Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived

March 19, 2025, 9:34 a.m.

Description

Chinese threat actor MirrorFace expanded its cyberespionage activities beyond Japan, targeting a Central European diplomatic institute in connection with Expo 2025. The group refreshed its tactics, introducing new tools such as a customized AsyncRAT and reviving the ANEL backdoor previously associated with APT10. MirrorFace used spearphishing emails carrying malicious attachments or links to gain initial access. The attackers abused legitimate applications to install malware stealthily, including ANEL, HiddenFace, and AsyncRAT, and abused Visual Studio Code's remote tunnels feature for covert access. The campaign featured complex execution chains and used Windows Sandbox to evade detection. This operation provides evidence that MirrorFace is likely a subgroup under the APT10 umbrella.

Date

  • Created: March 18, 2025, 8:59 p.m.
  • Published: March 18, 2025, 8:59 p.m.
  • Modified: March 19, 2025, 9:34 a.m.

Indicators

Attack Patterns

  • FaceXInjector
  • HiddenFace
  • ANEL
  • UPPERCUT - S0275
  • AsyncRAT
  • MirrorFace

Additional Information

  • Diplomatic
  • Government
  • Japan