#apt10

OTX Bot
<p>Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan</p><p>Earth Kasha, an APT group believed to be part of APT10, has launched a new campaign in March 2025 targeting government agencies and public institutions in Taiwan and Japan. The campaign uses spear-phishing to deliver an updated version of the ANEL backdoor, potentially for espionage purposes. Key updates include a new command to support BOF execution in memory and the use of SharpHide for persistence. The second-stage backdoor, NOOPDOOR, now supports DNS over HTTPS for C&amp;C communications. The attack chain involves compromised email accounts, malicious Excel files, and various evasion techniques. This campaign demonstrates Earth Kasha's continued evolution and poses significant geopolitical implications.</p><p>Pulse ID: 6813da43537c3d86e6ba3ca2<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/6813da43537c3d86e6ba3ca2" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/6813d</span><span class="invisible">a43537c3d86e6ba3ca2</span></a><br>Pulse Author: AlienVault<br>Created: 2025-05-01 20:32:02</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/APT10" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APT10</span></a> <a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackDoor</span></a> <a href="https://social.raytec.co/tags/CandC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CandC</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/DNS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DNS</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Espionage</span></a> <a href="https://social.raytec.co/tags/Excel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Excel</span></a> <a href="https://social.raytec.co/tags/Government" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Government</span></a> <a href="https://social.raytec.co/tags/HTTP" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTTP</span></a> <a href="https://social.raytec.co/tags/HTTPS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HTTPS</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Japan" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Japan</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/SpearPhishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SpearPhishing</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
ESET Research
<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESETresearch</span></a> has uncovered the <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> Operation AkaiRyū, which extends the group’s usual focus beyond Japan into Europe. The initial lure centered around Expo 2025 in Japan, compromising a Central European diplomatic institute.<br><a href="https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/</span></a></p><p>Surprisingly, <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> used <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANEL</span></a> – a backdoor historically linked only to <a href="https://infosec.exchange/tags/APT10" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APT10</span></a> – highlighting a shift in the group’s tactics and reinforcing suspicions that MirrorFace could be part of the APT10 umbrella.<br>Operation AkaiRyū began with targeted spearphishing emails referencing the victim’s past correspondence and Expo 2025, persuading recipients to download malicious attachments.<br>Once the files were opened, a layered compromise chain ensued. Collaborating with the victim allowed us to perform in-depth analysis, shedding light on MirrorFace’s post-compromise behavior – from credential harvesting to dropping additional tools for lateral movement.</p><p><a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> used an intricate execution chain to stealthily run a highly tweaked <a href="https://infosec.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AsyncRAT</span></a> within <a href="https://infosec.exchange/tags/WindowsSandbox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WindowsSandbox</span></a>, hampering detection efforts. This is the first time we’ve seen MirrorFace employ AsyncRAT.<br>In another twist, <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> utilized <a href="https://infosec.exchange/tags/VSCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>VSCode</span></a> remote tunnels, a tactic enabling covert access and command execution on compromised machines. This approach has also been seen with other China-aligned cyberespionage groups.<br>The group primarily leveraged <a href="https://infosec.exchange/tags/ANEL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANEL</span></a> as a first-stage backdoor; <a href="https://infosec.exchange/tags/HiddenFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HiddenFace</span></a> – MirrorFace’s flagship backdoor – was dropped later in the attack to bolster persistence. Notably absent this time was <a href="https://infosec.exchange/tags/LODEINFO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LODEINFO</span></a>, which <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> typically employs.</p><p>We presented our findings about Operation AkaiRyū conducted by <a href="https://infosec.exchange/tags/MirrorFace" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MirrorFace</span></a> at @jpcert_ac on January 22, 2025: <a href="https://jsac.jpcert.or.jp" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">jsac.jpcert.or.jp</span><span class="invisible"></span></a>.<br>IoCs available in our GitHub repo: <a href="https://github.com/eset/malware-ioc/tree/master/mirrorface" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/mirrorface</span></a></p>