“MirrorFace Expands Operations in Japan and Taiwan with Enhanced ROAMINGMOUSE and ANEL Malware Threats”
The nation-state threat actor known as MirrorFace has been observed deploying malware referred to as ROAMINGMOUSE as part of a cyber espionage campaign targeting government agencies and public institutions in Japan and Taiwan.
This activity, detected by Trend Micro in March 2025, involves the use of spear-phishing techniques to deliver an updated version of a backdoor known as ANEL. A security researcher noted that the ANEL file utilized in the 2025 campaign includes a new command designed to execute Beacon Object Files (BOF) in memory. This campaign may also leverage an open-source tool called SharpHide to facilitate the launch of a second-stage backdoor known as NOOPDOOR.
MirrorFace, aligned with China and also identified as Earth Kasha, is assessed as a sub-cluster within the APT10 group. In another instance reported in March 2025, ESET provided insights into a campaign dubbed Operation AkaiRyū, which had targeted a diplomatic organization in the European Union in August 2024, utilizing the ANEL backdoor.
The ongoing exploitation of various entities in Japan and Taiwan highlights the group’s expanding operational footprint, aiming to conduct information theft to advance strategic objectives.
The assault commences with a spear-phishing email—some sent from legitimate yet compromised accounts—containing an embedded Microsoft OneDrive URL that downloads a ZIP file. This ZIP archive houses a malware-infused Excel document along with a macro-enabled dropper named ROAMINGMOUSE, which acts as a conduit to deliver components related to the ANEL backdoor. It is important to note that ROAMINGMOUSE has been deployed by MirrorFace since the previous year.
Once activated, ROAMINGMOUSE Base64-decodes the ZIP archive embedded in the macro, writes it to disk and extracts its components. These include:
– JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (a legitimate binary)
– JSFC.dll (ANELLDR)
– An encrypted ANEL payload
– MSVCR100.dll (a legitimate DLL dependency of the executable)
The attack chain culminates in launching the legitimate executable via explorer.exe so that it sideloads the malicious DLL, ANELLDR, which in turn decrypts and launches the ANEL backdoor.
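The sideloading step above has a recognisable shape in endpoint telemetry: explorer.exe spawns one of the named host binaries from a user-writable directory, and that process then loads JSFC.dll from the same directory rather than from an installation root. The following detection logic is an added example written for this article, not code from Trend Micro or from the campaign; the Sysmon-style event records are constructed, the "trusted roots" list is an assumption about where a genuinely installed copy would live, and the field names follow Sysmon EventID 1 (process creation) and EventID 7 (image load).

```python
"""Flag the explorer.exe -> JS*.exe -> JSFC.dll sideloading chain in Sysmon-style events."""
from pathlib import PureWindowsPath

# Host binaries and DLL named in the report; matched case-insensitively on basename.
SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
SIDELOADED_DLL = "jsfc.dll"

# Assumption: a legitimately installed copy lives under one of these roots.
# A copy extracted from a phishing ZIP into a user profile or Temp does not.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample telemetry for this example (not real logs from the campaign).
SAMPLE_EVENTS = [
    # Suspicious: host binary launched by explorer.exe from Temp, loads JSFC.dll from Temp
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\JSLNTOOL.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\JSLNTOOL.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\JSFC.dll"},
    {"EventID": 7, "ProcessGuid": "{A1}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\JSLNTOOL.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\MSVCR100.dll"},
    # Benign: an installed copy (constructed vendor directory) loading its own DLL
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\VendorApp\JSLNTOOL.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\VendorApp\JSLNTOOL.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\JSFC.dll"},
    # Unrelated process started from explorer.exe
    {"EventID": 1, "ProcessGuid": "{C3}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def in_trusted_root(path: str) -> bool:
    """True when the path sits under an installation root where a real copy would live."""
    normalised = path.lower().replace("/", "\\")
    return any(normalised.startswith(root) for root in TRUSTED_ROOTS)


def find_sideload_chains(events):
    """Return one alert per image-load of JSFC.dll from an untrusted directory
    by a process whose image is one of the known sideload hosts."""
    # Index process-creation events by ProcessGuid so loads can be joined to parents.
    procs = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        loaded = e["ImageLoaded"]
        if basename(loaded) != SIDELOADED_DLL or in_trusted_root(loaded):
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None or basename(proc["Image"]) not in SIDELOAD_HOSTS:
            continue
        alerts.append({
            "process_guid": e["ProcessGuid"],
            "host": proc["Image"],
            "dll": loaded,
            "parent": proc["ParentImage"],
            # The report's chain runs the host from explorer.exe; record that signal.
            "parent_is_explorer": basename(proc["ParentImage"]) == "explorer.exe",
            # DLL dropped beside the EXE is the classic search-order sideload layout.
            "same_dir": PureWindowsPath(proc["Image"]).parent
                        == PureWindowsPath(loaded).parent,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_chains(SAMPLE_EVENTS):
        print(alert)
```

The benign record set shows why the trusted-root check matters: the same EXE/DLL pairing from an installation directory is exactly what a legitimate install looks like, so path context, not file names alone, separates the two. The `same_dir` and `parent_is_explorer` fields are carried in the alert rather than used as hard filters so an analyst can score them rather than miss a variant that changes the launcher.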
A significant feature of the ANEL component used in the 2025 operation is the incorporation of a command that enables in-memory execution of BOFs—compiled C programs intended to augment the Cobalt Strike agent with additional post-exploitation capabilities.
Following the installation of the ANEL file, the actors behind Earth Kasha are able to capture screenshots through backdoor commands and investigate the victim’s environment. The adversary assesses the victim’s situation by reviewing screenshots, generating process lists, and gathering domain information.
Furthermore, in select instances, an open-source tool named SharpHide has been employed to deploy a new iteration of NOOPDOOR (also known as HiddenFace), which is another backdoor previously linked to this hacking group. This implant is designed to support DNS-over-HTTPS (DoH), enabling the concealment of IP address lookups during command-and-control operations.
Earth Kasha continues to exhibit active behavior as an advanced persistent threat, now targeting governmental bodies and public institutions in Taiwan and Japan, as reflected in the latest campaign detected in March 2025.
Organizations, particularly those handling high-value assets such as sensitive governance data, intellectual property, and access credentials, must maintain heightened vigilance and implement robust security measures to guard against potential cyber threats.