MirrorFace invitations Europe to Expo 2025 and revives ANEL backdoor

In August 2024, ESET researchers detected cyberespionage exercise carried out by the China-aligned MirrorFace superior persistent risk (APT) group in opposition to a Central European diplomatic institute in relation to Expo 2025, which will likely be held in Osaka, Japan.

Identified primarily for its cyberespionage actions in opposition to organizations in Japan, to one of the best of our data, that is the primary time MirrorFace meant to infiltrate a European entity. The marketing campaign, which we uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon), showcases refreshed ways, methods, and procedures (TTPs) that we noticed all through 2024: the introduction of latest instruments (equivalent to a personalized AsyncRAT), the resurrection of ANEL, and a fancy execution chain.

On this blogpost, we current particulars of the Operation AkaiRyū assaults and findings from our investigation of the diplomatic institute case, together with information from our forensic evaluation. ESET Analysis introduced the outcomes of this evaluation on the Joint Safety Analyst Convention (JSAC) in January 2025.

Key factors of this blogpost:

• MirrorFace has refreshed its TTPs and tooling.
• MirrorFace has began utilizing ANEL, a backdoor beforehand related solely with APT10.
• MirrorFace has began deploying a closely personalized variant of AsyncRAT, utilizing a fancy execution chain to run it inside Home windows Sandbox.
• To our data, MirrorFace focused a European entity for the primary time.
• We collaborated with the affected Central European diplomatic institute and carried out a forensic investigation.
• The findings obtained throughout that investigation have supplied us with higher perception into MirrorFace’s post-compromise actions.

MirrorFace profile

MirrorFace, also referred to as Earth Kasha, is a China-aligned risk actor till now nearly solely focusing on corporations and organizations in Japan but additionally some positioned elsewhere which have relationships with Japan. As defined on this blogpost, we now contemplate MirrorFace to be a subgroup underneath the APT10 umbrella. MirrorFace has been energetic since no less than 2019 and has been reported to focus on media, defense-related corporations, suppose tanks, diplomatic organizations, monetary establishments, tutorial establishments, and producers. In 2022, we found a MirrorFace spearphishing marketing campaign focusing on Japanese political entities.

MirrorFace focuses on espionage and exfiltration of recordsdata of curiosity; it’s the solely group identified to make use of the LODEINFO and HiddenFace backdoors. Within the 2024 actions analyzed on this blogpost, MirrorFace began utilizing APT10’s former signature backdoor, ANEL, in its operations as nicely.

Overview

Very like earlier MirrorFace assaults, Operation AkaiRyū started with fastidiously crafted spearphishing emails designed to entice recipients to open malicious attachments. Our findings counsel that regardless of this group’s foray past the borders of its regular looking floor, the risk actor nonetheless maintains a powerful deal with Japan and occasions tied to the nation. Nonetheless, this isn’t the primary time MirrorFace has been reported to function exterior of Japan: Development Micro and the Vietnamese Nationwide Cyber Safety Middle (doc in Vietnamese) reported on such circumstances in Taiwan, India, and Vietnam.

ANEL’s comeback

Throughout our evaluation of Operation AkaiRyū, we found that MirrorFace has considerably refreshed its TTPs and tooling. MirrorFace began utilizing ANEL (additionally known as UPPERCUT) – a backdoor thought-about unique to APT10 – which is stunning, because it was believed that ANEL was deserted across the finish of 2018 or the beginning of 2019 and that LODEINFO succeeded it, showing later in 2019. The small distinction in model numbers between 2018 and 2024 ANELs, 5.5.0 and 5.5.4, and the truth that APT10 used to replace ANEL each few months, strongly counsel that the event of ANEL has restarted.

The usage of ANEL additionally supplies additional proof within the ongoing debate concerning the potential connection between MirrorFace and APT10. The truth that MirrorFace has began utilizing ANEL, and the opposite beforehand identified data, equivalent to comparable focusing on and malware code similarities, led us to make a change in our attribution: we now consider that MirrorFace is a subgroup underneath the APT10 umbrella. This attribution change aligns our considering with different researchers who already contemplate MirrorFace to be part of APT10, equivalent to these at Macnica (report in Japanese), Kaspersky, ITOCHU Cyber & Intelligence Inc., and Cybereason. Others, as at Development Micro, as of now nonetheless contemplate MirrorFace to be solely probably associated to APT10.

First use of AsyncRAT and Visible Studio Code by MirrorFace

In 2024, MirrorFace additionally deployed a closely personalized variant of AsyncRAT, embedding this malware right into a newly noticed, intricate execution chain that runs the RAT inside Home windows Sandbox. This technique successfully obscures the malicious actions from safety controls and hamstrings efforts to detect the compromise.

In parallel to the malware, MirrorFace additionally began deploying Visible Studio Code (VS Code) to abuse its distant tunnels characteristic. Distant tunnels allow MirrorFace to ascertain stealthy entry to the compromised machine, execute arbitrary code, and ship different instruments. MirrorFace is just not the one APT group abusing VS Code: Tropic Trooper and Mustang Panda have additionally been reported utilizing it of their assaults.

Moreover, MirrorFace continued to make use of its present flagship backdoor, HiddenFace, additional bolstering persistence on compromised machines. Whereas ANEL is utilized by MirrorFace because the first-line backdoor, proper after the goal has been compromised, HiddenFace is deployed within the later levels of the assault. It’s also value noting that in 2024 we didn’t observe any use of LODEINFO, one other backdoor used solely by MirrorFace.

Forensic evaluation of the compromise

We contacted the affected institute to tell them concerning the assault and to scrub up the compromise as quickly as attainable. The institute collaborated intently with us throughout and after the assault, and moreover supplied us with the disk photos from the compromised machines. This enabled us to carry out forensic analyses on these photos and uncover additional MirrorFace exercise.

ESET Analysis supplied extra technical particulars about ANEL’s return to ESET Menace Intelligence prospects on September 4^th, 2024. Development Micro printed their findings on then-recent MirrorFace actions on October 21^st, 2024 in Japanese and on November 26^th, 2024 in English: these overlap with Operation AkaiRyū and likewise point out the return of the ANEL backdoor. Moreover, in January 2025, the Japanese Nationwide Police Company (NPA) printed a warning about MirrorFace actions to organizations, companies, and people in Japan. Operation AkaiRyū corresponds with Marketing campaign C, as talked about within the Japanese model of NPA’s warning. Nonetheless, NPA mentions the focusing on of Japanese entities solely – people and organizations primarily associated to academia, suppose tanks, politics, and the media.

Along with Development Micro’s report and NPA’s warning, we offer an unique evaluation of MirrorFace post-compromise actions, which we have been capable of observe due to the shut cooperation of the affected group. This consists of the deployment of a closely personalized AsyncRAT, abuse of VS Code distant tunnels, and particulars on the execution chain that runs malware inside Home windows Sandbox to keep away from detection and conceal the carried out actions.

On this blogpost, we cowl two distinct circumstances: a Central European diplomatic institute and a Japanese analysis institute. Regardless that MirrorFace’s total method is identical in each circumstances, there are notable variations within the preliminary entry course of; therefore we describe them each.

Technical evaluation

Between June and September 2024, we noticed MirrorFace conducting a number of spearphishing campaigns. Primarily based on our information, the attackers primarily gained preliminary entry by tricking targets into opening malicious attachments or hyperlinks, then they leveraged official purposes and instruments to stealthily set up their malware.

Preliminary entry

We weren’t capable of decide the preliminary assault vector for all of the circumstances noticed in 2024. Nonetheless, based mostly on the information out there to us, we assume that spearphishing was the one assault vector utilized by MirrorFace. The group impersonates trusted organizations or people to persuade recipients to open paperwork or click on hyperlinks. The next findings on preliminary entry align with these within the Development Micro article, though they aren’t totally the identical.

Particularly, in Operation AkaiRyū, MirrorFace abused each McAfee-developed purposes and likewise one developed by JustSystems to run ANEL. Whereas Development Micro reported Home windows Administration Instrumentation (WMI) and explorer.exe because the execution proxy pair for ANEL, we unearthed one other pair: WMI and wlrmdr.exe (Home windows logon reminder). We additionally present an e-mail dialog between a disguised MirrorFace operator and a goal.

Case 1: Japanese analysis institute

On June 20^th, 2024, MirrorFace focused two staff of a Japanese analysis institute, utilizing a malicious, password-protected Phrase doc delivered in an unknown method.

The paperwork triggered VBA code on a easy mouseover occasion – the malicious code was triggered by shifting the mouse over textual content containers positioned within the doc. It then abused a signed McAfee executable to load ANEL (model 5.5.4) into reminiscence. The compromise chain is depicted in Determine 1.

Case 2: Central European diplomatic institute

MirrorFace operators arrange their spearphishing assault by crafting an e-mail message (proven in Determine 2) that references a earlier, official interplay between the institute and a Japanese NGO. The official interplay was most likely obtained from a earlier marketing campaign. As will be seen, this spearphishing arrange message refers back to the upcoming Expo 2025 exhibition, an occasion that will likely be held in Japan.

This primary e-mail was innocent, however as soon as the goal responded, MirrorFace operators despatched an e-mail message with a malicious OneDrive hyperlink resulting in a ZIP archive with a LNK file disguised as a Phrase doc named The EXPO Exhibition in Japan in 2025.docx.lnk. This second message is proven in Determine 3. Utilizing this method, MirrorFace hid the payload till the goal was engaged within the spearphishing scheme.

As soon as opened, the LNK file launches a fancy compromise chain, depicted in Determine 4 and Determine 5.

The LNK file runs cmd.exe with a set of PowerShell instructions to drop extra recordsdata, together with a malicious Phrase file, tmp.docx, which masses a malicious Phrase template, normal_.dotm, containing VBA code. The contents of the Phrase doc tmp.docx are depicted in Determine 6, and doubtless are meant to behave as a decoy, whereas malicious actions are operating within the background.

The VBA code extracts a legitimately signed software from JustSystems Company to side-load and decrypt the ANEL backdoor (model 5.5.5). This gave MirrorFace a foothold to start post-compromise operations.

Toolset

In Operation AkaiRyū, MirrorFace relied not solely on its customized malware, but additionally on varied instruments and a personalized variant of a publicly out there distant entry trojan (RAT).

ANEL

ANEL (also referred to as UPPERCUT) is a backdoor that was beforehand related solely with APT10. In 2024, MirrorFace began utilizing ANEL as its first-line backdoor. ANEL’s improvement, till 2018, was described most not too long ago in Secureworks’ JSAC 2019 presentation. The ANEL variants noticed in 2024 have been publicly described by Development Micro.

ANEL is a backdoor, solely discovered on disk in an encrypted kind, and whose decrypted DLL kind is just ever present in reminiscence as soon as a loader has decrypted it in preparation for execution. ANEL communicates with its C&C server over HTTP, the place the transmitted information is encrypted to guard it in case the communication is being captured. ANEL helps fundamental instructions for file manipulation, payload execution, and taking a screenshot.

ANELLDR

ANELLDR is a loader solely used to decrypt the ANEL backdoor and run it in reminiscence. Development Micro described ANELLDR of their article.

HiddenFace

HiddenFace is MirrorFace’s present flagship backdoor, with a heavy deal with modularity; we described it intimately on this JSAC 2024 presentation.

FaceXInjector

FaceXInjector is a C# injection device saved in an XML file, compiled and executed by the Microsoft MSBuild utility, and used to solely execute HiddenFace. We described FaceXInjector in the identical JSAC 2024 presentation devoted to HiddenFace.

AsyncRAT

AsyncRAT is a RAT publicly out there on GitHub. In 2024, we detected that MirrorFace began utilizing a closely personalized AsyncRAT within the later levels of its assaults. The group ensures AsyncRAT’s persistence by registering a scheduled activity that executes at machine startup; as soon as triggered, a fancy chain (depicted in Determine 7) launches AsyncRAT inside Home windows Sandbox, which should be manually enabled and requires a reboot. We have been unable to find out how MirrorFace allows this characteristic.

The next recordsdata are delivered to the compromised machine with a view to efficiently execute AsyncRAT:

• 7z.exe – official 7-Zip executable.
• 7z.dll – official 7-Zip library.
• .7z – password-protected 7z archive containing AsyncRAT, named setup.exe.
• .bat – batch script that unpacks AsyncRAT and runs it.
• .wsb – Home windows Sandbox configuration file to run .bat.

The triggered scheduled activity executes Home windows Sandbox with .wsb as a parameter. This file incorporates configuration information for the sandbox; see Determine 8.

Specifically, the config file defines whether or not to allow networking and listing mapping, the devoted reminiscence measurement, and the command to execute on launch. Within the file proven in Determine 8, a batch file positioned within the sandbox folder is executed. The batch file extracts AsyncRAT from the 7z archive, then creates and launches a scheduled activity that executes AsyncRAT each hour.

The AsyncRAT variant utilized by MirrorFace is closely personalized. The next are the primary options and modifications launched by MirrorFace:

• Pattern tagging – AsyncRAT will be compiled for a particular sufferer and MirrorFace can add a tag to the configuration to mark the pattern. If the tag is just not specified, the machine’s NetBIOS title is used because the tag. This tag is additional utilized in different launched options as nicely.
• Connection to a C&C server through Tor – MirrorFace’s AsyncRAT can obtain and begin a Tor consumer, and proxy its communication with a C&C server by the consumer. AsyncRAT selects this feature provided that the hardcoded C&C domains finish with .onion. This method was chosen in each samples we noticed in the course of the investigation of Case 2: Central European diplomatic institute.
• Area era algorithm (DGA) – A substitute for utilizing Tor, this variant can use a DGA to generate a C&C area. The DGA may also generate machine-specific domains utilizing the aforementioned tag. Observe that HiddenFace additionally makes use of a DGA with the potential of producing machine-specific domains, though the DGA utilized in HiddenFace differs from the AsyncRAT one.
• Working time – Earlier than connecting to a C&C server, AsyncRAT checks whether or not the present hour and day of the week are inside working hours and days outlined within the configuration. Observe that MirrorFace’s AsyncRAT shares this characteristic with HiddenFace as nicely.

Visible Studio Code distant tunnels

Visible Studio Code is a free source-code editor developed by Microsoft. Visible Studio Code’s distant improvement characteristic, distant tunnels, permits builders to run Visible Studio Code domestically and hook up with a improvement machine that hosts the supply code and debugging setting. Menace actors can misuse this to realize distant entry, execute code, and ship instruments to a compromised machine. MirrorFace has been doing so since 2024; nevertheless, it isn’t the one APT group that has used such distant tunnels: different China-aligned APT teams equivalent to Tropic Trooper and Mustang Panda have additionally used them of their assaults.

Submit-compromise actions

Our investigation into Case 2: Central European diplomatic institute uncovered a few of MirrorFace’s post-compromise actions. By way of shut collaboration with the institute, we gained higher perception into the malware and instruments deployed by MirrorFace, as seen in Desk 1.

Observe that the malware and instruments are ordered within the desk for simpler comparability of what was deployed on every of the 2 recognized compromised machines however doesn’t replicate how they have been deployed chronologically.

Desk 1. Malware and instruments deployed by MirrorFace all through the assault

The group selectively deployed post-compromise instruments based on its targets and the goal’s setting. Machine A belonged to a undertaking coordinator and Machine B to an IT worker. The info out there to us means that MirrorFace stole private information from Machine A and sought deeper community entry on Machine B, aligning the assumed targets with the staff’ roles.

Day 0 – August 27^th, 2024

MirrorFace operators despatched an e-mail with a malicious hyperlink on August 26^th, 2024 to the institute’s CEO. Nonetheless, for the reason that CEO didn’t have entry to a machine operating Home windows, the CEO forwarded the e-mail to 2 different staff. Each opened the dangerous LNK file, The EXPO Exhibition in Japan in 2025.docx.lnk, the following day, compromising two institute machines and resulting in the deployment of ANEL. Thus, we contemplate August 27^th, 2024, as Day 0 of the compromise. No extra exercise was noticed past this foothold institution.

Day 1 – August 28^th, 2024

The following day, MirrorFace returned and continued with its actions. The group deployed a number of instruments for entry, management, and file supply on each compromised machines. Among the many instruments deployed have been PuTTY, VS Code, and HiddenFace – MirrorFace’s present flagship backdoor. On Machine A, MirrorFace additionally tried to deploy the device Hidden Begin. On Machine B, the actor moreover deployed csvde and the personalized variant of AsyncRAT.

Day 2 – August 29^th, 2024

On Day 2, MirrorFace was energetic on each machines. This included deploying extra instruments. On Machine A, MirrorFace deployed a second occasion of HiddenFace. On Machine B, VS Code’s distant tunnel, HiddenFace, and AsyncRAT have been executed. Moreover these, MirrorFace additionally deployed and executed frp and Rubeus through HiddenFace. That is the final day on which we noticed any MirrorFace exercise on Machine B.

Day 3 – August 30^th, 2024

MirrorFace remained energetic solely on Machine A. The institute, having began assault mitigation measures on August 29^th, 2024, might need prevented additional MirrorFace exercise on Machine B. On Machine A, the group deployed AsyncRAT and tried to keep up persistence by registering a scheduled activity.

Day 6 – September 2^nd, 2024

Over the weekend, i.e., on August 31^st and September 1^st, 2024, Machine A was inactive. On Monday, September 2^nd, 2024, Machine A was booted and with it MirrorFace’s exercise resumed as nicely. The primary occasion of Day 6 was that the group exported Google Chrome’s internet information equivalent to contact data, key phrases, autofill information, and saved bank card data right into a SQLite database file. We have been unable to find out how MirrorFace exported the information, and whether or not or how the information was exfiltrated.

Conclusion

In 2024, MirrorFace refreshed its TTPs and tooling. It began utilizing ANEL – believed to have been deserted round 2018/2019 – as its first-line backdoor. Mixed with different data, we conclude that MirrorFace is a subgroup underneath the APT10 umbrella. Moreover ANEL, MirrorFace has additionally began utilizing different instruments equivalent to a closely personalized AsyncRAT, Home windows Sandbox, and VS Code distant tunnels.

As part of Operation AkaiRyū, MirrorFace focused a Central European diplomatic institute – to one of the best of our data, that is the primary time the group has attacked an entity in Europe – utilizing the identical refreshed TTPs seen throughout its 2024 campaigns. Throughout this assault, the risk actor used the upcoming World Expo 2025 – to be held in Osaka, Japan – as a lure. This reveals that even contemplating this new broader geographic focusing on, MirrorFace stays targeted on Japan and occasions associated to it.

Our shut collaboration with the affected group supplied a uncommon, in-depth view of post-compromise actions that may have in any other case gone unseen. Nonetheless, there are nonetheless a whole lot of lacking items of the puzzle to attract a whole image of the actions. One of many causes is MirrorFace’s improved operational safety, which has turn into extra thorough and hinders incident investigations by deleting the delivered instruments and recordsdata, clearing Home windows occasion logs, and operating malware in Home windows Sandbox.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Analysis presents personal APT intelligence studies and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

A complete checklist of indicators of compromise (IoCs) and samples will be present in our GitHub repository.

Information

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 16 of the MITRE ATT&CK framework.