#ESETresearch noticed two #MirrorFace Excel documents, known as #ROAMINGMOUSE, were uploaded to VirusTotal from #Taiwan in March 2025. The documents contain a malicious VBA macro that deploys #ANEL backdoor on the compromised machine. @dbreitenbacher
The contents of the documents are written in traditional Chinese and the date used follows the Republic of China calendar. Based on this data and other information available to ESET, we assess with medium confidence that the target was a Taiwanese research institute.
Even though MirrorFace has been previously reported on targeting a Taiwanese entity, this is for the first time we don’t see any relation to Japan.
Our investigation indicates that both documents were used to target the same institute. MirrorFace employed a call-to-action textbox, asking targets to press “Enable editing” and then “Enable content” buttons to show the data in the worksheet.
Using multiple different malicious documents to compromise the same entity is an approach that was also observed in 2024 in “Case 1: Japanese research institute” described in our blogpost https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/.
The overall compromise chain, leading to the execution of #ANEL to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html.
The overall compromise chain, leading to the execution of #ANEL to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html.
Besides the documents, a sample of #ANELLDR loader and a sample of #FaceXInjector were uploaded to VirusTotal from Taiwan around the same time as well.
IoCs

1BAC9E61C0D433964972BC91A5F38F31B85558C1 (ROAMINGMOUSE)
634D52E10E168A61C8201130F44925CC497C1251 (ROAMINGMOUSE)
E5F20192DB09EA033FEDD9CCEB782321EBB9C66E (FaceXInjector)
948CA0DAC99470775523809C1E7E60740B70C0FD (ANELLDR)
C&Cs:
64.176.34[.]120 (ANEL)
192.46.215[.]56 (ANEL)

Operation AkaiRyū Attacks Detection: China-Backed MirrorFace APT Targets Central European Diplomatic Institute Using ANEL Backdoor – Source: socprime.com https://ciso2ciso.com/operation-akairyu-attacks-detection-china-backed-mirrorface-apt-targets-central-european-diplomatic-institute-using-anel-backdoor-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Latestthreats #socprimecom #EarthKasha #MirrorFace #socprime #AkaiRyū #Malware #Blog #APT

Operation Roter Drache: Europas Diplomaten in Gefahr?
#Datenschutz #ITSicherheit #CyberSpionageinEuropa #CyberangriffaufDiplomaten #Malware #MirrorFace #SpearPhishing #WindowsSandboxExploit https://sc.tarnkappe.info/0159a8

ESET: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/

Reports on Operation Red Dragon (AkaiRyū) and concludes that the actor behind is a subgroup of APT10.

APT group MirrorFace targeted a Central European diplomatic institute in August 2024, marking the group's first known expansion to Europe. The campaign, named Operation AkaiRyū (Japanese for RedDragon), used the upcoming Expo 2025 in Osaka, Japan as a lure. MirrorFace has significantly refreshed its tactics, techniques, and procedures (TTPs), including the resurrection of ANEL (a backdoor previously associated exclusively with APT10), deployment of a customized AsyncRAT variant running inside Windows Sandbox, and abuse of Visual Studio Code remote tunnels. Based on these findings, ESET now considers MirrorFace to be a subgroup under the APT10 umbrella. The researchers collaborated with the affected institute to perform forensic analysis, providing unique insights into MirrorFace's post-compromise activities.

#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025 , persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued . Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor, #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence . Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: https://jsac.jpcert.or.jp.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/mirrorface

China-linked APT group MirrorFace targets Japan – Source: securityaffairs.com https://ciso2ciso.com/china-linked-apt-group-mirrorface-targets-japan-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #Intelligence #SecurityNews #hackingnews #MirrorFace #hacking #China #Japan #APT

National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed " #MirrorFace " hacking group. #CyberAttacks #CyberAlerts #Japan https://www.bleepingcomputer.com/news/security/mirrorface-hackers-targeting-japanese-govt-politicians-since-2019/

@screaminggoat "...determined that the MirrorFace attack campaign is an organized cyber attack suspected to be linked to China, with the primary objective of stealing information related to Japan's national security and advanced technology."

Shocked face ->

Japan Links Chinese Hacker MirrorFace to Dozens of Cyberattacks Targeting Security and Tech Data – Source: www.securityweek.com https://ciso2ciso.com/japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #securityweekcom #Cyberwarfare #securityweek #NationState #MirrorFace #China #Japan

Japan Links Chinese Hacker MirrorFace to Dozens of Cyberattacks Targeting Security and Tech Data https://www.securityweek.com/japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data/ #Cyberwarfare #Nation-State #MirrorFace #China #Japan

Japan Links Chinese Hacker MirrorFace to Dozens of Cyberattacks Targeting Security and Tech Data https://www.securityweek.com/japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data/ #Cyberwarfare #Nation-State #MirrorFace #China #Japan