In August 2024, ESET researchers detected cyberespionage activity carried out by the China-aligned MirrorFace advanced persistent threat (APT) group against a Central European diplomatic institute in relation to Expo 2025, which will be held in Osaka, Japan.
Known primarily for its cyberespionage activities against organizations in Japan, to the best of our knowledge, this is the first time MirrorFace intended to infiltrate a European entity. The campaign, which we uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon), showcases refreshed tactics, techniques, and procedures (TTPs) that we observed throughout 2024: the introduction of new tools (such as a customized AsyncRAT), the resurrection of ANEL, and a complex execution chain.
In this blogpost, we present details of the Operation AkaiRyū attacks and findings from our investigation of the diplomatic institute case, including data from our forensic analysis. ESET Research presented the results of this analysis at the Joint Security Analyst Conference (JSAC) in January 2025.
Key points of this blogpost:
- MirrorFace has refreshed its TTPs and tooling.
- MirrorFace has started using ANEL, a backdoor previously associated exclusively with APT10.
- MirrorFace has started deploying a heavily customized variant of AsyncRAT, using a complex execution chain to run it inside Windows Sandbox.
- To our knowledge, MirrorFace targeted a European entity for the first time.
- We collaborated with the affected Central European diplomatic institute and performed a forensic investigation.
- The findings obtained during that investigation have provided us with better insight into MirrorFace’s post-compromise activities.
MirrorFace profile
MirrorFace, also known as Earth Kasha, is a China-aligned threat actor until now almost exclusively targeting companies and organizations in Japan but also some located elsewhere that have relationships with Japan. As explained in this blogpost, we now consider MirrorFace to be a subgroup under the APT10 umbrella. MirrorFace has been active since at least 2019 and has been reported to target media, defense-related companies, think tanks, diplomatic organizations, financial institutions, academic institutions, and manufacturers. In 2022, we discovered a MirrorFace spearphishing campaign targeting Japanese political entities.
MirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the LODEINFO and HiddenFace backdoors. In the 2024 activities analyzed in this blogpost, MirrorFace started using APT10’s former signature backdoor, ANEL, in its operations as well.
Overview
Much like previous MirrorFace attacks, Operation AkaiRyū began with carefully crafted spearphishing emails designed to entice recipients to open malicious attachments. Our findings suggest that despite this group’s foray beyond the borders of its usual hunting ground, the threat actor still maintains a strong focus on Japan and events tied to the country. However, this is not the first time MirrorFace has been reported to operate outside of Japan: Trend Micro and the Vietnamese National Cyber Security Center (document in Vietnamese) reported on such cases in Taiwan, India, and Vietnam.
ANEL’s comeback
During our analysis of Operation AkaiRyū, we discovered that MirrorFace has significantly refreshed its TTPs and tooling. MirrorFace started using ANEL (also referred to as UPPERCUT) – a backdoor considered exclusive to APT10 – which is surprising, as it was believed that ANEL was abandoned around the end of 2018 or the start of 2019 and that LODEINFO succeeded it, appearing later in 2019. The small difference in version numbers between 2018 and 2024 ANELs, 5.5.0 and 5.5.4, and the fact that APT10 used to update ANEL every few months, strongly suggest that the development of ANEL has restarted.
The use of ANEL also provides further evidence in the ongoing debate about the potential connection between MirrorFace and APT10. The fact that MirrorFace has started using ANEL, and the other previously known information, such as similar targeting and malware code similarities, led us to make a change in our attribution: we now believe that MirrorFace is a subgroup under the APT10 umbrella. This attribution change aligns our thinking with other researchers who already consider MirrorFace to be a part of APT10, such as those at Macnica (report in Japanese), Kaspersky, ITOCHU Cyber & Intelligence Inc., and Cybereason. Others, as at Trend Micro, as of now still consider MirrorFace to be only potentially related to APT10.
First use of AsyncRAT and Visual Studio Code by MirrorFace
In 2024, MirrorFace also deployed a heavily customized variant of AsyncRAT, embedding this malware into a newly observed, intricate execution chain that runs the RAT inside Windows Sandbox. This method effectively obscures the malicious activities from security controls and hamstrings efforts to detect the compromise.
In parallel to the malware, MirrorFace also started deploying Visual Studio Code (VS Code) to abuse its remote tunnels feature. Remote tunnels enable MirrorFace to establish stealthy access to the compromised machine, execute arbitrary code, and deliver other tools. MirrorFace is not the only APT group abusing VS Code: Tropic Trooper and Mustang Panda have also been reported using it in their attacks.
Additionally, MirrorFace continued to employ its current flagship backdoor, HiddenFace, further bolstering persistence on compromised machines. While ANEL is used by MirrorFace as the first-line backdoor, right after the target has been compromised, HiddenFace is deployed in the later stages of the attack. It is also worth noting that in 2024 we didn’t observe any use of LODEINFO, another backdoor used exclusively by MirrorFace.
Forensic analysis of the compromise
We contacted the affected institute to inform them about the attack and to clean up the compromise as soon as possible. The institute collaborated closely with us during and after the attack, and additionally provided us with the disk images from the compromised machines. This enabled us to perform forensic analyses on those images and uncover further MirrorFace activity.
ESET Research provided more technical details about ANEL’s return to ESET Threat Intelligence customers on September 4th, 2024. Trend Micro published their findings on then-recent MirrorFace activities on October 21st, 2024 in Japanese and on November 26th, 2024 in English: these overlap with Operation AkaiRyū and also mention the return of the ANEL backdoor. Furthermore, in January 2025, the Japanese National Police Agency (NPA) published a warning about MirrorFace activities to organizations, businesses, and individuals in Japan. Operation AkaiRyū corresponds with Campaign C, as mentioned in the Japanese version of NPA’s warning. However, NPA mentions the targeting of Japanese entities exclusively – individuals and organizations mainly related to academia, think tanks, politics, and the media.
In addition to Trend Micro’s report and NPA’s warning, we provide an exclusive analysis of MirrorFace post-compromise activities, which we were able to observe thanks to the close cooperation of the affected organization. This includes the deployment of a heavily customized AsyncRAT, abuse of VS Code remote tunnels, and details on the execution chain that runs malware inside Windows Sandbox to avoid detection and hide the performed actions.
In this blogpost, we cover two distinct cases: a Central European diplomatic institute and a Japanese research institute. Even though MirrorFace’s overall approach is the same in both cases, there are notable differences in the initial access process; hence we describe them both.
Technical analysis
Between June and September 2024, we observed MirrorFace conducting multiple spearphishing campaigns. Based on our data, the attackers primarily gained initial access by tricking targets into opening malicious attachments or links, then they leveraged legitimate applications and tools to stealthily install their malware.
Initial access
We weren’t able to determine the initial attack vector for all the cases observed in 2024. However, based on the data available to us, we assume that spearphishing was the only attack vector used by MirrorFace. The group impersonates trusted organizations or individuals to convince recipients to open documents or click links. The following findings on initial access align with those in the Trend Micro article, although they are not entirely the same.
Specifically, in Operation AkaiRyū, MirrorFace abused both McAfee-developed applications and also one developed by JustSystems to run ANEL. While Trend Micro reported Windows Management Instrumentation (WMI) and explorer.exe as the execution proxy pair for ANEL, we unearthed another pair: WMI and wlrmdr.exe (Windows logon reminder). We also provide an email conversation between a disguised MirrorFace operator and a target.
Case 1: Japanese research institute
On June 20th, 2024, MirrorFace targeted two employees of a Japanese research institute, using a malicious, password-protected Word document delivered in an unknown manner.
The documents triggered VBA code on a simple mouseover event – the malicious code was triggered by moving the mouse over text boxes placed in the document. It then abused a signed McAfee executable to load ANEL (version 5.5.4) into memory. The compromise chain is depicted in Figure 1.
Case 2: Central European diplomatic institute
On August 26th, 2024, MirrorFace targeted a Central European diplomatic institute. To our knowledge, this is the first, and, to date, only time MirrorFace has targeted an entity in Europe.
MirrorFace operators set up their spearphishing attack by crafting an email message (shown in Figure 2) that references a previous, legitimate interaction between the institute and a Japanese NGO. The legitimate interaction was probably obtained from a previous campaign. As can be seen, this spearphishing set up message refers to the upcoming Expo 2025 exhibition, an event that will be held in Japan.
This first email was harmless, but once the target responded, MirrorFace operators sent an email message with a malicious OneDrive link leading to a ZIP archive with a LNK file disguised as a Word document named The EXPO Exhibition in Japan in 2025.docx.lnk. This second message is shown in Figure 3. Using this approach, MirrorFace concealed the payload until the target was engaged in the spearphishing scheme.
Once opened, the LNK file launches a complex compromise chain, depicted in Figure 4 and Figure 5.
The LNK file runs cmd.exe with a set of PowerShell commands to drop additional files, including a malicious Word file, tmp.docx, which loads a malicious Word template, normal_.dotm, containing VBA code. The contents of the Word document tmp.docx are depicted in Figure 6, and probably are intended to act as a decoy, while malicious actions are running in the background.
The VBA code extracts a legitimately signed application from JustSystems Corporation to side-load and decrypt the ANEL backdoor (version 5.5.5). This gave MirrorFace a foothold to begin post-compromise operations.
Toolset
In Operation AkaiRyū, MirrorFace relied not only on its custom malware, but also on various tools and a customized variant of a publicly available remote access trojan (RAT).
ANEL
ANEL (also known as UPPERCUT) is a backdoor that was previously associated exclusively with APT10. In 2024, MirrorFace started using ANEL as its first-line backdoor. ANEL’s development, until 2018, was described most recently in Secureworks’ JSAC 2019 presentation. The ANEL variants observed in 2024 were publicly described by Trend Micro.
ANEL is a backdoor, only found on disk in an encrypted form, and whose decrypted DLL form is only ever found in memory once a loader has decrypted it in preparation for execution. ANEL communicates with its C&C server over HTTP, where the transmitted data is encrypted to protect it in case the communication is being captured. ANEL supports basic commands for file manipulation, payload execution, and taking a screenshot.
ANELLDR
ANELLDR is a loader exclusively used to decrypt the ANEL backdoor and run it in memory. Trend Micro described ANELLDR in their article.
HiddenFace
HiddenFace is MirrorFace’s current flagship backdoor, with a heavy focus on modularity; we described it in detail in this JSAC 2024 presentation.
FaceXInjector
FaceXInjector is a C# injection tool stored in an XML file, compiled and executed by the Microsoft MSBuild utility, and used to exclusively execute HiddenFace. We described FaceXInjector in the same JSAC 2024 presentation dedicated to HiddenFace.
AsyncRAT
AsyncRAT is a RAT publicly available on GitHub. In 2024, we detected that MirrorFace started using a heavily customized AsyncRAT in the later stages of its attacks. The group ensures AsyncRAT’s persistence by registering a scheduled task that executes at machine startup; once triggered, a complex chain (depicted in Figure 7) launches AsyncRAT inside Windows Sandbox, which must be manually enabled and requires a reboot. We were unable to determine how MirrorFace enables this feature.
The following files are delivered to the compromised machine in order to successfully execute AsyncRAT:
- 7z.exe – legitimate 7-Zip executable.
- 7z.dll – legitimate 7-Zip library.
.7z – password-protected 7z archive containing AsyncRAT, named setup.exe..bat – batch script that unpacks AsyncRAT and runs it..wsb – Windows Sandbox configuration file to run.bat .
The triggered scheduled task executes Windows Sandbox with
In particular, the config file defines whether to enable networking and directory mapping, the dedicated memory size, and the command to execute on launch. In the file shown in Figure 8, a batch file located in the sandbox folder is executed. The batch file extracts AsyncRAT from the 7z archive, then creates and launches a scheduled task that executes AsyncRAT every hour.
The AsyncRAT variant used by MirrorFace is heavily customized. The following are the main features and changes introduced by MirrorFace:
- Sample tagging – AsyncRAT can be compiled for a specific victim and MirrorFace can add a tag to the configuration to mark the sample. If the tag is not specified, the machine’s NetBIOS name is used as the tag. This tag is further used in other introduced features as well.
- Connection to a C&C server via Tor – MirrorFace’s AsyncRAT can download and start a Tor client, and proxy its communication with a C&C server through the client. AsyncRAT selects this option only if the hardcoded C&C domains end with .onion. This approach was selected in both samples we observed during the investigation of Case 2: Central European diplomatic institute.
- Domain generation algorithm (DGA) – An alternative to using Tor, this variant can use a DGA to generate a C&C domain. The DGA can also generate machine-specific domains using the aforementioned tag. Note that HiddenFace also uses a DGA with the possibility of generating machine-specific domains, although the DGA used in HiddenFace differs from the AsyncRAT one.
- Working time – Before connecting to a C&C server, AsyncRAT checks whether the current hour and day of the week are within operating hours and days defined in the configuration. Note that MirrorFace’s AsyncRAT shares this feature with HiddenFace as well.
Visual Studio Code remote tunnels
Visual Studio Code is a free source-code editor developed by Microsoft. Visual Studio Code’s remote development feature, remote tunnels, allows developers to run Visual Studio Code locally and connect to a development machine that hosts the source code and debugging environment. Threat actors can misuse this to gain remote access, execute code, and deliver tools to a compromised machine. MirrorFace has been doing so since 2024; however, it is not the only APT group that has used such remote tunnels: other China-aligned APT groups such as Tropic Trooper and Mustang Panda have also used them in their attacks.
Post-compromise activities
Our investigation into Case 2: Central European diplomatic institute uncovered some of MirrorFace’s post-compromise activities. Through close collaboration with the institute, we gained better insight into the malware and tools deployed by MirrorFace, as seen in Table 1.
Note that the malware and tools are ordered in the table for easier comparison of what was deployed on each of the two identified compromised machines but doesn’t reflect how they were deployed chronologically.
Table 1. Malware and tools deployed by MirrorFace throughout the attack
| Tools | Notes | Machine A | Machine B |
| ANEL | APT10’s backdoor that MirrorFace uses as a first-line backdoor. | ● | ● |
| PuTTY | An open-source terminal emulator, serial console, and network file transfer application. | ● | ● |
| VS Code | A code editor developed by Microsoft. | ● | ● |
| HiddenFace | MirrorFace’s flagship backdoor. | ● | ● |
| Second HiddenFace variant | MirrorFace’s flagship backdoor. | ● | |
| AsyncRAT | RAT publicly available on GitHub. | ● | ● |
| Hidden Start | A tool that can be used to bypass UAC, hide Windows consoles, and run programs in the background. | ● | |
| csvde | Legitimate Microsoft tool available on Windows servers that imports and exports data from Active Directory Domain Services (AD DS). | ● | |
| Rubeus | Toolset for Kerberos interaction and abuse, publicly available on GitHub. | ● | |
| frp | Fast reverse proxy publicly available on GitHub. | ● | |
| Unknown tool | Disguised under the name oneuu.exe. We were unable to recover the tool during our analysis. | ● |
The group selectively deployed post-compromise tools according to its objectives and the target’s environment. Machine A belonged to a project coordinator and Machine B to an IT employee. The data available to us suggests that MirrorFace stole personal data from Machine A and sought deeper network access on Machine B, aligning the assumed objectives with the employees’ roles.
Day 0 – August 27th, 2024
MirrorFace operators sent an email with a malicious link on August 26th, 2024 to the institute’s CEO. However, since the CEO didn’t have access to a machine running Windows, the CEO forwarded the email to two other employees. Both opened the harmful LNK file, The EXPO Exhibition in Japan in 2025.docx.lnk, the next day, compromising two institute machines and leading to the deployment of ANEL. Thus, we consider August 27th, 2024, as Day 0 of the compromise. No additional activity was observed beyond this foothold establishment.
Day 1 – August 28th, 2024
The next day, MirrorFace returned and continued with its activities. The group deployed several tools for access, control, and file delivery on both compromised machines. Among the tools deployed were PuTTY, VS Code, and HiddenFace – MirrorFace’s current flagship backdoor. On Machine A, MirrorFace also attempted to deploy the tool Hidden Start. On Machine B, the actor additionally deployed csvde and the customized variant of AsyncRAT.
Day 2 – August 29th, 2024
On Day 2, MirrorFace was active on both machines. This included deploying more tools. On Machine A, MirrorFace deployed a second instance of HiddenFace. On Machine B, VS Code’s remote tunnel, HiddenFace, and AsyncRAT were executed. Besides these, MirrorFace also deployed and executed frp and Rubeus via HiddenFace. This is the last day on which we observed any MirrorFace activity on Machine B.
Day 3 – August 30th, 2024
MirrorFace remained active only on Machine A. The institute, having started attack mitigation measures on August 29th, 2024, might have prevented further MirrorFace activity on Machine B. On Machine A, the group deployed AsyncRAT and tried to maintain persistence by registering a scheduled task.
Day 6 – September 2nd, 2024
Over the weekend, i.e., on August 31st and September 1st, 2024, Machine A was inactive. On Monday, September 2nd, 2024, Machine A was booted and with it MirrorFace’s activity resumed as well. The main event of Day 6 was that the group exported Google Chrome’s web data such as contact information, keywords, autofill data, and stored credit card information into a SQLite database file. We were unable to determine how MirrorFace exported the data, and whether or how the data was exfiltrated.
Conclusion
In 2024, MirrorFace refreshed its TTPs and tooling. It started using ANEL – believed to have been abandoned around 2018/2019 – as its first-line backdoor. Combined with other information, we conclude that MirrorFace is a subgroup under the APT10 umbrella. Besides ANEL, MirrorFace has also started using other tools such as a heavily customized AsyncRAT, Windows Sandbox, and VS Code remote tunnels.
As a part of Operation AkaiRyū, MirrorFace targeted a Central European diplomatic institute – to the best of our knowledge, this is the first time the group has attacked an entity in Europe – using the same refreshed TTPs seen across its 2024 campaigns. During this attack, the threat actor used the upcoming World Expo 2025 – to be held in Osaka, Japan – as a lure. This shows that even considering this new broader geographic targeting, MirrorFace remains focused on Japan and events related to it.
Our close collaboration with the affected organization provided a rare, in-depth view of post-compromise activities that would have otherwise gone unseen. However, there are still a lot of missing pieces of the puzzle to draw a complete picture of the activities. One of the reasons is MirrorFace’s improved operational security, which has become more thorough and hinders incident investigations by deleting the delivered tools and files, clearing Windows event logs, and running malware in Windows Sandbox.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
| 018944FC47EE2329B23B | 3b3cabc5 | Win32/MirrorFace.A | AES-encrypted ANEL. |
| 68B72DA59467B1BB477D | vsodscpl.dll | Win32/MirrorFace.A | ANELLDR. |
| 02D32978543B9DD1303E | AtokLib.dll | Win32/MirrorFace.A | ANELLDR. |
| 2FB3B8099499FEE03EA7 | CodeStartUser.bat | Win32/MirrorFace.A | Malicious batch file. |
| 9B2B9A49F52B37927E6A | erBkVRZT.bat | Win32/MirrorFace.A | Malicious batch file. |
| AB65C08DA16A45565DBA | useractivitybroker.xml | Win32/ FaceXInjector.A | FaceXInjector. |
| 875DC27963F8679E7D8B | temp.log | Win32/MirrorFace.A | Malicious CAB file. |
| 694B1DD3187E876C5743 | tmp.docx | Win32/MirrorFace.A | Decoy Word |
| F5BA545D4A1683675698 | normal_.dotm | Win32/MirrorFace.A | Word template with |
| 233029813051D20B61D0 | The EXPO | Win32/MirrorFace.A | Malicious LNK file. |
| 8361F7DBF81093928DA5 | The EXPO | Win32/MirrorFace.A | Malicious ZIP archive. |
| 1AFDCE38AF37B9452FB4 | NK9C4PH_.zip | Win32/MirrorFace.A | Malicious ZIP archive. |
| E3DA9467D0C89A9312EA | N/A | MSIL/Riskware.Rubeus.A | Rubeus tool. |
| D2C25AF9EE6E60A341B0 | Tk4AJbXk.wsb | Win32/MirrorFace.A | Malicious Windows |
Network
| IP | Domain | Hosting provider | First seen | Details |
| N/A | vu4fleh3yd4ehpfpc | N/A | 2024‑08‑28 | MirrorFace’s AsyncRAT C&C server. |
| N/A | u4mrhg3y6jyfw2dmm | N/A | 2024‑08‑28 | MirrorFace’s AsyncRAT C&C server. |
| 45.32.116[.]146 | N/A | The Constant Company, LLC | 2024‑08‑27 | ANEL C&C server. |
| 64.176.56[.]26 | N/A | The Constant Company, LLC | N/A | Remote server for FRP client. |
| 104.233.167[.]135 | N/A | PEG-TKY1 | 2024‑08‑27 | HiddenFace C&C server. |
| 152.42.202[.]137 | N/A | DigitalOcean, LLC | 2024‑08‑27 | HiddenFace C&C server. |
| 208.85.18[.]4 | N/A | The Constant Company, LLC | 2024‑08‑27 | ANEL C&C server. |
MITRE ATT&CK techniques
This table was built using version 16 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| Resource Development | T1587.001 | Develop Capabilities: Malware | MirrorFace has developed custom tools such as HiddenFace. |
| T1585.002 | Establish Accounts: Email Accounts | MirrorFace created a Gmail account and used it to send a spearphishing email. | |
| T1585.003 | Establish Accounts: Cloud Accounts | MirrorFace created a OneDrive account to host malicious files. | |
| T1588.001 | Obtain Capabilities: Malware | MirrorFace utilized and customized a publicly available RAT, AsyncRAT, for its operations. | |
| T1588.002 | Obtain Capabilities: Tool | MirrorFace utilized Hidden Start in its operations. | |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | MirrorFace sent a spearphishing email with a malicious OneDrive link. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | MirrorFace used scheduled tasks to execute HiddenFace and AsyncRAT. |
| T1059.001 | Command-Line Interface: PowerShell | MirrorFace used PowerShell commands to run Visual Studio Code’s remote tunnels. | |
| T1059.003 | Command-Line Interface: Windows Command Shell | MirrorFace used the Windows command shell to ensure persistence for HiddenFace. | |
| T1204.001 | User Execution: Malicious Link | MirrorFace relied on the target to download a malicious file from a shared OneDrive link. | |
| T1204.002 | User Execution: Malicious File | MirrorFace relied on the target to run a malicious LNK file that deploys ANEL. | |
| T1047 | Windows Management Instrumentation | MirrorFace used WMI as an execution proxy to run ANEL. | |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ANEL uses one of the startup directories for persistence. |
| T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | MirrorFace side-loads ANEL by dropping a malicious library and a legitimate executable (e.g., ScnCfg32.Exe) | |
| Defense Evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery | FaceXInjector is compiled on every scheduled task run. |
| T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | HiddenFace dynamically resolves the necessary APIs upon its startup. | |
| T1027.011 | Obfuscated Files or Information: Fileless Storage | HiddenFace is stored in a registry key on the compromised machine. | |
| T1055 | Process Injection | FaceXInjector is used to inject HiddenFace into a legitimate Windows utility. | |
| T1070.004 | Indicator Removal: File Deletion | Once HiddenFace is moved to the registry, the file in which it was delivered is deleted. | |
| T1070.006 | Indicator Removal: Timestomp | HiddenFace can timestomp files in selected directories. | |
| T1112 | Modify Registry | FaceXInjector creates a registry key into which it stores HiddenFace. | |
| T1127.001 | Trusted Developer Utilities: MSBuild | MSBuild is abused to execute FaceXInjector. | |
| T1140 | Deobfuscate/Decode Files or Information | HiddenFace reads external modules from an AES-encrypted file. | |
| T1622 | Debugger Evasion | HiddenFace checks whether it is being debugged. | |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | MirrorFace hid directories with AsyncRAT. | |
| T1564.003 | Hide Artifacts: Hidden Window | MirrorFace attempted to use the tool Hidden Start, which can hide windows. | |
| T1564.006 | Hide Artifacts: Run Virtual Instance | MirrorFace used Windows Sandbox to run AsyncRAT. | |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | MirrorFace cleared Windows event logs to destroy evidence of its actions. | |
| T1036.007 | Masquerading: Double File Extension | MirrorFace used a so-called double file extension, .docx.lnk, to deceive its target. | |
| T1218 | Signed Binary Proxy Execution | MirrorFace used wlrmdr.exe as an execution proxy to run ANEL. | |
| T1221 | Template Injection | MirrorFace used Word template injection to run malicious VBA code. | |
| Discovery | T1012 | Query Registry | HiddenFace queries the registry for machine-specific information such as the machine ID. |
| T1033 | System Owner/User Discovery | HiddenFace determines the currently logged in user’s name and sends it to the C&C server. | |
| T1057 | Process Discovery | HiddenFace checks currently running processes. | |
| T1082 | System Information Discovery | HiddenFace gathers various system information and sends it to the C&C server. | |
| T1124 | System Time Discovery | HiddenFace determines the system time and sends it to the C&C server. | |
| T1087.002 | Account Discovery: Domain Account | MirrorFace used the tool csvde to export data from Active Directory Domain Services. | |
| Collection | T1115 | Clipboard Data | HiddenFace collects clipboard data and sends it to the C&C server. |
| T1113 | Screen Capture | ANEL can take a screenshot and send it to the C&C server. | |
| Command and Control | T1001.001 | Data Obfuscation: Junk Data | HiddenFace adds junk data to the messages sent to the C&C server. |
| T1568.002 | Dynamic Resolution: Domain Generation Algorithms | HiddenFace uses a DGA to generate C&C server domain names. | |
| T1573 | Encrypted Channel | HiddenFace communicates with its C&C server over an encrypted channel. | |
| T1071.001 | Standard Application Layer Protocol: Web Protocols | ANEL uses HTTP to communicate with its C&C server. | |
| T1132.001 | Data Encoding: Standard Encoding | ANEL uses base64 to encode data sent to the C&C server. | |
| Exfiltration | T1030 | Data Transfer Size Limits | HiddenFace can, upon operator request, split data and send it in chunks to the C&C server. |
| T1041 | Exfiltration Over C2 Channel | HiddenFace exfiltrates requested data to the C&C server. |
