Cyber Security News

MirrorFace Hackers Modify AsyncRAT Execution for Stealthy Deployment in Windows Sandbox

In a significant development, the China-aligned advanced persistent threat (APT) group known as MirrorFace has been observed employing sophisticated tactics to enhance the stealthiness of its attacks.

Recently, MirrorFace modified the execution of AsyncRAT, a publicly available remote access trojan (RAT), to run it inside Windows Sandbox, thereby evading detection by security controls.

This approach is part of a broader campaign, dubbed Operation AkaiRyū, which marks a notable expansion of MirrorFace’s activities beyond its traditional focus on Japan.

Enhanced Stealth and Execution Techniques

MirrorFace’s use of a customized AsyncRAT variant involves embedding it in a complex execution chain that leverages Windows Sandbox.

AsyncRAT ExecutionAsyncRAT Execution
AsyncRAT execution chain

This sandbox environment allows the RAT to operate without leaving traces in the main system, making it challenging for security tools to detect.

The AsyncRAT variant is heavily customized with features such as sample tagging, connection to command and control (C&C) servers via Tor, and a domain generation algorithm (DGA) for generating machine-specific domains.

These modifications enable MirrorFace to maintain persistence and control over compromised systems while minimizing the risk of detection.

In addition to AsyncRAT, MirrorFace has also revived the use of ANEL, a backdoor previously associated with APT10.

According to ESET Report, this move suggests a potential connection between MirrorFace and APT10, with some researchers now considering MirrorFace a subgroup under the APT10 umbrella.

The deployment of ANEL as a first-line backdoor indicates a strategic shift in MirrorFace’s tactics, techniques, and procedures (TTPs).

Furthermore, MirrorFace has been using Visual Studio Code’s remote tunnels feature to establish stealthy access to compromised machines, execute arbitrary code, and deliver additional tools.

Compromise chain

Operation AkaiRyū and Expanded Targets

Operation AkaiRyū, which began in mid-2024, targeted a Central European diplomatic institute, marking the first known instance of MirrorFace attacking a European entity.

The operation utilized spearphishing emails referencing Expo 2025 in Osaka, Japan, to lure targets into opening malicious attachments.

This campaign highlights MirrorFace’s ability to adapt its tactics while maintaining a focus on events related to Japan.

The group’s post-compromise activities included deploying a range of tools, such as PuTTY, VS Code, and HiddenFace, to maintain persistence and gather sensitive information.

The collaboration with the affected diplomatic institute provided valuable insights into MirrorFace’s post-compromise activities, revealing a sophisticated approach to maintaining stealth and achieving objectives.

Despite these advancements, MirrorFace’s operational security improvements have made it more challenging for investigators to gather comprehensive data on its activities.

The use of Windows Sandbox and other evasion techniques underscores the evolving nature of cyber threats and the need for enhanced security measures to counter such sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Critical Vulnerability in Ubiquiti UniFi Protect Camera Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem-one rated the maximum severity score of…

5 hours ago

IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux, and…

5 hours ago

Cisco IOS Software SISF Vulnerability Could Enable Attackers to Launch DoS Attacks

Cisco has released security updates addressing a critical vulnerability in the Switch Integrated Security Features…

5 hours ago

Seamless AI Communication: Microsoft Azure Adopts Google’s A2A Protocol

Microsoft has announced its support for the Agent2Agent (A2A) protocol, an open standard developed in…

6 hours ago

Radware Cloud Web App Firewall Flaw Allows Attackers to Bypass Security Filters

Security researchers have uncovered two critical vulnerabilities in Radware’s Cloud Web Application Firewall (WAF) that…

6 hours ago

ESET Reveals How to Spot Fake Calls Demanding Payment for ‘Missed Jury Duty’

ESET, a leading cybersecurity firm, has shed light on one particularly insidious scheme: fake calls…

6 hours ago