'TIDrone' Cyberattackers Target Taiwan's Drone Manufacturers

A threat actor dubbed "TIDrone" by researchers is actively going after military- and satellite-related industrial supply chains, particularly drone manufacturers in Taiwan.

That's according to Trend Micro, which linked TIDrone to other Chinese-speaking groups and noted that it uses enterprise resource planning (ERP) software or remote desktop tools to deploy advanced, proprietary malware.

"Since the beginning of 2024, we have been receiving incident response cases from Taiwan," according to an analysis from the firm. "[However], telemetry from VirusTotal indicates that the targeted countries are varied; thus, everyone should stay vigilant of this threat."

The specialized toolsets include "CXCLNT," which can upload and download files, collect victim information such as file listings and computer names, and comes complete with stealth capabilities. Another weapon is "CLNTEND," a remote access tool (RAT) first seen last April that supports a wide range of network protocols for communication.

Once TIDrone has compromised a target, it deploys user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products, according to the analysis.

"The threat actors have consistently updated their arsenal and optimized the attack chain," the researchers noted. "Notably, anti-analysis techniques are employed in their loaders, such as verifying the entry point address from the parent process and hooking widely used application programming interfaces (APIs) like GetProcAddress to alter the execution flow."