Guess Who's Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024
By: Hara Hiroaki
Nov 26, 2024
Read time: 11 min (3056 words)
Published: 2024-11-26 · Archived: 2026-04-05 14:04:58 UTC
APT & Targeted Attacks

Trend Micro has identified a spear-phishing campaign active in Japan since June 2024. Evidence about the malware used by this campaign suggests this was part of a new operation by Earth Kasha.

This blog is part of a blog series about Earth Kasha. Kindly refer to our blog about the previous campaigns, where we discussed the tactics and targets of Earth Kasha in detail, for a deeper understanding.

Introduction

According to research by Trend Micro, a new spear-phishing campaign targeting individuals and organizations in Japan has been underway since around June 2024. An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then. Additionally, NOOPDOOR, known to be used by Earth Kasha, has been confirmed to be used in the same campaign. Based on these findings, we assess this campaign as part of a new operation by Earth Kasha.

Campaign Details

The campaign, observed around June 2024 and attributed to Earth Kasha, employed spear-phishing emails for Initial Access. Specific targets include individuals affiliated with political organizations, research institutions, think tanks, and organizations related to international relations. In 2023, Earth Kasha primarily attempted to exploit vulnerabilities in edge devices for intrusion, but this new campaign reveals that they have once again changed their TTPs. This shift appears to be driven by a target change, moving from enterprises to individuals.
Additionally, an analysis of the victim profiles and the names of the distributed lure files suggests that the adversaries are particularly interested in topics related to Japan's national security and international relations.

Figure 1. Brief timeline of Earth Kasha's campaigns

The spear-phishing emails used in this campaign were sent either from free email accounts or from compromised accounts. The emails contained a URL link to OneDrive and included a message in Japanese encouraging the recipient to download a ZIP file. Here are some potential email subjects that were observed, likely crafted to attract the interest of the targeted recipients:

取材申請書 (Interview Request Form)
米中の現状から考える日本の経済安全保障 (Japan's Economic Security in Light of Current US-China Relations)
[官公庁・公的機関一覧] ([List of Government and Public Institutions])

The files in the ZIP file, which works as the infection vector, vary depending on the period and the target.

Case 1: Macro-Enabled Document

The simplest case involves a document with embedded macros. The infection begins when the document is opened and the user enables the macros. This document file is a malicious dropper that we have named ROAMINGMOUSE. As explained later, ROAMINGMOUSE can extract and execute embedded ANEL-related components (a legitimate EXE, ANELLDR, and encrypted ANEL). Two patterns are observed in this process: one involves dropping a ZIP file and then extracting it, while the other consists of directly dropping the components.

Figure 2. Execution flow of Case 1

Case 2: Shortcut + SFX + Macro-Enabled Template Document

In other cases, the ZIP file did not directly contain ROAMINGMOUSE.
Instead, it included a shortcut file and an SFX (self-extracting) file disguised as a document by changing its icon and extension.

Figure 3. Execution flow of Case 2

When the shortcut file is opened, it executes the SFX file in the same directory, which is disguised as a .docx file.

Figure 4. Shortcut file to execute another file

The SFX file places two document files into the %APPDATA%\Microsoft\Templates folder. One of these files is a harmless decoy document, while the other, named "normal_.dotm," contains a macro called ROAMINGMOUSE. When the decoy document is opened, ROAMINGMOUSE is automatically loaded as a Word Template file. The behavior of ROAMINGMOUSE after execution is identical to that observed in Case 1.

Case 3: Shortcut + CAB + Macro-Enabled Template Document

A similar case to Case 2 has also been observed, where the shortcut file executes PowerShell, which then drops an embedded CAB file.

Figure 5. Execution flow of Case 3

In this case, the shortcut file contained a PowerShell one-liner, as shown in the figure below. This script dropped and extracted a CAB file embedded at a specific offset within the shortcut file and executed a decoy file. The decoy file then automatically loaded ROAMINGMOUSE as a template file, following the same process as in Case 2.

Figure 6. PowerShell one-liner in the shortcut file

Figure 7. CAB file embedded in the shortcut file

Malware on Initial Access

ROAMINGMOUSE

The macro-enabled document used for initial access in this campaign is what we call "ROAMINGMOUSE." This document acts as a dropper for components related to ANEL. The primary role of ROAMINGMOUSE is to execute the subsequent ANEL payload while minimizing the chances of detection.
To achieve this, it implements various evasion techniques.

(Basic) Sandbox Evasion

The ROAMINGMOUSE variant introduced in Case 1 requires the user to enable macros. This variant includes a feature that initiates malicious activity based on specific mouse movements made by the user. This functionality is achieved by implementing a function that responds to the "MouseMove" event, which is triggered when the mouse hovers over a user form embedded within the document.

Figure 8. Malicious routine will be triggered when moving a mouse properly.

This feature ensures that malicious activities do not begin unless specific user interactions occur, which is likely implemented as a sandbox evasion technique. However, it should be noted that many commercial and open-source sandboxes have addressed such sandbox evasion techniques in recent years, making them less effective.

Custom Base64-encoded Payloads

Whether this qualifies as an evasion technique is up for debate; however, it is undeniably one of the distinctive functions of ROAMINGMOUSE. This technique was employed in Pattern 1 of Case 1. ROAMINGMOUSE embeds the ZIP file containing the ANEL-related components by encoding it in Base64 and splitting it into three parts, with one part encoded using a custom Base64 encoding table. The files within the ZIP file are then extracted to a specific path.

Figure 9. Partially custom Base64-encoded data embedded in ROAMINGMOUSE

This technique may slow down analysis, but it may also serve as an evasion technique against modern tools that automatically decode Base64 embedded in VBA. Such tools have become more common recently, making this a potential countermeasure.

HEX-encoded Payloads

In some instances, such as Pattern 2 of Case 1, we observed that the ANEL-related components were dropped directly without being processed through a Base64-encoded ZIP file.
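To see why a partially custom Base64 table defeats stock "decode everything that looks like Base64" tooling, and how an analyst recovers the embedded ZIP anyway, here is an added Python example (not code from the article or from the ROAMINGMOUSE sample). It assumes the dropper split the binary into pieces and encoded each piece separately, so each chunk decodes on its own; the custom alphabet used here (the standard one reversed), the chunking and the ZIP contents are all constructed for the demo, and the real table has to be lifted from the VBA of the sample under analysis.

```python
import base64
import io
import zipfile

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Hypothetical custom alphabet for the demo: the standard one reversed. The real
# table used by ROAMINGMOUSE is not given in the article and must be pulled from
# the VBA code of the sample being analysed.
DEMO_CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def decode_custom_b64(text: bytes, alphabet: bytes = STD_ALPHABET) -> bytes:
    """Decode Base64 written with an arbitrary 64-character alphabet by mapping
    it back onto the standard alphabet before calling the stock decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet needs 64 distinct characters")
    translated = text.translate(bytes.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(translated)


def reassemble_payload(parts):
    """parts: list of (base64_text, alphabet). Each chunk is decoded with its own
    table and the binary pieces are concatenated in order. Assumption: the
    dropper split the binary and encoded each piece separately."""
    return b"".join(decode_custom_b64(text, alphabet) for text, alphabet in parts)


def list_embedded_files(zip_bytes: bytes) -> dict:
    """Return {name: content} for every member of the reassembled ZIP, entirely
    in memory, so nothing gets written next to a legitimate sideload target."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_demo_parts():
    """Constructed sample: a tiny ZIP carrying the two component names from the
    article plus a placeholder for the unnamed encrypted ANEL file, Base64-encoded
    in three chunks, the middle one with the custom alphabet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ScnCfg32.Exe", b"placeholder, not the real binary")
        zf.writestr("vsodscpl.dll", b"placeholder, not the real loader")
        zf.writestr("anel_encrypted_PLACEHOLDER.bin", b"placeholder, not the real payload")
    raw = buf.getvalue()
    cut1, cut2 = len(raw) // 3, 2 * len(raw) // 3
    pieces = [raw[:cut1], raw[cut1:cut2], raw[cut2:]]
    alphabets = [STD_ALPHABET, DEMO_CUSTOM_ALPHABET, STD_ALPHABET]
    parts = []
    for piece, alphabet in zip(pieces, alphabets):
        encoded = base64.b64encode(piece).translate(bytes.maketrans(STD_ALPHABET, alphabet))
        parts.append((encoded, alphabet))
    return parts


if __name__ == "__main__":
    names = sorted(list_embedded_files(reassemble_payload(build_demo_parts())))
    print("recovered members:", names)
```

A generic Base64 extractor fed the middle chunk produces garbage, which is exactly the effect the article attributes to the custom table; once the alphabet is known, a single translate() call turns the chunk back into something the standard decoder understands.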
In these cases, each component was embedded in the VBA code as a HEX-encoded string.

Figure 10. HEX-encoded payloads embedded in ROAMINGMOUSE

Execution Through WMI

The dropped files include the following ANEL-related components:

1. ScnCfg32.Exe: A legitimate application that loads the DLL in the same directory via DLL sideloading.
2. vsodscpl.dll: The ANELLDR loader.
3. : The encrypted ANEL.

ROAMINGMOUSE executes ANEL by running the legitimate application "ScnCfg32.exe," which loads the malicious DLL "vsodscpl.dll" through DLL sideloading. During this process, it uses WMI to execute "explorer.exe" with "ScnCfg32.Exe" as an argument.

Figure 11. Program execution through WMI

This approach aims to avoid detection by security products, which are more likely to flag processes like "cmd.exe" when executed directly from a document file, such as a Word document. By bypassing "cmd.exe" and running the program through WMI, they attempt to evade these detection mechanisms.

ANELLDR

We have been tracking the unique loader used to execute ANEL in memory, which we have named ANELLDR. ANELLDR has been observed as early as 2018. In terms of its functionality, the version used in this campaign is identical to the one used in 2018.

Beyond its core functionality, ANELLDR is known for using anti-analysis techniques such as junk code insertion, Control Flow Flattening (CFF), and Mixed Boolean Arithmetic (MBA). The ANELLDR observed in this campaign also implemented the same techniques.

Figure 12. Repeatedly inserted junk code

Figure 13. Function obfuscated by CFF

Figure 14.
Simple XOR instruction converted into complex instructions by MBA.

Although there is some publicly available information about ANELLDR, a thorough description of its behavior has not yet been provided, so we give a detailed explanation of the loader's functionality here.

ANELLDR is activated via DLL sideloading from a legitimate application to begin its malicious activities. Once executed, it enumerates files in the current directory to search for encrypted payload files. Notably, the decryption logic of ANELLDR differs between the initial and subsequent executions.

During the initial execution, ANELLDR calculates the Adler-32 checksum over the data up to the file size minus 0x34 bytes (where 0x34 bytes accounts for the 0x30 bytes of AES material and the 0x4 bytes of checksum, explained later) and compares it against the last four bytes of the target file to check whether the target file is the expected encrypted file. If a directory exists at the same level, it recursively processes the files within that directory.

Once the file passes verification, the decryption process begins. For this, the last 0x30 bytes of the file are divided into two parts: the first 0x20 bytes are used as the AES key, while the remaining 0x10 bytes are used as the AES IV. ANELLDR then decrypts the encrypted data (up to the file size minus 0x34 bytes) using AES-256-CBC and executes the payload in memory.

Figure 15. Execution flow of ANELLDR

Once ANELLDR successfully decrypts the encrypted payload, it updates the key and IV, re-encrypts the payload using AES-256-CBC, and overwrites the original encrypted payload file with the newly encrypted data. The AES key and IV used in this process are generated based on the file path of the executing file and a hardcoded string.
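The first-run file check and decryption just described can be reproduced for triage of files recovered from a compromised host. The following Python is an added example, not code from the article or the ANELLDR sample. It assumes the layout the text gives (encrypted body, then a 4-byte Adler-32 over the body, then 0x20 bytes of AES key and 0x10 bytes of IV as the last 0x30 bytes) with the checksum stored little-endian; the placement of the checksum relative to the key material and its byte order are assumptions to adjust against Figure 16 and the sample. The AES step uses the third-party cryptography package, imported lazily so the checksum helpers work without it.

```python
import os
import zlib

# Trailer layout as described: 0x30 bytes of AES material (0x20-byte key then
# 0x10-byte IV) plus a 4-byte Adler-32 checksum, so the encrypted body is
# everything up to file size minus 0x34.
KEY_LEN, IV_LEN, CHECKSUM_LEN = 0x20, 0x10, 4
TRAILER_LEN = KEY_LEN + IV_LEN + CHECKSUM_LEN  # 0x34


def split_blob(blob: bytes):
    """Assumption for this demo: the checksum sits just before the AES material
    (so key/IV really are the last 0x30 bytes) and is stored little-endian."""
    if len(blob) <= TRAILER_LEN:
        raise ValueError("file too small to carry the ANELLDR trailer")
    body = blob[:-TRAILER_LEN]
    stored = int.from_bytes(blob[-TRAILER_LEN:-TRAILER_LEN + CHECKSUM_LEN], "little")
    key = blob[-(KEY_LEN + IV_LEN):-IV_LEN]
    iv = blob[-IV_LEN:]
    return body, key, iv, stored


def is_anelldr_payload(blob: bytes) -> bool:
    """The loader's file check: Adler-32 over the body must match the stored value."""
    try:
        body, _, _, stored = split_blob(blob)
    except ValueError:
        return False
    return (zlib.adler32(body) & 0xFFFFFFFF) == stored


def decrypt_payload(blob: bytes) -> bytes:
    """AES-256-CBC decrypt the body with the key/IV carried in the trailer. Only
    valid for a first-run file: after one execution ANELLDR rewrites the file
    under a key derived from its own path, which this function does not derive."""
    if not is_anelldr_payload(blob):
        raise ValueError("checksum mismatch: not an (initial) ANELLDR payload file")
    body, key, iv, _ = split_blob(blob)
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(body) + dec.finalize()  # raw shellcode, no padding removed


def find_candidate_files(root: str):
    """Mirror the loader's search: walk the directory tree and return every file
    whose trailer checksum verifies. Useful when triaging a dumped drop folder."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_anelldr_payload(fh.read()):
                    hits.append(path)
    return hits


def build_blob(body: bytes, key: bytes, iv: bytes) -> bytes:
    """Constructed helper that mirrors the assumed layout, for self-tests."""
    checksum = (zlib.adler32(body) & 0xFFFFFFFF).to_bytes(CHECKSUM_LEN, "little")
    return body + checksum + key + iv


if __name__ == "__main__":
    # Constructed sample: the body is not real ciphertext, it only exercises the checks.
    sample = build_blob(bytes(range(256)) * 2, b"K" * KEY_LEN, b"I" * IV_LEN)
    print("verifies:", is_anelldr_payload(sample))
```

The practical caveat follows from the loader's re-encryption step: the checksum verifies on a fresh dropper output, but a file collected after the loader has run once will fail here, because its key and IV are no longer in the trailer and depend on the original path of the executing file.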
The derivation uses a custom Base64 encoding, the Blowfish encryption algorithm, and XOR operations, which ensures that the key and IV are unique to the running environment. Since the AES key and IV used for encryption are not embedded in the file, one must know the exact file path where the payload was initially stored to decrypt an encrypted payload file obtained from an infected environment.

Figure 16. File structure of the re-encrypted payload blob

The 2nd-stage shellcode

The decrypted data is shellcode and is executed in memory. This 2nd-stage shellcode is responsible for loading and executing the final payload, a DLL, in memory.

First, the 2nd-stage shellcode attempts to evade debugging by calling the ZwSetInformationThread API with the second argument set to ThreadHideFromDebugger (0x11).

Next, it retrieves the address of the encrypted data. To do this, it calls a unique function filled with NOP instructions to obtain the current address in memory. After obtaining this address, it calculates the location of the encrypted payload-related data, which is located immediately after this function.

Figure 17. Unique function filled with NOP instructions

The encrypted data section is structured in the following format:

Figure 18. Structure of the encrypted data section

ANELLDR decodes the subsequent encrypted data using a 16-byte XOR key. A distinctive feature of this process is that each byte of the encrypted data is XORed with the entire 16-byte key.
In other words, the algorithm applies XOR to each data byte 16 times, using a different key byte for each operation.

Figure 19. Unique algorithm using XOR 16 times

After the XOR operation, the data is decompressed using the Lempel–Ziv–Oberhumer (LZO) data compression algorithm. Additionally, the first 4 bytes and the Adler-32 checksum of the payload DLL are calculated and compared to verify that the data has been correctly decoded and decompressed. If the integrity check passes, the DLL is dynamically initialized in memory, and the hardcoded export function is called to execute the payload.

ANEL

ANEL is a 32-bit HTTP-based backdoor that has been observed since around 2017 and was known as one of the primary backdoors used by APT10 until around 2018. ANEL was actively developed during that time, and the last version publicly observed in 2018 was "5.5.0 rev1." However, through this new campaign in 2024, versions "5.5.4 rev1," "5.5.5 rev1," "5.5.6 rev1," and "5.5.7 rev1" have been observed, along with a newly identified version where the version information has been obfuscated.
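Before moving on to ANEL itself, the 2nd-stage shellcode's "XOR 16 times" routine from the section above deserves a worked example, because the 16 operations collapse: XOR is associative and commutative, so XORing a byte with k[0] through k[15] in turn equals one XOR with k[0]^k[1]^...^k[15], a single constant byte. The Python below is an added example (not code from the article or the sample) that implements the routine literally, the folded equivalent, and the post-decompression check on the first four bytes and Adler-32 of the DLL. The real data is LZO-compressed and the article gives neither the key nor the expected values, so the key, the stand-in DLL and the identity `decompress` hook are constructed assumptions; a python-lzo decompressor can be passed in their place.

```python
import zlib
from functools import reduce


def xor16_literal(data: bytes, key: bytes) -> bytes:
    """The routine as the article describes it: every data byte is XORed once
    with each of the 16 key bytes in turn (16 XORs per byte)."""
    if len(key) != 16:
        raise ValueError("the loader's XOR key is 16 bytes")
    out = bytearray(data)
    for i in range(len(out)):
        for k in key:
            out[i] ^= k
    return bytes(out)


def fold_key(key: bytes) -> int:
    """16 XORs with k[0..15] equal one XOR with k[0]^...^k[15]: the whole key
    collapses to a single byte, so the routine is a one-byte XOR in disguise."""
    return reduce(lambda a, b: a ^ b, key, 0)


def xor16_folded(data: bytes, key: bytes) -> bytes:
    """Same output as xor16_literal with one XOR per byte."""
    k = fold_key(key)
    return bytes(b ^ k for b in data)


def payload_is_intact(dll: bytes, expected_head: bytes, expected_adler32: int) -> bool:
    """The shellcode's check after decompression: the first 4 bytes and the
    Adler-32 of the DLL must both match the expected values."""
    return dll[:4] == expected_head and (zlib.adler32(dll) & 0xFFFFFFFF) == expected_adler32


def decode_stage(blob, key, expected_head, expected_adler32, decompress=lambda b: b):
    """XOR-decode, decompress and verify. The real sample is LZO-compressed; pass
    an LZO decompressor as `decompress`. The default identity hook is an
    assumption for this offline demo, whose constructed sample is uncompressed."""
    dll = decompress(xor16_folded(blob, key))
    if not payload_is_intact(dll, expected_head, expected_adler32):
        raise ValueError("integrity check failed: wrong key or corrupt data")
    return dll


def build_demo_sample(key: bytes):
    """Constructed sample, not a real ANEL DLL: an MZ-like header plus filler,
    encoded with the literal 16-XOR routine. Returns (encoded, head, adler32, dll)."""
    dll = b"MZ\x90\x00" + b"constructed stand-in for the payload DLL " * 4
    return xor16_literal(dll, key), dll[:4], zlib.adler32(dll) & 0xFFFFFFFF, dll


if __name__ == "__main__":
    key = b"0123456789abcdef"  # constructed key; the real one lives in the sample
    enc, head, chk, dll = build_demo_sample(key)
    assert decode_stage(enc, key, head, chk) == dll
    print("effective single-byte key: 0x%02x" % fold_key(key))
```

Two consequences matter for analysts: a decoder only needs the folded byte, which can be brute-forced over 256 values against the expected MZ header, and a 16-byte key in which every bit is set an even number of times (for example the bytes 0x00 through 0x0F) folds to zero and leaves the data unchanged.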
Table 1. Comparison of the observed ANEL versions (reconstructed from the flattened table)

Versions compared: 5.5.0 rev1 | 5.5.4 rev1 | 5.5.5 rev1 | 5.5.6 rev1 | 5.5.7 rev1 | unknown

C&C Comm Encryption (GET), all versions: Custom ChaCha20 + random-byte XOR + Base64
C&C Comm Encryption (POST), all versions: Custom ChaCha20 + LZO
ChaCha20 Key Generation, all versions: Selected from the hardcoded key based on the C&C URL

Backdoor Commands, 5.5.0 rev1 / 5.5.4 rev1 / 5.5.5 rev1:
  0x97A168D9697D40DD (download)
  0x7CF812296CCC68D5 (upload)
  0x652CB1CEFF1C0A00 (in-memory PE exec)
  0x27595F1F74B55278 (download and exec)
  0xD290626C85FB1CE3 (sleep)
  0x409C7A89CFF0A727 (get screenshot)
  Else: execute command

Backdoor Commands, 5.5.6 rev1 / 5.5.7 rev1 / unknown:
  0x97A168D9697D40DD (download)
  0x7CF812296CCC68D5 (upload)
  0x652CB1CEFF1C0A00 (in-memory PE exec)
  0x27595F1F74B55278 (download and exec)
  0xD290626C85FB1CE3 (sleep)
  0x409C7A89CFF0A727 (get screenshot)
  0x596813980E83DAE6 (UAC bypass)
  Else: execute command

From here, we'll take a closer look at the specific updates and changes in each version.

5.5.4 rev1

This version of ANEL did not introduce any major changes, but a few minor fixes and updates were implemented. One notable change was the removal of the feature that stored an error code in the HTTP Cookie header and sent it to the C&C server, which had been present up to version "5.5.0 rev1." This feature was previously identified as a detection point for ANEL, so its removal might have been intended to evade detection.

Another update involved the version information sent to the C&C server. It now includes information about the OS architecture of the execution environment. Although ANEL is a 32-bit application, when running on a 64-bit OS, the string "wow64" is appended to the version information before it is sent to the C&C server.

Figure 20. OS architecture included

5.5.5 rev1

Version "5.5.5 rev1" did not include significant changes either. One notable update was the addition of code to renew the local IP address during the initial access to the C&C server.

Figure 21.
Renew the local IP address by Windows API.

5.5.6 rev1 / 5.5.7 rev1

In version "5.5.6 rev1," a new backdoor command was added. ANEL processes the command string received from the C&C server by converting it to uppercase and hashing it with xxHash, then comparing the hash to a hardcoded value to determine the command. In this version, a new command corresponding to the hash value "0x596813980E83DAE6" was implemented.

Figure 22. New backdoor command introduced in 5.5.6 rev1

This command provides the functionality to execute a specified program with elevated privileges (High Integrity) by abusing the CMSTPLUA COM interface, a known UAC bypass technique.

Figure 23. Abusing CMSTPLUA COM interface

In "5.5.7 rev1", on the other hand, no additional notable functionality was observed.

Unknown version

After observing version "5.5.7 rev1," an ANEL variant was detected with obfuscated version information. In this instance, the version information field contained a Base64-encoded string, which decoded to the data "A1 5E 99 00 E7 DE 2B F5 AD A1 E8 D1 55 D5 0A 22". This data was concatenated with "wow64" and sent to the C&C server. This change has made it more difficult to track versions and compare functionality.

Figure 24. Encrypted version information

Post-Exploitation Activities

Tracking the adversary's activities after installing ANEL revealed that they collected information from the infected environment, such as taking screenshots and executing commands like arp and dir to gather network and file system details. In some cases, additional malware, specifically NOOPDOOR, was also installed. NOOPDOOR, observed since at least 2021, is a modular backdoor with more advanced capabilities.
It appears to work as a further payload that Earth Kasha uses, particularly for high-value targets. In this campaign, we believe NOOPDOOR was deployed against targets of special interest to the adversary.

Attribution and Insights

Based on the analysis of the ongoing campaign, Trend Micro assesses that the spear-phishing campaign using ANEL, observed since June 2024, is part of a new operation conducted by Earth Kasha.

Figure 25. Diamond Model of the new campaign in 2024

The attribution to Earth Kasha is based on the following reasons:

Until early 2023, Earth Kasha had been conducting campaigns targeting individuals and organizations in Japan via spear-phishing emails as the primary intrusion vector. There are no significant inconsistencies in terms of TTPs or victim profiles.

NOOPDOOR, believed to be used exclusively by Earth Kasha, was also deployed in this campaign.

As previously mentioned, there are code similarities between ANELLDR and NOOPDOOR, suggesting the involvement of the same developer or someone with access to both source codes. Therefore, the reuse of ANEL in this campaign is unsurprising and further supports the connection between the former APT10 and the current Earth Kasha.

Trend Micro Vision One Threat Intelligence

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
Guess Who's Back?
The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024

Trend Micro Vision One Threat Insights App
Threat Actors: Earth Kasha
Emerging Threats: Guess Who's Back? The Return of ANEL in the Recent Spear-phishing Campaign by Earth Kasha in 2024

Hunting Queries

Trend Micro Vision One Search App

Trend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

Malware detection associated with the spear-phishing campaign by Earth Kasha:
(malName:*ANEL* OR malName:*ROAMINGMOUSE*) AND eventName: MALWARE_DETECTION

Malicious IPs used by ANEL in the 2024 spear-phishing campaign:
eventId:3 AND (dst:"139.84.131.62" OR dst:"139.84.136.105" OR dst:"45.32.116.146" OR dst:"45.77.252.85" OR dst:"208.85.18.4" OR src:"139.84.131.62" OR src:"139.84.136.105" OR src:"45.32.116.146" OR src:"45.77.252.85" OR src:"208.85.18.4")

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.

YARA rule

This YARA rule may be used to find Earth Kasha activity.

Conclusion

Earth Kasha's campaigns are expected to continue evolving, with updates to their tools and TTPs. Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect. It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails. Additionally, it is important to gather threat intelligence and ensure that relevant parties are informed. As this campaign is believed to be ongoing as of October 2024, continued vigilance is necessary.

Indicators of Compromise

The full list of IoCs may be found here.
Source: https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html