#ESETresearch noticed two #MirrorFace Excel documents, known as #ROAMINGMOUSE, were uploaded to VirusTotal from #Taiwan in March 2025. The documents contain a malicious VBA macro that deploys #ANEL backdoor on the compromised machine. @dbreitenbacher
The contents of the documents are written in traditional Chinese and the date used follows the Republic of China calendar. Based on this data and other information available to ESET, we assess with medium confidence that the target was a Taiwanese research institute.
Even though MirrorFace has been previously reported on targeting a Taiwanese entity, this is for the first time we don’t see any relation to Japan.
Our investigation indicates that both documents were used to target the same institute. MirrorFace employed a call-to-action textbox, asking targets to press “Enable editing” and then “Enable content” buttons to show the data in the worksheet.
Using multiple different malicious documents to compromise the same entity is an approach that was also observed in 2024 in “Case 1: Japanese research institute” described in our blogpost https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/.
The overall compromise chain, leading to the execution of #ANEL to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html.
The overall compromise chain, leading to the execution of #ANEL to establish the initial foothold, remained the same as some observed in 2024. In particular, the approach was described as “Case 1” in Trend Micro’s report https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html.
Besides the documents, a sample of #ANELLDR loader and a sample of #FaceXInjector were uploaded to VirusTotal from Taiwan around the same time as well.
IoCs

1BAC9E61C0D433964972BC91A5F38F31B85558C1 (ROAMINGMOUSE)
634D52E10E168A61C8201130F44925CC497C1251 (ROAMINGMOUSE)
E5F20192DB09EA033FEDD9CCEB782321EBB9C66E (FaceXInjector)
948CA0DAC99470775523809C1E7E60740B70C0FD (ANELLDR)
C&Cs:
64.176.34[.]120 (ANEL)
192.46.215[.]56 (ANEL)

#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025 , persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued . Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor, #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence . Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: https://jsac.jpcert.or.jp.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/mirrorface

Cyber-Attacks on Japan: MirrorFace Threatens National Security - https://www.redpacketsecurity.com/japan-faces-prolonged-cyber-attacks-linked-to-china-s-mirrorface/

#threatintel #Japan #cyber_attack #MirrorFace

@screaminggoat ☝️ "...determined that the MirrorFace attack campaign is an organized cyber attack suspected to be linked to China, with the primary objective of stealing information related to Japan's national security and advanced technology."

Shocked face -> 🤷🏻‍♂️

#Japan #CCP #china #mirrorface #cyberattack #infosec #natsec

Associated Press: Japan links Chinese hacker MirrorFace to dozens of cyberattacks targeting security and tech data. “Japan on Wednesday linked more than 200 cyberattacks over the past five years targeting the country’s national security and high technology data to a Chinese hacking group, MirrorFace, detailing their tactics and calling on government agencies and businesses to reinforce […]

https://rbfirehose.com/2025/01/09/associated-press-japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data/