The nation-state threat actor known as MirrorFace has been observed deploying a new malware strain, ROAMINGMOUSE, as part of an ongoing cyber espionage campaign targeting government agencies and public institutions in Japan and Taiwan. This campaign, detected by Trend Micro in March 2025, involves spear-phishing attacks designed to deliver an updated version of the ANEL backdoor.
ROAMINGMOUSE Malware Delivers Advanced Backdoor Components
The attacks begin with spear-phishing emails, some of which are sent from legitimate but compromised accounts. These emails contain a Microsoft OneDrive link, which, when clicked, leads to the download of a ZIP file. Inside the archive is a malicious Excel document containing a macro-enabled dropper, codenamed ROAMINGMOUSE, that delivers various components of the ANEL backdoor.
ROAMINGMOUSE Base64-decodes the ZIP archive embedded in the document, extracts its contents, and drops several files, including:
- JSLNTOOL.exe, JSTIEE.exe, JSVWMNG.exe (legitimate binaries)
- JSFC.dll (ANELLDR, a malicious DLL)
- An encrypted ANEL payload
- MSVCR100.dll (a legitimate DLL dependency)
The goal of the attack chain is to sideload the ANEL backdoor: Explorer.exe is used to launch the legitimate executable, which in turn loads the malicious ANELLDR DLL (JSFC.dll) from the same directory; ANELLDR then decrypts the encrypted payload and activates the ANEL backdoor.
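The side-loading chain above leaves a recognisable footprint in endpoint telemetry: Explorer.exe starting one of the named host binaries from a user-writable directory, that binary then loading JSFC.dll from beside itself, and a staging folder that holds both. The following Python is an added detection example, not Trend Micro's or MirrorFace's code; the event records are constructed to resemble Sysmon process-creation and image-load fields, the trusted-directory prefixes are an assumed heuristic, and the sample paths are invented, not real indicators from the campaign.

```python
"""Detection heuristics for the ANELLDR side-loading chain.

Hypothetical example: the ProcessEvent / ImageLoadEvent shapes mimic the
Image, ParentImage and ImageLoaded fields of Sysmon events 1 and 7, and the
sample records below are constructed, not captured telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names taken from the write-up: legitimate host binaries and the malicious DLL.
SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
MALICIOUS_DLL = "jsfc.dll"
LEGIT_DEP = "msvcr100.dll"  # dropped alongside; informative, not required for a match

# Assumed heuristic: vendor software normally lives under these prefixes,
# so a host binary running from anywhere else is worth a look.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


@dataclass
class ProcessEvent:
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process


@dataclass
class ImageLoadEvent:
    image: str   # process that performed the load
    loaded: str  # full path of the DLL that was loaded


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def suspicious_process(ev: ProcessEvent) -> bool:
    """Explorer.exe launching a known side-load host from an untrusted path."""
    return (
        _base(ev.parent_image) == "explorer.exe"
        and _base(ev.image) in SIDELOAD_HOSTS
        and not _in_trusted_dir(ev.image)
    )


def suspicious_load(ev: ImageLoadEvent) -> bool:
    """A side-load host loading JSFC.dll from an untrusted directory."""
    return (
        _base(ev.image) in SIDELOAD_HOSTS
        and _base(ev.loaded) == MALICIOUS_DLL
        and not _in_trusted_dir(ev.loaded)
    )


def staging_dir_matches(filenames) -> bool:
    """True when a directory listing holds a host binary next to JSFC.dll."""
    names = {n.lower() for n in filenames}
    return bool(names & SIDELOAD_HOSTS) and MALICIOUS_DLL in names


def scan(process_events, load_events):
    """Return human-readable findings for every event that matches a rule."""
    findings = []
    for ev in process_events:
        if suspicious_process(ev):
            findings.append(f"side-load host launched by explorer: {ev.image}")
    for ev in load_events:
        if suspicious_load(ev):
            findings.append(f"{_base(ev.image)} loaded {ev.loaded}")
    return findings


# Constructed sample telemetry: one vendor-installed launch, one staged chain.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Program Files\Vendor\JSLNTOOL.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\pkg\JSLNTOOL.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_LOAD_EVENTS = [
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\pkg\JSLNTOOL.exe",
                   r"C:\Users\alice\AppData\Local\Temp\pkg\JSFC.dll"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_LOAD_EVENTS):
        print(line)
```

The path-prefix test is a triage heuristic rather than proof of legitimacy: a renamed or relocated copy of the host binary under Program Files would pass it, so the image-load rule (the host loading JSFC.dll at all) is the stronger of the two and should fire regardless of where a genuine installation of the vendor tool happens to live.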
Enhanced Functionality with Beacon Object Files
The ANEL backdoor used in the 2025 campaign has been enhanced with a new command that allows for the execution of Beacon Object Files (BOFs) in memory. These BOFs, which are compiled C programs, extend the functionality of the Cobalt Strike agent, adding advanced post-exploitation features. After the ANEL backdoor is deployed, the threat actor behind the attack is able to take screenshots, run process lists, and examine domain information from the compromised system.
The attackers have also leveraged an open-source tool called SharpHide, which helps launch the NOOPDOOR backdoor (also known as HiddenFace). NOOPDOOR is equipped with DNS-over-HTTPS (DoH) capabilities to obscure its command-and-control (C2) traffic by concealing IP address lookups. This makes the attack more difficult to detect and analyze.
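Because DNS-over-HTTPS hides the resolver lookup inside ordinary TLS, the place to look for it is web-proxy or TLS-inspection telemetry rather than the DNS server logs. The script below is an added example of that triage, not code from the report or from NOOPDOOR: it parses constructed tab-separated proxy records (an assumed layout, not any vendor's format), recognises RFC 8484 requests by the conventional /dns-query path and the application/dns-message media type, and separates DoH from browsers that are expected to use it from DoH originating in an unexpected process. The resolver list and process allowlist are illustrative assumptions, and the sample lines are invented.

```python
"""Flagging DNS-over-HTTPS use in proxy telemetry.

Hypothetical example: each log line is tab-separated as
time, client, process, method, url, content_type. That layout and the
sample records are constructed for this illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# RFC 8484 markers: conventional query path and the DNS wire-format media type.
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Illustrative list of well-known public DoH resolvers; extend from your own intel.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumed allowlist of processes expected to speak DoH on a workstation.
EXPECTED_DOH_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def parse_line(line: str) -> dict:
    ts, client, process, method, url, ctype = line.rstrip("\n").split("\t")
    return {
        "time": ts,
        "client": client,
        "process": process.lower(),
        "method": method.upper(),
        "url": url,
        "content_type": ctype.lower(),
    }


def is_doh_request(rec: dict) -> bool:
    """True when the request looks like DoH by resolver host, media type or path."""
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    if host in KNOWN_DOH_HOSTS:
        return True
    if rec["content_type"].startswith(DOH_MEDIA_TYPE):
        return True
    if parts.path == DOH_PATH:
        # POST carries the query in the body; GET carries it in the `dns` parameter.
        return rec["method"] == "POST" or "dns" in parse_qs(parts.query)
    return False


def classify(line: str) -> Optional[str]:
    """None for non-DoH traffic, otherwise whether the originating process is expected."""
    rec = parse_line(line)
    if not is_doh_request(rec):
        return None
    if rec["process"] in EXPECTED_DOH_PROCESSES:
        return "doh-expected"
    return "doh-unexpected-process"


def find_unexpected_doh(lines):
    """(client, process, url) for every DoH request from a non-allowlisted process."""
    hits = []
    for line in lines:
        if classify(line) == "doh-unexpected-process":
            rec = parse_line(line)
            hits.append((rec["client"], rec["process"], rec["url"]))
    return hits


# Constructed sample records: a browser using a public resolver, an unknown
# binary querying a resolver on a documentation-range address, and plain browsing.
SAMPLE_LINES = [
    "2025-03-10T09:14:02Z\t10.0.0.7\tfirefox.exe\tPOST\t"
    "https://cloudflare-dns.com/dns-query\tapplication/dns-message",
    "2025-03-10T09:15:40Z\t10.0.0.7\tsvc.exe\tGET\t"
    "https://203.0.113.10/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB\t"
    "application/octet-stream",
    "2025-03-10T09:16:05Z\t10.0.0.7\tfirefox.exe\tGET\t"
    "https://www.example.com/\ttext/html",
]

if __name__ == "__main__":
    for hit in find_unexpected_doh(SAMPLE_LINES):
        print("unexpected DoH:", *hit)
```

The second record is the interesting one: the media type is generic and the host is not on any resolver list, so only the path-plus-parameter shape of the GET gives it away. An implant is free to drop the conventional path as well, which is why process attribution (who is talking to a resolver at all) is the more durable signal than any string match on the URL.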
MirrorFace, also referred to as Earth Kasha, is believed to be a sub-cluster within the APT10 group. This latest campaign marks an expansion of its activities, targeting Japanese and Taiwanese organizations. These attacks highlight the group’s continued focus on cyber espionage, with the aim of stealing sensitive information to further its strategic objectives.
Proactive Measures to Defend Against MirrorFace Attacks
To protect against these types of attacks, enterprises and organizations, particularly those holding valuable assets like sensitive governance data, intellectual property, and infrastructure information, must implement proactive security measures. This includes advanced threat detection systems, user training to identify phishing attempts, and regularly updating software to patch vulnerabilities that could be exploited by attackers.
MirrorFace’s use of ROAMINGMOUSE and its deployment of advanced tools like BOFs and SharpHide signify a growing sophistication in cyber espionage campaigns. As the threat landscape continues to evolve, it is crucial for organizations to stay vigilant and prioritize cybersecurity to safeguard critical assets against these advanced persistent threats.