MirrorStealer

MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.^[1]

ID: S9022

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Dominik Breitenbacher, ESET

Version: 1.0

Created: 17 April 2026

Last Modified: 24 April 2026

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1555		Credentials from Password Stores	MirrorStealer has the ability to steal credentials from email clients.^[1]^[2]
		.003	Credentials from Web Browsers	MirrorStealer can steal credentials stored in browsers.^[1]^[2]
Enterprise	T1074	.001	Data Staged: Local Data Staging	MirrorStealer has stored stolen credentials on the local machine in `%TEMP%\31558.txt`.^[1]
Enterprise	T1552	.006	Unsecured Credentials: Group Policy Preferences	MirrorStealer can target Group Policy Preferences for credentials.^[2]

Groups That Use This Software

ID	Name	References
G1054	MirrorFace	MirrorFace has used MirrorStealer to harvest credentials.^[1]

References

Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.

Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.

MirrorStealer

Enterprise Layer

Techniques Used

Groups That Use This Software

References