Ethical Hacking News
Earth Kasha, a Chinese hack group, has deployed ROAMINGMOUSE malware as part of a cyber espionage campaign targeting government agencies and public institutions in Japan and Taiwan. This complex attack highlights the growing sophistication of nation-state actors and emphasizes the need for organizations to implement proactive security measures.
The cybersecurity landscape has seen numerous high-profile attacks, with nation-state actors playing a significant role. Earth Kasha, also known as MirrorFace, is a threat actor deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign. The attack involved spear-phishing lures to deliver an updated version of a backdoor called ANEL. ROAMINGMOUSE decodes and executes malicious components, including JSLNTOOL.exe and JSFC.dll (ANELLDR), the latter being responsible for decrypting and launching the ANEL backdoor. The attack featured advanced persistent threat (APT) techniques, including in-memory execution of beacon object files. Earth Kasha's campaign highlights the importance of proactive security measures for enterprises and organizations operating in Japan and Taiwan.
The cybersecurity landscape has witnessed numerous high-profile attacks in recent times, with nation-state actors playing an increasingly significant role. One such threat actor, known as Earth Kasha or MirrorFace, has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan. This article aims to delve into the details of this sophisticated attack, exploring the tactics, techniques, and procedures (TTPs) employed by Earth Kasha and highlighting the implications for organizations operating in the region.
According to Trend Micro, the activity detected in March 2025 involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL. The campaign, referred to as Operation AkaiRyū, targeted a diplomatic organization in the European Union in August 2024 with ANEL (aka UPPERCUT). This marked a significant escalation in Earth Kasha's activities, highlighting their growing sophistication and reach.
The attack starts with a spear-phishing email — some of which are sent from legitimate-but-compromised accounts — that contains an embedded Microsoft OneDrive URL, which, in turn, downloads a ZIP file. The ZIP archive includes a malware-laced Excel document, and a macro-enabled dropper codenamed ROAMINGMOUSE that serves as a conduit to deliver components related to ANEL. Notably, ROAMINGMOUSE has been employed by MirrorFace since last year.
Upon execution, ROAMINGMOUSE decodes the embedded ZIP file using Base64, drops it to disk, and expands its components. These include JSLNTOOL.exe, JSTIEE.exe, or JSVWMNG.exe (a legitimate binary), JSFC.dll (ANELLDR), an encrypted ANEL payload, and MSVCR100.dll (a legitimate DLL dependency of the executable). The end goal of the attack chain is to launch the legitimate executable via explorer.exe and have it sideload the malicious DLL, in this case ANELLDR, which is responsible for decrypting and launching the ANEL backdoor.
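The side-loading stage described above leaves a recognizable shape in endpoint telemetry: a legitimate executable, launched by explorer.exe from a user-writable staging directory, maps a DLL that sits beside it rather than in a system directory. The following is an added example, not code from the article or from Trend Micro, showing how a defender might score image-load records for that shape. The record layout is loosely modeled on Sysmon Event ID 7 (ImageLoaded), the field names are assumptions, and the sample events and their paths are constructed for the example; only the executable and DLL names come from the article.

```python
# Added example (not from the article or Trend Micro): a heuristic detector for the
# DLL side-loading stage of the ROAMINGMOUSE/ANELLDR chain, run over constructed
# image-load records shaped loosely like Sysmon Event ID 7. Field names are assumptions.
from __future__ import annotations

from dataclasses import dataclass
import ntpath

# Executable and DLL names quoted in the article. The executables are legitimate
# binaries, so the name alone is never a verdict; the pairing and the path are.
SIDELOAD_HOSTS = {"jslntool.exe", "jstiee.exe", "jsvwmng.exe"}
SIDELOADED_DLL = "jsfc.dll"  # ANELLDR
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the process that mapped the image
    parent_image: str    # full path of its parent process
    loaded_image: str    # full path of the DLL that was mapped


def in_trusted_dir(path: str) -> bool:
    """True when the path lives under a directory normal users cannot write to."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def reasons_for(ev: ImageLoad) -> list[str]:
    """Return the heuristics that matched; an empty list means nothing of note."""
    proc = ntpath.basename(ev.process_image).lower()
    dll = ntpath.basename(ev.loaded_image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    hits: list[str] = []
    if proc in SIDELOAD_HOSTS and dll == SIDELOADED_DLL:
        hits.append("known side-load host loading ANELLDR (JSFC.dll)")
    same_dir = (ntpath.dirname(ev.loaded_image).lower()
                == ntpath.dirname(ev.process_image).lower())
    if same_dir and not in_trusted_dir(ev.loaded_image):
        hits.append("DLL loaded side-by-side with its host outside a trusted directory")
    if parent == "explorer.exe" and not in_trusted_dir(ev.process_image):
        hits.append("host launched by explorer.exe from a user-writable path")
    return hits


def is_suspicious(ev: ImageLoad) -> bool:
    """Alert on the exact named pair, or when two weaker heuristics agree."""
    hits = reasons_for(ev)
    return any(h.startswith("known side-load host") for h in hits) or len(hits) >= 2


def triage(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Return (process image, matched heuristics) for every suspicious record."""
    return [(ev.process_image, reasons_for(ev)) for ev in events if is_suspicious(ev)]


# Constructed sample telemetry. The staging directory and user name are invented;
# the second record shows that even the legitimate MSVCR100.dll load is flagged,
# because it is the staging location, not the DLL, that is anomalous.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\stage\JSLNTOOL.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\stage\JSFC.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\stage\JSLNTOOL.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\stage\MSVCR100.dll"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\helper.dll"),
]

if __name__ == "__main__":
    for image, why in triage(SAMPLE_EVENTS):
        print(image)
        for reason in why:
            print("  -", reason)
```

The name-based rule is brittle by design (an operator can rename the dropped files), so the two path-based heuristics carry the weight in practice: a binary that is normally installed under Program Files appearing in a temp directory, launched by explorer.exe and loading DLLs from beside itself, is worth a look regardless of what it is called.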
The ANEL artifact used in the 2025 campaign features an added command to support in-memory execution of beacon object files (BOFs), compiled C programs designed to extend the Cobalt Strike agent with new post-exploitation features. This highlights Earth Kasha's efforts to stay at the forefront of advanced persistent threat (APT) techniques.
"After installing the ANEL file, actors behind Earth Kasha obtained screenshots using a backdoor command and examined the victim's environment," Trend Micro explained. "The adversary appears to investigate the victim by looking through screenshots, running process lists, and domain information."
This campaign underscores the importance of proactive security measures for enterprises and organizations in Japan and Taiwan. Organizations should remain vigilant and implement robust security protocols to prevent falling victim to cyber attacks.
Earth Kasha continues to be an active advanced persistent threat, targeting government agencies and public institutions in Taiwan and Japan in its latest campaign. Enterprises and organizations operating in these regions are advised to stay proactive in their security strategies, ensuring they implement measures to prevent falling victim to Earth Kasha's sophisticated tactics.
Related Information:
https://www.ethicalhackingnews.com/articles/Earth-Kasha-The-Chinese-Hackers-Behind-a-Sophisticated-Cyber-Espionage-Campaign-Targeting-Japan-and-Taiwan-ehn.shtml
https://thehackernews.com/2025/05/mirrorface-targets-japan-and-taiwan.html
https://attack.mitre.org/software/S0275/
Published: Thu May 8 07:53:17 2025 by llama3.2 3B Q4_K_M