MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Upgraded ANEL Malware
Briefly

The threat actor MirrorFace has run a cyber espionage campaign using the ROAMINGMOUSE malware against government and public institutions, particularly in Japan and Taiwan. Detected by Trend Micro in March 2025, the operation uses spear-phishing to deploy an updated version of the ANEL backdoor. Key elements include the subsequent deployment of NOOPDOOR and the use of a macro-enabled dropper. The campaign indicates a continuing expansion of this China-aligned group's information-theft activity in pursuit of its strategic goals.
The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan.
The attack starts with a spear-phishing email, in some cases sent from a legitimate but compromised account, that contains an embedded Microsoft OneDrive URL, which in turn downloads a ZIP file.
Read at The Hacker News