The threat landscape of cyber espionage continues to evolve, with state-backed actors pushing the boundaries of their activities across the globe. In March 2025, a cyber attack attributed to the nation-state actor known as MirrorFace was uncovered, targeting government agencies and public institutions in Japan and Taiwan. The attack relied on a multi-stage malware chain, including the ROAMINGMOUSE dropper and the ANEL backdoor, to infiltrate high-value targets and gather sensitive information from them.
In this article, we will delve into the details of this attack, the malicious tools used, and the continued threats posed by MirrorFace and its affiliates. We will also explore the potential implications of this growing cyber espionage campaign and its significance on global security.
Cyber Espionage Campaign Uncovered
The attack attributed to MirrorFace was identified in March 2025 by cybersecurity experts at Trend Micro. The primary tool used in this operation was ROAMINGMOUSE, a dropper that facilitated the installation of ANEL, a backdoor designed to infiltrate and control targeted systems. The campaign began with spear-phishing emails targeting specific government entities in Japan and Taiwan. These emails often appeared to be sent from legitimate but compromised accounts and contained an embedded Microsoft OneDrive link that led to a ZIP file.
Upon extraction, the ZIP file contained a macro-enabled dropper named ROAMINGMOUSE. This dropper decoded an embedded Base64-encoded ZIP file that held the components needed for the rest of the attack:
- JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (legitimate binaries used as the sideloading host)
- JSFC.dll (ANELLDR, the malicious loader)
- An encrypted ANEL payload
- MSVCR100.dll (a legitimate runtime dependency of the host binary)
ROAMINGMOUSE wrote these files to the target system and then launched the legitimate binary through Windows’ explorer.exe. Because the legitimate binary loads a DLL by name from its own directory, it picked up the malicious JSFC.dll (ANELLDR) placed next to it; this DLL sideloading step decrypted and launched the ANEL backdoor.
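The sideloading chain described above leaves a recognisable footprint on the endpoint: one of the named legitimate binaries started from a user-writable directory that also holds JSFC.dll and MSVCR100.dll. The following detection logic is an added example written for this article, not code from the original report; the event fields, directory paths and the `sample_events` records are constructed assumptions in the style of process-creation telemetry.

```python
# Added example: flag the ROAMINGMOUSE/ANELLDR sideloading pattern in
# constructed, Sysmon-style process-creation events. Field names, paths
# and sample_events are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Set

SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}  # legitimate binaries named in the report
SIDELOAD_DLLS = {"jsfc.dll", "msvcr100.dll"}                     # DLLs co-dropped with the host binary
TRUSTED_DIR_PREFIXES = (r"c:\program files", r"c:\windows")      # where such binaries normally live


@dataclass
class ProcessEvent:
    image: str                                    # full path of the started executable
    parent_image: str                             # full path of the parent process
    dir_listing: Set[str] = field(default_factory=set)  # file names found next to the image


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def score_event(ev: ProcessEvent) -> Dict[str, bool]:
    """Return which individual sideloading indicators fire for one event."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    return {
        "abused_host_binary": name in SIDELOAD_HOSTS,
        "untrusted_location": not _dirname(ev.image).startswith(TRUSTED_DIR_PREFIXES),
        "sideload_dlls_present": SIDELOAD_DLLS <= {f.lower() for f in ev.dir_listing},
        "explorer_parent": ev.parent_image.lower().endswith("\\explorer.exe"),
    }


def is_suspicious(ev: ProcessEvent) -> bool:
    # Core signal: the host binary outside its install location with both DLLs beside it.
    ind = score_event(ev)
    return ind["abused_host_binary"] and ind["untrusted_location"] and ind["sideload_dlls_present"]


def find_suspicious(events: List[ProcessEvent]) -> List[str]:
    return [ev.image for ev in events if is_suspicious(ev)]


# Constructed sample events, not real telemetry.
sample_events = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\extracted\JSLNTOOL.exe", r"C:\Windows\explorer.exe",
                 {"JSLNTOOL.exe", "JSFC.dll", "MSVCR100.dll", "payload.dat"}),
    ProcessEvent(r"C:\Program Files\VendorApp\JSLNTOOL.exe", r"C:\Windows\explorer.exe",
                 {"JSLNTOOL.exe", "JSFC.dll", "MSVCR100.dll"}),   # same files, expected install path
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", {"notepad.exe"}),
]
```

The explorer.exe parent is reported as a separate indicator rather than required, since the report describes that launch path but a dropper could equally spawn the host binary another way.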
The updated ANEL malware in the March 2025 campaign included a significant enhancement: support for in-memory execution of beacon object files (BOFs). BOFs are small compiled C programs that extend the capabilities of a Cobalt Strike Beacon agent with additional post-exploitation functions. Support for BOFs makes the malware more adaptable, allowing the attackers to extend what they can do on a compromised system without dropping new executables to disk.
Once installed, the malware allowed the adversaries to take screenshots, enumerate running processes, and collect domain information from the compromised system. Additionally, SharpHide, an open-source tool, was used to deploy the NOOPDOOR backdoor, which supports DNS-over-HTTPS (DoH) to disguise its command-and-control (C2) communication.
The continued use of ROAMINGMOUSE and the ANEL malware illustrates the persistent and evolving nature of MirrorFace’s attacks. The threat actor, believed to be aligned with China and also known as Earth Kasha, is assessed to be a sub-cluster within the APT10 group. MirrorFace’s operations highlight the growing scope of cyber espionage campaigns targeting sensitive governmental and institutional data, with an emphasis on stealing information that can further strategic objectives.
What Undercode Says:
MirrorFace, also known as Earth Kasha, continues to showcase the capabilities of state-sponsored cyber groups in exploiting weaknesses in digital infrastructure. The attack on Japan and Taiwan’s government entities emphasizes the high level of sophistication employed by these actors, demonstrating not only the technical proficiency but also the strategic importance of the targets chosen.
The use of ROAMINGMOUSE as a delivery mechanism is particularly noteworthy. The dropper’s ability to decode and extract its components at runtime makes it a versatile tool for the attackers, and it points to a largely automated, scalable process capable of evading some detection measures. The reliance on legitimate components, such as the JSLNTOOL.exe host binary and the MSVCR100.dll runtime, further enhances the stealth of the attack: the first process to run is a legitimate executable, and the malicious code only appears once it loads the DLL placed beside it, which makes the intrusion harder for security tools to detect.
One of the most striking aspects of this campaign is the use of beacon object files (BOFs) for in-memory execution. This approach allows the attackers to bypass traditional file-based detection methods, and it shows that MirrorFace is continuously evolving its tactics to stay ahead of detection and prevention efforts. The integration of Cobalt Strike’s BOFs into the malware’s execution chain adds a significant layer of complexity and adaptability to their toolkit. These features are particularly concerning because they allow the threat actors to tailor their attacks for different scenarios, increasing the chances of success.
Additionally, the use of DNS-over-HTTPS (DoH) in the deployment of NOOPDOOR represents a shift towards more covert methods of communication. By carrying DNS queries inside encrypted HTTPS sessions, the attackers deny network monitoring tools the plaintext DNS visibility they usually rely on to spot malicious lookups. This shows the growing sophistication of threat actors in masking their presence within a network, making detection even harder for organizations that do not inspect or restrict DoH traffic.
MirrorFace’s ongoing focus on government and public institution targets is part of a broader trend of cyber espionage campaigns aimed at stealing sensitive information. As state actors engage in more targeted campaigns, the risk to global security grows. Organizations must adopt proactive security measures and be vigilant about the evolving tactics used by these actors to prevent falling victim to similar attacks.
Fact Checker Results:
- MirrorFace (Earth Kasha) has been previously associated with APT10, a known Chinese cyber espionage group.
- ROAMINGMOUSE and ANEL are malware tools used in a series of advanced persistent threat (APT) attacks.
- The new BOF functionality in ANEL marks an upgrade in the group’s exploitation capabilities, enhancing their ability to evade detection.
Prediction:
Given the continued use of sophisticated tools like ROAMINGMOUSE and ANEL, it is highly likely that MirrorFace will persist in targeting high-value governmental and institutional targets in Asia. With the added capabilities of DNS-over-HTTPS and in-memory execution techniques, the group will likely expand its focus to other regions with geopolitical significance. As cybersecurity defenses improve, we can expect MirrorFace to refine and adapt its tactics, using even more covert methods to achieve its espionage objectives.
References:
Reported By: thehackernews.com