MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan

Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) accused a China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019.
The primary objective of the attack campaign is to steal information related to Japan's national security and advanced technology, the agencies said.
MirrorFace, also tracked as Earth Kasha, is assessed to be a sub-group within APT10. It has a track record of systematically striking Japanese entities, often leveraging tools like ANEL, LODEINFO, and NOOPDOOR (aka HiddenFace).
Last month, Trend Micro revealed details of a spear-phishing campaign that targeted individuals and organizations in Japan with an aim to deliver ANEL and NOOPDOOR. Other campaigns observed in recent years have also been directed against Taiwan and India.
According to NPA and NCSC, attacks mounted by MirrorFace have been broadly categorized into three major campaigns -
- Campaign A (From December 2019 to July 2023), targeting think tanks, governments, politicians, and media organizations using spear-phishing emails to deliver LODEINFO, NOOPDOOR, and LilimRAT (a custom version of the open-source Lilith RAT)
- Campaign B (From February to October 2023), targeting semiconductor, manufacturing, communications, academic, and aerospace sectors by exploiting known vulnerabilities in internet-facing Array Networks, Citrix, and Fortinet devices to breach networks to deliver Cobalt Strike Beacon, LODEINFO, and NOOPDOOR
- Campaign C (From June 2024), targeting academia, think tanks, politicians, and media organizations using spear-phishing emails to deliver ANEL.
The agencies also noted that they observed instances where the attackers stealthily executed the malicious payloads stored on the host computer within the Windows Sandbox and have communicated with a command-and-control server since at least June 2023.
"This method allows malware to be executed without being monitored by antivirus software or EDR on the host computer, and when the host computer is shut down or restarted, traces in the Windows Sandbox are erased, so evidence is not left behind," the NPA and NCSC said.
Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
Microsoft fixes bug causing Outlook freezes when copying text
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
HighPath Traversal
MediumBackup File Disclosure
MediumX-Frame-Options Defined via META (Non-compliant with Spec)
InformationalSec-Fetch-Dest Header Has an Invalid Value
InformationalBase64 Disclosure
Free online web security scanner