MirrorFace Expands Operations, Revives Anel Backdoor for Espionage

A threat actor associated with Chinese cyberespionage campaigns against Japan stepped outside its East Asian comfort zone to target a European organization with a refreshed set of hacking tools.
Researchers from Eset said in a Tuesday blog post that they spotted the hacking group tracked as MirrorFace and Earth Kasha deploying a backdoor previously used exclusively by a threat group tracked as APT10. The U.S. Department of Justice in 2018 indicted two APT10 hackers working for a private-sector hacking vendor used by the ministry. China has cultivated a network of companies that share tools and procedures among themselves to conduct cyberespionage on its behalf.
The backdoor is known as Anel, also tracked as Uppercut. Its use by MirrorFace – Eset’s name for the group – “is surprising, as it was believed that Anel was abandoned around the end of 2018 or the start of 2019 and that Lodeinfo succeeded it, appearing later in 2019,” Eset researchers wrote.
MirrorFace’s use of the backdoor and similarities in targeting and malware caused Eset to reclassify the group as a subgroup of APT10.
Eset detected MirrorFace hackers attacking a “Central European diplomatic institute” in August 2024, using a spear-phishing message that referenced the upcoming Expo 2025 in Osaka, Japan, as bait.
The first message wasn’t malicious, but once the target responded, MirrorFace operators replied with an email containing a link to an archived file labelled “The EXPO Exhibition in Japan in 2025.docx.lnk”. Opening the malicious file deployed additional payloads, including a Word template with VBA macros and a signed executable from JustSystems Corporation used for DLL side-loading.
Once executed, the payload deployed Anel. Unlike earlier versions, Anel was AES-encrypted on disk and decrypted only in memory, making detection difficult. The backdoor communicated with its command and control server over HTTP, encrypting transmissions to evade monitoring.
To maintain persistence, MirrorFace deployed HiddenFace, its flagship backdoor, alongside scheduled tasks and registry modifications. Attackers systematically wiped event logs, deleted forensic artifacts and removed payloads after execution to hinder detection.
Researchers also observed the group running a heavily customized AsyncRAT inside Windows Sandbox, allowing it to operate in isolation and evade security monitoring. The Trojan was delivered in a password-protected archive and executed through a scheduled task, further obscuring its presence.
MirrorFace also abused Visual Studio Code’s remote tunnels, a legitimate feature, to establish stealthy, persistent access to compromised machines. This method enabled code execution and tool deployment while bypassing firewall and endpoint security protections.
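The persistence, evasion and tunnelling behaviours described above (scheduled tasks, event-log wiping, AsyncRAT inside Windows Sandbox, and VS Code remote tunnels) all leave process-creation telemetry a defender can hunt for. The following script is an added example, not code from Eset or from the report, that runs a few simple rules over constructed process-creation events. The event format (tab-separated timestamp, parent image, image, command line), the sample lines, and the rule names are assumptions made for the example; the command names it looks for (`schtasks /create`, `WindowsSandbox.exe`, `code tunnel`, `wevtutil cl`) are the standard Windows and VS Code commands for those actions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for this example (not from the Eset
# report). Assumed format: timestamp, parent image, image, command line,
# tab-separated, one event per line.
SAMPLE_EVENTS = """\
2024-08-12T09:14:02Z\tWINWORD.EXE\tcmd.exe\tcmd.exe /c schtasks /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\Public\\u.exe
2024-08-12T09:15:10Z\texplorer.exe\tWindowsSandbox.exe\tWindowsSandbox.exe C:\\Users\\Public\\env.wsb
2024-08-12T09:16:44Z\tcmd.exe\tcode.exe\tcode.exe tunnel --accept-server-license-terms
2024-08-12T09:20:01Z\tcmd.exe\twevtutil.exe\twevtutil cl Security
2024-08-12T09:21:00Z\texplorer.exe\tnotepad.exe\tnotepad.exe C:\\Users\\alice\\notes.txt
"""

# Parent images that indicate a document-borne start, as with the
# macro-laden Word template in the campaign.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Each rule pairs a name (assumed, for this example) with a pattern over the
# command line. The four rules map to the techniques named in the report:
# scheduled-task persistence, Windows Sandbox use, VS Code remote tunnels,
# and clearing of Windows event logs.
RULES = [
    ("scheduled_task_created", re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("windows_sandbox_launched", re.compile(r"\bWindowsSandbox\.exe\b", re.I)),
    ("vscode_remote_tunnel", re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    rule: str
    image: str
    command_line: str
    office_parent: bool  # True when an Office application spawned the process


def parse_event(line):
    """Split one tab-separated event into its fields; None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    timestamp, parent, image, cmdline = parts
    return {"timestamp": timestamp, "parent": parent, "image": image, "cmdline": cmdline}


def scan(text):
    """Apply every rule to every event and return the matches in log order."""
    findings = []
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                findings.append(Finding(
                    timestamp=event["timestamp"],
                    rule=name,
                    image=event["image"],
                    command_line=event["cmdline"],
                    office_parent=event["parent"].lower() in OFFICE_IMAGES,
                ))
    return findings


def summarize(findings):
    """Count findings per rule, useful for a quick triage view."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        note = " (spawned from Office)" if finding.office_parent else ""
        print(f"{finding.timestamp} {finding.rule}{note}: {finding.command_line}")
```

Running the block on the constructed events flags four of the five lines; the scheduled-task creation is additionally marked as Office-spawned, which is the combination worth prioritising when the initial vector is a macro document. The benign notepad line produces nothing. In production the same rules would be fed from Sysmon or Windows Security process-creation events rather than a string literal.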
Researchers suspect the attackers exported Google Chrome’s web data, including autofill details and stored credentials, into a SQLite database, potentially exposing sensitive diplomatic communications and network credentials.