Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived
March 19, 2025, 9:34 a.m.
Description
The China-aligned threat actor MirrorFace expanded its cyberespionage beyond Japan, targeting a Central European diplomatic institute with lures tied to Expo 2025. The group refreshed its toolset, adding a customized AsyncRAT and reviving ANEL, a backdoor previously associated with APT10. Initial access came through spearphishing emails carrying malicious attachments or links. The attackers launched their malware, including ANEL, HiddenFace, and AsyncRAT, through legitimate applications to avoid scrutiny, and abused Visual Studio Code's remote tunnels feature for stealthy remote access. The campaign featured complex execution chains and ran tooling inside Windows Sandbox to evade detection. The operation provides evidence that MirrorFace is likely a subgroup under the APT10 umbrella.
Tags
Date
- Created: March 18, 2025, 8:59 p.m.
- Published: March 18, 2025, 8:59 p.m.
- Modified: March 19, 2025, 9:34 a.m.
Indicators
- 5.8.95.174
- 104.233.167.135
- vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid.onion
- u4mrhg3y6jyfw2dmm2wnocz3g3etp2xc5thzx77uelk7mrk7qtjmc6qd.onion
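A hunting script that turns the description and the indicators above into detection logic, as an added example (not ESET's tooling and not part of the original entry). It parses constructed key=value telemetry lines and flags the two C2 IPs and the two .onion addresses listed above, plus two behaviours the description names: a `code tunnel` launch and DNS lookups of the dev-tunnel rendezvous domains (the assumption that VS Code remote tunnels are started with `code tunnel` and resolve `*.devtunnels.ms` / `*.tunnels.api.visualstudio.com`), and a Windows Sandbox launch (the assumption that it runs as `WindowsSandbox.exe` with a `.wsb` config). The log format and the sample lines are constructed for this example.

```python
import re

# Indicators copied from the entry above.
C2_IPS = {"5.8.95.174", "104.233.167.135"}
ONION_C2 = {
    "vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid.onion",
    "u4mrhg3y6jyfw2dmm2wnocz3g3etp2xc5thzx77uelk7mrk7qtjmc6qd.onion",
}

# Assumption: VS Code remote tunnels are started with `code tunnel` (CLI or
# code.cmd wrapper) and rendezvous through Microsoft's dev-tunnel domains.
VSCODE_TUNNEL_CMD_RE = re.compile(r"\bcode(\.exe|\.cmd)?\b.*\btunnel\b", re.I)
TUNNEL_DOMAIN_RE = re.compile(
    r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)

# Assumption: Windows Sandbox is launched as WindowsSandbox.exe, usually with a .wsb config.
SANDBOX_RE = re.compile(r"WindowsSandbox\.exe|\.wsb\b", re.I)

# Constructed telemetry format: "<timestamp> key=value key="quoted value" ..."
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict (quoted values keep spaces)."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    for m in KV_RE.finditer(rest):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ev


def classify(ev):
    """Return the list of tradecraft labels one event matches (empty if nothing fires)."""
    hits = []
    kind = ev.get("type")
    if kind == "net":
        dst = ev.get("dst", "")
        if dst in C2_IPS:
            hits.append("c2-ip")
        if dst in ONION_C2:  # Tor/SOCKS proxy logs carry .onion names as destinations
            hits.append("onion-c2")
    elif kind == "dns":
        q = ev.get("query", "")
        if TUNNEL_DOMAIN_RE.search(q):
            hits.append("vscode-tunnel-dns")
        if q in ONION_C2:
            hits.append("onion-c2")
    elif kind == "proc":
        cmd = ev.get("cmd", "")
        if VSCODE_TUNNEL_CMD_RE.search(cmd):
            hits.append("vscode-tunnel-cmd")
        if SANDBOX_RE.search(cmd):
            hits.append("windows-sandbox")
    return hits


def hunt(lines):
    """Return (timestamp, host, labels) for every line that matches at least one rule."""
    out = []
    for line in lines:
        ev = parse(line)
        labels = classify(ev)
        if labels:
            out.append((ev["ts"], ev.get("host", "?"), labels))
    return out


# Constructed sample telemetry: five malicious events interleaved with two benign ones.
SAMPLE_LOG = [
    r'2025-03-10T09:12:44Z host=WS-07 type=proc user=j.doe cmd="C:\Program Files\Microsoft VS Code\bin\code.cmd tunnel --accept-server-license-terms --name ws-07"',
    r'2025-03-10T09:12:51Z host=WS-07 type=dns query=global.rel.tunnels.api.visualstudio.com',
    r'2025-03-10T09:13:01Z host=WS-07 type=net dst=104.233.167.135 dport=443',
    r'2025-03-10T09:13:30Z host=WS-07 type=proc user=j.doe cmd="C:\Windows\System32\WindowsSandbox.exe C:\Users\j.doe\AppData\Local\Temp\launch.wsb"',
    r'2025-03-10T09:14:02Z host=WS-07 type=net dst=8.8.8.8 dport=53',
    r'2025-03-10T09:14:10Z host=WS-07 type=proc user=j.doe cmd="C:\Program Files\Microsoft VS Code\Code.exe --unity-launch"',
    r'2025-03-10T09:15:00Z host=WS-07 type=net dst=vu4fleh3yd4ehpfpciinnwbnh4b77rdeypubhqr2dgfibjtvxpdxozid.onion dport=443',
]

if __name__ == "__main__":
    for ts, host, labels in hunt(SAMPLE_LOG):
        print(ts, host, ",".join(labels))
```

The IP and .onion matches age quickly and only catch this campaign; the behavioural rules are the durable part, but the tunnel CLI can be renamed, so in production pair the command-line match with the DNS/TLS rule and with process lineage (a tunnel or sandbox spawned from an Office or mail client is the actual alert condition).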
Attack Patterns
- FaceXInjector
- HiddenFace
- ANEL
- UPPERCUT - S0275
- AsyncRAT
- MirrorFace
Additional Information
- Diplomatic
- Government
- Japan