis techniques in its loaders. These techniques involve verifying entry point addresses and hooking common application programming interfaces (APIs) to alter execution flows.

The report highlights the sophistication and evolving nature of TIDrone’s cyberattacks, emphasizing the importance of maintaining strong cybersecurity defenses in the face of such threats.

