Full Report
2025-03-18 • WeLiveSecurity • Dominik Breitenbacher • win.anel, win.asyncrat
Analysis Summary
The provided context is very limited, containing only the title, authorship metadata, and links related to an investigation titled "Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor." The summary will be based on inferences derived from the title and known indicators within the context, as detailed operational information is absent.
# Threat Actor: MirrorFace / Unknown Attribution
## Attribution & Identity
Attribution is not explicitly stated in the provided context, but the operation is tracked under the name **Operation AkaiRyū**. The actor utilizes the malware known as **MirrorFace**.
## Activity Summary
The recent activity centers on Operation AkaiRyū, which involves inviting European targets to **Expo 2025** (presumably as a lure) and the revival and use of the **ANEL backdoor**.
## Tactics, Techniques & Procedures
Based on the context, the primary TTP indicated is the deployment of pre-existing malware:
- Use of the **ANEL backdoor**.
- Use of the **MirrorFace** malware/platform.
- The context associates the activity with `win.anel` and `win.asyncrat` (suggesting Remote Access Trojan capabilities).
## Targeting
- Sectors: **Unspecified**, but the lure involves Expo 2025, suggesting potential engagement with entities interested in or preparing for the event.
- Geography: **Europe** (explicitly mentioned in the lure context).
- Victims: **Unspecified** in the provided text snippet.
## Tools & Infrastructure
- Malware families used:
  - **MirrorFace**
  - **ANEL backdoor**
  - **AsyncRAT** (implied by association)
- Infrastructure (C2, domains, IPs): **None provided** in the context.
## Implications
The revival of the ANEL backdoor suggests that the threat actor is reusing established, possibly stable, implant infrastructure. The focus on a high-profile, international event like Expo 2025 indicates a potential espionage or influence operation targeting entities across Europe.
## Mitigations
- Be highly skeptical of unsolicited invitations or correspondence related to Expo 2025, especially if the sender is unexpected or uses generic lures.
- Ensure systems can detect and block known indicators associated with the ANEL and MirrorFace malware families.
- Monitor networks for connections to known C2 infrastructure linked to these malware families.