Update: MirrorFace Expands Targeting with Operation AkaiRyū, Deploys Revived ANEL Backdoor
Cybersecurity researchers have uncovered a new malware campaign by the China-linked MirrorFace group, tracked as Operation AkaiRyū, targeting a diplomatic organization in Central Europe. MirrorFace, also known as Earth Kasha, has historically focused on Japanese entities, so this expansion into Europe marks a shift in its operations. The attack, detected by ESET in August 2024, used spear-phishing lures referencing the upcoming World Expo in Osaka, Japan, to infect the target with a heavily modified AsyncRAT and the ANEL backdoor (also known as UPPERCUT). The ANEL revival is notable because the backdoor had been largely abandoned since 2019; its return, together with the absence of LODEINFO from every MirrorFace campaign observed in 2024 and 2025, suggests the group has moved away from LODEINFO. The attack relied on DLL side-loading to deploy ANEL and HiddenFace (NOOPDOOR), a modular backdoor used exclusively by MirrorFace. The group also leveraged Visual Studio Code Remote Tunnels, a tool increasingly favored by Chinese state-sponsored actors for stealthy access to compromised systems. The campaign overlaps with Japan’s "Campaign C" investigation, suggesting broader espionage efforts against governmental and diplomatic organizations. MirrorFace has also tightened its operational security, wiping delivered tools, clearing Windows event logs, and executing malware inside Windows Sandbox to hinder forensic analysis. Despite these efforts, researchers continue to track its evolving tactics, which highlight the growing sophistication of China-linked cyber espionage.
BADBOX 2.0: The Largest Connected TV Botnet Uncovered, Used for Ad Fraud and Cybercrime
A large-scale cybercrime operation known as BADBOX 2.0 has been uncovered, involving four interconnected threat groups: SalesTracker Group, MoYu Group, Lemon Group, and LongTV. This operation, the largest botnet of infected connected TV (CTV) devices ever recorded, exploits low-cost Android-based devices through pre-installed backdoors and trojanized apps. The BB2DOOR malware is based on the Triada Android malware and is delivered through supply chain compromises, remote downloads on first boot, or more than 200 trojanized apps from third-party stores. Once infected, these devices are used for hidden ad fraud, automated ad clicks, residential proxy services, and cybercrime operations, affecting over one million devices globally. The infected devices, primarily cheap Android tablets, digital projectors, and car infotainment systems, are controlled by a cooperative network of cybercriminals who use them to generate fraudulent ad revenue, conduct account takeovers, and distribute malware. Attempts to disrupt BADBOX 2.0 have had partial success: a number of its domains have been sinkholed, and Google removed 24 malicious apps from the Play Store following a prior takedown of infrastructure by the German government in December 2024. However, the malware continues to evolve, with attackers modifying legitimate Android libraries to maintain persistence and evade detection. MoYu Group manages residential proxy services built on infected devices, Lemon Group oversees HTML5 game-based ad fraud, and LongTV, a Malaysian media company, runs "evil twin" ad fraud techniques to manipulate revenues. Researchers have also identified overlaps between BB2DOOR and the Vo1d malware, which explicitly targets off-brand Android TV boxes, suggesting broader cybercriminal collaboration.
With its ability to be repurposed for DDoS attacks, credential theft, and other cyber threats, BADBOX 2.0 demonstrates the growing dangers posed by large-scale botnets exploiting supply chain vulnerabilities and compromised consumer devices.
StilachiRAT: A Stealthy Trojan Targeting Credentials, Cryptocurrency, and System Access
Microsoft has uncovered StilachiRAT, a newly identified remote access trojan (RAT) designed to evade detection, persist within systems, and steal sensitive data. Discovered in November 2024, the malware operates through a DLL module named WWStartupCtrl64[.]dll and has yet to be attributed to a known threat actor. StilachiRAT can harvest credentials stored in browsers, steal cryptocurrency wallet information, monitor clipboard activity, and collect extensive system details, including hardware identifiers, active RDP sessions, and running applications. It also tracks foreground window activity, enabling attackers to clone security tokens, impersonate logged-in users, and move laterally within compromised networks. The malware’s command-and-control (C2) communication allows it to execute system commands remotely, launch applications, establish network connections, clear event logs, and even force system shutdowns through undocumented Windows API functions. StilachiRAT employs advanced anti-forensic techniques to prevent detection, including clearing Windows event logs, monitoring for analysis tools, and checking for sandbox environments to hinder malware research. It is also engineered to obfuscate its API calls, resolving them from checksums at runtime, making traditional detection methods ineffective. Attackers use the RAT to steal credentials, exfiltrate data, and establish long-term access to compromised systems through watchdog threads that automatically reinstall the malware if removed. While the initial infection vector remains unknown, its functionality suggests multiple potential delivery methods, including malicious email attachments, software exploits, and trojanized applications. Microsoft warns that the malware’s capabilities extend beyond data theft, as it can also be used for espionage, remote system manipulation, and possibly further cyberattacks, making it a significant emerging threat.
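Two behaviours recur across the MirrorFace and StilachiRAT items above: clearing Windows event logs to frustrate forensics, and (for MirrorFace) launching Visual Studio Code Remote Tunnels for remote access. As an added example, not code from the original report nor from ESET's or Microsoft's tooling, the following Python flags both in a batch of Windows event records. The records are constructed, one JSON object per line in the shape a log forwarder might emit; the field names (TimeCreated, Computer, Channel, Provider, EventID, SubjectUserName, CommandLine) follow the Windows event XML but the line format itself is an assumption. The event IDs (1102, 104, 4688) and the Microsoft-Windows-Eventlog provider name are standard Windows values, and the `code tunnel` heuristic is a simple command-line check, not a vendor signature.

```python
"""Detect event-log clearing and VS Code tunnel launches in forwarded
Windows events (added example with constructed input)."""
import json
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Standard Windows event IDs (not taken from the report above):
#   1102  "The audit log was cleared"        (Security channel)
#    104  "The <name> log file was cleared"  (System channel)
# Both are written by the Microsoft-Windows-Eventlog provider; checking the
# provider stops unrelated sources that reuse the same numbers from firing.
#   4688  process creation; the CommandLine field is only present when the
#         "Include command line in process creation events" policy is enabled.
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
LOG_CLEARED_IDS = {1102, 104}
PROCESS_CREATE_ID = 4688


@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    rule: str
    detail: str


def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line; a malformed line is skipped
    rather than aborting the whole batch."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_log_cleared(ev: dict) -> bool:
    """True for a genuine log-clear record from the event log service."""
    return ev.get("EventID") in LOG_CLEARED_IDS and ev.get("Provider") == EVENTLOG_PROVIDER


def is_vscode_tunnel(ev: dict) -> bool:
    """True when a process-creation record shows code.exe started with the
    'tunnel' subcommand (the documented CLI form is `code tunnel`)."""
    if ev.get("EventID") != PROCESS_CREATE_ID:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "code.exe" in cmd and "tunnel" in cmd.split()


def detect(events: Iterable[dict]) -> List[Finding]:
    """Run both rules over a stream of events and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        host = ev.get("Computer", "?")
        when = ev.get("TimeCreated", "?")
        who = ev.get("SubjectUserName", "?")
        if is_log_cleared(ev):
            findings.append(Finding(host, when, "event-log-cleared",
                                    f"{ev.get('Channel', '?')} log cleared by {who}"))
        elif is_vscode_tunnel(ev):
            findings.append(Finding(host, when, "vscode-remote-tunnel",
                                    f"{who} launched: {ev.get('CommandLine')}"))
    return findings


# Constructed sample batch: a normal logon, a VS Code tunnel launch, a benign
# process start, a Security and a System log clear, a look-alike 1102 from an
# unrelated provider, and one malformed line.
SAMPLE_LINES = r"""
{"TimeCreated":"2024-08-14T09:12:03Z","Computer":"WS-042","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventID":4624,"SubjectUserName":"j.doe"}
{"TimeCreated":"2024-08-14T09:15:41Z","Computer":"WS-042","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventID":4688,"SubjectUserName":"j.doe","CommandLine":"C:\\Program Files\\Microsoft VS Code\\code.exe tunnel --accept-server-license-terms"}
{"TimeCreated":"2024-08-14T09:16:02Z","Computer":"WS-042","Channel":"Security","Provider":"Microsoft-Windows-Security-Auditing","EventID":4688,"SubjectUserName":"j.doe","CommandLine":"C:\\Windows\\System32\\notepad.exe"}
{"TimeCreated":"2024-08-14T11:40:19Z","Computer":"WS-042","Channel":"Security","Provider":"Microsoft-Windows-Eventlog","EventID":1102,"SubjectUserName":"j.doe"}
{"TimeCreated":"2024-08-14T11:40:20Z","Computer":"WS-042","Channel":"System","Provider":"Microsoft-Windows-Eventlog","EventID":104,"SubjectUserName":"j.doe"}
{"TimeCreated":"2024-08-14T11:41:00Z","Computer":"WS-042","Channel":"Application","Provider":"ContosoBackupAgent","EventID":1102,"SubjectUserName":"SYSTEM"}
this line is not JSON
""".splitlines()


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LINES)):
        print(f"{f.time} {f.host} [{f.rule}] {f.detail}")
```

The log-clear rule only works if the record reaches a collector before the attacker clears the local log: event 1102 is written as the clearing happens, so hosts that forward events off-box in near real time preserve the evidence that MirrorFace and StilachiRAT try to erase, whereas a purely local log leaves nothing to inspect. The tunnel rule depends on command-line capture being enabled in the audit policy; without it the 4688 record carries no CommandLine field and the heuristic stays silent.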