#LODEINFO

2025-03-18

#ESETresearch has uncovered the #MirrorFace Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.
welivesecurity.com/en/eset-res

Surprisingly, #MirrorFace used #ANEL – a backdoor historically linked only to #APT10 – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.
Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025, persuading recipients to download malicious attachments.
Once the files were opened, a layered compromise chain ensued. Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.

#MirrorFace used an intricate execution chain to stealthily run a highly tweaked #AsyncRAT within #WindowsSandbox, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.
In another twist, #MirrorFace utilized #VSCode remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.
The group primarily leveraged #ANEL as a first-stage backdoor; #HiddenFace – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence. Notably absent this time was #LODEINFO, which #MirrorFace typically employs.

We presented our findings about Operation AkaiRyū conducted by #MirrorFace at @jpcert_ac on January 22, 2025: jsac.jpcert.or.jp.
IoCs available in our GitHub repo: github.com/eset/malware-ioc/tr

2024-11-23

#Japan targeted: #Earth_Kasha deploys #LODEINFO and #NOOPDOOR against #technology companies and #government agencies | Codebook | Security News
In the attacks, after obtaining access, Cobalt Strike was used to establish persistence ... CrowdStrike researchers report that the state-sponsored threat actor "LIMINAL PANDA", suspected of ties to China, ...
codebook.machinarecord.com/thr

2024-11-22

Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
#LODEINFO #EarthKasha #MirrorStealer #FaceLoader
trendmicro.com/en_us/research/