
Mar 18, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

Researchers have provided additional details about a previously reported malware campaign by the China-aligned MirrorFace threat actor, which targeted a diplomatic organization in the European Union using the ANEL backdoor.

The attack, detected by ESET in August 2024, focused on a Central European diplomatic institute using lures related to the upcoming World Expo in Osaka, Japan.

The operation, codenamed Operation AkaiRyū, is attributed to MirrorFace, also known as Earth Kasha, which is believed to be a subgroup within the APT10 umbrella and has been active since at least 2019.

Notably, the attack on a European organization marks a departure from MirrorFace’s typical targeting of Japanese entities.

The intrusion also involved the use of a heavily customized variant of AsyncRAT and ANEL, a backdoor previously linked to APT10.

The deployment of ANEL is significant on two counts: it marks a shift away from LODEINFO, and it marks the return of a backdoor that had been thought discontinued in late 2018 or early 2019.

According to ESET, “Unfortunately, we are not aware of any particular reason for MirrorFace to switch from using LODEINFO to ANEL. However, we didn’t observe LODEINFO being used throughout 2024 and so far, we haven’t seen it being used in 2025 as well. Therefore, it seems MirrorFace switched to ANEL and abandoned LODEINFO for now.”

ESET also noted that Operation AkaiRyū overlaps with Campaign C, which was documented by Japan’s National Police Agency and National Center of Incident Readiness and Strategy for Cybersecurity in January of this year.

Other notable changes include the use of a modified version of AsyncRAT and Visual Studio Code Remote Tunnels to establish stealthy access to compromised machines, a tactic increasingly favored by multiple Chinese hacking groups.

The attack chains use spear-phishing lures to launch a loader component named ANELLDR via DLL side-loading; the loader then decrypts and loads ANEL. HiddenFace, a modular backdoor used exclusively by MirrorFace, is also dropped.

According to ESET, “However, there are still a lot of missing pieces of the puzzle to draw a complete picture of the activities. One of the reasons is MirrorFace’s improved operational security, which has become more thorough and hinders incident investigations by deleting delivered tools and files, clearing Windows event logs, and running malware in Windows Sandbox.”
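The tradecraft named above (a DLL side-loaded from the lure's directory, VS Code Remote Tunnels for access, Windows Sandbox for execution, and event-log clearing to frustrate investigation) maps onto a handful of host-telemetry heuristics. The script below is an added example written for this page, not ESET's code and not anything recovered from MirrorFace tooling. The event records are constructed: field names loosely follow Sysmon (EventID 1 = process creation, 7 = image load) and the Windows Security/System logs (1102 and 104 = log cleared); file names such as legit.exe, helper.dll and stage.wsb are hypothetical, while code.exe, WindowsSandbox.exe and the .wsb sandbox-config extension are real.

```python
"""Host-triage heuristics for the tradecraft this article describes.

Added example, not ESET's code and not MirrorFace tooling. Event records
are constructed for illustration: field names loosely follow Sysmon
(EventID 1 = process creation, 7 = image load) and the Windows event logs
(1102 in Security / 104 in System = log cleared). legit.exe, helper.dll
and stage.wsb are hypothetical names; code.exe (VS Code),
WindowsSandbox.exe and the .wsb extension are real.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str = ""             # process executable (full path)
    command_line: str = ""
    loaded_image: str = ""      # DLL path, only for image-load events
    image_signed: bool = True   # whether the host executable is signed
    loaded_signed: bool = True  # whether the loaded DLL is signed
    channel: str = ""           # log channel, only for log-clear events


# Directories an unprivileged user can write to. A signed binary loading an
# unsigned DLL from one of these, beside itself, is the classic side-load shape.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_sideload(ev: Event):
    if ev.event_id != 7 or not ev.loaded_image:
        return None
    same_dir = ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.loaded_image).lower()
    if ev.image_signed and not ev.loaded_signed and same_dir and is_user_writable(ev.image):
        return f"signed {ntpath.basename(ev.image)} loaded unsigned {ev.loaded_image}"
    return None


def rule_vscode_tunnel(ev: Event):
    # "code.exe tunnel ..." starts a Remote Tunnel: a legitimate developer
    # feature that doubles as a resilient remote shell into the host.
    if ev.event_id == 1 and ntpath.basename(ev.image).lower() == "code.exe" \
            and "tunnel" in ev.command_line.lower().split():
        return f"VS Code Remote Tunnel started: {ev.command_line}"
    return None


def rule_sandbox(ev: Event):
    # Windows Sandbox launches via WindowsSandbox.exe, optionally with a .wsb
    # config; whatever runs inside leaves no persistent artifacts on the host.
    if ev.event_id == 1 and (ntpath.basename(ev.image).lower() == "windowssandbox.exe"
                             or ".wsb" in ev.command_line.lower()):
        return f"Windows Sandbox launched: {ev.command_line}"
    return None


def rule_log_cleared(ev: Event):
    ch = ev.channel.lower()
    if (ev.event_id == 1102 and ch == "security") or (ev.event_id == 104 and ch == "system"):
        return f"event log cleared in {ev.channel} channel"
    return None


RULES = [("dll-sideload", rule_sideload), ("vscode-tunnel", rule_vscode_tunnel),
         ("windows-sandbox", rule_sandbox), ("log-cleared", rule_log_cleared)]


def triage(events):
    """Return (rule_name, detail) for every event that trips a rule, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((name, detail))
    return hits


# Constructed sample telemetry: one suspicious event per rule plus benign noise.
SAMPLE = [
    Event(7, image=r"C:\Users\alice\Downloads\expo\legit.exe",
          loaded_image=r"C:\Users\alice\Downloads\expo\helper.dll", loaded_signed=False),
    Event(7, image=r"C:\Windows\System32\svchost.exe",
          loaded_image=r"C:\Windows\System32\ntdll.dll"),
    Event(1, image=r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\code.exe",
          command_line="code.exe tunnel --accept-server-license-terms"),
    Event(1, image=r"C:\Windows\System32\WindowsSandbox.exe",
          command_line=r"WindowsSandbox.exe C:\Users\alice\AppData\Local\Temp\stage.wsb"),
    Event(1102, channel="Security"),
    Event(1, image=r"C:\Windows\System32\notepad.exe", command_line="notepad.exe"),
]

if __name__ == "__main__":
    for name, detail in triage(SAMPLE):
        print(f"[{name}] {detail}")
```

These rules are deliberately narrow: the side-load check requires a signed host and an unsigned DLL in the same user-writable directory, which keeps ordinary program installs out of the results, and the log-clear check keys on the specific channel each event ID belongs to. In a real deployment the sandbox and tunnel rules are best paired with an allow-list of the few users expected to run either tool, since both are legitimate Windows and VS Code features.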
