LODEINFO

LODEINFO is a fileless backdoor malware first identified in 2020 that has been used by actors including MirrorFace, primarily against media, diplomatic, governmental, and public sector organizations in Japan.[1][2][3]

ID: S9020
Type: MALWARE
Platforms: Windows
Contributors: Dominik Breitenbacher, ESET
Version: 1.0
Created: 17 April 2026
Last Modified: 24 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LODEINFO has used Registry run keys to set persistence.[3][4]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

LODEINFO can use VBA to drop malicious components on targeted hosts.[1]

Enterprise T1486 Data Encrypted for Impact

LODEINFO can incorporate a ransom command to encrypt specified files and folders.[5][3][2]

Enterprise T1005 Data from Local System

LODEINFO can upload files from infected hosts to the C2.[5][3][2]

Enterprise T1001 .001 Data Obfuscation: Junk Data

LODEINFO can append randomly generated junk data to its C2 communication.[5][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

LODEINFO has collected stolen web cookies locally in the %TEMP% folder.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

LODEINFO can encrypt C2 communication with a hardcoded Vigenère cipher key (NV4HDOeOVyL).[5]

Enterprise T1480 Execution Guardrails

LODEINFO can halt execution if the "en_US" locale is identified on a victim's machine.[5]

Enterprise T1041 Exfiltration Over C2 Channel

LODEINFO can exfiltrate collected credentials and browser cookies to the C2 server.[3]

Enterprise T1083 File and Directory Discovery

LODEINFO has the ability to designate specific files and folders for encryption.[3][2]

Enterprise T1574 .001 Hijack Execution Flow: DLL

LODEINFO can use legitimate EXE files to sideload malicious DLLs.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

LODEINFO can delete files to remove traces of activity from victim systems.[2]

Enterprise T1105 Ingress Tool Transfer

LODEINFO has the ability to download additional files from the C2.[5][3][2]

Enterprise T1056 .001 Input Capture: Keylogging

LODEINFO can capture keystrokes on targeted systems.[3][2][4]

Enterprise T1106 Native API

LODEINFO can use Windows APIs such as VirtualAllocEx(), WriteProcessMemory(), CreateRemoteThread(), NtAllocateVirtualMemory(), NtWriteVirtualMemory(), and RtlCreateUserThread() to enable memory injection of shellcode.[5]

Enterprise T1027 Obfuscated Files or Information

LODEINFO has used control flow flattening to obfuscate code.[2]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

LODEINFO can use a hashing algorithm to dynamically resolve API function addresses.[5]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The LODEINFO loader module contains XOR-encrypted shellcode.[1][5][2]

Enterprise T1027 .015 Obfuscated Files or Information: Compression

LODEINFO components have been compressed with zip for delivery.[1]

Enterprise T1027 .016 Obfuscated Files or Information: Junk Code Insertion

LODEINFO has inserted junk code to obstruct code analysis.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

LODEINFO has been distributed to targeted victims via malicious email attachments.[1][3][2]

Enterprise T1057 Process Discovery

LODEINFO can kill a process using a specific process ID.[5][2]

Enterprise T1055 Process Injection

LODEINFO can inject shellcode into the memory of compromised hosts.[5][3][2]

Enterprise T1018 Remote System Discovery

LODEINFO can run net view and net view /domain for network discovery.[3]

Enterprise T1113 Screen Capture

LODEINFO has the ability to take screenshots.[5][3][2]

Enterprise T1539 Steal Web Session Cookie

LODEINFO can list the contents of %LocalAppData%\Google\Chrome\User Data\ and %LocalAppData%\Microsoft\Edge\User Data\ to obtain cookies.[3]

Enterprise T1082 System Information Discovery

LODEINFO can discover machine information including OS architecture, the ANSI code page (ACP) identifier, and hostname.[5][2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

LODEINFO can look for the "en_US" locale on the victim's machine.[5]

Enterprise T1016 System Network Configuration Discovery

LODEINFO can enumerate the MAC address of the compromised host.[1]

Enterprise T1033 System Owner/User Discovery

LODEINFO can identify the associated username on targeted machines.[2]

Enterprise T1124 System Time Discovery

LODEINFO can capture system time to send to the C2.[5]

Enterprise T1204 .002 User Execution: Malicious File

LODEINFO has been executed via victims opening malicious email attachments.[1][3][2]

Enterprise T1047 Windows Management Instrumentation

LODEINFO can execute commands with WMI.[5][2]

Groups That Use This Software

ID Name References
G1054 MirrorFace [1][2]

References