MirrorFace Espionage Campaign Zeroes in on Japan and Taiwan
A suspected nation-state hacking group, tracked as MirrorFace, is actively targeting government and public sector organizations in Japan and Taiwan. In this cyber espionage campaign, the group is deploying malware known as ROAMINGMOUSE together with an updated variant of its ANEL backdoor to steal sensitive information.

The cyber espionage group known as MirrorFace is at it again. This time, they're deploying malware called ROAMINGMOUSE against government agencies and public institutions in Japan and Taiwan. What's the scoop?
Trend Micro spotted this activity back in March 2025. It looks like the attackers are using spear-phishing emails to deliver an updated version of a backdoor called ANEL.
According to security researcher Hara Hiroaki, "The ANEL file from the 2025 campaign...implemented a new command to support an execution of BOF (Beacon Object File) in memory." He also noted that the group may be using SharpHide to launch a second-stage backdoor called NOOPDOOR.
MirrorFace, also known as Earth Kasha, is thought to be part of the larger APT10 group. ESET previously reported on a campaign dubbed Operation AkaiRyū, which targeted a diplomatic organization in the EU with ANEL (aka UPPERCUT) back in August 2024.
Targeting Japanese and Taiwanese organizations suggests MirrorFace is expanding its reach. They're likely after information to advance their strategic objectives. So, how does the attack work?
It all starts with a spear-phishing email. Some of these emails are even being sent from legitimate, but compromised, accounts. The email contains a link to a Microsoft OneDrive URL, which downloads a ZIP file. Inside this ZIP file is where the trouble really begins.
The ZIP archive contains a malicious Excel document and a macro-enabled dropper called ROAMINGMOUSE. ROAMINGMOUSE has been used by MirrorFace since last year, and it acts as a delivery mechanism for ANEL components.
Hiroaki explains, "ROAMINGMOUSE then decodes the embedded ZIP file...drops the ZIP on a disk, and expands its components." These components include:
- JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (a legitimate binary)
- JSFC.dll (ANELLDR)
- An encrypted ANEL payload
- MSVCR100.dll (a legitimate DLL dependency of the executable)
The ultimate goal is to launch the legitimate executable using explorer.exe and then use it to sideload the malicious DLL, ANELLDR. This DLL decrypts and launches the ANEL backdoor. Sneaky, right?
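One way a defender can hunt for the sideload chain described above in endpoint telemetry, as an added example that is not from the Trend Micro report or this article: the event records are constructed Sysmon-style process-creation and image-load events, the user-profile paths are assumed, and the set of "trusted" install directories is an assumption you would tune to your own estate.

```python
# Added example (not the report's code): flag a host executable named in the
# campaign being launched from explorer.exe and loading JSFC.dll from the same
# user-writable directory, which is the ANELLDR sideload pattern.
import ntpath
from collections import defaultdict

# Legitimate host binaries and the sideloaded DLL named in the report.
SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
SIDELOAD_DLL = "jsfc.dll"
# Assumption: where a signed vendor copy of these binaries would normally live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed Sysmon-style events: id 1 = process create, id 7 = image load.
EVENTS = [
    {"id": 1, "pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\report\JSLNTOOL.exe"},
    {"id": 7, "pid": 4120, "loaded": r"C:\Users\alice\AppData\Local\Temp\report\MSVCR100.dll"},
    {"id": 7, "pid": 4120, "loaded": r"C:\Users\alice\AppData\Local\Temp\report\JSFC.dll"},
    # Benign control: same binary and DLL, but from a vendor install directory.
    {"id": 1, "pid": 5001, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\JSTIEE.exe"},
    {"id": 7, "pid": 5001, "loaded": r"C:\Program Files\Vendor\JSFC.dll"},
]

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def detect_anel_sideload(events):
    """Return one hit per process that matches the sideload chain."""
    procs, loads = {}, defaultdict(list)
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
        elif e["id"] == 7:
            loads[e["pid"]].append(e["loaded"])
    hits = []
    for pid, p in procs.items():
        if ntpath.basename(p["image"]).lower() not in SIDELOAD_HOSTS:
            continue
        dll = next((d for d in loads[pid]
                    if ntpath.basename(d).lower() == SIDELOAD_DLL), None)
        if dll is None:
            continue
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(p["image"]).lower()
        # Sideloading needs the DLL beside the exe; a vendor directory is the
        # expected case, a user-writable drop directory is the suspicious one.
        if same_dir and not in_trusted_dir(p["image"]):
            hits.append({"pid": pid, "image": p["image"], "dll": dll,
                         "parent": ntpath.basename(p["parent"]).lower()})
    return hits

if __name__ == "__main__":
    for h in detect_anel_sideload(EVENTS):
        print(f"pid {h['pid']}: {h['image']} loaded {h['dll']} (parent {h['parent']})")
```

Run against your own EDR export, the parent check lets you additionally require explorer.exe, which the report says is used to launch the host binary.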
A key feature of the ANEL artifact used in this 2025 campaign is a new command that supports the in-memory execution of Beacon Object Files (BOFs): compiled C object files that are loaded and run directly inside the Cobalt Strike Beacon agent to extend its capabilities without dropping a new executable to disk.
Trend Micro notes that "After installing the ANEL file, actors behind Earth Kasha obtained screenshots using a backdoor command and examined the victim's environment." They're essentially snooping around, gathering information through screenshots, process lists, and domain information.
In some cases, the attackers have also used an open-source tool called SharpHide to launch a new version of NOOPDOOR (aka HiddenFace). This backdoor resolves its command-and-control (C2) infrastructure over DNS-over-HTTPS (DoH), so those lookups are hidden from conventional DNS monitoring.
As Hiroaki emphasizes, "Earth Kasha continues to be an active advanced persistent threat and is now targeting government agencies and public institutions in Taiwan and Japan in its latest campaign which we detected in March 2025."
So, what can you do? Hiroaki advises, "Enterprises and organizations...should continue to be vigilant and implement proactive security measures to prevent falling victim to cyber attacks." That means staying alert, patching systems, and training employees to spot those phishing emails!