Archived link

TIDRONE, a threat actor linked to Chinese-speaking groups, targets military-related industry chains in Taiwan

• TIDRONE, an unidentified threat actor linked to Chinese-speaking groups, has demonstrated significant interest in military-related industry chains, especially in the manufacturers of drones’ sector in Taiwan

• The threat cluster uses enterprise resource planning (ERP) software or remote desktops to deploy advanced malware toolsets such as the CXCLNT and CLNTEND.

• CXCLNT has basic upload and download file capabilities, along with features for clearing traces, collecting victim information such as file listings and computer names, and downloading additional portable executable (PE) files for execution

• CLNTEND is a newly discovered remote access tool (RAT) that was used this April and supports a wider range of network protocols for communication

• During the post-exploitation phase, telemetry logs revealed user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products.