MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Enhanced ANEL Malware

May 08, 2025
Malware / Cyber Espionage

The nation-state threat group MirrorFace has been detected deploying malware named ROAMINGMOUSE in a cyber espionage operation aimed at government agencies and public institutions in Japan and Taiwan. This activity, identified by Trend Micro in March 2025, involved the use of spear-phishing tactics to deliver an upgraded version of a backdoor known as ANEL.

“The ANEL file from the 2025 campaign introduced a new command for executing BOF (Beacon Object File) in memory,” noted security researcher Hara Hiroaki. “Additionally, this campaign may have utilized SharpHide to initiate the second-stage backdoor, NOOPDOOR.”

MirrorFace, also identified as Earth Kasha, is believed to be a subgroup of APT10. In March 2025, ESET detailed a campaign named Operation AkaiRyū, which targeted a diplomatic organization within the European Union in August 2024 using the ANEL malware (also referred to as UPPERCUT).

MirrorFace Cyber Espionage Campaign Targets Government Entities in Japan and Taiwan

May 8, 2025 – The nation-state threat actor known as MirrorFace has been detected deploying malware named ROAMINGMOUSE. This campaign appears to be primarily focused on government bodies and public institutions located in Japan and Taiwan. Trend Micro uncovered the activity in March 2025 and assesses it as a deliberate cyber espionage operation.

The campaign uses spear-phishing to distribute an upgraded version of the ANEL backdoor. According to security researcher Hara Hiroaki, the latest iteration of ANEL introduced a new command for executing a Beacon Object File (BOF) directly in memory. Because a BOF is loaded and run inside the existing process without being written to disk as a separate executable, this capability reduces the on-disk artifacts available to file-based detection and makes the intrusion harder to spot. Additionally, there are indications that the threat actor may have used SharpHide to launch a second-stage backdoor known as NOOPDOOR, further increasing the threat level.

MirrorFace, also referred to as Earth Kasha, is believed to be an offshoot of the advanced persistent threat group APT10, which has a history of targeting various sectors worldwide. Earlier in 2025, ESET publicly documented another campaign, named Operation AkaiRyū, which had targeted a diplomatic organization within the European Union in August 2024 using the same malware, also tracked as UPPERCUT.

The recent activity of MirrorFace raises significant concern about the ongoing cybersecurity challenges faced by critical infrastructure and governmental bodies in both Japan and Taiwan. The observed behavior maps onto several tactics catalogued in the MITRE ATT&CK framework: initial access via phishing, persistence through installed malware, and privilege escalation to gain deeper access within the network.

Both Japan and Taiwan, as key players in regional stability and economic innovation, must remain vigilant. In light of these developments, stakeholders in the public and private sectors alike need to strengthen their cyber defenses and their capacity to detect and respond to incidents effectively. Understanding the tactics and techniques used by adversaries like MirrorFace lets organizations prepare for future threats to data integrity and national security.

As the cybersecurity landscape evolves, continuous monitoring and adaptation will be crucial for safeguarding sensitive information from advanced threats. Stakeholders should stay informed about emerging trends in malware deployment and ensure that comprehensive cybersecurity strategies are implemented within their organizations. This approach not only protects sensitive data but also contributes to the broader resilience of the region's cybersecurity ecosystem.