MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor

In August 2024, ESET researchers detected cyberespionage activity carried out by the China-aligned MirrorFace advanced persistent threat (APT) group against a Central European diplomatic institute in relation to Expo 2025, which will be held in Osaka, Japan.

MirrorFace is known primarily for its cyberespionage activities against organizations in Japan; to the best of our knowledge, this is the first time the group has attempted to infiltrate a European entity. The campaign, which we uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon), showcases refreshed tactics, techniques, and procedures (TTPs) that we observed throughout 2024: the introduction of new tools (such as a customized AsyncRAT), the resurrection of ANEL, and a complex execution chain.

In this blogpost, we present details of the Operation AkaiRyū attacks and findings from our investigation of the diplomatic institute case, including data from our forensic analysis. ESET Research presented the results of this analysis at the Joint Security Analyst Conference (JSAC) in January 2025.

Key points of this blogpost:

  • MirrorFace has refreshed its TTPs and tooling.
  • MirrorFace has started using ANEL, a backdoor previously associated exclusively with APT10.
  • MirrorFace has started deploying a heavily customized variant of AsyncRAT, using a complex execution chain to run it inside Windows Sandbox.
  • To our knowledge, MirrorFace targeted a European entity for the first time.
  • We collaborated with the affected Central European diplomatic institute and performed a forensic investigation.
  • The findings obtained during that investigation have provided us with better insight into MirrorFace’s post-compromise activities.

MirrorFace profile

MirrorFace, also known as Earth Kasha, is a China-aligned threat actor that until now has almost exclusively targeted companies and organizations in Japan, along with some located elsewhere that have relationships with Japan. As explained in this blogpost, we now consider MirrorFace to be a subgroup under the APT10 umbrella. MirrorFace has been active since at least 2019 and has been reported to target media, defense-related companies, think tanks, diplomatic organizations, financial institutions, academic institutions, and manufacturers. In 2022, we discovered a MirrorFace spearphishing campaign targeting Japanese political entities.

MirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the LODEINFO and HiddenFace backdoors. In the 2024 activities analyzed in this blogpost, MirrorFace started using APT10’s former signature backdoor, ANEL, in its operations as well.

Overview

Much like previous MirrorFace attacks, Operation AkaiRyū began with carefully crafted spearphishing emails designed to entice recipients to open malicious attachments. Our findings suggest that despite this group’s foray beyond the borders of its usual hunting ground, the threat actor still maintains a strong focus on Japan and events tied to the country. However, this is not the first time MirrorFace has been reported to operate outside of Japan: Trend Micro and the Vietnamese National Cyber Security Center (document in Vietnamese) reported on such cases in Taiwan, India, and Vietnam.

ANEL’s comeback

During our analysis of Operation AkaiRyū, we discovered that MirrorFace has significantly refreshed its TTPs and tooling. MirrorFace started using ANEL (also referred to as UPPERCUT) – a backdoor considered exclusive to APT10 – which is surprising, as it was believed that ANEL was abandoned around the end of 2018 or the start of 2019 and that LODEINFO succeeded it, appearing later in 2019. The small difference in version numbers between 2018 and 2024 ANELs, 5.5.0 and 5.5.4, and the fact that APT10 used to update ANEL every few months, strongly suggest that the development of ANEL has restarted.

The use of ANEL also provides further evidence in the ongoing debate about the potential connection between MirrorFace and APT10. The fact that MirrorFace has started using ANEL, together with previously known information such as similar targeting and malware code similarities, led us to change our attribution: we now believe that MirrorFace is a subgroup under the APT10 umbrella. This attribution change aligns our thinking with other researchers who already consider MirrorFace to be a part of APT10, such as those at Macnica (report in Japanese), Kaspersky, ITOCHU Cyber & Intelligence Inc., and Cybereason. Others, such as Trend Micro, as of now still consider MirrorFace to be only potentially related to APT10.

First use of AsyncRAT and Visual Studio Code by MirrorFace

In 2024, MirrorFace also deployed a heavily customized variant of AsyncRAT, embedding this malware into a newly observed, intricate execution chain that runs the RAT inside Windows Sandbox. This method effectively obscures the malicious activities from security controls and hamstrings efforts to detect the compromise.

In parallel to the malware, MirrorFace also started deploying Visual Studio Code (VS Code) to abuse its remote tunnels feature. Remote tunnels enable MirrorFace to establish stealthy access to the compromised machine, execute arbitrary code, and deliver other tools. MirrorFace is not the only APT group abusing VS Code: Tropic Trooper and Mustang Panda have also been reported using it in their attacks.

Additionally, MirrorFace continued to employ its current flagship backdoor, HiddenFace, further bolstering persistence on compromised machines. While ANEL is used by MirrorFace as the first-line backdoor, right after the target has been compromised, HiddenFace is deployed in the later stages of the attack. It is also worth noting that in 2024 we didn’t observe any use of LODEINFO, another backdoor used exclusively by MirrorFace.

Forensic analysis of the compromise

We contacted the affected institute to inform them about the attack and to clean up the compromise as soon as possible. The institute collaborated closely with us during and after the attack, and additionally provided us with the disk images from the compromised machines. This enabled us to perform forensic analyses on those images and uncover further MirrorFace activity.

ESET Research provided more technical details about ANEL’s return to ESET Threat Intelligence customers on September 4th, 2024.

Trend Micro released their findings on the recent MirrorFace activities on October 21st, 2024 in Japanese and on November 26th, 2024 in English. These activities overlapped with Operation AkaiRyū and marked the return of the ANEL backdoor. The Japanese National Police Agency (NPA) issued a warning in January 2025 about MirrorFace activities targeting organizations, businesses, and individuals in Japan, focusing on entities related to academia, think tanks, politics, and the media.

In addition to the reports from Trend Micro and NPA, we provide an exclusive analysis of MirrorFace’s post-compromise activities, made possible by collaboration with the affected organization. This analysis revealed the deployment of a customized AsyncRAT, abuse of VS Code remote tunnels, and details on running malware within Windows Sandbox to evade detection.

Two cases were covered in the analysis: a Central European diplomatic institute and a Japanese research institute. While MirrorFace’s approach was similar in both cases, there were differences in the initial access process, which were detailed in the report.

Between June and September 2024, MirrorFace conducted spearphishing campaigns to gain initial access by tricking targets into opening malicious attachments or links, then stealthily installing their malware using legitimate applications and tools.

Specifically, in Operation AkaiRyū, MirrorFace used McAfee and JustSystems applications to run the ANEL backdoor. The attack vectors and compromise chains observed in the two cases were described in detail, showcasing the different methods used by MirrorFace in targeting the Japanese research institute and the Central European diplomatic institute.

The toolset used by MirrorFace in Operation AkaiRyū included custom malware, various tools, and a customized variant of a publicly available remote access trojan (RAT). The ANEL backdoor, previously associated with APT10, was also utilized by MirrorFace in these activities. In 2024, MirrorFace began using ANEL as its primary backdoor; its development history up to 2018 is detailed in Secureworks’ JSAC 2019 presentation, and the ANEL variants observed in 2024 were publicly disclosed by Trend Micro.

ANEL is a backdoor that is only found on disk in encrypted form; its decrypted DLL exists only in memory, after a loader decrypts it in preparation for execution. It communicates with its C&C server over HTTP and encrypts the transmitted data. ANEL supports basic commands for file manipulation, payload execution, and taking screenshots.

ANELLDR is a loader used exclusively to decrypt the ANEL backdoor and run it in memory, as described by Trend Micro.

HiddenFace is MirrorFace’s flagship backdoor, known for its modularity, detailed in the JSAC 2024 presentation.

FaceXInjector is a C# injection tool executed by the MSBuild utility to run HiddenFace, also discussed in the JSAC 2024 presentation.

AsyncRAT is a RAT available on GitHub, customized by MirrorFace for its attacks in 2024. It ensures persistence by launching in Windows Sandbox through a complex chain of events, as depicted in Figure 7.

MirrorFace’s use of Visual Studio Code remote tunnels allows them to gain remote access and execute code on compromised machines. Other APT groups like Tropic Trooper and Mustang Panda have also utilized this method in their attacks.

Post-compromise activities by MirrorFace, particularly in the case of the Central European diplomatic institute, revealed the deployment of various malware and tools, summarized in Table 1 (malware and tools used by MirrorFace during the attack):

– ANEL: APT10’s backdoor used as a primary backdoor by MirrorFace.
– PuTTY: An open-source terminal emulator, serial console, and network file transfer application.
– VS Code: A code editor developed by Microsoft.
– HiddenFace: MirrorFace’s main backdoor.
– Second HiddenFace variant: Another version of MirrorFace’s flagship backdoor.
– AsyncRAT: Remote Access Tool available on GitHub.
– Hidden Start: Tool used to bypass UAC, hide Windows consoles, and run programs in the background.
– csvde: Legitimate Microsoft tool for data import/export on Windows servers.
– Rubeus: Toolset for Kerberos interaction and abuse available on GitHub.
– frp: Fast reverse proxy tool available on GitHub.
– Unknown tool (disguised as oneuu.exe): Tool that could not be recovered during analysis.
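As an added example (not ESET’s code and not anything recovered from the incident), the rules below map the tooling listed above to process-creation heuristics and run them over constructed events; the rule names, sample hostnames and paths, and the Hidden Start switch names are assumptions.

```python
"""Heuristic process-creation rules for the MirrorFace tooling named in this article.
Added example; the events below are constructed, not telemetry from the incident."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str    # full path of the created process
    cmdline: str

# Each rule receives the lowercased image path and command line and returns True on a hit.
RULES = [
    # VS Code remote tunnels are started with the "tunnel" subcommand of code.exe.
    ("vscode_remote_tunnel",
     lambda img, cmd: img.endswith("\\code.exe") and re.search(r"\btunnel\b", cmd) is not None),
    # Windows Sandbox is launched with a .wsb configuration; AsyncRAT was run inside it.
    ("windows_sandbox_launch",
     lambda img, cmd: img.endswith("\\windowssandbox.exe") and ".wsb" in cmd),
    # FaceXInjector is executed by MSBuild; a project file under a user-writable path is the heuristic.
    ("msbuild_user_writable_project",
     lambda img, cmd: img.endswith("\\msbuild.exe")
     and re.search(r"\\users\\|\\programdata\\|\\temp\\", cmd) is not None),
    # Hidden Start: image name, or its /NOCONSOLE and /NOUAC switches (assumed switch names).
    ("hidden_start",
     lambda img, cmd: "hstart" in img or re.search(r"/noconsole|/nouac", cmd) is not None),
    # Rubeus: image name, or its well-known action keywords on the command line.
    ("rubeus",
     lambda img, cmd: "rubeus" in img or re.search(r"\b(kerberoast|asktgt|s4u)\b", cmd) is not None),
]

def evaluate(events):
    """Return (host, rule) pairs for every rule that fires, in event order."""
    hits = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline.lower()
        hits.extend((ev.host, name) for name, pred in RULES if pred(img, cmd))
    return hits

# Constructed sample events; hostnames and paths are placeholders, not indicators from the case.
SAMPLE_EVENTS = [
    ProcEvent("machine-a", r"C:\Users\u1\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r'"Code.exe" tunnel --accept-server-license-terms'),
    ProcEvent("machine-a", r"C:\Windows\System32\WindowsSandbox.exe",
              r"WindowsSandbox.exe C:\Users\u1\AppData\Local\Temp\run.wsb"),
    ProcEvent("machine-b", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\ProgramData\build.xml"),
    # Same VS Code binary in an ordinary editing session: no tunnel subcommand, so no hit.
    ProcEvent("machine-b", r"C:\Program Files\Microsoft VS Code\Code.exe", r'"Code.exe" C:\proj'),
]
```

These are hunting starting points rather than signatures: the unrecovered tool disguised as oneuu.exe shows the limit, since a binary known only by file name offers nothing for behaviour-based rules to match.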

MirrorFace deployed these tools selectively on Machine A and Machine B during the attack, based on its objectives and the target’s environment. The attack began on August 27th, 2024, with the compromise of two institute machines through a malicious email link. The group continued its activities over the next few days, deploying additional tools and maintaining persistence on the compromised machines. Despite the institute’s efforts to mitigate the attack, MirrorFace was able to extract sensitive data from Machine A and attempted to gain deeper network access from Machine B. The attack showcased MirrorFace’s updated tactics and tools, indicating a shift in its operational strategy.