Chinese Hackers Target European Diplomats with Revived Malware

MirrorFace Expands Operations and Revives Anel Backdoor for Espionage

3/24/2025, 2 min read

Cybersecurity researchers have uncovered a significant shift in Chinese cyberespionage activities, as a threat actor known as MirrorFace (also tracked as Earth Kasha) expanded its operations beyond East Asia to target a European diplomatic organization. The campaign, detected in August 2024, utilized a refreshed version of the Anel backdoor—previously attributed to the notorious APT10 group.

APT10’s Legacy: Anel Backdoor Resurfaces

MirrorFace’s recent campaign stands out in the cybersecurity community because of its use of the Anel backdoor, also known as Uppercut. Anel had seemingly been abandoned around 2018-2019, when APT10 moved on to Lodeinfo. The latest attack shows that Anel has not only resurfaced but has also been updated, including changes aimed at staying under the radar of endpoint defenses.

The reappearance of Anel, together with overlaps in tooling and techniques, led researchers at ESET to reclassify MirrorFace as a subgroup of APT10, a group long linked to China’s cyberespionage operations. The shared tooling fits a pattern in which China-aligned groups pass malware between teams, so a tool that disappears from one actor’s arsenal may well resurface with another.

Attack Tactics: Spear Phishing and Stealthy Malware Deployment

ESET researchers found that MirrorFace attacked a Central European diplomatic institute through a spear phishing campaign. The attackers used the upcoming Expo 2025 in Osaka, Japan, as bait, first sending a benign message to establish rapport with the target. Once the target replied, the attackers sent a follow-up email carrying a malicious attachment disguised as an informational document about the Expo.

The attached file, named The EXPO Exhibition in Japan in 2025.docx.lnk, is a Windows shortcut with a document-style double extension: Explorer hides the .lnk suffix by default, so the file appears to be a Word document while actually carrying a command line. Opening it triggered a multi-stage infection chain:

  • VBA Macro-Laced Word Template: A weaponized Microsoft Word template carrying a VBA macro ran when the document was opened and retrieved the next-stage components.

  • DLL Side-Loading via JustSystems Corporation Executable: A legitimate, digitally signed executable from JustSystems Corporation was dropped next to a malicious DLL bearing the name of a library the program expects to load. Because the signed binary does the loading, the Anel loader runs under a trusted process and slips past controls that trust signed software.

  • Memory-Only Execution: The Anel payload was stored on disk as an AES-encrypted blob and decrypted only in memory, so file-based scanning never sees a malicious executable; detection has to rely on memory scanning or on behavioural telemetry from the loading process.

Maintaining Persistence and Avoiding Detection

Once inside the targeted system, MirrorFace deployed its flagship backdoor, HiddenFace, while implementing multiple persistence mechanisms, including:

  • Scheduled tasks and registry modifications to ensure continued access.

  • Log wiping and forensic artifact removal to erase traces of the attack.

  • Execution of AsyncRAT in Windows Sandbox: Windows Sandbox is a disposable lightweight virtual machine with a clean Windows image, so security agents installed on the host do not see processes running inside it.

  • Use of Visual Studio Code’s remote tunnels: the tunnel is established by a legitimate, signed Microsoft tool over an outbound HTTPS connection to Microsoft’s tunnel service, which blends in with ordinary traffic, passes typical egress firewall rules and gives the operator remote terminal and file access to the host.

Additionally, researchers suspect that MirrorFace collected stored credentials and network authentication details by copying Google Chrome’s Web Data file, an SQLite database kept inside the browser profile, and exfiltrating it.
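As an added illustration (not code from ESET’s report or from this article) of what the delivery chain, the persistence and evasion techniques, and the Chrome Web Data copy described above look like in endpoint telemetry, the following Python script runs a handful of heuristic rules over constructed Sysmon-style JSON records. The log format, the field names, the `vendor_tool.exe` placeholder standing in for the signed JustSystems executable, the `helper.dll` name, the `ws01` tunnel name and every path are assumptions made for this example; none of them is a published indicator.

```python
"""Heuristic hunt for the tradecraft described in the article.

Added example, not ESET's or MirrorFace's code. All sample records below are
CONSTRUCTED for illustration; binary names, paths and field names are assumed.
"""
from __future__ import annotations

import json
import ntpath
import re

# Constructed sample telemetry, one JSON object per line (NOT real indicators).
# Fields mirror what Sysmon exposes: event type, image, parent, cmdline, etc.
SAMPLE_LOG = r"""
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"cmd.exe /c \"C:\\Users\\alice\\Downloads\\The EXPO Exhibition in Japan in 2025.docx.lnk\""}
{"event":"ImageLoad","image":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\vendor_tool.exe","signed":true,"loaded":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\helper.dll","loaded_signed":false}
{"event":"ImageLoad","image":"C:\\Program Files\\Vendor\\vendor_tool.exe","signed":true,"loaded":"C:\\Program Files\\Vendor\\helper.dll","loaded_signed":true}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\schtasks.exe","parent":"C:\\Users\\alice\\AppData\\Roaming\\Vendor\\vendor_tool.exe","cmdline":"schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\Vendor\\vendor_tool.exe /sc minute /mo 30"}
{"event":"ProcessCreate","image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"Code.exe tunnel --accept-server-license-terms --name ws01"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsSandbox.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"WindowsSandbox.exe C:\\Users\\alice\\AppData\\Local\\Temp\\run.wsb"}
{"event":"FileCreate","image":"C:\\Windows\\System32\\cmd.exe","target":"C:\\Users\\alice\\AppData\\Local\\Temp\\Web Data"}
{"event":"FileCreate","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\wevtutil.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"wevtutil.exe cl Security"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe report.txt"}
"""

# Directories an ordinary user can write to; a signed vendor EXE running from
# here and loading an unsigned DLL beside it is the classic side-loading shape.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\)", re.I)
# A shortcut disguised as a document: "<name>.docx.lnk" and friends.
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk\b", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_record(rec: dict) -> list[str]:
    """Return the names of every rule the record triggers (empty list if none)."""
    hits: list[str] = []
    kind, image, cmd = rec.get("event"), rec.get("image", ""), rec.get("cmdline", "")
    exe = basename(image)

    if kind == "ProcessCreate":
        if DOUBLE_EXT_LNK.search(cmd):                      # delivery: x.docx.lnk
            hits.append("double_extension_lnk")
        if exe == "schtasks.exe" and "/create" in cmd.lower():   # persistence
            m = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1).strip('"')):
                hits.append("schtask_user_writable_target")
        if exe in ("code.exe", "code-tunnel.exe") and re.search(r"\btunnel\b", cmd, re.I):
            hits.append("vscode_tunnel")                    # outbound remote access
        if exe == "windowssandbox.exe":                     # tooling hidden from host EDR
            hits.append("windows_sandbox")
        if exe == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd, re.I):
            hits.append("event_log_cleared")                # anti-forensics
    elif kind == "ImageLoad":
        loaded = rec.get("loaded", "")
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
        if rec.get("signed") and not rec.get("loaded_signed") and same_dir \
                and USER_WRITABLE.search(image):
            hits.append("dll_sideload_candidate")
    elif kind == "FileCreate":
        target = rec.get("target", "")
        # Chrome's "Web Data" SQLite database appearing outside any Chrome profile.
        if basename(target) == "web data" and "\\google\\chrome\\user data\\" not in target.lower():
            hits.append("chrome_webdata_copy")
    return hits


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Parse one JSON record per line; return (line_no, hits) for records that fired."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        hits = check_record(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"record {n}: {', '.join(hits)}")
```

Running the script prints one line per record that triggered a rule and stays silent for the two benign records (the vendor tool loading its signed DLL from Program Files, and Chrome writing its own profile). In production the same rules map onto Sysmon event IDs 1 (process creation), 7 (image load) and 11 (file create) plus Security event 1102 (audit log cleared), and the side-loading rule needs an allow-list for legitimate signed tools that genuinely run from user profiles.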

Implications and Countermeasures

The resurgence of Anel and its use by MirrorFace indicates a concerning trend: China-linked cyber espionage groups are reviving and refining previously discarded tools. This evolution presents an increased risk to global diplomatic, governmental, and corporate entities.

To mitigate such threats, organizations must:

  • Strengthen email security to detect and block spear phishing, including quarantining shortcut (.lnk) attachments and files with document-style double extensions, and treating a benign first contact from an unknown sender as no proof of legitimacy.

  • Enforce strict application controls so that a signed executable cannot load unsigned DLLs from user-writable directories, which is the condition DLL side-loading depends on.

  • Implement endpoint detection and response (EDR) with memory scanning and behavioural telemetry, since an AES-encrypted payload decrypted only in memory leaves nothing for file scanners; watch in particular for Visual Studio Code tunnels, Windows Sandbox launches and new scheduled tasks pointing at user-profile paths.

  • Forward logs to a central collector and audit them regularly, so that event-log wiping on a compromised host does not also erase the evidence, and keep tested backups to recover from stealthy malware activity.

As cyber threats continue to evolve, vigilance and proactive security measures remain crucial in defending against state-sponsored cyber espionage campaigns. The attack on the European diplomatic institute serves as a stark reminder that no region is immune to sophisticated nation-state threats.