How to remove MirrorFace APT

What is MirrorFace APT

MirrorFace APT is a sophisticated cyber threat group believed to be linked to China, often referred to as Earth Kasha, and is thought to operate as a subgroup within the notorious APT10. This advanced persistent threat has been active since 2019, primarily targeting organizations, businesses, and individuals in Japan, with a focus on stealing information related to national security and advanced technology. MirrorFace employs a range of tools, including ANEL, LODEINFO, and NOOPDOOR (also known as HiddenFace), to execute their cyber-espionage campaigns. Over the years, the group has demonstrated its strategic interest by expanding its spear-phishing operations to other regions, such as Taiwan and India. Their attacks are characterized by sophisticated evasion techniques, such as using Visual Studio Code remote tunnels for covert communications and deploying malware within the Windows Sandbox environment to avoid detection. The persistent nature and evolving tactics of MirrorFace pose a significant threat to Japan’s national security, urging organizations to bolster their defenses against such advanced cyber threats. Authorities continue to monitor and respond to the group’s activities, emphasizing the importance of vigilance and robust cybersecurity measures.

How MirrorFace APT infected your system

MirrorFace APT, a subgroup believed to be linked to the notorious APT10, employs a sophisticated blend of tactics to infiltrate computers and networks. The group primarily utilizes spear-phishing campaigns to deliver malicious payloads, such as ANEL, LODEINFO, and NOOPDOOR, targeting organizations in critical sectors like academia, government, and technology. These spear-phishing emails are crafted to appear legitimate, often exploiting human error to trick recipients into executing the malware. Once inside a system, MirrorFace leverages advanced techniques, including the use of Visual Studio Code remote tunnels and Windows Sandbox environments, to maintain persistence and evade detection. By executing payloads within the Windows Sandbox, the malware can operate stealthily, avoiding antivirus and EDR systems, and erases all traces upon system shutdown. This combination of social engineering and technical acumen allows MirrorFace to conduct prolonged espionage operations, posing significant threats to national security and technological advancement.

1. Download MirrorFace APT Removal Tool
2. Use Windows Malicious Software Removal Tool to remove MirrorFace APT
3. Use Autoruns to remove MirrorFace APT
4. Files, folders and registry keys of MirrorFace APT
5. Other aliases of MirrorFace APT
6. How to protect from threats, like MirrorFace APT

Remove MirrorFace APT manually

Manual removal of MirrorFace APT by inexperienced users may become a difficult task because it does not create entries in Add/Remove Programs under Control Panel, does not install browser extensions, and uses random file names. However, there are pre-installed instruments in the Windows system, that allow you to detect and remove malware without using third-party applications. One of them is Windows Malicious Software Removal Tool. It comes with Windows Update in Windows 11, 10, 8. 8.1. For older operating system you can download it here: 64-bit version | 32-bit version.

Remove MirrorFace APT using Windows Malicious Software Removal Tool

1. Type mrt in the search box near Start Menu.
2. Run mrt clicking on found item.
3. Click Next button.
4. Choose one of the scan modes Quick scan, Full scan, Customize scan (Full scan recommended).
5. Click Next button.
6. Click on View detailed results of the scan link to view the scan details.
7. Click Finish button.

Remove MirrorFace APT using Autoruns

MirrorFace APT often sets up to run at Windows startup as an Autorun entry or Scheduled task.

1. Download Autoruns using this link.
2. Extract the archive and run Autoruns.exe file.
3. In Options menu make sure there are checkboxes near Hide Empty Locations, Hide Microsoft Entries, and Hide Windows Entries.
4. Search for suspicious entries with weird names or running from locations like: C:\{username}\AppData\Roaming.
5. Right-click on suspicious entry and choose Delete. This will prevent the threat to run at startup.
6. Switch to Scheduled Tasks tab and do the same.
7. To remove files themselves, click on suspicious entries and choose Jump to Entry…. Remove files or registry keys found.

Remove files, folder and registry keys of MirrorFace APT

MirrorFace APT files and folders


{randomname}.exe


MirrorFace APT registry keys


no information


Aliases of MirrorFace APT

How to protect from threats, like MirrorFace APT, in future

Standard Windows protection or any decent third-party antivirus (Norton, Avast, Kaspersky) should be able to detect and remove MirrorFace APT. However, if you got infected with MirrorFace APT with existing and updated security software, you may consider changing it. To feel safe and protect your PC from MirrorFace APT on all levels (browser, e-mail attachments, Word or Excel scripts, file system) we recommend a leading provider of internet security solutions – BitDefender. Its solutions both for home and business users proved to be one of the most advanced and effective. Choose and get your BitDefender protection via the button below:

Download BitDefender