
Operation AkaiRyū: Europe invited to Expo 2025 and ANEL backdoor revived

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

MirrorFace, a China-aligned threat actor that had previously focused almost exclusively on Japan, expanded its cyberespionage to Europe: in Operation AkaiRyū it targeted a Central European diplomatic institute, using the upcoming Expo 2025 in Osaka as the lure. The group also refreshed its toolset, deploying a customized AsyncRAT and reviving ANEL, a backdoor previously associated with APT10. Initial access was gained through spearphishing emails carrying malicious attachments or links. The attackers then used legitimate applications to stealthily install their malware (ANEL, HiddenFace and AsyncRAT), abused Visual Studio Code's remote tunnels feature for covert remote access, relied on complex multi-stage execution chains, and ran tooling inside Windows Sandbox to evade host-based detection. Taken together, the shared tooling and tradecraft provide evidence that MirrorFace is likely a subgroup operating under the APT10 umbrella.

OPENCTI LABELS :

apt10,asyncrat,spearphishing,anel,windows sandbox,expo 2025,visual studio code,hiddenface,facexinjector



