{
	"id": "bcd0789b-c3ea-465a-9122-8ed2540c0f98",
	"created_at": "2026-04-06T00:17:07.324846Z",
	"updated_at": "2026-04-10T03:36:33.981273Z",
	"deleted_at": null,
	"sha1_hash": "d8e462c7701b519d88b071e9424999e5ca35a784",
	"title": "Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641392,
	"plain_text": "Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and\r\nrevives ANEL backdoor\r\nBy Dominik Breitenbacher\r\nArchived: 2026-04-05 14:00:04 UTC\r\nIn August 2024, ESET researchers detected cyberespionage activity carried out by the China-aligned MirrorFace\r\nadvanced persistent threat (APT) group against a Central European diplomatic institute in relation to Expo 2025,\r\nwhich will be held in Osaka, Japan.\r\nKnown primarily for its cyberespionage activities against organizations in Japan, to the best of our knowledge,\r\nthis is the first time MirrorFace intended to infiltrate a European entity. The campaign, which we uncovered in Q2\r\nand Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon), showcases refreshed tactics,\r\ntechniques, and procedures (TTPs) that we observed throughout 2024: the introduction of new tools (such as a\r\ncustomized AsyncRAT), the resurrection of ANEL, and a complex execution chain.\r\nIn this blogpost, we present details of the Operation AkaiRyū attacks and findings from our investigation of the\r\ndiplomatic institute case, including data from our forensic analysis. 
ESET Research presented the results of this\r\nanalysis at the Joint Security Analyst Conference (JSAC) in January 2025.\r\nKey points of this blogpost:\r\nMirrorFace has refreshed its TTPs and tooling.\r\nMirrorFace has started using ANEL, a backdoor previously associated exclusively with APT10.\r\nMirrorFace has started deploying a heavily customized variant of AsyncRAT, using a complex\r\nexecution chain to run it inside Windows Sandbox.\r\nTo our knowledge, MirrorFace targeted a European entity for the first time.\r\nWe collaborated with the affected Central European diplomatic institute and performed a\r\nforensic investigation.\r\nThe findings obtained during that investigation have provided us with better insight into\r\nMirrorFace’s post-compromise activities.\r\nMirrorFace profile\r\nMirrorFace, also known as Earth Kasha, is a China-aligned threat actor until now almost exclusively targeting\r\ncompanies and organizations in Japan but also some located elsewhere that have relationships with Japan. As\r\nexplained in this blogpost, we now consider MirrorFace to be a subgroup under the APT10 umbrella. MirrorFace\r\nhas been active since at least 2019 and has been reported to target media, defense-related companies, think tanks,\r\ndiplomatic organizations, financial institutions, academic institutions, and manufacturers. In 2022, we discovered\r\na MirrorFace spearphishing campaign targeting Japanese political entities.\r\nhttps://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/\r\nPage 1 of 20\n\nMirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the\r\nLODEINFO and HiddenFace backdoors. 
In the 2024 activities analyzed in this blogpost, MirrorFace started using\r\nAPT10’s former signature backdoor, ANEL, in its operations as well.\r\nOverview\r\nMuch like previous MirrorFace attacks, Operation AkaiRyū began with carefully crafted spearphishing emails\r\ndesigned to entice recipients to open malicious attachments. Our findings suggest that despite this group’s foray\r\nbeyond the borders of its usual hunting ground, the threat actor still maintains a strong focus on Japan and events\r\ntied to the country. However, this is not the first time MirrorFace has been reported to operate outside of Japan:\r\nTrend Micro and the Vietnamese National Cyber Security Center (document in Vietnamese) reported on such\r\ncases in Taiwan, India, and Vietnam.\r\nANEL’s comeback\r\nDuring our analysis of Operation AkaiRyū, we discovered that MirrorFace has significantly refreshed its TTPs and\r\ntooling. MirrorFace started using ANEL (also referred to as UPPERCUT) – a backdoor considered exclusive to\r\nAPT10 – which is surprising, as it was believed that ANEL was abandoned around the end of 2018 or the start of\r\n2019 and that LODEINFO succeeded it, appearing later in 2019. The small difference in version numbers between\r\n2018 and 2024 ANELs, 5.5.0 and 5.5.4, and the fact that APT10 used to update ANEL every few months, strongly\r\nsuggest that the development of ANEL has restarted.\r\nThe use of ANEL also provides further evidence in the ongoing debate about the potential connection between\r\nMirrorFace and APT10. The fact that MirrorFace has started using ANEL, and the other previously known\r\ninformation, such as similar targeting and malware code similarities, led us to make a change in our attribution:\r\nwe now believe that MirrorFace is a subgroup under the APT10 umbrella. 
This attribution change aligns our\r\nthinking with other researchers who already consider MirrorFace to be a part of APT10, such as those at Macnica\r\n(report in Japanese), Kaspersky, ITOCHU Cyber \u0026 Intelligence Inc., and Cybereason. Others, such as Trend Micro,\r\nstill consider MirrorFace to be only potentially related to APT10.\r\nFirst use of AsyncRAT and Visual Studio Code by MirrorFace\r\nIn 2024, MirrorFace also deployed a heavily customized variant of AsyncRAT, embedding this malware into a\r\nnewly observed, intricate execution chain that runs the RAT inside Windows Sandbox. This method effectively\r\nobscures the malicious activities from security controls and hamstrings efforts to detect the compromise.\r\nIn parallel to the malware, MirrorFace also started deploying Visual Studio Code (VS Code) to abuse its remote\r\ntunnels feature. Remote tunnels enable MirrorFace to establish stealthy access to the compromised machine,\r\nexecute arbitrary code, and deliver other tools. MirrorFace is not the only APT group abusing VS Code: Tropic\r\nTrooper and Mustang Panda have also been reported using it in their attacks.\r\nAdditionally, MirrorFace continued to employ its current flagship backdoor, HiddenFace, further bolstering\r\npersistence on compromised machines. While ANEL is used by MirrorFace as the first-line backdoor, right after\r\nthe target has been compromised, HiddenFace is deployed in the later stages of the attack. It is also worth noting\r\nthat in 2024 we didn’t observe any use of LODEINFO, another backdoor used exclusively by MirrorFace.\r\nForensic analysis of the compromise\r\nWe contacted the affected institute to inform them about the attack and to clean up the compromise as soon as\r\npossible. 
The institute collaborated closely with us during and after the attack, and additionally provided us with\r\nthe disk images from the compromised machines. This enabled us to perform forensic analyses on those images\r\nand uncover further MirrorFace activity.\r\nESET Research provided more technical details about ANEL’s return to ESET Threat Intelligence customers on\r\nSeptember 4th, 2024. Trend Micro published their findings on then-recent MirrorFace activities on October 21st,\r\n2024 in Japanese and on November 26th, 2024 in English: these overlap with Operation AkaiRyū and also\r\nmention the return of the ANEL backdoor. Furthermore, in January 2025, the Japanese National Police Agency\r\n(NPA) published a warning about MirrorFace activities to organizations, businesses, and individuals in Japan.\r\nOperation AkaiRyū corresponds with Campaign C, as mentioned in the Japanese version of NPA’s warning.\r\nHowever, NPA mentions the targeting of Japanese entities exclusively – individuals and organizations mainly\r\nrelated to academia, think tanks, politics, and the media.\r\nIn addition to Trend Micro’s report and NPA’s warning, we provide an exclusive analysis of MirrorFace post-compromise activities, which we were able to observe thanks to the close cooperation of the affected organization.\r\nThis includes the deployment of a heavily customized AsyncRAT, abuse of VS Code remote tunnels, and details\r\non the execution chain that runs malware inside Windows Sandbox to avoid detection and hide the performed\r\nactions.\r\nIn this blogpost, we cover two distinct cases: a Central European diplomatic institute and a Japanese research\r\ninstitute. 
Even though MirrorFace’s overall approach is the same in both cases, there are notable differences in the\r\ninitial access process; hence we describe them both.\r\nTechnical analysis\r\nBetween June and September 2024, we observed MirrorFace conducting multiple spearphishing campaigns.\r\nBased on our data, the attackers primarily gained initial access by tricking targets into opening malicious\r\nattachments or links, then they leveraged legitimate applications and tools to stealthily install their malware.\r\nInitial access\r\nWe weren’t able to determine the initial attack vector for all the cases observed in 2024. However, based on the\r\ndata available to us, we assume that spearphishing was the only attack vector used by MirrorFace. The group\r\nimpersonates trusted organizations or individuals to convince recipients to open documents or click links. The\r\nfollowing findings on initial access align with those in the Trend Micro article, although they are not entirely the\r\nsame.\r\nSpecifically, in Operation AkaiRyū, MirrorFace abused both McAfee-developed applications and one\r\ndeveloped by JustSystems to run ANEL. While Trend Micro reported Windows Management Instrumentation\r\n(WMI) and explorer.exe as the execution proxy pair for ANEL, we unearthed another pair: WMI and wlrmdr.exe\r\n(Windows Logon Reminder). We also provide an email conversation between a disguised MirrorFace operator and a\r\ntarget.\r\nCase 1: Japanese research institute\r\nOn June 20th, 2024, MirrorFace targeted two employees of a Japanese research institute, using a malicious,\r\npassword-protected Word document delivered in an unknown manner.\r\nThe documents triggered VBA code on a simple mouseover event – the malicious code was triggered by moving\r\nthe mouse over text boxes placed in the document. 
It then abused a signed McAfee executable to load ANEL\r\n(version 5.5.4) into memory. The compromise chain is depicted in Figure 1.\r\nFigure 1. Compromise chain observed in June 2024\r\nCase 2: Central European diplomatic institute\r\nOn August 26th, 2024, MirrorFace targeted a Central European diplomatic institute. To our knowledge, this is the\r\nfirst, and, to date, only time MirrorFace has targeted an entity in Europe.\r\nMirrorFace operators set up their spearphishing attack by crafting an email message (shown in Figure 2) that\r\nreferences a previous, legitimate interaction between the institute and a Japanese NGO. The legitimate interaction\r\nwas probably obtained from a previous campaign. As can be seen, this spearphishing setup message refers to the\r\nupcoming Expo 2025 exhibition, an event that will be held in Japan.\r\nFigure 2. The first email sent to the target\r\nThis first email was harmless, but once the target responded, MirrorFace operators sent an email message with a\r\nmalicious OneDrive link leading to a ZIP archive with an LNK file disguised as a Word document named The\r\nEXPO Exhibition in Japan in 2025.docx.lnk. This second message is shown in Figure 3. Using this approach,\r\nMirrorFace concealed the payload until the target was engaged in the spearphishing scheme.\r\nFigure 3. Second email sent by MirrorFace, containing a link to a malicious ZIP archive hosted on\r\nOneDrive\r\nOnce opened, the LNK file launches a complex compromise chain, depicted in Figure 4 and Figure 5.\r\nFigure 4. 
First part of the compromise chain\r\nFigure 5. Second part of the compromise chain\r\nThe LNK file runs cmd.exe with a set of PowerShell commands to drop additional files, including a malicious\r\nWord file, tmp.docx, which loads a malicious Word template, normal_.dotm, containing VBA code. The contents\r\nof the Word document tmp.docx are depicted in Figure 6, and probably are intended to act as a decoy, while\r\nmalicious actions are running in the background.\r\nFigure 6. Contents of the deceptive tmp.docx document shown to the target\r\nThe VBA code extracts a legitimately signed application from JustSystems Corporation to side-load and decrypt\r\nthe ANEL backdoor (version 5.5.5). This gave MirrorFace a foothold to begin post-compromise operations.\r\nToolset\r\nIn Operation AkaiRyū, MirrorFace relied not only on its custom malware, but also on various tools and a\r\ncustomized variant of a publicly available remote access trojan (RAT).\r\nANEL\r\nANEL (also known as UPPERCUT) is a backdoor that was previously associated exclusively with APT10. In\r\n2024, MirrorFace started using ANEL as its first-line backdoor. ANEL’s development, until 2018, was described\r\nmost recently in Secureworks’ JSAC 2019 presentation. The ANEL variants observed in 2024 were publicly\r\ndescribed by Trend Micro.\r\nANEL is a backdoor, only found on disk in an encrypted form, and whose decrypted DLL form is only ever found\r\nin memory once a loader has decrypted it in preparation for execution. 
ANEL communicates with its C\u0026C server\r\nover HTTP, where the transmitted data is encrypted to protect it in case the communication is being captured.\r\nANEL supports basic commands for file manipulation, payload execution, and taking a screenshot.\r\nANELLDR\r\nANELLDR is a loader exclusively used to decrypt the ANEL backdoor and run it in memory. Trend Micro\r\ndescribed ANELLDR in their article.\r\nHiddenFace\r\nHiddenFace is MirrorFace’s current flagship backdoor, with a heavy focus on modularity; we described it in detail\r\nin this JSAC 2024 presentation.\r\nFaceXInjector\r\nFaceXInjector is a C# injection tool stored in an XML file, compiled and executed by the Microsoft MSBuild\r\nutility, and used exclusively to execute HiddenFace. We described FaceXInjector in the same JSAC 2024\r\npresentation dedicated to HiddenFace.\r\nAsyncRAT\r\nAsyncRAT is a RAT publicly available on GitHub. In 2024, we detected that MirrorFace started using a heavily\r\ncustomized AsyncRAT in the later stages of its attacks. The group ensures AsyncRAT’s persistence by registering\r\na scheduled task that executes at machine startup; once triggered, a complex chain (depicted in Figure 7) launches\r\nAsyncRAT inside Windows Sandbox, which must be manually enabled and requires a reboot. We were unable to\r\ndetermine how MirrorFace enables this feature.\r\nFigure 7. 
AsyncRAT execution chain\r\nThe following files are delivered to the compromised machine in order to successfully execute AsyncRAT:\r\n7z.exe – legitimate 7-Zip executable.\r\n7z.dll – legitimate 7-Zip library.\r\n\u003crandom\u003e.7z – password-protected 7z archive containing AsyncRAT, named setup.exe.\r\n\u003crandom\u003e.bat – batch script that unpacks AsyncRAT and runs it.\r\n\u003crandom\u003e.wsb – Windows Sandbox configuration file to run \u003crandom\u003e.bat.\r\nThe triggered scheduled task executes Windows Sandbox with \u003crandom\u003e.wsb as a parameter. This file contains\r\nconfiguration data for the sandbox; see Figure 8.\r\nFigure 8. Contents of a Windows Sandbox config file used by MirrorFace\r\nIn particular, the config file defines whether to enable networking and directory mapping, the dedicated memory\r\nsize, and the command to execute on launch. In the file shown in Figure 8, a batch file located in the sandbox\r\nfolder is executed. The batch file extracts AsyncRAT from the 7z archive, then creates and launches a scheduled\r\ntask that executes AsyncRAT every hour.\r\nThe AsyncRAT variant used by MirrorFace is heavily customized. The following are the main features and\r\nchanges introduced by MirrorFace:\r\nSample tagging – AsyncRAT can be compiled for a specific victim and MirrorFace can add a tag to the\r\nconfiguration to mark the sample. If the tag is not specified, the machine’s NetBIOS name is used as the\r\ntag. This tag is further used in other introduced features as well.\r\nConnection to a C\u0026C server via Tor – MirrorFace’s AsyncRAT can download and start a Tor client, and\r\nproxy its communication with a C\u0026C server through the client. AsyncRAT selects this option only if the\r\nhardcoded C\u0026C domains end with .onion. 
This approach was selected in both samples we observed during\r\nthe investigation of Case 2: Central European diplomatic institute.\r\nDomain generation algorithm (DGA) – An alternative to using Tor, this variant can use a DGA to\r\ngenerate a C\u0026C domain. The DGA can also generate machine-specific domains using the aforementioned\r\ntag. Note that HiddenFace also uses a DGA with the possibility of generating machine-specific domains,\r\nalthough the DGA used in HiddenFace differs from the AsyncRAT one.\r\nWorking time – Before connecting to a C\u0026C server, AsyncRAT checks whether the current hour and day\r\nof the week are within operating hours and days defined in the configuration. Note that MirrorFace’s\r\nAsyncRAT shares this feature with HiddenFace as well.\r\nVisual Studio Code remote tunnels\r\nVisual Studio Code is a free source-code editor developed by Microsoft. Visual Studio Code’s remote\r\ndevelopment feature, remote tunnels, allows developers to run Visual Studio Code locally and connect to a\r\ndevelopment machine that hosts the source code and debugging environment. Threat actors can misuse this to gain\r\nremote access, execute code, and deliver tools to a compromised machine. MirrorFace has been doing so since\r\n2024; however, it is not the only APT group that has used such remote tunnels: other China-aligned APT groups\r\nsuch as Tropic Trooper and Mustang Panda have also used them in their attacks.\r\nPost-compromise activities\r\nOur investigation into Case 2: Central European diplomatic institute uncovered some of MirrorFace’s post-compromise activities. 
Through close collaboration with the institute, we gained better insight into the malware\r\nand tools deployed by MirrorFace, as seen in Table 1.\r\nNote that the malware and tools are ordered in the table for easier comparison of what was deployed on each of\r\nthe two identified compromised machines; the order doesn’t reflect how they were deployed chronologically.\r\nTable 1. Malware and tools deployed by MirrorFace throughout the attack\r\nTools | Notes | Machine A | Machine B\r\nANEL | APT10’s backdoor that MirrorFace uses as a first-line backdoor. | ● | ●\r\nPuTTY | An open-source terminal emulator, serial console, and network file transfer application. | ● | ●\r\nVS Code | A code editor developed by Microsoft. | ● | ●\r\nHiddenFace | MirrorFace’s flagship backdoor. | ● | ●\r\nSecond HiddenFace variant | MirrorFace’s flagship backdoor. | ● | \r\nAsyncRAT | RAT publicly available on GitHub. | ● | ●\r\nHidden Start | A tool that can be used to bypass UAC, hide Windows consoles, and run programs in the background. | ● | \r\ncsvde | Legitimate Microsoft tool available on Windows servers that imports and exports data from Active Directory Domain Services (AD DS). |  | ●\r\nRubeus | Toolset for Kerberos interaction and abuse, publicly available on GitHub. |  | ●\r\nfrp | Fast reverse proxy publicly available on GitHub. |  | ●\r\nUnknown tool | Disguised under the name oneuu.exe. We were unable to recover the tool during our analysis. |  | ●\r\nThe group selectively deployed post-compromise tools according to its objectives and the target’s environment.\r\nMachine A belonged to a project coordinator and Machine B to an IT employee. 
The data available to us suggests\r\nthat MirrorFace stole personal data from Machine A and sought deeper network access on Machine B, aligning the\r\nassumed objectives with the employees’ roles.\r\nDay 0 – August 27th, 2024\r\nMirrorFace operators sent an email with a malicious link on August 26th, 2024 to the institute’s CEO. However,\r\nsince the CEO didn’t have access to a machine running Windows, the CEO forwarded the email to two other\r\nemployees. Both opened the harmful LNK file, The EXPO Exhibition in Japan in 2025.docx.lnk, the next day,\r\ncompromising two institute machines and leading to the deployment of ANEL. Thus, we consider August 27th,\r\n2024, as Day 0 of the compromise. No additional activity was observed beyond this foothold establishment.\r\nDay 1 – August 28th, 2024\r\nThe next day, MirrorFace returned and continued with its activities. The group deployed several tools for access,\r\ncontrol, and file delivery on both compromised machines. Among the tools deployed were PuTTY, VS Code, and\r\nHiddenFace – MirrorFace’s current flagship backdoor. On Machine A, MirrorFace also attempted to deploy the\r\ntool Hidden Start. On Machine B, the actor additionally deployed csvde and the customized variant of AsyncRAT.\r\nDay 2 – August 29th, 2024\r\nOn Day 2, MirrorFace was active on both machines. This included deploying more tools. On Machine A,\r\nMirrorFace deployed a second instance of HiddenFace. On Machine B, VS Code’s remote tunnel, HiddenFace,\r\nand AsyncRAT were executed. Besides these, MirrorFace also deployed and executed frp and Rubeus via\r\nHiddenFace. This is the last day on which we observed any MirrorFace activity on Machine B.\r\nDay 3 – August 30th, 2024\r\nMirrorFace remained active only on Machine A. The institute, having started attack mitigation measures on\r\nAugust 29th, 2024, might have prevented further MirrorFace activity on Machine B. 
On Machine A, the group\r\ndeployed AsyncRAT and tried to maintain persistence by registering a scheduled task.\r\nDay 6 – September 2nd, 2024\r\nOver the weekend, i.e., on August 31st and September 1st, 2024, Machine A was inactive. On Monday, September\r\n2nd, 2024, Machine A was booted and with it MirrorFace’s activity resumed as well. The main event of Day 6 was\r\nthat the group exported Google Chrome’s web data such as contact information, keywords, autofill data, and\r\nstored credit card information into a SQLite database file. We were unable to determine how MirrorFace exported\r\nthe data, and whether or how the data was exfiltrated.\r\nConclusion\r\nIn 2024, MirrorFace refreshed its TTPs and tooling. It started using ANEL – believed to have been abandoned\r\naround 2018/2019 – as its first-line backdoor. Combined with other information, we conclude that MirrorFace is a\r\nsubgroup under the APT10 umbrella. Besides ANEL, MirrorFace has also started using other tools such as a\r\nheavily customized AsyncRAT, Windows Sandbox, and VS Code remote tunnels.\r\nAs a part of Operation AkaiRyū, MirrorFace targeted a Central European diplomatic institute – to the best of our\r\nknowledge, this is the first time the group has attacked an entity in Europe – using the same refreshed TTPs seen\r\nacross its 2024 campaigns. During this attack, the threat actor used the upcoming World Expo 2025 – to be held in\r\nOsaka, Japan – as a lure. This shows that even considering this new broader geographic targeting, MirrorFace\r\nremains focused on Japan and events related to it.\r\nOur close collaboration with the affected organization provided a rare, in-depth view of post-compromise\r\nactivities that would have otherwise gone unseen. 
However, there are still a lot of missing pieces of the puzzle to\r\ndraw a complete picture of the activities. One of the reasons is MirrorFace’s improved operational security, which\r\nhas become more thorough and hinders incident investigations by deleting the delivered tools and files, clearing\r\nWindows event logs, and running malware in Windows Sandbox.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\n018944FC47EE2329B23B74DA31B19E57373FF539 | 3b3cabc5 | Win32/MirrorFace.A | AES-encrypted ANEL.\r\n68B72DA59467B1BB477D0C1C5107CEE8D9078E7E | vsodscpl.dll | Win32/MirrorFace.A | ANELLDR.\r\n02D32978543B9DD1303E5B020F52D24D5EABA52E | AtokLib.dll | Win32/MirrorFace.A | ANELLDR.\r\n2FB3B8099499FEE03EA7064812645AC781AFD502 | CodeStartUser.bat | Win32/MirrorFace.A | Malicious batch file.\r\n9B2B9A49F52B37927E6A9F4D6DDB180BE8169C5F | erBkVRZT.bat | Win32/MirrorFace.A | Malicious batch file.\r\nAB65C08DA16A45565DBA930069B5FC5A56806A4C | useractivitybroker.xml | Win32/FaceXInjector.A | FaceXInjector.\r\n875DC27963F8679E7D8BF53A7E69966523BC36BC | temp.log | Win32/MirrorFace.A | Malicious CAB file.\r\n694B1DD3187E876C5743A0E0B83334DBD18AC9EB | tmp.docx | Win32/MirrorFace.A | Decoy Word document loading malicious template normal_.dotm.\r\nF5BA545D4A16836756989A3AB32F3F6C5D5AD8FF | normal_.dotm | Win32/MirrorFace.A | Word template with malicious VBA code.\r\n233029813051D20B61D057EC4A56337E9BEC40D2 | The EXPO Exhibition in Japan in 2025.docx.lnk | Win32/MirrorFace.A | Malicious LNK file.\r\n8361F7DBF81093928DA54E3CBC11A0FCC2EEB55A | The EXPO Exhibition in Japan in 2025.zip | Win32/MirrorFace.A | Malicious ZIP archive.\r\n1AFDCE38AF37B9452FB4AC35DE9FCECD5629B891 | NK9C4PH_.zip | Win32/MirrorFace.A | Malicious ZIP archive.\r\nE3DA9467D0C89A9312EA199ECC83CDDF3607D8B1 | N/A | MSIL/Riskware.Rubeus.A | Rubeus tool.\r\nD2C25AF9EE6E60A341B0C93DD97566FB532BFBE8 | Tk4AJbXk.wsb | Win32/MirrorFace.A | Malicious Windows Sandbox configuration file.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\nN/A | vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid[.]onion | N/A | 2024-08-28 | MirrorFace’s AsyncRAT C\u0026C server.\r\nN/A | u4mrhg3y6jyfw2dmm2wnocz3g3etp2xc5thzx77uelk7mrk7qtjmc6qd[.]onion | N/A | 2024-08-28 | MirrorFace’s AsyncRAT C\u0026C server.\r\n45.32.116[.]146 | N/A | The Constant Company, LLC | 2024-08-27 | ANEL C\u0026C server.\r\n64.176.56[.]26 | N/A | The Constant Company, LLC | N/A | Remote server for FRP client.\r\n104.233.167[.]135 | N/A | PEG-TKY1 | 2024-08-27 | HiddenFace C\u0026C server.\r\n152.42.202[.]137 | N/A | DigitalOcean, LLC | 2024-08-27 | HiddenFace C\u0026C server.\r\n208.85.18[.]4 | N/A | The Constant Company, LLC | 2024-08-27 | ANEL C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1587.001 | Develop Capabilities: Malware | MirrorFace has developed custom tools such as HiddenFace.\r\nResource Development | T1585.002 | Establish Accounts: Email Accounts | MirrorFace created a Gmail account and used it to send a spearphishing email.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | MirrorFace created a OneDrive account to host malicious files.\r\nResource Development | T1588.001 | Obtain Capabilities: Malware | MirrorFace utilized and customized a publicly available RAT, AsyncRAT, for its operations.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | MirrorFace utilized Hidden Start in its operations.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | MirrorFace sent a spearphishing email with a malicious OneDrive link.\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task | MirrorFace used scheduled tasks to execute HiddenFace and AsyncRAT.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | MirrorFace used PowerShell commands to run Visual Studio Code’s remote tunnels.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MirrorFace used the Windows command shell to ensure persistence for HiddenFace.\r\nExecution | T1204.001 | User Execution: Malicious Link | MirrorFace relied on the target to download a malicious file from a shared OneDrive link.\r\nExecution | T1204.002 | User Execution: Malicious File | MirrorFace relied on the target to run a malicious LNK file that deploys ANEL.\r\nExecution | T1047 | Windows Management Instrumentation | MirrorFace used WMI as an execution proxy to run ANEL.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ANEL uses one of the startup directories for persistence.\r\nPersistence | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | MirrorFace side-loads ANEL by dropping a malicious library and a legitimate executable (e.g., ScnCfg32.Exe).\r\nDefense Evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | FaceXInjector is compiled on every scheduled task run.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | HiddenFace dynamically resolves the necessary APIs upon its startup.\r\nDefense Evasion | T1027.011 | Obfuscated Files or Information: Fileless Storage | HiddenFace is stored in a registry key on the compromised machine.\r\nDefense Evasion | T1055 | Process Injection | FaceXInjector is used to inject HiddenFace into a legitimate Windows utility.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | Once HiddenFace is moved to the registry, the file in which it was delivered is deleted.\r\nDefense Evasion | T1070.006 | Indicator Removal: Timestomp | HiddenFace can timestomp files in selected directories.\r\nDefense Evasion | T1112 | Modify Registry | FaceXInjector creates a registry key into which it stores HiddenFace.\r\nDefense Evasion | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | MSBuild is abused to execute FaceXInjector.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | HiddenFace reads external modules from an AES-encrypted file.\r\nDefense Evasion | T1622 | Debugger Evasion | HiddenFace checks whether it is being debugged.\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | MirrorFace hid directories with AsyncRAT.\r\nDefense Evasion | T1564.003 | Hide Artifacts: Hidden Window | MirrorFace attempted to use the tool Hidden Start, which can hide windows.\r\nDefense Evasion | T1564.006 | Hide Artifacts: Run Virtual Instance | MirrorFace used Windows Sandbox to run AsyncRAT.\r\nDefense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | MirrorFace cleared Windows event logs to destroy evidence of its actions.\r\nDefense Evasion | T1036.007 | Masquerading: Double File Extension | MirrorFace used a so-called double file extension, .docx.lnk, to deceive its target.\r\nDefense Evasion | T1218 | System Binary Proxy Execution | MirrorFace used wlrmdr.exe as an execution proxy to run ANEL.\r\nDefense Evasion | T1221 | Template Injection | MirrorFace used Word template injection to run malicious VBA code.\r\nDiscovery | T1012 | Query Registry | HiddenFace queries the registry for machine-specific information such as the machine ID.\r\nDiscovery | T1033 | System Owner/User Discovery | HiddenFace determines the currently logged in user’s name and sends it to the C\u0026C server.\r\nDiscovery | T1057 | Process Discovery | HiddenFace checks currently running processes.\r\nDiscovery | T1082 | System Information Discovery | HiddenFace gathers various system information and sends it to the C\u0026C server.\r\nDiscovery | T1124 | System Time Discovery | HiddenFace determines the system time and sends it to the C\u0026C server.\r\nDiscovery | T1087.002 | Account Discovery: Domain Account | MirrorFace used the tool csvde to export data from Active Directory Domain Services.\r\nCollection | T1115 | Clipboard Data | HiddenFace collects clipboard data and sends it to the C\u0026C server.\r\nCollection | T1113 | Screen Capture | ANEL can take a screenshot and send it to the C\u0026C server.\r\nCommand and Control | T1001.001 | Data Obfuscation: Junk Data | HiddenFace adds junk data to the messages sent to the C\u0026C server.\r\nCommand and Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | HiddenFace uses a DGA to generate C\u0026C server domain names.\r\nCommand and Control | T1573 | Encrypted Channel | HiddenFace communicates with its C\u0026C server over an encrypted channel.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | ANEL uses HTTP to communicate with its C\u0026C server.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | ANEL uses base64 to encode data sent to the C\u0026C server.\r\nExfiltration | T1030 | Data Transfer Size Limits | HiddenFace can, upon operator request, split data and send it in chunks to the C\u0026C server.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | HiddenFace exfiltrates requested data to the C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
\nA0E0B83334DBD18AC9EB   malicious\n   template\n   normal_.dotm.\n   Word template\nF5BA545D4A1683675698   \n normal_.dotm Win32/MirrorFace.A with malicious\n9A3AB32F3F6C5D5AD8FF   \n   VBA code.\n The EXPO Exhibition  \n233029813051D20B61D0   Malicious LNK\n in Japan in Win32/MirrorFace.A \n57EC4A56337E9BEC40D2   file.\n 2025.docx.lnk  \n8361F7DBF81093928DA5 The EXPO Exhibition  Malicious ZIP\n  Win32/MirrorFace.A \n4E3CBC11A0FCC2EEB55A in Japan in 2025.zip  archive.\n1AFDCE38AF37B9452FB4   Malicious ZIP\n NK9C4PH_.zip Win32/MirrorFace.A \nAC35DE9FCECD5629B891   archive.\nE3DA9467D0C89A9312EA   \n N/A MSIL/Riskware.Rubeus.A Rubeus tool.\n199ECC83CDDF3607D8B1   \n   Malicious\n   Windows\nD2C25AF9EE6E60A341B0   \n Tk4AJbXk.wsb Win32/MirrorFace.A Sandbox\nC93DD97566FB532BFBE8   \n   configuration\n   file.\n  Page 15 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/"
	],
	"report_names": [
		"operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur",
				"KeyBoy",
				"Pirate Panda",
				"Red Orthrus",
				"TA413",
				"Tropic Trooper"
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8e462c7701b519d88b071e9424999e5ca35a784.pdf",
		"text": "https://archive.orkl.eu/d8e462c7701b519d88b071e9424999e5ca35a784.txt",
		"img": "https://archive.orkl.eu/d8e462c7701b519d88b071e9424999e5ca35a784.jpg"
	}
}