ANELLDR

ANELLDR, a loader that has been in use since at least 2018, was designed to decrypt and execute UPPERCUT in memory. ANELLDR can use anti-analysis techniques and is known to share code overlap with HiddenFace.[1][2]

ID: S9027
Type: MALWARE
Platforms: Windows
Contributors: Dominik Breitenbacher, ESET
Version: 1.0
Created: 19 April 2026
Last Modified: 24 April 2026

Techniques Used

Domain | ID | Name | Use

Enterprise | T1622 | Debugger Evasion

ANELLDR can call ZwSetInformationThread with the second argument set to ThreadHideFromDebugger (0x11) to evade being debugged.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

ANELLDR can decrypt encrypted payload data using AES-256-CBC and subsequently execute the payload in memory.[1]

Enterprise | T1083 | File and Directory Discovery

ANELLDR can enumerate files in the current directory to search for encrypted payload files.[1]

Enterprise | T1574.001 | Hijack Execution Flow: DLL

ANELLDR can be side-loaded by a legitimate application to initiate execution.[1]

Enterprise | T1106 | Native API

ANELLDR can call the native API ZwSetInformationThread to hide its thread from debuggers.[1]

Enterprise | T1027 | Obfuscated Files or Information

ANELLDR code implements anti-analysis techniques including control flow flattening and Mixed Boolean Arithmetic (MBA).[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

ANELLDR can update its AES-256-CBC encryption key and re-encrypt its payload, overwriting the original payload file with the newly encrypted data.[1]

Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion

ANELLDR can use junk code to obfuscate its payload.[1]

Groups That Use This Software

ID | Name | References

G1054 | MirrorFace | [1][2]

Campaigns

ID | Name | Description

C0060 | Operation AkaiRyū

ANELLDR was used in Operation AkaiRyū as part of UPPERCUT infection chains.[1][2]

References