Full Report
Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor known as ANEL. The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to Word Expo, which is scheduled to kick off in
Analysis Summary
# Threat Actor: MirrorFace
## Attribution & Identity
MirrorFace is a China-aligned threat actor, active since at least 2019. It is assessed to be a subgroup operating under the **APT10** umbrella.
Known Aliases: **Earth Kasha**.
## Activity Summary
MirrorFace was recently observed conducting **Operation AkaiRyū** (Japanese for RedDragon), first detected in late August 2024. This operation targeted a **diplomatic organization in the European Union**. The attack utilized spear-phishing lures related to the upcoming Word Expo in Osaka, Japan. This signifies a departure from the group's previously known exclusive targeting of Japanese entities. The operation overlaps with Campaign C, documented by Japan's NPA and NCSC earlier in January 2025.
## Tactics, Techniques & Procedures
- **Delivery/Initial Access:** Spear-phishing emails delivering booby-trapped documents or links.
- **Execution:** Use of a loader component named **ANELLDR** deployed via DLL side-loading to decrypt and load the ANEL backdoor.
- **Persistence/C2:** Deployment of the **ANEL (UPPERCUT)** backdoor and heavily customized **AsyncRAT**.
- **Lateral Movement/Remote Access:** Use of **Visual Studio Code Remote Tunnels** for establishing stealthy access.
- **Custom Backdoor Use:** Deployment of the modular backdoor **HiddenFace (NOOPDOOR)**, which appears exclusive to MirrorFace.
- **Tool Shifting:** Switched deployment from the previously used **LODEINFO** malware to ANEL for current operations.
- **Operational Security:** Noted improvements in operational security (OpSec).
## Targeting
- Sectors: Diplomatic organizations.
- Geography: A Central European diplomatic institute (notable shift from typical Japan focus).
- Victims: A diplomatic organization in the European Union.
## Tools & Infrastructure
- **Malware families used:**
- **ANEL (UPPERCUT):** A backdoor previously linked to APT10, returned in use after being discontinued circa late 2018/early 2019.
- **AsyncRAT:** Heavily customized variant deployed.
- **HiddenFace (NOOPDOOR):** A modular backdoor used exclusively by MirrorFace.
- **ANELLDR:** Loader component utilized for dropping ANEL via DLL side-loading.
- **Infrastructure:** Use of **Visual Studio Code Remote Tunnels** for C2/remote access. (No specific C2 domains/IPs were provided in the context).
## Implications
MirrorFace demonstrates adaptive behavior by expanding its geographic targeting beyond Japan into European diplomatic sectors. The return of the ANEL backdoor, alongside the adoption of modern techniques like VS Code Remote Tunnels, suggests ongoing development and operational maturity, potentially linked to broader APT10 objectives targeting sensitive government communications and intelligence.
## Mitigations
- Enhanced scrutiny of spear-phishing attempts, particularly those using timely lures (e.g., international events like the World Expo).
- Implement robust network monitoring for unusual remote access patterns indicative of developer tools being used internally, specifically looking for traffic associated with **Visual Studio Code Remote Tunnels**.
- Review defenses against **DLL side-loading** techniques utilized by the ANELLDR loader.
- Ensure antivirus/EDR solutions are updated to detect custom variants of **AsyncRAT** and known APT10/MirrorFace specific malware families (ANEL, HiddenFace).