China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation


Mar 18, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor referred to as ANEL.

The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to World Expo, which is scheduled to kick off in Osaka, Japan, next month.

The activity has been codenamed Operation AkaiRyū (Japanese for RedDragon). Active since at least 2019, MirrorFace is also known as Earth Kasha. It is assessed to be a subgroup within the APT10 umbrella.


While known for its exclusive targeting of Japanese entities, the threat actor's attack on a European organization marks a departure from its typical victimology footprint.

That's not all. The intrusion is also notable for deploying a heavily customized variant of AsyncRAT and ANEL (aka UPPERCUT), a backdoor previously linked to APT10.

The use of ANEL is significant not only because it highlights a shift from LODEINFO but also because it marks the return of the backdoor after it was discontinued sometime in late 2018 or early 2019.

"Unfortunately, we're not aware of any particular reason for MirrorFace to switch from using LODEINFO to ANEL," ESET told The Hacker News. "However, we did not observe LODEINFO being used throughout the whole of 2024 and so far, we haven't seen it being used in 2025 as well. Therefore it seems, MirrorFace switched to ANEL and abandoned LODEINFO for now."

ANEL and AsyncRAT

The Slovakian cybersecurity company also noted that Operation AkaiRyū overlaps with Campaign C, which was documented by Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) earlier this January.

Other major changes include the use of a modified version of AsyncRAT and Visual Studio Code Remote Tunnels to establish stealthy access to the compromised machines, the latter of which has become a tactic increasingly favored by several Chinese hacking groups.


The attack chains involve using spear-phishing lures to persuade recipients into opening booby-trapped documents or links that launch a loader component named ANELLDR via DLL side-loading, which then decrypts and loads ANEL. Also dropped is a modular backdoor named HiddenFace (aka NOOPDOOR) that is exclusively used by MirrorFace.

"However, there are still a lot of missing pieces of the puzzle to draw a complete picture of the activities," ESET said. "One of the reasons is MirrorFace's improved operational security, which has become more thorough and hinders incident investigations by deleting the delivered tools and files, clearing Windows event logs, and running malware in Windows Sandbox."
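The three stealth behaviours the article attributes to MirrorFace (clearing Windows event logs, running payloads inside Windows Sandbox, and using Visual Studio Code Remote Tunnels for access) all leave host-side traces that a defender can hunt for. The script below is an added example written for this page; it is not ESET's tooling and not code from the campaign. It triages a list of constructed, flattened Windows Security / Sysmon records and flags Security event 1102 and System event 104 (the two events Windows writes when a log is cleared), process creation of WindowsSandbox.exe, and the VS Code CLI started with its `tunnel` subcommand. The binary names in `VSCODE_IMAGES` are assumptions to adjust for your own environment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample telemetry (not real logs from the campaign). Records use a
# flattened Sysmon / Windows Security layout as a SIEM might export it.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01",
     "SubjectUserName": "alice"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "CommandLine": r"WindowsSandbox.exe C:\Users\alice\AppData\Local\Temp\profile.wsb"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "CommandLine": r'"code.exe" tunnel'},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# Assumed binary names for the VS Code CLI; adjust to match your estate.
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe", "code"}


@dataclass(frozen=True)
class Finding:
    computer: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_log_cleared(ev: dict) -> Optional[Finding]:
    """Security 1102 ('The audit log was cleared') and System 104 ('The <name>
    log file was cleared') are written by Windows when a log is cleared and
    survive the clear itself, so they are the anchor for this hunt."""
    chan, eid = ev.get("Channel"), ev.get("EventID")
    if chan == "Security" and eid == 1102:
        who = ev.get("SubjectUserName", "unknown")
        return Finding(ev["Computer"], "event_log_cleared", f"Security log cleared by {who}")
    if chan == "System" and eid == 104:
        return Finding(ev["Computer"], "event_log_cleared", "an event log file was cleared")
    return None


def check_sandbox_launch(ev: dict) -> Optional[Finding]:
    """Sysmon 1 process creation of WindowsSandbox.exe. Whatever runs inside
    the sandbox is discarded when it exits, so the host-side launch is often
    the only artefact left; review it on endpoints with no business use."""
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "windowssandbox.exe":
        return Finding(ev["Computer"], "windows_sandbox_launch", ev.get("CommandLine", ""))
    return None


def check_vscode_tunnel(ev: dict) -> Optional[Finding]:
    """Sysmon 1 where the VS Code CLI is started with the 'tunnel' subcommand,
    which opens an outbound remote-access channel through Microsoft's service."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in VSCODE_IMAGES:
        return None
    if re.search(r"(^|\s)tunnel(\s|$)", ev.get("CommandLine", ""), re.IGNORECASE):
        return Finding(ev["Computer"], "vscode_tunnel", ev.get("CommandLine", ""))
    return None


CHECKS = (check_log_cleared, check_sandbox_launch, check_vscode_tunnel)


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run every check over every record and collect the hits in input order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.computer:6} {f.rule:24} {f.detail}")
```

On the sample data this reports three findings, all on WS01, and nothing for the ordinary notepad launch on WS02. In practice the log-cleared rule is the highest-value one, since a cleared log is rarely benign on a workstation; the sandbox and tunnel rules need an allow-list for hosts where those features are legitimately used.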
