{
	"id": "aa89c105-5379-44de-9c52-9109b8e88486",
	"created_at": "2026-04-06T00:12:44.108334Z",
	"updated_at": "2026-04-10T03:33:45.758377Z",
	"deleted_at": null,
	"sha1_hash": "7c26c59f0b82f3ab9361411c80f48c527b33ad21",
	"title": "Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6116280,
	"plain_text": "Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts\r\nPublished: 2025-03-12 · Archived: 2026-04-05 20:25:20 UTC\r\nIntroduction\r\nAbout Windows Sandbox\r\nEnable Windows Sandbox\r\nDefault user\r\nWindows Defender settings\r\nConfiguration file (.wsb)\r\nVirtual Hard Disk (VHDX)\r\nThe attack methods\r\nEmerging threats\r\nMonitoring and Investigation for Windows Sandbox\r\nMonitoring\r\nMonitoring for host machine and network\r\nMonitoring Windows Sandbox execution\r\nVerification of processes in the sandbox that is deployed in the host machine's memory\r\nInvestigation methods\r\nHost machine investigation\r\nInvestigation for Windows Sandbox\r\nControl measures\r\nDon’t grant administrative privileges to users\r\nApply AppLocker policy\r\nConclusions\r\nAcknowledgements\r\nAppendix\r\nReferences\r\nTest environment\r\nIntroduction\r\nThe National Police Agency (NPA) and the National center of Incident readiness and Strategy for Cybersecurity (NISC)\r\nreleased a security advisory on January 8, 2025, regarding an APT attack campaign targeting organizations in Japan by\r\n\"MirrorFace.\" The advisory highlights that MirrorFace exploited Windows Sandbox and Visual Studio Code, providing\r\nguidance on how to identify and detect traces of these activities. This article focuses on Windows Sandbox, one of the attack\r\ntechniques used in this campaign. 
It provides detailed verification results, forensic artifacts, and key points useful for\r\nmonitoring and investigation.\r\nThis article is based on the presentation \"Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts,\" at\r\nJSAC2025 on January 22, 2025.\r\nReference\r\nhttps://blog-en.itochuci.co.jp/entry/2025/03/12/140000\r\nPage 1 of 15\n\nLilimRAT has been observed being used by the APT group “MirrorFace” (which is a subgroup of the APT10 umbrella).\r\nLilimRAT is a customized version of the open-source Lilith RAT. It includes a function to check for the existence of the\r\nWDAGUtilityAccount user folder, and if this folder is not present, it will terminate.\r\nFigure 1. LilimRAT code to check WDAGUtilityAccount user folder\r\nSince WDAGUtilityAccount is used as the default user within Windows Sandbox, it is likely that LilimRAT was specifically\r\ndesigned to run only within Windows Sandbox.\r\nFigure 2. WDAGUtilityAccount user profile in Windows Sandbox\r\nBy default, Windows Sandbox is disabled. Therefore, after compromising a target machine, the attacker enables the\r\nWindows Sandbox feature. Since Windows Sandbox only becomes active after the host machine is restarted, the attacker\r\ncreates a WSB (Windows Sandbox configuration) file on the system and then reboots the host machine.\r\nAfter the reboot, Windows Sandbox is available, and the malware (in this case, LilimRAT) is executed within the sandbox\r\naccording to the WSB file's configuration, establishing communication with the C2 server.\r\nFigure 3. 
The process of abusing Windows Sandbox\r\nGiven the fact that Windows Sandbox is abused using this technique, we believe it’s essential to conduct thorough technical\r\nverification to understand its specifications, uncover abuse methods, and establish investigation and countermeasure\r\ntechniques.\r\nAbout Windows Sandbox\r\nWindows Sandbox is a virtual environment isolated from the host system, allowing users to safely test files and applications.\r\nIt’s like an additional OS running as software within the host OS. This feature is available on Windows 10 (Build 18342 and\r\nlater) and Windows 11. Below are some key specifications regarding Windows Sandbox.\r\nEnable Windows Sandbox\r\nBy default, Windows Sandbox is disabled and must be enabled via the GUI or CLI before use.\r\nFigure 4. Enabling Windows Sandbox settings on optional features (GUI)\r\nOnce Windows Sandbox is enabled, the sandbox environment becomes available for use as shown below.\r\nFigure 5. Windows Sandbox\r\nDefault user\r\nWindows Sandbox runs as the WDAGUtilityAccount user. This user belongs to the Administrators group.\r\nC:\\Users\\WDAGUtilityAccount\u003enet user WDAGUtilityAccount\r\nUser name WDAGUtilityAccount\r\nFull Name\r\nComment Windows Defender Application Guard\r\nUser's comment\r\n~ Redacted ~\r\nLocal Group Memberships *Administrators *Remote Desktop Users *Users\r\nGlobal Group memberships *None\r\nWindows Defender settings\r\nWindows Defender is disabled by default within Windows Sandbox and cannot be enabled via either the GUI or PowerShell\r\ncommands.\r\nFigure 6. Windows Defender settings\r\nConfiguration file (.wsb)\r\nA WSB file is an XML-based configuration file that defines the settings for Windows Sandbox. 
Below is an example of a\r\nWSB file.\r\n\u003cConfiguration\u003e\r\n \u003cNetworking\u003eEnable\u003c/Networking\u003e\r\n \u003cMappedFolders\u003e\r\n \u003cMappedFolder\u003e\r\n \u003cHostFolder\u003eC:\\Users\\Public\\Downloads\u003c/HostFolder\u003e\r\n \u003cSandboxFolder\u003eC:\\Users\\WDAGUtilityAccount\\Downloads\u003c/SandboxFolder\u003e\r\n \u003cReadOnly\u003efalse\u003c/ReadOnly\u003e\r\n \u003c/MappedFolder\u003e\r\n \u003c/MappedFolders\u003e\r\n \u003cLogonCommand\u003e\r\n \u003cCommand\u003eexplorer.exe\u003c/Command\u003e\r\n \u003c/LogonCommand\u003e\r\n \u003cMemoryInMB\u003e1024\u003c/MemoryInMB\u003e\r\n\u003c/Configuration\u003e\r\nIn this example, the following settings are configured:\r\nEnable network access\r\nShare the host machine's C:\\Users\\Public\\Downloads folder with the sandbox's\r\nC:\\Users\\WDAGUtilityAccount\\Downloads folder\r\nOpen File Explorer upon startup\r\nAllocate 1 GB of memory to the sandbox\r\nA WSB file offers many other customizable settings for Windows Sandbox. 
The sandbox starts with the configurations\r\ndefined in this file.\r\nConfiguration item: Description\r\nvGPU: Enables or disables GPU sharing.\r\nNetworking: Enables or disables networking in the sandbox.\r\nMapped folders: An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path.\r\nLogon command: Specifies a single command that will be invoked automatically after the sandbox logs on.\r\nAudio input: Shares the host's microphone input into the sandbox.\r\nVideo input: Shares the host's webcam input into the sandbox.\r\nProtected client: Adds a new layer of security boundary by running Sandbox inside an AppContainer Isolation execution environment.\r\nPrinter redirection: Enables or disables printer sharing from the host into the sandbox.\r\nClipboard redirection: Enables or disables sharing of the host clipboard with the sandbox.\r\nMemory in MB: Specifies the amount of memory that the sandbox can use in MB.\r\nVirtual Hard Disk (VHDX)\r\nWindows Sandbox is built using VHDX (Virtual Hard Disk) files and employs a differential backup mechanism. When the\r\nsandbox starts, a VHDX-related folder is created under C:\\ProgramData\\Microsoft\\Windows\\Containers. This folder\r\ncontains both the parent virtual disk and differential virtual disks, along with multiple subfolders. When the sandbox is\r\nclosed, the differential backups are deleted.\r\nFigure 7. VHDX chain on C:\\ProgramData\\Microsoft\\Windows\\Containers folder\r\nThe attack methods\r\nGiven the previously explained Windows Sandbox specifications, we will now detail the attack flow carried out by\r\nMirrorFace after Windows Sandbox has been enabled. The attacker places three files—a BAT file, an archiver, and an\r\narchive file—in any folder on the compromised host machine. 
Then, they enable Windows Sandbox, restart the system, and\r\nexecute the WSB file to initiate the attack.\r\nFigure 8. The attack flow using Windows Sandbox\r\nBelow is an example of the WSB file used in the attack.\r\n\u003cConfiguration\u003e\r\n \u003cNetworking\u003eEnable\u003c/Networking\u003e\r\n \u003cMappedFolders\u003e\r\n \u003cMappedFolder\u003e\r\n \u003cHostFolder\u003eC:\\{Host-side folder}\u003c/HostFolder\u003e\r\n \u003cSandboxFolder\u003eC:\\{Sandbox-side folder}\u003c/SandboxFolder\u003e\r\n \u003cReadOnly\u003efalse\u003c/ReadOnly\u003e\r\n \u003c/MappedFolder\u003e\r\n \u003c/MappedFolders\u003e\r\n \u003cLogonCommand\u003e\r\n \u003cCommand\u003eC:\\{Sandbox-side folder}\\{random}.bat\u003c/Command\u003e\r\n \u003c/LogonCommand\u003e\r\n \u003cMemoryInMB\u003e1024\u003c/MemoryInMB\u003e\r\n\u003c/Configuration\u003e\r\nThis WSB file contains the following configurations:\r\nFolder sharing (shares a folder of the host machine with the Windows Sandbox)\r\nEnables network connection\r\nExecutes a BAT file upon startup\r\nAllocates 1 GB of RAM\r\nWhen the WSB file is executed, Windows Sandbox starts, and the BAT file runs automatically. The script written in the BAT\r\nfile is then executed within the sandbox. The BAT file contains commands to extract the archive file and execute the\r\nextracted malware. If successful, the attacker gains control over the sandbox environment on the compromised host via a C2\r\nserver. Below is an example of a BAT file used by the attacker. 
In this example, 7-Zip is used as the archiver, but this is just\r\none of the tools observed—other archiving tools have also been used in similar attacks.\r\n@echo off\r\nC:\\{Sandbox-side folder}\\7z.exe x C:\\{Sandbox-side folder}\\{Archive file} -oC:\\{Unarchived folder}\\ -p{Passwor\r\nschtasks /create /tn {taskname} /tr \"C:\\{Unarchived folder}\\{Malware}\" /sc hourly /st 08:30 /ru system /f\r\nschtasks /run /tn {taskname}\r\nWhen Windows Sandbox is executed, a window is displayed. However, if it is launched via Task Scheduler under a different\r\nuser account (e.g., SYSTEM privileges), it runs in the background without a window, making it extremely difficult to detect\r\nits activities. Additionally, malware executed within the sandbox communicates with the C2 server via the Tor network. The\r\nuse of the Tor network is likely intended to encrypt communications and conceal the C2 server. Since the malware in\r\nWindows Sandbox operates according to the WSB file’s configuration, it can access files on the host machine. However,\r\nbecause the files are accessed from the sandbox, any activity doesn’t get logged by monitoring tools running on the host\r\nsystem. Furthermore, various attack tools used within the sandbox remain undetected, as Windows Defender is not active in\r\nthis environment. This allows attackers to operate in an environment free from security products.\r\nEmerging threats\r\nDuring our investigation into Windows Sandbox features and attacks abusing it, we identified significant functional updates.\r\nWhile Microsoft's official documentation only mentions this new feature as a preview, it does not provide detailed\r\ninformation about the update. However, as of the time of writing, we have confirmed that a version including this feature has\r\nalready been released.\r\n[Windows Sandbox Client Preview] New! This update adds the Windows Sandbox Client Preview. 
It includes:\r\nRuntime clipboard redirection\r\nAudio and video input control\r\nThe sharing of folders with the host at runtime\r\nTo access these, select the ellipses (…) at the upper right on the app. This preview also includes a version of\r\ncommand-line support. (The commands might change over time). To learn more, use the wsb.exe–help command.\r\nYou can find new updates for this app in the Microsoft Store. This might not be available to all users because it\r\nwill roll out gradually.\r\nOctober 24, 2024—KB5044384 (OS Build 26100.2161) Preview\r\nThe changes to Windows Sandbox after the Windows 11 update are as follows:\r\nAddition of the wsb.exe command, enabling sandbox execution via the command line\r\nBackground execution of the sandbox\r\nAbility to modify certain settings via the GUI\r\nFigure 9. Windows Sandbox configuration menu on the updated Windows 11\r\nAs shown in the example below, wsb.exe allows for starting Windows Sandbox, enumerating running instances, and\r\nconnecting to a sandbox session.\r\n\u003e wsb.exe start\r\nWindows Sandbox environment started successfully:\r\nId: 7f1397ca-3b46-416a-827a-a4a5b76e880e\r\n\u003e wsb.exe list\r\n7f1397ca-3b46-416a-827a-a4a5b76e880e\r\n\u003e wsb.exe connect --id 7f1397ca-3b46-416a-827a-a4a5b76e880e\r\nwsb.exe command options are as follows:\r\nCommands, alias (options): Description\r\nStartSandbox, start (--id; -c, --config): Starts an instance of Windows Sandbox.\r\nListRunningSandboxes, list (-): Lists the IDs of all running Windows Sandbox environments.\r\nExecute, Exec (--id (REQUIRED); -c, --command (REQUIRED); -d, --working-directory \u003cworking-directory\u003e; -r, --run-as \u003cExistingLogin|System\u003e (REQUIRED)): Executes a command in the running Windows Sandbox environments.\r\nShareFolder, share (--id (REQUIRED); -f, --host-path \u003chost-path\u003e (REQUIRED); -s, 
--sandbox-path \u003csandbox-path\u003e; -w, --allow-write): Shares a folder from the host to the Windows Sandbox session.\r\nStopSandbox, stop (-): Terminates a running Windows Sandbox.\r\nConnectToSandbox (--id): Starts a remote session for a Windows Sandbox environment.\r\nGetIpAddress, ip (--id (REQUIRED)): Gets the IP address of the Windows Sandbox environment.\r\nBelow is an example of the execution result of the wsb.exe start command.\r\n\u003e wsb.exe start -c \"\u003cConfiguration\u003e \u003cNetworking\u003eEnable\u003c/Networking\u003e\u003cMappedFolders\u003e\u003cMappedFolder\u003e\u003cHostFolder\u003eC\r\nWindows Sandbox environment started successfully:\r\nId: c2d290db-5986-4c06-bd7b-05f35f091fa4\r\nThese recent feature updates may make it more difficult to detect attacks leveraging Windows Sandbox. The key reasons for\r\nthis are as follows:\r\n1. Background execution of Windows Sandbox: Previously, in Windows 10 and early versions of Windows 11, Windows\r\nSandbox always ran as a foreground GUI application. However, with the new wsb.exe start command, it can now run\r\nin the background. As a result, the sandbox can be launched without user awareness, and its window remains hidden\r\nuntil the wsb.exe connect command is executed.\r\n2. Sandbox execution without a WSB file: The updated wsb.exe command allows sandbox configurations to be set via\r\ncommand-line arguments. Previously, WSB files were an important forensic artifact during investigations, but this\r\nchange increases the risk of leaving no trace of sandbox usage.\r\n3. Persistent data inside the sandbox: In earlier versions, closing the Windows Sandbox window would terminate the\r\nprocess and delete all data within the environment. However, after the update, closing the window does not stop the\r\nsandbox, and its data remains intact. To delete data, the sandbox must be explicitly stopped using the wsb.exe stop\r\ncommand or terminated by shutting down the host machine. 
This change significantly increases the potential for\r\nlong-term attacker operations within the sandbox. Given these updates, security researchers must carefully verify\r\nwhether such feature changes improve convenience for attackers and implement appropriate countermeasures when\r\nnew functionalities are introduced.\r\nMonitoring and Investigation for Windows Sandbox\r\nWe have discussed the features of Windows Sandbox and the attack techniques that leverage it. Based on our verification,\r\nwe will now explain effective countermeasures against attacks that abuse Windows Sandbox.\r\nMonitoring\r\nMonitoring for host machine and network\r\nMonitoring the host machine from the following perspectives can be useful for detecting compromises:\r\nMonitoring client operation logs, sandbox processes, and memory\r\nTracking activities related to WSB files\r\nObserving event logs related to the sandbox\r\nAdditionally, Windows Sandbox utilizes the host machine's network adapter. As a result, if malware inside the sandbox\r\ncommunicates with a C2 server, the host machine's IP address will be used as the source IP address. This means standard\r\nnetwork monitoring can still be effective. However, if Tor is used, implementing a detection mechanism for Tor network\r\ntraffic will be necessary.\r\nMonitoring Windows Sandbox execution\r\nThe following are processes related to Windows Sandbox. 
By monitoring the execution of these processes on the host\r\nmachine, it’s possible to detect the startup of Windows Sandbox.\r\nProcess Names: Paths\r\nWindowsSandbox.exe: C:\\Windows\\System32\\WindowsSandbox.exe\r\nWindowsSandboxClient.exe: C:\\Windows\\system32\\WindowsSandboxClient.exe\r\ncmproxyd.exe: C:\\Windows\\system32\\cmproxyd.exe\r\nWindowsSandboxServer.exe: C:\\Program Files\\WindowsApps\\MicrosoftWindows.WindowsSandbox_0.3.1.0_x64__cw5n1h2txyewy\r\nWindowsSandboxRemoteSession.exe: C:\\Program Files\\WindowsApps\\MicrosoftWindows.WindowsSandbox_0.3.1.0_x64__cw5n1h2txyewy\r\nwsb.exe: C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\WindowsApps\\wsb.exe\r\nVerification of processes in the sandbox that is deployed in the host machine's memory\r\nWhen we ran Mimikatz inside the sandbox, we observed that, as shown in the figure below, the vmmemWindowsSandbox\r\nprocess on the host machine contained Mimikatz strings. Additionally, scanning the dumped vmmemWindowsSandbox\r\nprocess using Yara also detected the same Mimikatz strings. From this, we can conclude that sandbox processes are executed\r\nwithin the vmmemWindowsSandbox process. This suggests that memory scanning on the host machine's\r\nvmmemWindowsSandbox process can be used to detect malware or tools running inside the sandbox.\r\nFigure 10. Exposed part of Windows Sandbox memory on the host machine\r\nIt has also been found that the process name where the sandbox memory is allocated varies depending on the Windows\r\nversion. 
The differences are summarized in the table below.\r\nProcess name: OS\r\nvmmem: Windows 10\r\nvmmemWindowsSandbox: Windows 11\r\nInvestigation methods\r\nHost machine investigation\r\nApart from the vmmemWindowsSandbox / vmmem process mentioned above, traces of Windows Sandbox activity are\r\nrarely recorded on the host machine. However, certain traces related to the sandbox's activation and startup may remain on\r\nthe host. Therefore, the following artifacts can be examined to identify potential indicators of sandbox activity.\r\nClassification: Description\r\n$MFT: Creation of the WSB file, the mount source folders and files, and the VHDX files is recorded.\r\n$UsnJrnl: The creation of the WSB file, the creation of the mount source folder and file, and the creation of the VHDX file are recorded.\r\nPrefetch: Loading of WSB and VHDX files may be recorded.\r\nRegistry: The application associations are set:\r\n- HKLM\\SOFTWARE\\Classes\\Applications\\WindowsSandbox.exe\r\n- HKLM\\SOFTWARE\\Classes\\Windows.Sandbox\\shell\\open\\command\r\n- HKLM\\SOFTWARE\\Microsoft\\Windows Sandbox\\Capabilities\\FileAssociations\r\nEventLog: Records the activities related to the sandbox on the host machine.\r\nFigure 11. EventLog and Event ID for Windows Sandbox\r\nInvestigation for Windows Sandbox\r\nWindows Sandbox is composed of VHDX files. Therefore, if the VHDX file is retrieved from the host machine while\r\npreserving the parent and differential virtual disk chain, it can be mounted to analyze the data within the sandbox. If any\r\nsandbox-related processes are detected, all folders associated with the VHDX file should be preserved as volatile data for\r\nfurther investigation.\r\nFigure 12. 
Mounted VHDX file and allocated drive\r\nWe mounted the VHDX file of the Windows Sandbox and examined artifacts that could be useful for forensic investigations.\r\nAs a result, while some artifacts were disabled or not logged, we found that many valuable artifacts remained, which can be\r\nhighly useful for forensic analysis.\r\nClassification (Available): Description\r\n$MFT (Yes): No operations on shared folders from the host were recorded.\r\n$UsnJrnl (Yes): No operations on shared folders from the host were recorded.\r\nPrefetch (No): Not recorded.\r\nRegistry (Yes): We were unable to confirm any Amcache updates during our test.\r\nBrowser History (Yes): The browsing history of the pre-installed Edge was confirmed. The browsing history was also retained for browsers installed by the user.\r\nSRUM (No): Not recorded.\r\nEvtx (Yes): The default log storage size is 20,480 KB, and some useful events (such as task schedules) are not recorded. We observed events such as successful logon (Event ID 4624), failed logon (Event ID 4625), logon with explicit credentials (Event ID 4648), and service installation (Event ID 7045).\r\nControl measures\r\nSince Windows Sandbox is disabled by default, it is recommended to keep it in a disabled state. However, in case it gets\r\nenabled, monitoring and detecting events related to its activation is highly recommended.\r\nDon’t grant administrative privileges to users\r\nEnabling Windows Sandbox requires administrator privileges. Therefore, if it is not needed for business purposes, restricting\r\nadministrator privileges for users can prevent unauthorized activation of the sandbox. 
Additionally, if Windows Sandbox is\r\nunintentionally enabled, monitoring the related event logs, as mentioned earlier, can help detect its activation.\r\nApply AppLocker policy\r\nAppLocker is a security feature in Windows OS that prevents users from running unauthorized applications. Even if\r\nWindows Sandbox is already enabled or a user has permission to enable it, AppLocker can be used to control its execution.\r\nReference: AppLocker\r\nBy distributing a policy to the host machine that defines Windows Sandbox as an unauthorized application, it can block its\r\nexecution. Additionally, when AppLocker blocks Windows Sandbox, the execution result is recorded in the event log.\r\nFigure 13. Event ID of AppLocker\r\nConclusions\r\nIn this article, we have provided a detailed analysis of Windows Sandbox, which was abused by MirrorFace in 2024. Based\r\non our technical investigation, we explored its features, abuse techniques, forensic investigation methods, and defense\r\nstrategies. Since antivirus solutions and EDR on the host machine may not detect threats within the sandbox, proactive\r\nmeasures such as enhanced monitoring, thorough investigations, and effective management are essential to minimize risks.\r\nThreat actors often exploit blind spots and gaps beyond our expectations. It’s important to continue making efforts to predict\r\nthe unexpected and counter threats.\r\nAcknowledgements\r\nThis research is supported by the following organizations:\r\nNational Police Agency\r\nInformation-technology Promotion Agency (J-CRAT)\r\nESET, spol. 
s.r.o.\r\nReferences\r\nOperation AkaiRyū: MirrorFace invites Europe to EXPO 2025 and revives ANEL backdoor\r\nRegarding cyber attacks by MirrorFace (security alert) (MirrorFaceによるサイバー攻撃について（注意喚起）)\r\nAttachment: Techniques abusing Windows Sandbox, their traces, and detection measures (別添資料【Windows Sandbox を悪用した手口及び痕跡・検知策】)\r\nAppendix\r\nReferences\r\nWindows Sandbox\r\nWindows Sandbox architecture\r\nWindows Sandbox configuration\r\nOperation AkaiRyū: MirrorFace invites Europe to EXPO 2025 and revives ANEL backdoor\r\nSpot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella\r\nMirrorFace Attack against Japanese Organisations\r\nUnmasking MirrorFace: Operation LiberalFace targeting Japanese political entities\r\nHow to configure Windows Sandbox\r\nPolicy CSP - WindowsSandbox\r\nWindows Sandbox: Analysis and Verification of Known Vulnerabilities\r\nPlaying in the (Windows) Sandbox\r\nOctober 24, 2024—KB5044384 (OS Build 26100.2161) Preview\r\nWindows news you can use: November 2024\r\nIntroduction to Windows Sandbox (Windows Sandbox の紹介)\r\nJapanese articles\r\nRegarding cyber attacks by MirrorFace (security alert) (MirrorFaceによるサイバー攻撃について（注意喚起）)\r\nTechniques abusing Windows Sandbox, their traces, and detection measures (Windows Sandboxを悪用した手口及び痕跡・検知策)\r\nTest environment\r\nHost OS version / Windows Sandbox version / wsb version\r\nMicrosoft Windows 10 Enterprise 10.0.19045 / Microsoft Windows 10 Enterprise 10.0.19041 / N/A\r\nMicrosoft Windows 10 Enterprise 10.0.19045 / Microsoft Windows 10 Enterprise 10.0.19045 / N/A\r\nMicrosoft Windows 11 Pro 10.0.26100 / Microsoft Windows 11 Enterprise 10.0.26100 / 0.3.1.0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"
	],
	"report_names": [
		"140000"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c26c59f0b82f3ab9361411c80f48c527b33ad21.pdf",
		"text": "https://archive.orkl.eu/7c26c59f0b82f3ab9361411c80f48c527b33ad21.txt",
		"img": "https://archive.orkl.eu/7c26c59f0b82f3ab9361411c80f48c527b33ad21.jpg"
	}
}