Full Report
The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan. The activity, detected by Trend Micro in March 2025, involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL. "The ANEL file from
Analysis Summary
# Threat Actor: MirrorFace (Earth Kasha)
## Attribution & Identity
* **Primary Name:** MirrorFace
* **Associated Group/Alias:** Earth Kasha
* **Assessed Affiliation:** China-aligned threat actor, assessed to be a sub-cluster within APT10.
## Activity Summary
MirrorFace has been observed conducting a cyber espionage campaign (Operation AkaiRyū) targeting government agencies and public institutions in Japan and Taiwan, detected in March 2025.
* An earlier campaign referred to as Operation AkaiRyū targeted a diplomatic organization in the European Union in August 2024 using the ANEL backdoor.
* **Recent Campaign (March 2025):** Focus on expanding footprint in Japan and Taiwan to conduct information theft to advance strategic objectives.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails, sometimes sent from legitimate-but-compromised accounts.
* **Delivery Mechanism:** Emails contain an embedded Microsoft OneDrive URL leading to a ZIP file. The ZIP includes a malware-laced Excel document and a macro-enabled dropper (ROAMINGMOUSE).
* **Execution Chain:**
  1. ROAMINGMOUSE decodes and drops the contents of the ZIP file (including `JSLNTOOL.exe`/`JSTIEE.exe`/`JSVWMNG.exe`, `JSFC.dll` (ANELLDR), an encrypted ANEL payload, and `MSVCR100.dll`).
  2. The actor launches a legitimate binary (e.g., `explorer.exe`) and uses it to sideload the malicious DLL (`JSFC.dll`/ANELLDR).
  3. ANELLDR decrypts and launches the ANEL backdoor.
* **Post-Exploitation:**
  * The updated ANEL payload supports in-memory execution of Beacon Object Files (BOFs), allowing the implanted Cobalt Strike agent to be extended without writing further components to disk.
  * The actor leveraged the open-source tool SharpHide to launch a new version of the NOOPDOOR backdoor.
  * Environment reconnaissance via backdoor commands: capturing screenshots, listing active processes, and gathering domain information.
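The execution chain above hinges on a legitimate, signed binary loading a malicious DLL that sits beside it rather than in a Windows system directory. The following detection logic is an added example written for this summary, not code from Trend Micro or from the report; it runs over constructed image-load records shaped like Sysmon Event ID 7 (ImageLoad) fields. The DLL names come from the execution chain above; the sample paths, timestamps and process names are constructed, and the directory lists are assumptions to be tuned per estate.

```python
"""Flag DLL image-load events consistent with sideloading by a legitimate
binary (the JSFC.dll/ANELLDR pattern described above).

Records mimic Sysmon Event ID 7 (ImageLoad). SAMPLE_EVENTS below is
constructed for illustration and is not telemetry from a real host.
"""
from dataclasses import dataclass
import ntpath

# DLL names named in the execution chain above.
WATCHED_DLLS = {"jsfc.dll", "msvcr100.dll"}

# Where Windows keeps its own DLLs (assumed list): a "known" DLL loaded from
# anywhere else is the classic sideloading tell.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = (r"c:\users", r"c:\programdata", r"c:\temp")


@dataclass
class ImageLoad:
    ts: str            # event timestamp
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into the process
    signed: bool       # Sysmon 'Signed' field for the DLL


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _under(path: str, prefixes) -> bool:
    """True if the directory of `path` is one of `prefixes` or nested below it."""
    d = ntpath.dirname(_norm(path))
    return any(d == pre or d.startswith(pre + "\\") for pre in prefixes)


def detect_sideload(events):
    """Return (ts, reason, dll) tuples for events matching either rule."""
    findings = []
    for ev in events:
        dll = ntpath.basename(_norm(ev.image_loaded))
        if dll in WATCHED_DLLS and not _under(ev.image_loaded, SYSTEM_DIRS):
            # A DLL named in the report loaded from outside the OS directories.
            findings.append((ev.ts, "watched-dll-outside-system-dir", dll))
        elif (_under(ev.image, (r"c:\windows",))
              and _under(ev.image_loaded, USER_WRITABLE)
              and not ev.signed):
            # A Windows-shipped binary (e.g. explorer.exe) mapping an unsigned
            # DLL from a user-writable location.
            findings.append((ev.ts, "system-binary-loaded-unsigned-user-dll", dll))
    return findings


# Constructed sample events: two benign loads and two that match the rules.
SAMPLE_EVENTS = [
    ImageLoad("2025-03-10T09:00:01Z", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\shell32.dll", True),
    ImageLoad("2025-03-10T09:00:07Z",
              r"C:\Users\alice\AppData\Local\Temp\pkg\JSLNTOOL.exe",
              r"C:\Users\alice\AppData\Local\Temp\pkg\JSFC.dll", False),
    ImageLoad("2025-03-10T09:00:09Z", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Downloads\stage\helper.dll", False),
    ImageLoad("2025-03-10T09:01:00Z", r"C:\Program Files\SomeApp\app.exe",
              r"C:\Windows\System32\msvcr100.dll", True),
]

if __name__ == "__main__":
    for ts, reason, dll in detect_sideload(SAMPLE_EVENTS):
        print(ts, reason, dll)
```

The first rule is narrow and name-driven, so it is cheap to run but only catches what the report already named; the second rule is the durable one, because it keys on the relationship (OS binary, user-writable directory, unsigned DLL) rather than on a filename. Note that `MSVCR100.dll` is redistributed by many legitimate applications, so a hit on it alone is corroborating evidence rather than a verdict.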
## Targeting
* **Sectors:** Government agencies and public institutions.
* **Geography:** Japan, Taiwan, and previously, a diplomatic organization within the European Union.
* **Victims:** Entities holding high-value assets such as sensitive governance data, intellectual property, infrastructure data, and access credentials.
## Tools & Infrastructure
* **Malware Families Used:**
  * **ANEL** (aka UPPERCUT): Primary backdoor.
  * **ROAMINGMOUSE:** Macro-enabled dropper, in use since at least 2024, the year before the March 2025 campaign.
  * **NOOPDOOR** (aka HiddenFace): Secondary backdoor.
* **Infrastructure:**
  * NOOPDOOR resolves its C2 addresses over **DNS-over-HTTPS (DoH)**, hiding the lookups from conventional DNS monitoring.
## Implications
MirrorFace (Earth Kasha) remains an active and evolving Advanced Persistent Threat, focused on cyber espionage. The adoption of in-memory BOF execution within the ANEL payload suggests an attempt to evade traditional endpoint detection mechanisms and enhance post-exploitation capabilities without writing further components to disk. The continued focus on government and public sectors indicates strategic goals aligned with nation-state information theft.
## Mitigations
* Implement proactive security measures, particularly for organizations holding sensitive governance data, IP, or infrastructure credentials.
* Maintain vigilance against spear-phishing campaigns, especially those leveraging OneDrive links for initial malware delivery.
* Monitor for anomalies associated with DLL sideloading of approved executables (e.g., `explorer.exe` loading unexpected DLLs).
* Employ network monitoring solutions capable of detecting and analyzing DoH traffic to identify covert C2 communications.
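The last mitigation asks for network monitoring that can recognise DoH, the channel this summary attributes to NOOPDOOR's C2 resolution. The script below is an added example for this summary, not code from the report or its authors. It classifies constructed JSON records in the shape a TLS-inspecting proxy or EDR network sensor might emit (the field names `ts`, `process`, `host`, `url` and `content_type` are assumed); the resolver hostnames are real public DoH endpoints, the process allowlist is an assumption to tune per estate, and the sample process and host names are constructed.

```python
"""Spot DNS-over-HTTPS requests from processes that are not expected to
resolve names that way. Records are constructed JSON lines; the record
field names and the process allowlist are assumptions.
"""
import json
from urllib.parse import urlsplit

# Public resolvers that serve DoH on these hostnames (real services).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Processes allowed to speak DoH directly (hypothetical allowlist).
DOH_ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


def classify(record: dict):
    """Return a reason string if the record looks like DoH from an
    unexpected process, otherwise None."""
    host = record.get("host", "").lower()
    path = urlsplit(record.get("url", "")).path
    ctype = record.get("content_type", "").lower()
    proc = record.get("process", "").lower()

    reasons = []
    if ctype == "application/dns-message":
        reasons.append("dns-message content type")      # RFC 8484 media type
    if path.rstrip("/").endswith("/dns-query"):
        reasons.append("/dns-query endpoint")            # conventional DoH path
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known public DoH resolver")
    if not reasons:
        return None
    if proc in DOH_ALLOWED_PROCESSES:
        return None  # a browser using DoH is expected behaviour
    return f"{proc or '<unknown>'}: " + ", ".join(reasons)


def scan(lines):
    """Parse JSON lines and return (ts, reason) for every DoH finding."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["ts"], reason))
    return findings


# Constructed sample telemetry: one browser DoH request (expected), one
# ordinary HTTPS session, and two DoH requests from unexpected processes.
SAMPLE_LINES = [
    '{"ts":"2025-03-10T10:00:00Z","process":"chrome.exe","host":"cloudflare-dns.com",'
    '"url":"https://cloudflare-dns.com/dns-query","content_type":"application/dns-message"}',
    '{"ts":"2025-03-10T10:00:05Z","process":"outlook.exe","host":"outlook.office365.com",'
    '"url":"https://outlook.office365.com/owa/","content_type":"text/html"}',
    '{"ts":"2025-03-10T10:00:12Z","process":"unknownsvc.exe","host":"dns.google",'
    '"url":"https://dns.google/dns-query","content_type":"application/dns-message"}',
    '{"ts":"2025-03-10T10:00:20Z","process":"helper.exe","host":"doh.example.net",'
    '"url":"https://doh.example.net/dns-query?dns=AAABAAABAAAAAAAA","content_type":""}',
]

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LINES):
        print(ts, reason)
```

The three signals are deliberately independent: a self-hosted resolver defeats the hostname list, a custom path defeats the `/dns-query` check, and only the RFC 8484 media type survives both, which is why the last sample is still caught on its path alone. Windows 11 can itself resolve over DoH through the DNS Client service, so in practice the allowlist needs the OS resolver process added and the rule tuned against a baseline before it is used for alerting.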