**China-Linked Hackers Target Government Agencies in Japan and Taiwan Using Stealthy Malware**

A sophisticated cyber-espionage campaign has targeted government agencies in Japan and Taiwan, with threat actors deploying a new Excel-based malware dropper named ROAMINGMOUSE. Security researchers have linked the attack to the China-affiliated group MirrorFace (also known as Earth Kasha), a threat actor known for past operations against Japan.

The attack begins with a phishing email containing a legitimate OneDrive link, leading to a ZIP file disguised as a benign document. Once opened, the file executes ROAMINGMOUSE, which stealthily installs an upgraded version of the ANEL backdoor. In some cases, another advanced backdoor called NOOPDOOR (also known as HiddenFace) is also deployed for persistent access and data exfiltration.

ROAMINGMOUSE uses several evasion techniques, including sandbox detection via mouse movement and custom encoding to conceal its payloads. The upgraded ANEL backdoor offers enhanced capabilities, such as privilege escalation, screenshot capture, and command execution through cmd.exe.

The campaign, which began in mid-2024, has primarily targeted individuals connected to national security and political institutions, exploiting weaker personal cybersecurity measures. Analysts believe the motivation behind the attack is strategic espionage and intelligence gathering.

Authorities urge heightened vigilance, improved endpoint protection, and regular monitoring for signs of compromise to defend against this ongoing threat.
