Drone Supply Chain Grand Siege
This talk details a sophisticated, multi-stage supply chain attack campaign targeting the drone industry in Taiwan and South Korea. The attackers utilized custom backdoors (CXCLNT, CLNTEND) and open-source tools (FRP, Sliver) to achieve persistence, credential dumping, and lateral movement. A key finding is the evolution of the attackers' evasion techniques, specifically the transition from thread-based to fiber-based execution to bypass EDR detection. The presentation provides a comprehensive analysis of the infection chains, C2 infrastructure, and attribution to the threat actor group Earth Ammit.
How Earth Ammit Weaponized Fiber-Based Execution to Bypass EDR
TLDR: The threat actor group Earth Ammit has evolved its supply chain attack methodology by shifting from traditional thread-based execution to fiber-based execution to evade EDR detection. By compromising upstream ERP vendors, the attackers successfully distributed custom backdoors like CXCLNT and CLNTEND to downstream targets in the drone industry. This research highlights the critical need for security teams to monitor non-standard execution flows and process behaviors beyond simple API hooking.
Supply chain attacks are no longer just about injecting malicious code into a build pipeline. The recent research presented at Black Hat Asia 2025 on the Earth Ammit campaign demonstrates a far more surgical approach. Instead of relying on noisy, easily detected techniques, these attackers are manipulating the fundamental ways Windows handles execution to stay under the radar of modern EDR solutions. For any pentester or researcher currently auditing high-security environments, this shift from threads to fibers is a wake-up call.
The Shift to Fiber-Based Execution
Most EDR solutions are tuned to monitor standard thread creation and execution patterns. When an attacker spawns a thread to execute shellcode, the EDR hooks the relevant APIs, inspects the memory, and flags the activity. Earth Ammit bypassed this by utilizing Windows fibers.
A fiber is a unit of execution that the application schedules itself rather than leaving to the operating system's scheduler; a fiber always runs on whichever thread switches to it. Because the application controls the scheduling, and SwitchToFiber saves and restores register state entirely in user mode, the kernel sees no new thread and no context-switch event when control moves between fibers. By using ConvertThreadToFiber and SwitchToFiber, the attackers can execute malicious payloads within a process context that appears benign to standard monitoring tools.
The evolution of their loader is particularly telling. In 2023, the group used SwitchToFiber to manage execution. By 2024, they had moved to FlsAlloc and exception handling techniques. This constant iteration shows a clear intent to stay ahead of behavioral analysis. If you are testing an environment, you should be looking for processes that exhibit unusual fiber-switching behavior, as this is a prime indicator of sophisticated evasion.
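The fiber-switching indicator above only pays off if someone turns it into a rule. The following detector is an added example written for this write-up, not code from the talk, from Trend Micro, or from Earth Ammit tooling. It assumes an API-call telemetry feed rendered as one JSON object per line with pid, image, user, api and dst keys, a constructed baseline of images known to use fibers legitimately, and a constructed list of expected destination networks; all of those are assumptions to be mapped onto whatever your EDR or ETW pipeline actually emits. It also covers the behavioral-baselining idea from the Defensive Strategies section: a fiber-using process that also talks to an unknown external address is scored higher than one that merely switches fibers.

```python
"""Flag processes that show fiber-based execution outside a known baseline.

Added example for this write-up; not code from the Black Hat Asia talk or from
any EDR product. Telemetry format, baseline and network lists are constructed.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Fiber entry points: a thread must be converted before it can SwitchToFiber.
CONVERT_APIS = {"ConvertThreadToFiber", "ConvertThreadToFiberEx"}
FIBER_APIS = CONVERT_APIS | {"CreateFiber", "CreateFiberEx", "SwitchToFiber", "FlsAlloc"}

# Constructed baseline (assumption): images observed to use fibers legitimately
# in this hypothetical environment. Anything else calling fiber APIs is unusual.
FIBER_BASELINE = {r"c:\tools\coroutine-sched.exe"}

# Constructed allow-list (assumption) of expected destination networks.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample telemetry, one JSON object per line (raw string so the
# Windows path backslashes survive as JSON escapes).
SAMPLE_TELEMETRY = r"""
{"pid":4120,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","api":"ConvertThreadToFiber"}
{"pid":4120,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","api":"CreateFiber"}
{"pid":4120,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","api":"SwitchToFiber"}
{"pid":4120,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","api":"FlsAlloc"}
{"pid":4120,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","net":"connect","dst":"203.0.113.45:443"}
{"pid":2200,"image":"C:\\Tools\\coroutine-sched.exe","user":"CORP\\bob","api":"ConvertThreadToFiber"}
{"pid":2200,"image":"C:\\Tools\\coroutine-sched.exe","user":"CORP\\bob","api":"SwitchToFiber"}
{"pid":3344,"image":"C:\\Windows\\System32\\notepad.exe","user":"CORP\\alice","api":"FlsAlloc"}
{"pid":4121,"image":"C:\\ERP\\erpclient.exe","user":"CORP\\svc_erp","net":"connect","dst":"10.0.5.7:443"}
"""


def is_known_destination(dst):
    """True when the host part of 'ip:port' falls inside an expected network."""
    host = dst.rsplit(":", 1)[0]
    return any(ip_address(host) in net for net in KNOWN_NETWORKS)


def analyze(telemetry):
    """Return one alert per process that switches fibers outside the baseline.

    Severity is 'high' when the same process also connected to an address
    outside KNOWN_NETWORKS, 'medium' otherwise.
    """
    apis_by_pid = defaultdict(set)
    external_by_pid = defaultdict(set)
    proc = {}
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid = ev["pid"]
        proc[pid] = (ev["image"], ev["user"])
        if ev.get("api") in FIBER_APIS:
            apis_by_pid[pid].add(ev["api"])
        if ev.get("net") == "connect" and not is_known_destination(ev["dst"]):
            external_by_pid[pid].add(ev["dst"])

    alerts = []
    for pid, apis in sorted(apis_by_pid.items()):
        image, user = proc[pid]
        if image.lower() in FIBER_BASELINE:
            continue
        # Require the real fiber-execution pattern: thread converted AND a switch.
        # FlsAlloc on its own is too common in legitimate code to alert on.
        if not (apis & CONVERT_APIS and "SwitchToFiber" in apis):
            continue
        ext = sorted(external_by_pid.get(pid, ()))
        alerts.append({
            "pid": pid, "image": image, "user": user,
            "fiber_apis": sorted(apis),
            "external_destinations": ext,
            "severity": "high" if ext else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TELEMETRY):
        print(alert)
```

Two design points matter here. FlsAlloc is deliberately not enough on its own: fiber-local storage is used by plenty of legitimate code, including the C runtime's per-thread bookkeeping, so alerting on it alone drowns the signal; the rule instead requires the convert-then-switch pair that any actual fiber execution must perform. Second, the rule is only as good as the sensor feeding it: if your telemetry source does not capture these user-mode calls, the network leg and periodic memory scanning of the ERP process are the fallback.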
Anatomy of the CXCLNT and CLNTEND Backdoors
The attackers utilized two primary backdoors, CXCLNT and CLNTEND, to maintain persistence and exfiltrate data. These tools are not off-the-shelf malware. They are designed to be modular and stealthy.
CXCLNT, the earlier iteration, relied on a two-stage decryption process. It required a payload file and a configuration file to function. This separation is a classic tactic to prevent static analysis from revealing the full capability of the malware. CLNTEND, the second-generation backdoor, took this further by operating entirely in-memory as a DLL. It supports multiple connection methods, including TLS and SMB, allowing it to blend into legitimate network traffic.
A key technical detail is how these backdoors handle C2 communication. They use a custom protocol over TLS or HTTPS, but the core logic is hidden behind a plugin architecture. The main backdoor module is essentially a shell that waits for a plugin to be delivered from the C2 server. This means that at any given moment, the malware on the victim's machine might be doing nothing more than beaconing. The actual malicious functionality, such as screen capture or credential dumping, is only loaded into memory when the attacker decides to act.
Real-World Implications for Pentesters
During a red team engagement, you are unlikely to find these backdoors sitting on disk as obvious executables. You need to look for the artifacts of their infection chain. Earth Ammit targets ERP software and other high-value, trusted applications. If you are testing a client, focus your efforts on the update mechanisms of their internal tools.
The attackers often use cmdkey and mimikatz for credential dumping, but they do so through the lens of their custom backdoors. If you see ProcDump being used to dump lsass.exe in an environment where it has no business running, you have likely found the tail end of an infection.
For those interested in the specific evasion techniques, the official documentation for the Windows Fiber API is the best place to start understanding how these primitives work. Additionally, researchers should look into the OWASP A03:2021-Injection category, as the initial access often stems from vulnerabilities in public-facing applications that allow for webshell injection.
Defensive Strategies
Defending against this level of sophistication requires moving beyond signature-based detection. Your blue team needs to focus on behavioral baselining. If a process that typically handles ERP data suddenly starts spawning fibers or making network connections to unknown external IPs, that is a high-fidelity alert.
Furthermore, ensure that your EDR is configured to monitor for the abuse of legitimate administrative tools. The use of cmdkey to list credentials or ProcDump to access sensitive process memory should be restricted to specific, authorized service accounts.
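The restriction just described is easy to state and easy to leave unenforced. Below is an added example, written for this write-up and not taken from the talk or from any EDR vendor, of how the allow-list turns into an audit rule over process-creation events. It assumes events shaped as dictionaries with user, image, command_line and parent_image fields (what you would extract from Sysmon Event ID 1 or Windows Security event 4688), and the authorized account names and sample events are constructed.

```python
"""Audit cmdkey and ProcDump usage against an allow-list of authorized accounts.

Added example for this write-up; not code from the talk or from any EDR product.
Event shape, authorized accounts and sample events are constructed assumptions.
"""
from pathlib import PureWindowsPath

# Constructed allow-list (assumption): the only accounts expected to run each
# tool in this hypothetical environment. Everyone else triggers an alert.
AUTHORIZED_ACCOUNTS = {
    "cmdkey-list": {r"corp\svc_deploy"},
    "procdump-lsass": {r"corp\svc_forensics"},
}

# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"user": r"CORP\svc_forensics", "image": r"C:\Tools\procdump64.exe",
     "command_line": "procdump64.exe -accepteula -ma lsass.exe C:\\Cases\\lsass.dmp",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"user": r"CORP\svc_erp", "image": r"C:\Users\Public\procdump64.exe",
     "command_line": "procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\out.dmp",
     "parent_image": r"C:\ERP\erpclient.exe"},
    {"user": r"CORP\alice", "image": r"C:\Windows\System32\cmdkey.exe",
     "command_line": "cmdkey /list",
     "parent_image": r"C:\ERP\erpclient.exe"},
    {"user": r"CORP\svc_deploy", "image": r"C:\Windows\System32\cmdkey.exe",
     "command_line": "cmdkey /list",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"user": r"CORP\bob", "image": r"C:\Tools\procdump64.exe",
     "command_line": "procdump64.exe -ma notepad.exe C:\\Temp\\np.dmp",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def classify(event):
    """Return the rule an event matches, or None.

    Tools are matched on the image basename plus the telltale arguments, so a
    renamed copy of the binary is NOT caught here; pair this with
    OriginalFileName or hash checks in a real deployment.
    """
    image = PureWindowsPath(event["image"]).name.lower()
    cmdline = event["command_line"].lower()
    if image == "cmdkey.exe" and "/list" in cmdline:
        return "cmdkey-list"
    if image in ("procdump.exe", "procdump64.exe") and "lsass" in cmdline:
        return "procdump-lsass"
    return None


def audit_tool_usage(events):
    """Return alerts for matching events whose user is not on the allow-list."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        user = ev["user"].lower()
        if user in AUTHORIZED_ACCOUNTS[rule]:
            continue
        alerts.append({
            "rule": rule,
            "user": user,
            # Parent context is what separates an admin at a console from a
            # backdoor driving the tool: an ERP client spawning cmdkey is wrong.
            "parent": PureWindowsPath(ev["parent_image"]).name.lower(),
            "command_line": ev["command_line"],
        })
    return alerts


if __name__ == "__main__":
    for alert in audit_tool_usage(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner will hit immediately. ProcDump accepts a PID as well as a process name, so the `lsass` substring match misses `procdump -ma 712`; correlate with process-access telemetry on lsass.exe (Sysmon Event ID 10) to close that gap. And the allow-list is on account, not on account plus parent: the fourth sample event is suppressed because svc_deploy is authorized, even though you may still want a lower-priority record of where it was launched from.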
Earth Ammit is a reminder that the most dangerous threats are the ones that don't look like threats at all. They are using the operating system's own features against it. As researchers, we need to keep digging into these low-level execution primitives, because that is exactly where the next generation of stealthy malware is hiding. Keep your eyes on the process memory and the execution flow, not just the file system.