Threat hunters have shed more light on a previously disclosed malware campaign undertaken by the China-aligned MirrorFace threat actor that targeted a diplomatic organization in the European Union with a backdoor known as ANEL.
The attack, detected by ESET in late August 2024, singled out a Central European diplomatic institute with lures related to Word Expo, which is scheduled to kick off in Osaka, Japan, next month.
The activity has been codenamed Operation AkaiRyū (Japanese for RedDragon). Active since at least 2019, MirrorFace is also referred to as Earth Kasha. It’s assessed to be a subgroup within the APT10 umbrella.
While known for its exclusive targeting of Japanese entities, the threat actor’s attack on a European organization marks a departure from its typical victimology footprint.
That’s not all. The intrusion is also notable for deploying a heavily customized variant of AsyncRAT and ANEL (aka UPPERCUT), a backdoor previously linked to APT10.
The use of ANEL is significant not only because it highlights a shift from LODEINFO but also the return of the backdoor after it was discontinued sometime in late 2018 or early 2019.
“Unfortunately, we are not aware of any particular reason for MirrorFace to switch from using LODEINFO to ANEL,” ESET told The Hacker News. “However, we didn’t observe LODEINFO being used throughout the whole 2024 and so far, we haven’t seen it being used in 2025 as well. Therefore it seems, MirrorFace switched to ANEL and abandoned LODEINFO for now.”
The Slovakian cybersecurity company also noted that Operation AkaiRyū overlaps with Campaign C which was documented by Japan’s National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) earlier this January.
Other major changes include the use of a modified version of AsyncRAT and Visual Studio Code Remote Tunnels to establish stealthy access to the compromised machines, the latter of which has become a tactic increasingly favored by multiple Chinese hacking groups.
The attack chains involve using spear-phishing lures to persuade recipients into opening booby-trapped documents or links that launch a loader component named ANELLDR via DLL side-loading that then decrypts and loads ANEL. Also dropped is a modular backdoor named HiddenFace (aka NOOPDOOR) that’s only used by MirrorFace.
“However, there are still a lot of missing pieces of the puzzle to draw a complete picture of the activities,” ESET said. “One of the reasons is MirrorFace’s improved operational security, which has become more thorough and hinders incident investigations by deleting the delivered tools and files, clearing Windows event logs, and running malware in Windows Sandbox.”
