ROAMINGMOUSE Malware
A nation-state threat actor known as MirrorFace has recently been linked to cyber espionage campaigns targeting government agencies and public institutions in Japan and Taiwan. This actor, aligned with China and also known as Earth Kasha, operates as a sub-cluster within APT10. As of March 2025, security researchers revealed new details about the group's activities, including their use of advanced malware tools for espionage.
Operation AkaiRyū: A Previous Attack Uncovered
In addition to the ongoing operations in Japan and Taiwan, Earth Kasha was also behind Operation AkaiRyū, a cyber attack aimed at a diplomatic organization in the European Union in August 2024. This operation involved the deployment of the ANEL backdoor, also known as UPPERCUT, highlighting the actor's sophisticated tactics in gaining unauthorized access to sensitive targets.
Attack Strategy: A Deceptive Chain of Malware
The MirrorFace operation begins with spear-phishing emails, some sent from compromised legitimate accounts. These emails contain a malicious Microsoft OneDrive URL that, once clicked, downloads a ZIP file. Inside the ZIP archive, an Excel document with a macro-enabled dropper codenamed ROAMINGMOUSE serves as the delivery vehicle for the malware. ROAMINGMOUSE, used by MirrorFace since the previous year, decodes and drops an additional ZIP file containing several malicious components.
Key Components of the Malware Drop:
- JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe: Legitimate binaries
- JSFC.dll (ANELLDR): A malicious DLL
- Encrypted ANEL Payload: The main backdoor
- MSVCR100.dll: A legitimate DLL dependency
Once dropped, the malware uses explorer.exe to launch one of the legitimate executables, which then sideloads the ANEL backdoor through the malicious DLL, ANELLDR.
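The drop described above leaves a recognisable footprint in endpoint telemetry: a vendor binary named JSLNTOOL.exe, JSTIEE.exe or JSVWMNG.exe started by explorer.exe from a user-writable folder, with JSFC.dll loaded from that same folder. The following detector is an added example written for this page, not code from the researchers or the threat actor; the event records, the directory heuristics and the `ProcEvent` shape are constructed assumptions about what process-creation and image-load telemetry would provide.

```python
"""Flag the explorer.exe -> legitimate JS*.exe -> sideloaded JSFC.dll pattern
from endpoint telemetry. All events below are constructed for this example."""
import ntpath
import re
from dataclasses import dataclass, field

# Names taken from the article: benign hosts that get abused, and the loader DLL (ANELLDR).
SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
LOADER_DLL = "jsfc.dll"

# Places an extracted archive usually ends up; a signed vendor binary normally
# lives under Program Files, not here. (Assumed heuristic, tune per environment.)
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(downloads|desktop|appdata)|programdata|windows\\temp)\\",
    re.I,
)


@dataclass
class ProcEvent:
    image: str                      # full path of the created process
    parent_image: str               # full path of its parent process
    loaded_modules: set = field(default_factory=set)  # module paths from image-load telemetry


def sideload_reasons(ev: ProcEvent) -> list:
    """Return the indicators that fire for one event (empty list = not interesting)."""
    name = ntpath.basename(ev.image).lower()
    if name not in SIDELOAD_HOSTS:
        return []
    reasons = []
    if ntpath.basename(ev.parent_image).lower() == "explorer.exe":
        reasons.append("parent is explorer.exe")
    if USER_WRITABLE.match(ev.image):
        reasons.append("image in user-writable directory")
    image_dir = ntpath.dirname(ev.image).lower()
    for mod in ev.loaded_modules:
        mod_l = mod.lower()
        # The sideload only works if the malicious DLL sits beside the EXE,
        # so require the module to come from the image's own directory.
        if ntpath.basename(mod_l) == LOADER_DLL and ntpath.dirname(mod_l) == image_dir:
            reasons.append(f"{LOADER_DLL} loaded from the image's own directory")
            break
    return reasons


def scan(events) -> list:
    """Return (image, reasons) for events where at least two indicators agree."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= 2:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample telemetry: one drop as described in the article, one benign
# run of the same binary from its install location, one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Users\alice\Downloads\JSLNTOOL.exe",
        parent_image=r"C:\Windows\explorer.exe",
        loaded_modules={
            r"C:\Users\alice\Downloads\JSFC.dll",
            r"C:\Users\alice\Downloads\MSVCR100.dll",
            r"C:\Windows\System32\ntdll.dll",
        },
    ),
    ProcEvent(
        image=r"C:\Program Files\Vendor\JSLNTOOL.exe",
        parent_image=r"C:\Windows\explorer.exe",
        loaded_modules={r"C:\Windows\System32\kernel32.dll"},
    ),
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        parent_image=r"C:\Windows\explorer.exe",
        loaded_modules={r"C:\Windows\System32\ntdll.dll"},
    ),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps a legitimately installed copy of the same product (launched from Program Files by a double-click in Explorer) out of the alert queue while still catching the dropped copy.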
Enhanced Features in ANEL: A New Era of Cyber Espionage
The ANEL backdoor used in the 2025 campaign includes a significant upgrade: a new command that supports in-memory execution of Beacon Object Files (BOFs). BOFs are small C programs designed to extend the capabilities of the Cobalt Strike agent, enhancing post-exploitation features. Once installed, the backdoor enables Earth Kasha to take screenshots, examine the victim's environment, and gather process lists and domain information for further exploitation.
Leveraging SharpHide and NOOPDOOR
In some instances, Earth Kasha has also used SharpHide, an open-source tool, to launch a new version of the NOOPDOOR backdoor (also known as HiddenFace). This version is designed to evade detection by supporting DNS-over-HTTPS (DoH), which conceals the IP address lookups used for command-and-control (C2) communication from conventional DNS monitoring.
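DoH hides the lookup from DNS sensors, but not from a web proxy that terminates TLS: an RFC 8484 GET carries the DNS message in a base64url `dns` parameter on the `/dns-query` path, so the queried name can be recovered there. The script below is an added example for this page, not code from the researchers or from NOOPDOOR; the proxy log layout, the resolver hostname and the process names are constructed, and the browser allow-list is an assumption about which processes are expected to use DoH.

```python
"""Recover DNS-over-HTTPS lookups from TLS-inspecting proxy logs and flag the
ones made by processes that are not expected to use DoH.
Log lines are constructed; the DoH wire format itself follows RFC 8484."""
import base64
import struct
from urllib.parse import parse_qs, urlparse

DOH_PATH = "/dns-query"                           # path used by common DoH resolvers
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}   # assumed legitimate DoH clients


def build_doh_query(name: str) -> str:
    """Encode a minimal A query the way a DoH GET client would.
    Used here only to construct the sample log; a detector never needs it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # id 0, RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    return base64.urlsafe_b64encode(msg).decode("ascii").rstrip("=")


def decode_qname(msg: bytes) -> str:
    """Read the first question name from a DNS wire-format message."""
    offset, labels = 12, []                                  # question section starts after the 12-byte header
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:                                    # compression pointer: never valid in a fresh query
            raise ValueError("compressed name in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def doh_lookup_from_log(line: str):
    """Return (process, queried_name) if the line is a DoH GET, else None.
    Constructed log layout: timestamp client process method url status."""
    _ts, _client, process, method, url, _status = line.split()
    u = urlparse(url)
    if method != "GET" or u.path != DOH_PATH:
        return None
    param = parse_qs(u.query).get("dns")
    if not param:
        return None
    raw = param[0] + "=" * (-len(param[0]) % 4)              # restore padding stripped by base64url
    return process, decode_qname(base64.urlsafe_b64decode(raw))


def alerts(lines):
    """DoH lookups made by anything other than an allow-listed browser."""
    out = []
    for line in lines:
        hit = doh_lookup_from_log(line)
        if hit and hit[0].lower() not in BROWSERS:
            out.append(hit)
    return out


# Constructed sample: a sideloaded host process resolving a C2 name over DoH,
# a browser doing an ordinary DoH lookup, and a plain web request.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z 10.0.0.5 JSLNTOOL.exe GET "
    f"https://doh.resolver.example{DOH_PATH}?dns={build_doh_query('c2.example.net')} 200",
    "2025-03-01T10:00:01Z 10.0.0.5 chrome.exe GET "
    f"https://doh.resolver.example{DOH_PATH}?dns={build_doh_query('www.example.org')} 200",
    "2025-03-01T10:00:02Z 10.0.0.5 chrome.exe GET https://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for process, name in alerts(SAMPLE_LOG):
        print(f"{process} resolved {name} over DoH")
```

The decoder rejects compression pointers on purpose: a client-built query has no reason to contain them, and refusing to follow pointers keeps the parser from looping on hostile input. POST-style DoH (body with `application/dns-message`) would need the request body rather than the query string, which most proxies log only when configured to.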
Ongoing Threat and Vigilance Needed
Earth Kasha remains an active and persistent threat targeting high-value assets, including sensitive government data, intellectual property, and access credentials. Enterprises and organizations, particularly those in sectors related to governance and infrastructure, must continue to implement robust cybersecurity measures to guard against such advanced, persistent attacks.