<— Back

Behind the MirrorFace mask: LODEINFO malware interfering with Japanese elections

In the weeks leading up to the Japanese House of Councillors election in July 2022, the APT group that ESET researchers track as MirrorFace launched a spearphishing campaign against Japanese political entities. Impersonating the Liberal Democratic Party’s PR department, the malicious actors prompted email recipients – among them party members – to spread attached videos on social media on behalf of Fumio Kishida, the party’s president. Not recognizing the malicious nature of the attachments, which were actually Windows executables, some recipients even unintentionally helped the threat actor to spread the emails by forwarding them to other party members. Once the email attachment was opened, LODEINFO malware – in use since 2019 and exclusively against Japanese entities – was executed, opening the door for the threat actor to move to the next stage of the attack.

In our presentation, we will introduce the audience to the MirrorFace APT group, a threat actor exclusively targeting Japanese entities with the LODEINFO malware. Then, we will move on to a detailed description of the campaign against Japanese political entities. In the process, we will unearth MirrorFace tactics and procedures that haven’t been published in detail before. We will close up the presentation by describing the evolution of the LODEINFO malware over the past few years by pointing out the changes in the malware’s capabilities.

Dominik Breitenbacher

Dominik is a malware researcher at ESET. Coming from academia, Dominik joined ESET in 2019 to track activities of APT groups. In particular, Dominik tracks Kimsuky, Operation In(ter)ception and MirrorFace. In his spare time, Dominik plays video games and watches bad movies.