Stone Panda (APT 10) continues global espionage campaigns tied to China’s MSS.
🎯 Targets: healthcare, defense, academia
🛠️ Tools: Mimikatz, BloodHound, Impacket
🌍 Active in the U.S., UK, Japan, India & more
Espionage vs disruption — which do you see as their long-term mission?
Follow @technadu for continuous APT tracking.

#StonePanda #APT10 #CyberEspionage #ChinaAPT #ThreatActor #Cyble

#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025 , persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued . Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor, #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence . Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: https://jsac.jpcert.or.jp.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/mirrorface

Happy Thursday everyone!

Today's #readoftheday is brought to you by the Cybereason Security Services Team as they report their findings from a campaign they dubbed #CuckooSpear, and this is just part 1!

They attributed this campaign to #APT10, found some new tools and capabilities that the group has, and discuss the luring techniques, and much more! They talk about the techniques and tactics that they observed, they tools and LOLBAS's that were abused.

SPEAKING of techniques, APT10 used three different ways to gain persistence: scheduled tasks were created, they abused WMI Consumer Event (a method of subscribing to certain system events, then enabling an action of some sort), and creating Windows services.

This report provides great insight to the adversaries techniques, and I look forward to the rest of the parts! Enjoy and Happy Hunting!

CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective
https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting Cyborg Security, Now Part of Intel 471

Linux backdoor is a Windows malware knockoff: https://arstechnica.com/security/2023/09/never-before-seen-linux-backdoor-is-a-windows-malware-knockoff/

.#security #linux #SprySOCKS #Trochilus #APT10

Evolution of LODEINFO #backdoor shellcode

#apts #apt10 #threatintel #dfir
#infosec
https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/