HiddenFace is a modular backdoor developed and used exclusively by MirrorFace since at least 2021. HiddenFace can communicate both actively and passively and has been used against political and academic targets.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | HiddenFace can upload files from the victim machine to C2 nodes.[2][1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HiddenFace has the ability to decrypt its payload prior to execution.[4][1] |
| Enterprise | T1686.003 | Disable or Modify System Firewall: Windows Host Firewall | HiddenFace can reconfigure the Windows firewall to enable communication by adding a rule named "Cortana" that allows inbound connections to TCP/47000.[4][2] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | HiddenFace has used dynamic domain generation algorithms in C2.[4][2][3][1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | HiddenFace can use a randomly selected symmetric encryption algorithm for C2.[4] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | HiddenFace can use RSA-2048 in addition to symmetric algorithms in C2.[2] |
| Enterprise | T1480 | Execution Guardrails | HiddenFace can check for the presence of specific analysis tools and will terminate itself if they are found.[2] |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | HiddenFace can create a mutex to ensure only one instance is running at a time.[4] |
| Enterprise | T1190 | Exploit Public-Facing Application | HiddenFace has exploited vulnerabilities in FortiOS/FortiProxy devices for initial access.[4] |
| Enterprise | T1008 | Fallback Channels | HiddenFace can use active and passive C2 modes that use different encryption algorithms and backdoor commands.[2] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | HiddenFace can alter timestamps of directory contents on targeted machines.[4][2][1] |
| Enterprise | T1105 | Ingress Tool Transfer | HiddenFace can download files from the C2 to victim systems.[2][1] |
| Enterprise | T1112 | Modify Registry | HiddenFace can store its configuration file in the Registry.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | HiddenFace can use a custom TCP protocol over port 443 for C2.[4][2][1] |
| Enterprise | T1571 | Non-Standard Port | HiddenFace's passive mode listens on TCP 47000.[2][1] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | HiddenFace can dynamically resolve Windows APIs.[4][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | HiddenFace has encrypted its payload with AES.[4][1] |
| Enterprise | T1057 | Process Discovery | HiddenFace can check running processes against a list of blocklisted applications.[4] |
| Enterprise | T1055 | Process Injection | HiddenFace can inject code directly into legitimate applications.[1] |
| Enterprise | T1572 | Protocol Tunneling | HiddenFace can hide its C2 IP lookups by using DNS over HTTPS (DoH).[3] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | HiddenFace can act as an internal HTTP proxy within the targeted environment.[2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | HiddenFace has used scheduled tasks for execution and persistence.[4][2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | HiddenFace can identify processes associated with security applications and tooling.[4][2] |
| Enterprise | T1082 | System Information Discovery | HiddenFace can enumerate the hostname and username of the compromised system.[4][2][1] |
| Enterprise | T1033 | System Owner/User Discovery | HiddenFace can collect the username associated with the compromised host.[4] |
| Enterprise | T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | HiddenFace can execute a malicious XML file using MSBuild.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | HiddenFace can sleep randomly between 30 and 60 seconds to avoid behavioral analysis.[4] |
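The two passive-mode artifacts in the table (an inbound "Cortana" firewall rule for TCP/47000 and a listener on TCP 47000) can be checked on a single Windows host with the following hunting script. It is an added example, not code from the ATT&CK page or from the reports it cites; the variable names and the decision to flag any inbound allow rule for the port, not only one named "Cortana", are this example's own choices.

```powershell
# Added hunting example: not code from the ATT&CK page or the HiddenFace reports it cites.
# Looks for the passive-mode artifacts the table describes on one Windows host:
#   - an inbound "Allow" firewall rule opening TCP/47000 (the reported rule is named "Cortana")
#   - a process currently listening on TCP 47000
# Run in an elevated PowerShell session. Port and rule name come from the table above.

$SuspectPort     = 47000
$SuspectRuleName = 'Cortana'
$findings        = @()

# 1. Inbound allow rules that open the port, whatever they are called.
Get-NetFirewallRule -Direction Inbound -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    # LocalPort is a string or string[] such as 'Any', '47000' or '47000-47010';
    # only an exact port entry is matched here, ranges and 'Any' are ignored.
    if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$SuspectPort")) {
        # Windows ships legitimate rules for the Cortana app, so the name alone is not
        # evidence; the name combined with this port is what the report describes.
        $note = if ($rule.DisplayName -eq $SuspectRuleName) { 'name matches reported rule' } else { '' }
        $findings += [pscustomobject]@{
            Kind   = 'FirewallRule'
            Detail = "$($rule.DisplayName) [$($rule.Name)] allows inbound TCP/$SuspectPort"
            Note   = $note
        }
    }
}

# 2. Anything listening on the port right now, with its owning process.
Get-NetTCPConnection -State Listen -LocalPort $SuspectPort -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $note = if ($proc -and $proc.Path) { $proc.Path } else { 'process path unavailable' }
    $findings += [pscustomobject]@{
        Kind   = 'Listener'
        Detail = "PID $($_.OwningProcess) ($($proc.ProcessName)) listening on $($_.LocalAddress):$SuspectPort"
        Note   = $note
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No inbound TCP/$SuspectPort firewall rule or listener found."
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on either check is worth correlating with the other table rows (scheduled tasks, a configuration value in the Registry, DoH traffic from an unexpected process) before treating it as a HiddenFace indicator.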
| ID | Name | Description |
|---|---|---|
| C0060 | Operation AkaiRyū | During Operation AkaiRyū, MirrorFace used HiddenFace.[5][6] |