
Threat hunters have shed more light on a previously disclosed malware campaign by the China-linked MirrorFace threat actor that used a backdoor known as ANEL to target diplomatic organizations in the European Union.
The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures tied to the World Expo that opens in Osaka, Japan, next month.
The activity has been given the name Operation AkaiRyū (Japanese for RedDragon). MirrorFace, active since at least 2019, is also tracked as Earth Kasha and is assessed to be a subgroup within the APT10 umbrella.

The targeting of a European organization by a threat actor known for its near-exclusive focus on Japanese entities marks a departure from its typical victimology.
That's not all. The intrusion is also notable for deploying heavily customized variants of AsyncRAT and ANEL (aka UPPERCUT), a backdoor previously linked to APT10.
The use of ANEL not only signals a shift away from LODEINFO but also marks the return of a backdoor that had been retired in late 2018 or early 2019.
“Unfortunately, we don't know any specific reasons why MirrorFace switched from using LODEINFO to ANEL,” ESET told The Hacker News. “However, we didn't observe LODEINFO in use throughout 2024, and so far we have not seen it being used in 2025 either. So MirrorFace switched to ANEL and abandoned LODEINFO.”

The Slovak cybersecurity company also noted that Operation AkaiRyū overlaps with Campaign C, documented by Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) in early January this year.
Other major changes include the use of a modified version of AsyncRAT and of Visual Studio Code to establish stealthy access to compromised machines.

The attack chain uses a spear-phishing lure to get the recipient to open a booby-trapped document or link, which launches a loader component named ANELLDR via DLL side-loading to decrypt and load ANEL. It also delivers a modular backdoor named HiddenFace (aka NOOPDOOR) that is used exclusively by MirrorFace.
“But there are still a lot of missing parts of the puzzle to draw a full picture of the activity,” ESET said. “One reason is that MirrorFace's operational security has improved. It is becoming more thorough, preventing incident investigation by deleting delivered tools and files, clearing Windows event logs, and running malware in Windows Sandbox.”
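Two of the anti-forensics behaviours ESET describes leave their own traces in telemetry that is still being forwarded: clearing the Security log writes Microsoft-Windows-Eventlog event 1102 to the Security log, clearing any other log writes event 104 to the System log, and launching Windows Sandbox starts the host-side binaries WindowsSandbox.exe or WindowsSandboxClient.exe. The following hunt is an added example written for this article, not code from ESET or the report; the event records are constructed and flattened in a simplified form (field names such as ClearedLog, hostnames and user names are assumptions), so adapt the keys to your own SIEM schema.

```python
"""Hunt for MirrorFace-style anti-forensics in Windows telemetry:
event-log clearing and Windows Sandbox launches.

Added example, not ESET's or The Hacker News' code. The events below are
constructed; field names mirror a simplified Windows/Sysmon XML-to-JSON
flattening and are assumptions, as are the hosts and users."""
from typing import Iterable

# Security log cleared  -> Microsoft-Windows-Eventlog EID 1102 in the Security log.
# Any other log cleared -> Microsoft-Windows-Eventlog EID 104 in the System log.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Host-side Windows Sandbox binaries. Sandbox use can be legitimate, so this
# is a triage signal, not a blocking rule.
SANDBOX_IMAGES = {"windowssandbox.exe", "windowssandboxclient.exe"}

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"Channel": "Security", "Provider": "Microsoft-Windows-Eventlog", "EventID": 1102,
     "Computer": "WS-DIPLO-07", "SubjectUserName": "jdoe", "TimeCreated": "2024-08-28T10:14:03Z"},
    {"Channel": "System", "Provider": "Microsoft-Windows-Eventlog", "EventID": 104,
     "Computer": "WS-DIPLO-07", "SubjectUserName": "jdoe",
     "ClearedLog": "Microsoft-Windows-Sysmon/Operational", "TimeCreated": "2024-08-28T10:14:05Z"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Computer": "WS-DIPLO-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsSandbox.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "TimeCreated": "2024-08-28T09:50:41Z"},
    # Benign noise: an ordinary interactive logon and an ordinary process start.
    {"Channel": "Security", "EventID": 4624, "Computer": "WS-DIPLO-07",
     "TargetUserName": "jdoe", "TimeCreated": "2024-08-28T08:01:12Z"},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS-DIPLO-07",
     "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "TimeCreated": "2024-08-28T08:05:00Z"},
]


def process_image(ev: dict) -> str:
    """Lower-cased image path from Sysmon EID 1 (Image) or Security EID 4688
    (NewProcessName, requires process-creation auditing); '' for other events."""
    if ev.get("Channel") == "Microsoft-Windows-Sysmon/Operational" and ev.get("EventID") == 1:
        return ev.get("Image", "").lower()
    if ev.get("Channel") == "Security" and ev.get("EventID") == 4688:
        return ev.get("NewProcessName", "").lower()
    return ""


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        if (ev.get("Channel"), ev.get("EventID")) in LOG_CLEAR_EVENTS:
            # 1102 always means the Security log itself; 104 names the cleared log.
            cleared = "Security" if ev["EventID"] == 1102 else ev.get("ClearedLog", "unknown")
            findings.append({"rule": "event_log_cleared", "host": ev.get("Computer"),
                             "user": ev.get("SubjectUserName"), "log": cleared,
                             "time": ev.get("TimeCreated")})
            continue
        image = process_image(ev)
        if image.rsplit("\\", 1)[-1] in SANDBOX_IMAGES:
            findings.append({"rule": "windows_sandbox_launch", "host": ev.get("Computer"),
                             "user": ev.get("User") or ev.get("SubjectUserName"),
                             "image": image, "parent": ev.get("ParentImage", "").lower(),
                             "time": ev.get("TimeCreated")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Correlating the two rules on the same host within a short window (here a sandbox launch followed by two log clears on WS-DIPLO-07) is what turns two low-fidelity signals into something worth an analyst's time; the rules themselves deliberately stay simple so the field mapping is easy to check against a real event export.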