China-linked MirrorFace deploys ANEL and AsyncRAT in new cyber espionage operation targeting a diplomatic organization in the European Union
- Threat hunters have provided new details about a malware campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using a backdoor known as ANEL. The attack was detected by ESET in late August 2024 and focused on a Central European diplomatic institute, using lures themed around the upcoming World Expo in Osaka, Japan.
- MirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the LODEINFO and HiddenFace backdoors. In the 2024 activities analyzed in this blog post, MirrorFace also started using APT10's former signature backdoor, ANEL, in its operations.
- The operation has been given the name Operation AkaiRyu, which translates to RedDragon in Japanese. MirrorFace, also known as Earth Kasha, has been active since at least 2019 and is believed to be part of the APT10 group. While the group typically targets Japanese entities, this incident marks a shift, as it attacked a European organization.
- The intrusion is significant for utilizing a highly customized version of AsyncRAT and ANEL, also referred to as UPPERCUT, a backdoor linked to APT10. The switch from LODEINFO to ANEL is notable because ANEL reappeared after being inactive since late 2018 or early 2019. ESET stated that there is no clear reason for this change, but LODEINFO has not been seen in 2024 or 2025.
- Operation AkaiRyu also overlaps with other previously documented campaigns. Changes in tactics include the use of modified AsyncRAT and Visual Studio Code Remote Tunnels to access compromised machines stealthily. The attack methods involve spear-phishing and the deployment of a loader called ANELLDR. However, many details remain unclear due to MirrorFace's improved operational security, which complicates investigations.