MirrorFace Hackers Modify AsyncRAT Execution for Stealthy Deployment in Windows Sandbox

In a significant development, the China-aligned advanced persistent threat (APT) group known as MirrorFace has been observed employing sophisticated tactics to enhance the stealthiness of its attacks.

Recently, MirrorFace modified the execution of AsyncRAT, a publicly available remote access trojan (RAT), to run it inside Windows Sandbox, thereby evading detection by security controls.

This approach is part of a broader campaign, dubbed Operation AkaiRyū, which marks a notable expansion of MirrorFace’s activities beyond its traditional focus on Japan.

Enhanced Stealth and Execution Techniques

MirrorFace’s use of a customized AsyncRAT variant involves embedding it in a complex execution chain that leverages Windows Sandbox.

This sandbox environment allows the RAT to operate without leaving traces in the main system, making it challenging for security tools to detect.

The AsyncRAT variant is heavily customized with features such as sample tagging, connection to command and control (C&C) servers via Tor, and a domain generation algorithm (DGA) for generating machine-specific domains.

These modifications enable MirrorFace to maintain persistence and control over compromised systems while minimizing the risk of detection.

In addition to AsyncRAT, MirrorFace has also revived the use of ANEL, a backdoor previously associated with APT10.

According to ESET Report, this move suggests a potential connection between MirrorFace and APT10, with some researchers now considering MirrorFace a subgroup under the APT10 umbrella.

The deployment of ANEL as a first-line backdoor indicates a strategic shift in MirrorFace’s tactics, techniques, and procedures (TTPs).

Furthermore, MirrorFace has been using Visual Studio Code’s remote tunnels feature to establish stealthy access to compromised machines, execute arbitrary code, and deliver additional tools.

Operation AkaiRyū and Expanded Targets

Operation AkaiRyū, which began in mid-2024, targeted a Central European diplomatic institute, marking the first known instance of MirrorFace attacking a European entity.

The operation utilized spearphishing emails referencing Expo 2025 in Osaka, Japan, to lure targets into opening malicious attachments.

This campaign highlights MirrorFace’s ability to adapt its tactics while maintaining a focus on events related to Japan.

The group’s post-compromise activities included deploying a range of tools, such as PuTTY, VS Code, and HiddenFace, to maintain persistence and gather sensitive information.

The collaboration with the affected diplomatic institute provided valuable insights into MirrorFace’s post-compromise activities, revealing a sophisticated approach to maintaining stealth and achieving objectives.

Despite these advancements, MirrorFace’s operational security improvements have made it more challenging for investigators to gather comprehensive data on its activities.

The use of Windows Sandbox and other evasion techniques underscores the evolving nature of cyber threats and the need for enhanced security measures to counter such sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.