China-Linked MirrorFace Expands Espionage Campaign with ANEL Backdoor in Operation AkaiRyū

New Insights Into MirrorFace’s Latest Cyber Espionage Efforts

Threat researchers have uncovered fresh details about a previously identified cyber espionage campaign carried out by the China-affiliated MirrorFace hacking group, which recently targeted a diplomatic organization within the European Union. The campaign, detected by ESET in late August 2024, leveraged a backdoor known as ANEL to infiltrate a Central European diplomatic institute, using World Expo-themed phishing lures related to the upcoming Osaka 2025 event.

Dubbed Operation AkaiRyū (Japanese for RedDragon), this campaign represents a significant shift for MirrorFace, also known as Earth Kasha, which has traditionally focused on Japanese organizations. The attack is further notable for the return of ANEL (aka UPPERCUT)—a backdoor previously linked to APT10 that had seemingly fallen out of use after 2019.

A Departure from LODEINFO to ANEL

MirrorFace has long been associated with LODEINFO, a malware used in previous cyber operations. However, ESET researchers noted that LODEINFO has not been observed in use throughout 2024 or 2025, suggesting that MirrorFace has fully transitioned to ANEL for its backdoor operations.

ESET's Dominik Breitenbacher told The Hacker News:
"We don’t know the exact reason for the switch, but it appears that MirrorFace has abandoned LODEINFO in favor of ANEL for now."

New Tactics and Expanded Targeting

Operation AkaiRyū also shares overlaps with Campaign C, a separate series of cyberattacks reported by Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) in January 2025. Those attacks, active since June 2024, primarily targeted academia, think tanks, politicians, and media organizations.

Key tactical shifts in this latest MirrorFace campaign include:
- Use of a modified AsyncRAT variant to enhance remote access.
- Exploitation of Visual Studio Code Remote Tunnels, a stealthy access technique increasingly favored by Chinese APT groups.
- Deployment of ANELLDR, a loader component that executes ANEL via DLL side-loading.
- Introduction of a secondary modular backdoor named HiddenFace (aka NOOPDOOR), which appears to be exclusive to MirrorFace operations.

Evasion and Operational Security

MirrorFace has demonstrated improved operational security, making it harder for researchers to fully analyze its activities. The group employs multiple anti-forensic techniques, including:
- Deleting delivered tools and malware files post-infection.
- Clearing Windows event logs to remove traces of activity.
- Executing malware within Windows Sandbox to limit forensic analysis.
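The log clearing, Windows Sandbox use and VS Code Remote Tunnel access described above all leave artifacts in standard Windows event telemetry. The following added example (not ESET's or the article's code) flags those artifacts in a constructed, simplified record form: Security event 1102 and System event 104 for cleared logs, and process-creation event 4688 for the sandbox and tunnel binaries. Host names, paths and the record layout are assumptions for illustration.

```python
# Detection pass over simplified Windows event records for the
# Operation AkaiRyu tradecraft discussed above. Added example; the
# records are constructed, not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsSandbox.exe",
     "CommandLine": r"WindowsSandbox.exe C:\Users\u\staging.wsb"},
    {"Host": "WS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Program Files\Microsoft VS Code\code.exe",
     "CommandLine": "code.exe tunnel"},
    {"Host": "WS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Host": "WS01", "Channel": "Security", "EventID": 1102},   # audit log cleared
    {"Host": "WS02", "Channel": "System", "EventID": 104},      # event log cleared
]


def _image(ev):
    """Basename of the created process, lower-cased."""
    return ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the rule name an event matches, or None."""
    ch, eid = ev.get("Channel"), ev.get("EventID")
    if ch == "Security" and eid == 1102:
        return "security_log_cleared"
    if ch == "System" and eid == 104:
        return "event_log_cleared"
    if ch == "Security" and eid == 4688:
        image = _image(ev)
        args = ev.get("CommandLine", "").lower().split()[1:]
        if image == "windowssandbox.exe":
            return "windows_sandbox_launched"
        if image == "code.exe" and "tunnel" in args:
            return "vscode_tunnel_started"
    return None


def scan(events):
    """All matching events as (host, event id, rule) findings."""
    return [{"host": ev.get("Host"), "event_id": ev.get("EventID"), "rule": r}
            for ev in events if (r := classify(ev))]


def summarize(findings):
    """Distinct rules per host; several on one host is the pattern to escalate."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(rules) for h, rules in per_host.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
    print(summarize(scan(SAMPLE_EVENTS)))
```

A single 1102 may be routine maintenance; the combination of a cleared log with a sandbox launch or a tunnel start on the same host is what should page an analyst.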

Conclusion

Operation AkaiRyū highlights MirrorFace’s evolving tactics and growing global reach, signaling a departure from its Japan-centric focus. With the revival of ANEL, the use of stealthier access techniques, and an improved ability to evade detection, the China-aligned threat actor remains a persistent cyber espionage threat to governmental, diplomatic, and research entities worldwide.