Summary: Threat hunters have uncovered new details about a cyber espionage campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using the ANEL backdoor. The attack, detected by ESET in late August 2024, specifically focused on a Central European diplomatic institute, using lures themed around the upcoming World Expo in Osaka, Japan. This campaign, named Operation AkaiRyū (RedDragon), represents a significant shift for MirrorFace, also known as Earth Kasha, a subgroup of APT10, as the group has historically targeted Japanese entities rather than European organizations. The attack is notable for the use of a heavily customized AsyncRAT variant alongside ANEL (aka UPPERCUT), a backdoor previously linked to APT10 but believed to have been abandoned in 2018 or early 2019. This shift from LODEINFO to ANEL is significant, as LODEINFO has not been observed in use throughout 2024 or 2025. While the reasons behind this transition remain unclear, the switch suggests a strategic shift in MirrorFace’s tactics and toolset.
ESET’s investigation also found that Operation AkaiRyū overlaps with Campaign C, a previously documented cyber operation by Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) in January 2024. This further highlights the persistent nature of MirrorFace’s cyber activities. In addition to the modified AsyncRAT, the group leveraged Visual Studio Code Remote Tunnels to establish stealthy access to compromised systems, a method increasingly favored by Chinese threat actors to evade detection and maintain persistence.
Security Officer Comments: The attack chain primarily involved spear-phishing emails designed to trick recipients into opening booby-trapped documents or malicious links, which deployed a loader component called ANELLDR via DLL side-loading. ANELLDR then decrypted and loaded ANEL, enabling remote access. Additionally, the attackers deployed a modular backdoor named HiddenFace (aka NOOPDOOR), which is exclusively used by MirrorFace, further enhancing their ability to execute post-compromise activities. ESET also highlighted MirrorFace’s improved operational security, making investigation and attribution more difficult. The group systematically deleted delivered tools and files, cleared Windows event logs, and executed malware within Windows Sandbox to minimize forensic evidence.
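The tradecraft above (event-log clearing, malware executed inside Windows Sandbox, VS Code Remote Tunnels, DLL side-loading) is all visible in ordinary Windows host telemetry. The following is an added hunting example, not ESET's detection logic and not indicators from the report: it runs four simple rules over constructed, normalized log records. The event IDs and binary names come from public Windows and Sysmon documentation; the sample events, the DLL name list and the field layout are assumptions made for this example.

```python
"""
Toy threat hunt over constructed Windows telemetry for the techniques the
bulletin describes. Added example; every event below is constructed, and the
event IDs / binary names are taken from public documentation, not from the
ESET report.
"""
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Event IDs from public Windows / Sysmon documentation (assumption: the
# collector has already normalized records into source, event_id, fields).
SECURITY_AUDIT_LOG_CLEARED = 1102   # Security channel: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104            # System channel: an event log file was cleared
SYSMON_PROCESS_CREATE = 1
SYSMON_IMAGE_LOADED = 7

# Illustrative (constructed) set of DLL names that normally live under
# %SystemRoot%; a copy loaded from a user-writable folder next to its host
# executable is the classic side-loading shape.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS: List[Event] = [
    {"source": "Security", "event_id": 1102,
     "fields": {"SubjectUserName": "j.doe"}},
    {"source": "System", "event_id": 104,
     "fields": {"Channel": "Microsoft-Windows-PowerShell/Operational"}},
    {"source": "Sysmon", "event_id": 1,
     "fields": {"Image": r"C:\Users\j.doe\AppData\Local\Programs\Microsoft VS Code\code.exe",
                "CommandLine": "code.exe tunnel --accept-server-license-terms"}},
    {"source": "Sysmon", "event_id": 1,
     "fields": {"Image": r"C:\Windows\System32\WindowsSandbox.exe",
                "CommandLine": r"WindowsSandbox.exe C:\Users\j.doe\Downloads\expo.wsb"}},
    {"source": "Sysmon", "event_id": 7,
     "fields": {"Image": r"C:\Users\j.doe\Downloads\Expo2025\viewer.exe",
                "ImageLoaded": r"C:\Users\j.doe\Downloads\Expo2025\version.dll"}},
    # Benign baseline: same DLL name loaded from System32 by a system binary.
    {"source": "Sysmon", "event_id": 7,
     "fields": {"Image": r"C:\Windows\System32\notepad.exe",
                "ImageLoaded": r"C:\Windows\System32\version.dll"}},
    {"source": "Sysmon", "event_id": 1,
     "fields": {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"}},
]


def _is_sysmon(e: Event, event_id: int) -> bool:
    return e.get("source") == "Sysmon" and e.get("event_id") == event_id


def rule_log_cleared(e: Event) -> Optional[str]:
    """Anti-forensics: the Security audit log or another channel was cleared."""
    key = (e.get("source"), e.get("event_id"))
    if key in {("Security", SECURITY_AUDIT_LOG_CLEARED), ("System", SYSTEM_LOG_CLEARED)}:
        return "event_log_cleared"
    return None


def rule_vscode_tunnel(e: Event) -> Optional[str]:
    """code.exe started with the 'tunnel' subcommand (VS Code Remote Tunnels)."""
    if not _is_sysmon(e, SYSMON_PROCESS_CREATE):
        return None
    fields = e["fields"]
    image = ntpath.basename(str(fields.get("Image", ""))).lower()
    args = str(fields.get("CommandLine", "")).lower().split()
    if image == "code.exe" and "tunnel" in args[1:]:
        return "vscode_remote_tunnel"
    return None


def rule_windows_sandbox(e: Event) -> Optional[str]:
    """Windows Sandbox launched; rare on most endpoints, so worth reviewing."""
    if not _is_sysmon(e, SYSMON_PROCESS_CREATE):
        return None
    image = ntpath.basename(str(e["fields"].get("Image", ""))).lower()
    return "windows_sandbox_launch" if image == "windowssandbox.exe" else None


def rule_dll_sideload(e: Event) -> Optional[str]:
    """A system-named DLL loaded from outside %SystemRoot%, beside its host EXE."""
    if not _is_sysmon(e, SYSMON_IMAGE_LOADED):
        return None
    fields = e["fields"]
    exe_dir = ntpath.dirname(str(fields.get("Image", ""))).lower()
    dll_path = str(fields.get("ImageLoaded", ""))
    dll_dir = ntpath.dirname(dll_path).lower()
    if ntpath.basename(dll_path).lower() not in SYSTEM_DLL_NAMES:
        return None
    if dll_dir.startswith("c:\\windows\\"):
        return None
    return "dll_sideload_candidate" if dll_dir == exe_dir else None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_log_cleared, rule_vscode_tunnel, rule_windows_sandbox, rule_dll_sideload,
]


def hunt(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every rule that fires on every event."""
    hits: List[Tuple[str, int]] = []
    for idx, event in enumerate(events):
        for rule in RULES:
            name = rule(event)
            if name:
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: event #{idx} {SAMPLE_EVENTS[idx]['fields']}")
```

Each rule is deliberately narrow so that the benign baseline records (a system binary loading `version.dll` from System32, a plain `notepad.exe` launch) produce no hits; in a real deployment the DLL side-loading rule would be tuned against an allow-list of known installers that legitimately ship their own copies of such DLLs.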
Suggested Corrections: IOCs:
https://www.welivesecurity.com/en/e...vites-europe-expo-2025-revives-anel-backdoor/
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s): https://thehackernews.com/2025/03/china-linked-mirrorface-deploys-anel.html