{
	"id": "162a2815-2197-40dd-8bfa-4c2bdf21da76",
	"created_at": "2026-04-06T00:21:25.687631Z",
	"updated_at": "2026-04-10T13:12:28.004435Z",
	"deleted_at": null,
	"sha1_hash": "63ba45d66828aa10a70a8431f97126753b73a0fb",
	"title": "Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 800202,
	"plain_text": "Unmasking MirrorFace: Operation LiberalFace targeting Japanese\r\npolitical entities\r\nBy Dominik Breitenbacher\r\nArchived: 2026-04-05 14:14:30 UTC\r\nESET researchers discovered a spearphishing campaign, launched in the weeks leading up to the Japanese House of\r\nCouncillors election in July 2022, by the APT group that ESET Research tracks as MirrorFace. The campaign, which we\r\nhave named Operation LiberalFace, targeted Japanese political entities; our investigation revealed that the members of a\r\nspecific political party were of particular focus in this campaign. ESET Research unmasked details about this campaign and\r\nthe APT group behind it at the AVAR 2022 conference at the beginning of this month.\r\nKey points of the blogpost:\r\nAt the end of June 2022, MirrorFace launched a campaign, which we have named Operation LiberalFace, that\r\ntargeted Japanese political entities.\r\nSpearphishing email messages containing the group’s flagship backdoor LODEINFO were sent to the targets.\r\nLODEINFO was used to deliver additional malware, exfiltrate the victim’s credentials, and steal the victim’s\r\ndocuments and emails.\r\nA previously undescribed credential stealer we have named MirrorStealer was used in Operation LiberalFace.\r\nESET Research performed an analysis of the post-compromise activities, which suggests that the observed actions\r\nwere carried out in a manual or semi-manual manner.\r\nDetails about this campaign were shared at the AVAR 2022 conference.\r\nMirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some\r\nspeculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any\r\nknown APT group. Therefore, we are tracking it as a separate entity that we've named MirrorFace. 
In particular, MirrorFace\r\nand LODEINFO, its proprietary malware used exclusively against targets in Japan, have been reported as targeting media,\r\ndefense-related companies, think tanks, diplomatic organizations, and academic institutions. The goal of MirrorFace is\r\nespionage and exfiltration of files of interest.\r\nWe attribute Operation LiberalFace to MirrorFace based on these indicators:\r\nTo the best of our knowledge, LODEINFO malware is exclusively used by MirrorFace.\r\nThe targets of Operation LiberalFace align with traditional MirrorFace targeting.\r\nA second-stage LODEINFO malware sample contacted a C\u0026C server that we track internally as part of MirrorFace\r\ninfrastructure.\r\nOne of the spearphishing emails sent in Operation LiberalFace posed as an official communication from the PR department\r\nof a specific Japanese political party, containing a request related to the House of Councillors elections, and was purportedly\r\nsent on behalf of a prominent politician. All spearphishing emails contained a malicious attachment that upon execution\r\ndeployed LODEINFO on the compromised machine.\r\nAdditionally, we discovered that MirrorFace has used previously undocumented malware, which we have named\r\nMirrorStealer, to steal its target’s credentials. We believe this is the first time this malware has been publicly described.\r\nIn this blogpost, we cover the observed post-compromise activities, including the C\u0026C commands sent to LODEINFO to\r\ncarry out the actions. Based on certain activities performed on the affected machine, we think that the MirrorFace operator\r\nissued commands to LODEINFO in a manual or semi-manual manner.\r\nInitial access\r\nMirrorFace started the attack on June 29th, 2022, distributing spearphishing emails with a malicious attachment to the\r\ntargets. 
The subject of the email was \u003credacted\u003eSNS用動画 拡散のお願い (translation from Google Translate: [Important]\r\nhttps://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/\r\nPage 1 of 12\n\n\u003credacted\u003e Request for spreading videos for SNS). Figure 1 and Figure 2 show its content.\r\nFigure 1. Original text of the email\r\nFigure 2. Translated version\r\nPurporting to be a Japanese political party’s PR department, MirrorFace asked the recipients to distribute the attached videos\r\non their own social media profiles (SNS – Social Network Service) to further strengthen the party’s PR and to secure victory\r\nin the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy.\r\nSince the House of Councillors election was held on July 10th, 2022, this email clearly indicates that MirrorFace sought the\r\nopportunity to attack political entities. Also, specific content in the email indicates that members of a particular political\r\nparty were targeted.\r\nMirrorFace also used another spearphishing email in the campaign, where the attachment was titled 【参考】\r\n220628\u003credacted\u003e発・\u003credacted\u003e選挙管理委員会宛文書（添書分）.exe (translation from Google Translate:\r\n[Reference] 220628 Documents from the Ministry of \u003credacted\u003e to \u003credacted\u003e election administration committee\r\n(appendix).exe). The attached decoy document (shown in Figure 3) references the House of Councillors election as well.\r\nFigure 3. 
Decoy document shown to the target\r\nIn both cases, the emails contained malicious attachments in the form of self-extracting WinRAR archives with deceptive\r\nnames \u003credacted\u003eSNS用動画 拡散のお願い.exe (translation from Google Translate: \u003credacted\u003e Request for spreading\r\nvideos for SNS.exe) and 【参考】220628\u003credacted\u003e発・\u003credacted\u003e選挙管理委員会宛文書（添書分）.exe (translation\r\nfrom Google Translate: [Reference] 220628 Documents from the Ministry of \u003credacted\u003e to \u003credacted\u003e election\r\nadministration committee (appendix).exe) respectively.\r\nThese EXEs extract their archived content into the %TEMP% folder. In particular, four files are extracted:\r\nK7SysMon.exe, a benign application developed by K7 Computing Pvt Ltd vulnerable to DLL search order hijacking\r\nK7SysMn1.dll, a malicious loader\r\nK7SysMon.Exe.db, encrypted LODEINFO malware\r\nA decoy document\r\nThen, the decoy document is opened to deceive the target and to appear benign. As the last step, K7SysMon.exe is executed\r\nwhich loads the malicious loader K7SysMn1.dll dropped alongside it. Finally, the loader reads the content of\r\nK7SysMon.Exe.db, decrypts it, and then executes it. Note this approach was also observed by Kaspersky and described in\r\ntheir report.\r\nIn this section, we describe the malware MirrorFace utilized in Operation LiberalFace.\r\nLODEINFO\r\nLODEINFO is a MirrorFace backdoor that is under continual development. JPCERT reported about the first version of\r\nLODEINFO (v0.1.2), which appeared around December 2019; its functionality allows capturing screenshots, keylogging,\r\nkilling processes, exfiltrating files, and executing additional files and commands. Since then, we have observed several\r\nchanges introduced to each of its versions. 
For instance, version 0.3.8 (which we first detected in June 2020) added the\r\ncommand ransom (which encrypts defined files and folders), and version 0.5.6 (which we detected in July 2021) added the\r\ncommand config, which allows operators to modify its configuration stored in the registry. Besides the JPCERT reporting\r\nmentioned above, a detailed analysis of the LODEINFO backdoor was also published earlier this year by Kaspersky.\r\nIn Operation LiberalFace, we observed MirrorFace operators utilizing both the regular LODEINFO and what we call the\r\nsecond-stage LODEINFO malware. The second-stage LODEINFO can be distinguished from the regular LODEINFO by\r\nlooking at the overall functionality. In particular, the second-stage LODEINFO accepts and runs PE binaries and shellcode\r\noutside of the implemented commands. Furthermore, the second-stage LODEINFO can process the C\u0026C command config,\r\nbut the functionality for the command ransom is missing.\r\nFinally, the data received from the C\u0026C server differs between the regular LODEINFO and the second-stage one. For the\r\nsecond-stage LODEINFO, the C\u0026C server prepends random web page content to the actual data. See Figure 4, Figure 5,\r\nand Figure 6 depicting the received data difference. Notice the prepended code snippet differs for every received data stream\r\nfrom the second-stage C\u0026C.\r\nFigure 4. Data received from the first-stage LODEINFO C\u0026C\r\nFigure 5. Data received from the second-stage C\u0026C\r\nFigure 6. Another data stream received from the second-stage C\u0026C\r\nMirrorStealer\r\nMirrorStealer, internally named 31558_n.dll by MirrorFace, is a credential stealer. To the best of our knowledge, this\r\nmalware has not been publicly described. 
In general, MirrorStealer steals credentials from various applications such as\r\nbrowsers and email clients. Interestingly, one of the targeted applications is Becky!, an email client that is currently only\r\navailable in Japan. All the stolen credentials are stored in %TEMP%\\31558.txt and since MirrorStealer doesn’t have the\r\ncapability to exfiltrate the stolen data, it depends on other malware to do it.\r\nPost-compromise activities\r\nDuring our research, we were able to observe some of the commands that were issued to compromised computers.\r\nInitial environment observation\r\nOnce LODEINFO was launched on the compromised machines and they had successfully connected to the C\u0026C server, an\r\noperator started issuing commands (see Figure 7).\r\nFigure 7. Initial environment observation by the MirrorFace operator via LODEINFO\r\nFirst, the operator issued one of the LODEINFO commands, print, to capture the screen of the compromised machine. This\r\nwas followed by another command, ls, to see the content of the current folder in which LODEINFO resided (i.e.,\r\n%TEMP%). Right after that, the operator utilized LODEINFO to obtain network information by running net view and net\r\nview /domain. The first command returns the list of computers connected to the network, while the second returns the list of\r\navailable domains.\r\nCredential and browser cookie stealing\r\nHaving collected this basic information, the operator moved to the next phase (see Figure 8).\r\nFigure 8. 
Flow of instructions sent to LODEINFO to deploy credential stealer, collect credentials and browser cookies, and\r\nexfiltrate them to the C\u0026C server\r\nThe operator issued the LODEINFO command send with the subcommand -memory to deliver MirrorStealer malware to the\r\ncompromised machine. The subcommand -memory was used to indicate to LODEINFO to keep MirrorStealer in its\r\nmemory, meaning the MirrorStealer binary was never dropped on disk. Subsequently, the command memory was issued.\r\nThis command instructed LODEINFO to take MirrorStealer, inject it into the spawned cmd.exe process, and run it.\r\nOnce MirrorStealer had collected the credentials and stored them in %temp%\\31558.txt, the operator used LODEINFO to\r\nexfiltrate the credentials.\r\nThe operator was interested in the victim’s browser cookies as well. However, MirrorStealer doesn’t possess the capability\r\nto collect those. Therefore, the operator exfiltrated the cookies manually via LODEINFO. First, the operator used the\r\nLODEINFO command dir to list the contents of the folders %LocalAppData%\\Google\\Chrome\\User Data\\ and\r\n%LocalAppData%\\Microsoft\\Edge\\User Data\\. Then, the operator copied all the identified cookie files into the %TEMP%\r\nfolder. Next, the operator exfiltrated all the collected cookie files using the LODEINFO command recv. Finally, the operator\r\ndeleted the copied cookie files from the %TEMP% folder in an attempt to remove the traces.\r\nDocument and email stealing\r\nIn the next step, the operator exfiltrated documents of various kinds as well as stored emails (see Figure 9).\r\nFigure 9. Flow of the instructions sent to LODEINFO to exfiltrate files of interest\r\nFor that, the operator first utilized LODEINFO to deliver the WinRAR archiver (rar.exe). 
Using rar.exe, the operator\r\ncollected and archived files of interest that were modified after 2022-01-01 from the folders %USERPROFILE%\\ and\r\nC:\\$Recycle.Bin\\. The operator was interested in all such files with the extensions .doc*, .ppt*, .xls*, .jtd, .eml, .*xps, and\r\n.pdf.\r\nNotice that besides the common document types, MirrorFace was also interested in files with the .jtd extension. This\r\nrepresents documents of the Japanese word processor Ichitaro developed by JustSystems.\r\nOnce the archive was created, the operator delivered the Secure Copy Protocol (SCP) client from the PuTTY suite\r\n(pscp.exe) and then used it to exfiltrate the just-created RAR archive to the server at 45.32.13[.]180. This IP address had not\r\nbeen observed in previous MirrorFace activity and had not been used as a C\u0026C server in any LODEINFO malware that we\r\nhave observed. Right after the archive was exfiltrated, the operator deleted rar.exe, pscp.exe, and the RAR archive to clean\r\nup the traces of the activity.\r\nDeployment of second-stage LODEINFO\r\nThe last step we observed was delivering the second-stage LODEINFO (see Figure 10).\r\nFigure 10. Flow of instructions sent to LODEINFO to deploy second-stage LODEINFO\r\nThe operator delivered the following binaries: JSESPR.dll, JsSchHlp.exe, and vcruntime140.dll to the compromised\r\nmachine. The original JsSchHlp.exe is a benign application signed by JUSTSYSTEMS CORPORATION (makers of the\r\npreviously mentioned Japanese word processor, Ichitaro). 
However, in this case the MirrorFace operator abused a known\r\nMicrosoft digital signature verification issue and appended RC4 encrypted data to the JsSchHlp.exe digital signature.\r\nBecause of the mentioned issue, Windows still considers the modified JsSchHlp.exe to be validly signed.\r\nJsSchHlp.exe is also susceptible to DLL side-loading. Therefore, upon execution, the planted JSESPR.dll is loaded (see\r\nFigure 11).\r\nFigure 11. Execution flow of second-stage LODEINFO\r\nJSESPR.dll is a malicious loader that reads the appended payload from JsSchHlp.exe, decrypts it, and runs it. The payload is\r\nthe second-stage LODEINFO, and once running, the operator utilized the regular LODEINFO to set the persistence for the\r\nsecond-stage one. In particular, the operator ran the reg.exe utility to add a value named JsSchHlp to the Run registry key\r\nholding the path to JsSchHlp.exe.\r\nHowever, it appears to us the operator didn’t manage to make the second-stage LODEINFO communicate properly with the\r\nC\u0026C server. Therefore, any further steps of the operator utilizing the second-stage LODEINFO remain unknown to us.\r\nInteresting observations\r\nDuring the investigation, we made a few interesting observations. One of them is that the operator made a few errors and\r\ntypos when issuing commands to LODEINFO. For example, the operator sent the string cmd /c dir \"c:\\use\\\" to LODEINFO,\r\nwhich most likely was supposed to be cmd /c dir \"c:\\users\\\".\r\nThis suggests the operator is issuing commands to LODEINFO in a manual or semi-manual manner.\r\nOur next observation is that even though the operator performed a few cleanups to remove traces of the compromise, the\r\noperator forgot to delete %temp%\\31558.txt – the log containing the stolen credentials. 
Thus, at least this trace remained on\r\nthe compromised machine and it shows us that the operator was not thorough in the cleanup process.\r\nConclusion\r\nMirrorFace continues to aim for high-value targets in Japan. In Operation LiberalFace, it specifically targeted political\r\nentities using the then-upcoming House of Councillors election to its advantage. More interestingly, our findings indicate\r\nMirrorFace particularly focused on the members of a specific political party.\r\nDuring the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment\r\nand utilization of additional malware and tools to collect and exfiltrate valuable data from victims. Moreover, our\r\ninvestigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename ESET detection name Description\r\nF4691FF3B3ACD15653684F372285CAC36C8D0AEF K7SysMn1.dll Win32/Agent.ACLP LODEINFO loader.\r\nDB81C8719DDAAE40C8D9B9CA103BBE77BE4FCE6C K7SysMon.Exe.db N/A Encrypted LODEINFO.\r\nA8D2BE15085061B753FDEBBDB08D301A034CE1D5 JsSchHlp.exe Win32/Agent.ACLP\r\nJsSchHlp.exe with appende\r\nsecond-stage LODEINFO in\r\nsecurity directory.\r\n0AB7BB3FF583E50FBF28B288E71D3BB57F9D1395 JSESPR.dll Win32/Agent.ACLP Second-stage LODEINFO l\r\nE888A552B00D810B5521002304D4F11BC249D8ED 31558_n.dll Win32/Agent.ACLP MirrorStealer credential ste\r\nNetwork\r\nIP Provider First Seen Details\r\n5.8.95[.]174 G-Core Labs S.A. 
2022-06-13 LODEINFO C\u0026C server.\r\n45.32.13[.]180 AS-CHOOPA 2022-06-29 Server for data exfiltration.\r\n103.175.16[.]39 Gigabit Hosting Sdn Bhd 2022-06-13 LODEINFO C\u0026C server.\r\n167.179.116[.]56 AS-CHOOPA 2021-10-20\r\nwww.ninesmn[.]com, second-stage LODEINFO C\u0026C\r\nserver.\r\n172.105.217[.]233 Linode, LLC 2021-11-14\r\nwww.aesorunwe[.]com, second-stage LODEINFO\r\nC\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nNote that although this blogpost does not provide a complete overview of LODEINFO capabilities because this information\r\nis already available in other publications, the MITRE ATT\u0026CK table below contains all techniques associated with it.\r\nTactic ID Name Description\r\nInitial Access T1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nA malicious WinRAR SFX archive is attached to\r\na spearphishing email.\r\nExecution\r\nT1106 Native API\r\nLODEINFO can execute files using the\r\nCreateProcessA API.\r\nT1204.002 User Execution: Malicious File\r\nMirrorFace operators rely on a victim opening a\r\nmalicious attachment sent via email.\r\nT1559.001\r\nInter-Process Communication:\r\nComponent Object Model\r\nLODEINFO can execute commands via\r\nComponent Object Model.\r\nPersistence T1547.001\r\nBoot or Logon Autostart\r\nExecution: Registry Run Keys /\r\nStartup Folder\r\nLODEINFO adds an entry to the HKCU Run key\r\nto ensure persistence.\r\nWe observed MirrorFace operators manually\r\nadding an entry to the HKCU Run key to ensure\r\npersistence for the second-stage LODEINFO.\r\nDefense\r\nEvasion\r\nT1112 Modify Registry\r\nLODEINFO can store its configuration in the\r\nregistry.\r\nT1055 Process Injection LODEINFO can inject shellcode into 
cmd.exe.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nLODEINFO loader decrypts a payload using a\r\nsingle-byte XOR or RC4.\r\nT1574.002\r\nHijack Execution Flow: DLL\r\nSide-Loading\r\nMirrorFace side-loads LODEINFO by dropping a\r\nmalicious library and a legitimate executable\r\n(e.g., K7SysMon.exe).\r\nDiscovery\r\nT1082 System Information Discovery\r\nLODEINFO fingerprints the compromised\r\nmachine.\r\nT1083 File and Directory Discovery LODEINFO can obtain file and directory listings.\r\nT1057 Process Discovery LODEINFO can list running processes.\r\nT1033 System Owner/User Discovery LODEINFO can obtain the victim’s username.\r\nT1614.001\r\nSystem Location Discovery:\r\nSystem Language Discovery\r\nLODEINFO checks the system language to\r\nverify that it is not running on a machine set to\r\nuse the English language.\r\nCollection\r\nT1560.001\r\nArchive Collected Data: Archive\r\nvia Utility\r\nWe observed MirrorFace operators archiving\r\ncollected data using the RAR archiver.\r\nT1114.001\r\nEmail Collection: Local Email\r\nCollection\r\nWe observed MirrorFace operators collecting\r\nstored email messages.\r\nT1056.001 Input Capture: Keylogging LODEINFO performs keylogging.\r\nT1113 Screen Capture LODEINFO can obtain a screenshot.\r\nT1005 Data from Local System\r\nWe observed MirrorFace operators collecting and\r\nexfiltrating data of interest.\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer Protocol: Web\r\nProtocols\r\nLODEINFO uses the HTTP protocol to\r\ncommunicate with its C\u0026C server.\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nLODEINFO uses URL-safe base64 to encode its\r\nC\u0026C traffic.\r\nT1573.001\r\nEncrypted Channel: Symmetric\r\nCryptography\r\nLODEINFO uses AES-256-CBC to encrypt C\u0026C\r\ntraffic.\r\nT1001.001 Data 
Obfuscation: Junk Data\r\nSecond-stage LODEINFO C\u0026C prepends junk to\r\nsent data.\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nLODEINFO can exfiltrate files to the C\u0026C\r\nserver.\r\nT1071.002\r\nApplication Layer Protocol: File\r\nTransfer Protocols\r\nWe observed MirrorFace using Secure Copy\r\nProtocol (SCP) to exfiltrate collected data.\r\nImpact T1486 Data Encrypted for Impact\r\nLODEINFO can encrypt files on the victim’s\r\nmachine.\r\nSource: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/"
	],
	"report_names": [
		"unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63ba45d66828aa10a70a8431f97126753b73a0fb.pdf",
		"text": "https://archive.orkl.eu/63ba45d66828aa10a70a8431f97126753b73a0fb.txt",
		"img": "https://archive.orkl.eu/63ba45d66828aa10a70a8431f97126753b73a0fb.jpg"
	}
}