Global Economic Times
Nation-backed threat group 'MirrorFace' targets Japanese and Taiwanese government agencies with cyber espionage, utilizing new ROAMINGMOUSE and enhanced ANEL malware

ONLINE TEAM / Updated : 2025-05-09 12:29:19

A nation-backed cyber threat group known as 'MirrorFace' has been detected conducting cyber espionage activities targeting government and public institutions in Japan and Taiwan, deploying a new malware strain called 'ROAMINGMOUSE'.

Global cybersecurity firm Trend Micro detected MirrorFace's attack campaign in March 2025, revealing that the group distributed an updated version of a backdoor referred to as 'ANEL' through targeted spear-phishing attacks.

Trend Micro security researcher Hara Hiroaki noted that "The ANEL file discovered in this 2025 campaign implemented a new command to support Beacon Object File (BOF) execution within memory," and added, "There's a potential that this campaign leveraged a tool called 'SharpHide' to execute the second-stage backdoor, 'NOOPDOOR'."

This China-based threat group, also known as 'Earth Kasha', is assessed to be a subgroup of APT10. Previously, in March 2025, another cybersecurity firm, ESET, reported that an EU diplomatic organization was targeted in August 2024 with the ANEL (aka UPPERCUT) malware through a campaign named 'Operation AkaiRyū'.

The current activity against a range of institutions in Japan and Taiwan shows that MirrorFace is continuing to widen the scope of its operations. Analysts assess that the group is actively engaged in information theft in pursuit of its strategic objectives.

The attacks commence with spear-phishing emails, some of which are confirmed to have been sent from legitimately compromised accounts. These emails contain malicious Microsoft OneDrive URLs, and clicking them leads to the download of a ZIP file.

The ZIP archive contains a malicious Excel document and a macro-based downloader codenamed 'ROAMINGMOUSE'. ROAMINGMOUSE serves as the delivery vehicle for the ANEL-related components and has been part of MirrorFace's toolset since the previous year.

Researcher Hara Hiroaki explained, "ROAMINGMOUSE decodes an embedded ZIP file using Base64 encoding, drops the ZIP file onto the disk, and then decompresses it." The list of decompressed files is as follows:

  • JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (legitimate executable files)
  • JSFC.dll (ANELLDR)
  • An encrypted ANEL payload
  • MSVCR100.dll (a normal DLL dependency file for the executable)

The attack chain then uses explorer.exe to launch the legitimate executable, which in turn loads the malicious DLL, ANELLDR. ANELLDR is responsible for decrypting and executing the ANEL backdoor.
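The last step of that chain (a legitimately named executable, started from a user-writable folder, that loads a DLL sitting beside it) leaves a correlatable trace in endpoint telemetry. The script below is an added example, not code from the article or from Trend Micro: it correlates process-creation and image-load events and flags a process that runs from a user-writable location and loads a DLL from its own folder, raising the severity when the executable or DLL names match those reported above. The event records are constructed for this example in a simplified Sysmon-like shape (EventID 1 = process create, EventID 7 = image load, with the Image, ParentImage, ImageLoaded and ProcessId fields); the list of user-writable folder markers is an assumption to be tuned per environment. The generic same-folder-DLL check deliberately goes beyond the campaign's specific file names so that renamed hosts are still caught.

```python
"""
Correlates process-creation and image-load events to surface the side-loading
step described above: a legitimate executable started from a user-writable
folder that loads a DLL beside it rather than one from a system directory.
Record shape follows Sysmon field names; the events themselves are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Host executable and loader DLL names reported for this campaign (from the article).
CAMPAIGN_HOST_EXES = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
CAMPAIGN_LOADER_DLL = "jsfc.dll"

# Folder fragments an unprivileged user can normally write to.
# Assumption: adjust to the environment's actual user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample telemetry: EventID 1 = process create, EventID 7 = image load.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4312, "Image": r"C:\Users\alice\AppData\Local\Temp\tmp7f\JSLNTOOL.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4312, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 4312, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tmp7f\MSVCR100.dll"},
    {"EventID": 7, "ProcessId": 4312, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tmp7f\JSFC.dll"},
    # Benign: an installed program loading its own DLL from Program Files.
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 5120, "ImageLoaded": r"C:\Program Files\Notepad++\SciLexer.dll"},
    # Suspicious but not campaign-specific: unknown tool in Downloads with a same-folder DLL.
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Users\alice\Downloads\tool\helper.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 6001, "ImageLoaded": r"C:\Users\alice\Downloads\tool\libhelper.dll"},
]


def is_user_writable(path: str) -> bool:
    """True if the path sits under a folder an ordinary user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def analyze(events):
    """Return one finding per process that shows the side-loading pattern."""
    procs = {}                 # ProcessId -> process-create record
    loads = defaultdict(list)  # ProcessId -> list of loaded image paths
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
        elif ev["EventID"] == 7:
            loads[ev["ProcessId"]].append(ev["ImageLoaded"])

    findings = []
    for pid, ev in procs.items():
        image = PureWindowsPath(ev["Image"])
        if not is_user_writable(ev["Image"]):
            continue  # a program under Program Files loading its own DLLs is expected
        # DLLs loaded from the executable's own folder (PureWindowsPath compares case-insensitively).
        same_dir_dlls = [
            PureWindowsPath(p).name for p in loads.get(pid, [])
            if PureWindowsPath(p).parent == image.parent and PureWindowsPath(p).suffix.lower() == ".dll"
        ]
        if not same_dir_dlls:
            continue
        reasons = [f"runs from user-writable folder {image.parent}",
                   f"loads same-folder DLL(s): {', '.join(same_dir_dlls)}"]
        severity = "medium"
        if image.name.lower() in CAMPAIGN_HOST_EXES:
            reasons.append(f"{image.name} is a side-loading host named in the campaign report")
            severity = "high"
        if any(d.lower() == CAMPAIGN_LOADER_DLL for d in same_dir_dlls):
            reasons.append("JSFC.dll (ANELLDR) loaded")
            severity = "high"
        if PureWindowsPath(ev["ParentImage"]).name.lower() == "explorer.exe":
            reasons.append("parent is explorer.exe, matching the reported launch method")
        findings.append({"pid": pid, "image": str(image), "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] pid={f['pid']} {f['image']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the constructed events, the script reports pid 4312 as high (campaign names plus the generic pattern) and pid 6001 as medium (generic pattern only), and stays silent on the Notepad++ process because Program Files is not user-writable. In production the same correlation can be expressed as a SIEM query joining Sysmon event IDs 1 and 7 on ProcessId.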

A notable feature of the ANEL malware used in the 2025 campaign is the addition of a new command that supports the in-memory execution of BOF (Beacon Object File). BOFs are compiled C programs designed to extend the capabilities of Cobalt Strike agents, allowing attackers to perform additional post-exploitation activities on compromised systems.

Trend Micro stated, "After installing the ANEL file, the attackers behind Earth Kasha used backdoor commands to obtain screenshots and investigate the victim's environment." They added, "The attackers appear to be conducting reconnaissance on the compromised system by reviewing screenshots, checking the process list, and querying domain information."

In some instances, there were also indications of the open-source tool 'SharpHide' being utilized to execute a new version of 'NOOPDOOR' (aka HiddenFace), another backdoor previously linked to this hacking group. NOOPDOOR features support for DNS-over-HTTPS (DoH) to conceal IP address lookups during command and control (C2) communication. This suggests that the attackers are continuously developing their techniques to evade detection.

Researcher Hara Hiroaki warned, "Earth Kasha remains an actively operating advanced persistent threat (APT) group and is targeting government and public institutions in Taiwan and Japan in its latest campaign detected in March 2025."

He further emphasized, "Companies and institutions, especially those holding high-value assets such as government-related sensitive data, intellectual property, infrastructure data, and access credentials, must continuously strengthen their vigilance and implement proactive security measures to avoid becoming victims of cyberattacks."

Additional Information:

  • APT10 (Stone Panda): Assessed to be the parent group of MirrorFace, APT10 is a long-standing China-based cyber espionage group primarily involved in information theft targeting various industries, including government, telecommunications, aerospace, and energy. They are notorious for employing sophisticated attack techniques and concealment methods.
  • Spear Phishing: A targeted attack technique that focuses on specific individuals or organizations, using emails disguised with content that appeals to their interests to distribute malware or steal critical information. Its higher success rate compared to general phishing makes it a frequent tool for APT groups.
  • Backdoor: A covertly installed entry point that bypasses normal authentication procedures, allowing unauthorized access to a system. Attackers can use backdoors to remotely control compromised systems and conduct further malicious activities.
  • Cobalt Strike: A legitimate penetration testing tool widely used but also exploited by attackers to generate malicious payloads, establish C2 communication, and perform post-exploitation activities. BOF is an object file format used to extend Cobalt Strike's functionality.
  • DNS-over-HTTPS (DoH): A protocol that encrypts DNS queries over HTTPS connections. This can help attackers obscure their C2 server communication and evade network traffic analysis-based detection.
  • SharpHide: An open-source tool used to conceal processes on Windows operating systems. Attackers can leverage this to hide malicious processes and evade detection.
  • NOOPDOOR (HiddenFace): Another backdoor malware known to be used by MirrorFace, featuring stealth capabilities and C2 communication functionalities. Its use of DoH to hide communication is a notable characteristic.
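Because DoH wraps name resolution in ordinary HTTPS, the DNS-layer visibility that NOOPDOOR's C2 lookups would normally leave (as described for NOOPDOOR above and in the DoH glossary entry) is lost, so the check has to move to the connection layer: which process is talking to a DoH resolver, and is that process one that is expected to do so. The script below is an added example, not code from the article or from Trend Micro. It parses a constructed pipe-delimited connection log (timestamp|process name|image path|destination host|port|URL path, the shape an endpoint agent or forward proxy might emit) and flags DoH use by non-browser processes, escalating when the process image lives in a user-writable folder. The resolver list is a small, partial set of public DoH endpoints and the list of processes allowed to use DoH is an assumption; both are meant to be replaced with the organisation's own data.

```python
"""
Flags DNS-over-HTTPS use by processes that are not expected to resolve names
that way. Input is a constructed connection log; the resolver and allowed-process
lists are assumptions to be replaced with local allow/deny data.
"""

# Partial list of public DoH resolver hostnames (assumption: extend from threat intel / policy).
KNOWN_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_PATH = "/dns-query"  # conventional DoH endpoint path, also matches self-hosted resolvers

# Processes for which DoH is an expected behaviour (assumption: browsers with DoH enabled).
EXPECTED_DOH_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Folder fragments an unprivileged user can normally write to (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample log: timestamp|process|image path|dest host|dest port|URL path
SAMPLE_LOG = """\
2025-03-12T09:14:02Z|chrome.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|dns.google|443|/dns-query
2025-03-12T09:14:05Z|JSLNTOOL.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\tmp7f\\JSLNTOOL.exe|cloudflare-dns.com|443|/dns-query
2025-03-12T09:14:09Z|OUTLOOK.EXE|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|outlook.office365.com|443|/owa
2025-03-12T09:15:11Z|updater.exe|C:\\Program Files\\Vendor\\updater.exe|dns.quad9.net|443|/dns-query
2025-03-12T09:16:40Z|helper.exe|C:\\Users\\alice\\Downloads\\tool\\helper.exe|example-cdn.net|443|/api/v1
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record into its fields."""
    ts, proc, image, host, port, path = line.split("|", 5)
    return {"ts": ts, "process": proc, "image": image,
            "host": host.lower(), "port": int(port), "path": path}


def is_doh(rec: dict) -> bool:
    """A connection counts as DoH if it hits a known resolver or the conventional path over 443."""
    return rec["port"] == 443 and (rec["host"] in KNOWN_DOH_RESOLVERS or rec["path"].startswith(DOH_PATH))


def analyze(log_text: str) -> list:
    """Return one finding per DoH connection made by a process not expected to use DoH."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_doh(rec) or rec["process"].lower() in EXPECTED_DOH_PROCESSES:
            continue
        reasons = [f"DoH to {rec['host']}{rec['path']} from non-browser process {rec['process']}"]
        severity = "medium"
        if any(marker in rec["image"].lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("process image lives in a user-writable folder")
            severity = "high"
        findings.append({"ts": rec["ts"], "process": rec["process"], "image": rec["image"],
                         "host": rec["host"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['image']} -> {f['host']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

On the constructed log this yields two findings: the JSLNTOOL.exe connection from a Temp folder (high) and the vendor updater in Program Files (medium, worth a look but plausibly legitimate). The chrome.exe and Outlook lines are ignored. Where an organisation runs its own internal resolver, blocking outbound 443 to known DoH endpoints for everything except approved browsers turns this detection into prevention.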

MirrorFace's recent activities underscore the ongoing prevalence of nation-state cyber espionage and the continuous development of new techniques and tactics by attackers to breach defenses. Particularly, Japan and Taiwan, due to their geopolitically sensitive locations, are likely to remain prime targets for nation-backed threat groups.

Consequently, government and public institutions, as well as private enterprises, must heighten their awareness of cybersecurity threats, continuously monitor the latest threat intelligence, and implement enhanced security measures. It is crucial to adhere strictly to basic security practices, such as avoiding opening suspicious email attachments or links and refraining from executing programs from unknown sources. Furthermore, proactive security investments, including the adoption of a Zero Trust architecture, implementation of Multi-Factor Authentication (MFA), application of the latest security patches, and strengthening of Intrusion Detection and Prevention Systems, are necessary to enhance the ability to respond to cyberattacks.

[Copyright (c) Global Economic Times. All Rights Reserved.]