{
	"id": "f5a239d0-e5ee-4086-9c43-9928f0ffccb5",
	"created_at": "2026-04-06T00:13:57.263235Z",
	"updated_at": "2026-04-10T03:33:45.755377Z",
	"deleted_at": null,
	"sha1_hash": "63625b200d142f718e346d3ef146ac15ea371ca8",
	"title": "Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43181,
	"plain_text": "Cuckoo Spear – the latest Nation-state Threat Actor targeting\r\nJapanese companies\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 20:39:06 UTC\r\nHighly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and\r\nchallenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation.\r\nGovernment agencies or state-sponsored groups are engaging in cyber-attacks for various reasons, including\r\nespionage, sabotage, or political influence. \r\nCuckoo Spear is the latest nation-state threat discovered through Cybereason threat analysis. By tying multiple\r\nincidents together, the report outlines how the associated Threat Actor persists stealthily on their victims' network\r\nfor years. In fact, Cybereason identified that the associated Threat Actor was present in victim networks for a time\r\nperiod between 2 and 3 years. \r\nDisclosing new information about the APT10 group’s new arsenal and techniques, Cybereason highlights how\r\ndefenders (organisations and governments) must implement robust security protocols, monitor for and detect\r\nsuspicious activities, and collaborate with cybersecurity experts to mitigate the risks posed by such threats whilst\r\npreventing these attacks. \r\nSince December 2019, the cybersecurity landscape has been continuously challenged by the emergence and\r\nevolution of the LODEINFO malware. Recent investigations suggest the involvement of a Chinese state-backed\r\nAdvanced Persistent Threat (APT) group, likely APT10, in orchestrating these attacks. A recent development\r\nidentified ties between the Threat Actor utilizing LODEINFO and a new malware family called\r\nNOOPDOOR. Cybereason named this threat campaign “Cuckoo Spear”.\r\nAPT10 is a sophisticated Chinese state-sponsored cyber espionage group that has been active as early as 2006,\r\naccording to the Department of Defense. 
The information security community widely believes the group's focus is\r\nto support Chinese national security goals by gathering intelligence against the relevant targets. APT10 often\r\ntargets various critical infrastructure sectors such as communications, manufacturing and various public sectors. \r\nCuckoo Spear is related to the APT10 Intrusion Set because of the links made between various incidents from\r\nThreat Actors “Earth Kasha” (Trend Micro *) and “MirrorFace”, including both APT10’s old arsenal\r\n(LODEINFO) and new arsenal identified in the Cybereason Threat Analysis Report. The actors behind\r\nNOOPDOOR not only utilized LODEINFO during the campaign, but also utilized the new backdoor to exfiltrate\r\ndata from compromised enterprise networks. The intention behind this behaviour is likely espionage, as Threat\r\nActors targeted critical infrastructure sectors and academic institutions, which are often intelligence gathering\r\ntargets.\r\nhttps://www.cybereason.com/blog/cuckoo-spear\r\nPage 1 of 3\n\nTechniques employed to load this highly sophisticated malware\r\nIn this recent Threat Analysis Report, Cybereason exhibits a new backdoor utilized by Threat Actors called\r\nNOOPDOOR, as dubbed by ESET and Trend Micro. NOOPDOOR is a 64-bit modular backdoor which employs\r\nDGA-based C2 communication. The backdoor is seen to be loaded by NOOPLDR, which is responsible for\r\ndecrypting and executing NOOPDOOR.\r\nCybereason observed LODEINFO and NOOPLDR/NOOPDOOR (first known in January 2024) together in one case,\r\nlinking them. As mentioned in different reports*, Threat Actors started to incorporate NOOPDOOR in\r\nnew campaigns. Based on the analysis of LODEINFO as well as on the observation of these campaigns,\r\nLODEINFO appears to be used as a primary backdoor and NOOPDOOR acts as a secondary backdoor, keeping\r\npersistence within the compromised corporate network for more than two years. 
\r\nCybereason researchers Jin Ito (Incident Response Engineer) and Loïc Castel (Incident Response Investigator) from\r\nthe Cybereason IR Team, and Kotaro Ogino (CTI Analyst) from the Cybereason Security Operations Team, explored the\r\nsophisticated functionalities and tactics that define the most recent iteration of the NOOPDOOR and NOOPLDR\r\nmalware and their surrounding capabilities, documented in detail within the Threat Analysis Report. \r\nA Sophisticated Set of Tools \r\nDuring recent incident response activities, our team has uncovered and meticulously analyzed the newest arsenal\r\ndeployed by the Threat Actor. This analysis, fueled by advanced reverse engineering techniques, revealed a\r\nsophisticated set of tools designed for stealth infiltration, data exfiltration, and persistent access.\r\nA variety of different techniques were used to lure in potential victims, but the Threat Actors mainly rely on\r\nSpear-Phishing as the common initial access technique with LODEINFO; however, malicious actors have started\r\nto shift their tactics to exploiting vulnerabilities. NOOPDOOR must be loaded first on the victim machines, which\r\nis done through persistence mechanisms, and Cybereason observed three different methods: \r\nScheduled Tasks: Threat Actors maintain persistence within the environment by abusing Scheduled Tasks. The\r\nscheduled task consists of execution of MSBuild, which loads malicious XML files and compiles the\r\nNOOPDOOR loader at runtime. \r\nWMI Consumer Events: The Threat Actors leverage the WMI event consumer, which executes the main action\r\nwhen it gets triggered by a filter. The Threat Actor then makes use of ActiveScript, which appears to execute in the\r\nJScript engine. For the consumer action in this WMI event, the Threat Actor leverages MSBuild execution for the\r\nNOOPDOOR loader, similar to the scheduled task, which also leverages MSBuild. 
Utilizing WMI event\r\nconsumers is an alternate methodology for persisting within the environment.\r\nWindows Services (Service DLL): Threat Actors also maintain persistence within the environment by creating\r\nmalicious services that load unsigned DLL files. \r\nDetailed analysis on loading malicious code, and the reverse engineering of the Cuckoo Spear tools NOOPLDR\r\nand NOOPDOOR, are found in the Arsenal Analysis chapter of the Threat Analysis Report.\r\nStrategies for Threat Hunting and Defense\r\nCybereason provided hunting queries to identify Cuckoo Spear presence in the network and has shared Indicators\r\nof Compromise (IOCs) within the Analysis Report to better detect them and potentially block Cuckoo Spear\r\nactivity. \r\nDue to the potential complexity of the containment, eradication and recovery process, it is highly recommended to\r\nhire a dedicated Incident Response team upon discovery of this Threat Actor being on the network. \r\nIn many APT related cases, the Threat Actor has already gained network access for several months or years before\r\nany investigation has started. Eradication of this Threat Actor requires in-depth preparation and effective security\r\nmeasures so the attacker cannot return. Although remediation actions will differ for each organization, Cybereason\r\nSecurity Services suggests, in general, conducting an organization-scale remediation day where the following\r\nactions are implemented:\r\nPrepare a clean, uncompromised network\r\nDisable all access to and from the internet\r\nBlock all NOOPDOOR related C2 domains and IPs\r\nReset all user passwords\r\nRebuild infected machines\r\nConnect rebuilt machines to the clean network\r\nLeveraging open-source intelligence, Cybereason provides actionable insights on how organizations can\r\neffectively hunt and defend against these persistent threats. 
If you have concerns about nation-state level threats or\r\nneed advice on how to protect against them, feel free to ask Cybereason for more specific information.\r\nFor detailed Analysis, hunting queries and scripting, read the latest Cybereason Threat Report now.\r\n*Trend Micro and ESET research findings JSAC2024\r\nSource: https://www.cybereason.com/blog/cuckoo-spear",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cuckoo-spear"
	],
	"report_names": [
		"cuckoo-spear"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63625b200d142f718e346d3ef146ac15ea371ca8.pdf",
		"text": "https://archive.orkl.eu/63625b200d142f718e346d3ef146ac15ea371ca8.txt",
		"img": "https://archive.orkl.eu/63625b200d142f718e346d3ef146ac15ea371ca8.jpg"
	}
}