S9020: LODEINFO
LODEINFO is a fileless backdoor malware first identified in 2020 that has been used by actors including MirrorFace, primarily against media, diplomatic, governmental, and public sector organizations in Japan.[1][2][3]
Analyst context for executives and security teams
LODEINFO is a Windows fileless backdoor that ATT&CK associates with MirrorFace, with reporting focused on Japanese media, diplomatic, governmental, and public-sector targets. Its practical significance is not just malware presence: the mapped behaviors cover stealth, discovery, collection, credential capture, tool transfer, command-and-control, and exfiltration over C2, which means defenders should validate whether endpoint, network, and investigation telemetry can reconstruct activity even when few traditional files are left behind.
Executive priority
Treat LODEINFO as a readiness test for high-consequence espionage-style intrusions against Windows environments. Priority questions are: can the organization detect fileless or memory-resident activity, WMI abuse, process injection, local discovery, data staging, and exfiltration over C2; can incident responders scope affected hosts without relying only on recovered malware files; and can security teams produce audit-quality evidence that monitoring and egress controls cover sensitive business, government, diplomatic, or public-sector workflows where relevant.
Technical view
ATT&CK provides no official detection text for S9020, so coverage should be validated from the related techniques. On Windows, focus on behavioral chains: WMI execution, Native API use, dynamic API resolution, process injection, obfuscated/encoded/compressed content, junk code or junk C2 data, host and network discovery, file and directory enumeration, local data staging, keylogging or screen capture behavior, file deletion, ingress tool transfer, and exfiltration over the existing C2 channel. Detection engineering should emphasize correlation across endpoint memory/process telemetry, Windows management activity, file-system activity, and network egress rather than single static indicators.
Likely telemetry
- EDR or equivalent endpoint telemetry for process creation, process injection, memory allocation patterns, module/API usage, and suspicious child-process relationships
- Windows Management Instrumentation activity, including WMI process execution and remote/local management events
- File-system telemetry for enumeration, staging directories, compressed or encoded artifacts, tool transfer, and deletion of recently created files
- Network telemetry from proxy, firewall, DNS, TLS metadata, and egress monitoring for unusual C2-like sessions, data transfer, and protocol content anomalies such as junk data where observable
- Host discovery evidence such as network configuration queries, process discovery, system information discovery, user discovery, remote system discovery, and system time checks
Detection direction
- Build detections around sequences, not only malware names: discovery followed by staging, C2 communication, tool transfer, collection, and exfiltration is more decision-useful than a single weak signal.
- Validate WMI monitoring depth because T1047 is explicitly mapped and WMI often overlaps with legitimate administration; tune by administrator context, destination, command content, and unusual timing.
- Review endpoint capability for fileless and memory behaviors, including process injection and dynamic API resolution; static file scanning alone is unlikely to be sufficient for a fileless backdoor profile.
- Use network analytics to look for persistent or unusual outbound channels and exfiltration over the same channel used for command-and-control; account for the mapped use of junk data that may reduce simple pattern-matching value.
- Treat obfuscation, compression, encoded files, and file deletion as supporting evidence. These behaviors can be legitimate, so prioritize correlation with execution, discovery, staging, or outbound transfer.
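As an added illustration of the sequence-based approach above (example code written for this page, not part of the ATT&CK object or Glexia's analysis), the following Python sketch tags constructed endpoint events with the mapped stages and alerts only when discovery plus supporting stages precede a qualifying egress on one host. The event format, stage regexes, window and byte threshold are assumptions to be adapted to a real EDR schema.

```python
import re
from collections import defaultdict
# Constructed endpoint events, not real telemetry: (epoch seconds, host, source, detail)
EVENTS = [
    (1000, "ws01", "process", "parent=WmiPrvSE.exe image=cmd.exe cmd=net view /domain"),
    (1120, "ws01", "file", "op=create path=C:\\Users\\u\\AppData\\Local\\Temp\\ck.bin"),
    (1200, "ws01", "net", "dst=203.0.113.10:443 bytes_out=5242880"),
    (1210, "ws01", "file", "op=delete path=C:\\Users\\u\\AppData\\Local\\Temp\\ck.bin"),
    (1000, "ws02", "process", "parent=explorer.exe image=cmd.exe cmd=net view"),
    (1200, "ws02", "net", "dst=198.51.100.5:443 bytes_out=2097152"),
]
# Each mapped behaviour becomes a stage: (telemetry source, regex over the detail field).
STAGE_RULES = {
    "wmi_exec": ("process", r"parent=WmiPrvSE\.exe"),               # T1047
    "discovery": ("process", r"cmd=(net view|whoami|systeminfo)"),  # T1018 / T1033 / T1082
    "staging": ("file", r"op=create path=.*\\Temp\\"),               # T1074.001
    "egress": ("net", r"bytes_out=(\d+)"),                           # T1041
    "cleanup": ("file", r"op=delete path=.*\\Temp\\"),               # T1070.004
}
EGRESS_MIN_BYTES = 1_000_000  # assumed threshold; tune to the environment's baseline

def classify(event):
    """Return the set of stages an event satisfies (one event may hit several)."""
    _, _, source, detail = event
    hits = set()
    for stage, (src, pattern) in STAGE_RULES.items():
        m = re.search(pattern, detail)
        if source != src or m is None:
            continue
        if stage == "egress" and int(m.group(1)) < EGRESS_MIN_BYTES:
            continue  # small outbound transfers are noise, not an egress signal
        hits.add(stage)
    return hits

def detect_chains(events, window=900, grace=60):
    """Alert per host when discovery and 2+ other stages surround a qualifying egress."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append((ev[0], classify(ev)))
    alerts = {}
    for host, tagged in by_host.items():
        for ts, stages in tagged:
            if "egress" not in stages:
                continue
            seen = set()
            for t0, s0 in tagged:  # look back `window` seconds, and `grace` after for cleanup
                if ts - window <= t0 <= ts + grace:
                    seen |= s0
            if "discovery" in seen and len(seen) >= 3:
                alerts[host] = sorted(seen)
    return alerts
```

Host ws02 shows a single discovery command followed by a large upload and does not alert, which is the intended behavior: it is a weak signal on its own and belongs in triage, not in a high-confidence alert.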
Mitigation priorities
- Prioritize visibility first: ensure Windows endpoint, WMI, file-system, and network egress logs are collected, retained, and searchable for incident response scoping.
- Harden and monitor administrative execution paths such as WMI, limiting use to expected administrators and systems where operationally feasible.
- Strengthen egress control and monitoring so unknown outbound command-and-control or exfiltration channels are more likely to be blocked, alerted, or investigated.
- Reduce collection and credential risk by applying least privilege, protecting sensitive local data, and monitoring access to high-value files and user input/screen capture behaviors where supported.
- Prepare IR playbooks for fileless backdoor investigations, including memory acquisition, timeline reconstruction, C2 scoping, staged-data searches, and review of file deletion activity.
Analyst notes and limits
The strongest defensive value comes from the relationship set: LODEINFO is mapped to multiple discovery, stealth, collection, execution, C2, exfiltration, and cleanup techniques. The MirrorFace relationship and official description provide threat-intelligence context, especially around Japanese public-sector and related organizations, but local risk should be determined by the organization’s geography, mission, exposed Windows estate, and data sensitivity.
MITRE does not provide official detection text, aliases, labels, or malware tactics for this object in the supplied fields. The object platform is Windows, while several related techniques list broader platforms; this take therefore focuses on Windows-relevant validation. No claim is made here about current activity, customer exposure, guaranteed detection, or exploitation beyond the supplied ATT&CK description and relationships.
LODEINFO
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion Sub-technique | LODEINFO can delete files to remove traces of activity from victim systems. (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1057 | Process Discovery | LODEINFO can kill a process using a specific process ID. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1001.001 | Junk Data Sub-technique | LODEINFO can append C2 communication with randomly generated junk data. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) |
| Enterprise | T1486 | Data Encrypted for Impact | LODEINFO can incorporate a ransom command to encrypt specified files and folders. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1574.001 | DLL Sub-technique | LODEINFO can use legitimate EXE files to sideload malicious DLLs. (Citation: Kaspersky LODEINFO OCT 2022) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | LODEINFO has collected stolen web cookies locally in the `%TEMP%` folder. (Citation: ESET MirrorFace DEC 2022) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | LODEINFO can encrypt C2 communication with a hardcoded (NV4HDOeOVyL) Vigenere cipher key. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1018 | Remote System Discovery | LODEINFO can run `net view` and `net view /domain` for network discovery. (Citation: ESET MirrorFace DEC 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | LODEINFO has the ability to download additional files from the C2. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1480 | Execution Guardrails | LODEINFO can halt execution if the "en_US" locale is identified on a victim's machine. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1047 | Windows Management Instrumentation | LODEINFO can execute commands with WMI. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | LODEINFO can exfiltrate collected credentials and browser cookies to the C2 server. (Citation: ESET MirrorFace DEC 2022) |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | LODEINFO can look for the "en_US" locale on the victim's machine. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1027.015 | Compression Sub-technique | LODEINFO components have been compressed with zip for delivery. (Citation: Kaspersky LODEINFO OCT 2022) |
| Enterprise | T1056.001 | Keylogging Sub-technique | LODEINFO can capture keystrokes on targeted systems. (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | LODEINFO has inserted junk code to obstruct code analysis. (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | The LODEINFO loader module contains XOR-encrypted shellcode. (Citation: Kaspersky LODEINFO OCT 2022) (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1113 | Screen Capture | LODEINFO has the ability to take screenshots. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | LODEINFO has been distributed to targeted victims via malicious email attachments. (Citation: Kaspersky LODEINFO OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | LODEINFO can use a hashing algorithm to dynamically resolve API function addresses. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1124 | System Time Discovery | LODEINFO can capture system time to send to the C2. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1082 | System Information Discovery | LODEINFO can discover machine information including OS architecture, the ANSI code page (ACP) identifier, and hostname. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1055 | Process Injection | LODEINFO can inject shellcode into the memory of compromised hosts. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1204.002 | Malicious File Sub-technique | LODEINFO has been executed via victims opening malicious email attachments. (Citation: Kaspersky LODEINFO OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1106 | Native API | LODEINFO can use Windows APIs such as `VirtualAllocEx()`, `WriteProcessMemory()`, `CreateRemoteThread()`, `NtAllocateVirtualMemory()`, `NtWriteVirtualMemory()`, and `RtlCreateUserThread()` to enable memory injection of shellcode. (Citation: Kaspersky LODEINFO Part II OCT 2022) |
| Enterprise | T1016 | System Network Configuration Discovery | LODEINFO can enumerate the MAC address of the compromised host. (Citation: Kaspersky LODEINFO OCT 2022) |
| Enterprise | T1005 | Data from Local System | LODEINFO can upload files from infected hosts to the C2. (Citation: Kaspersky LODEINFO Part II OCT 2022) (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | LODEINFO has used Registry run keys to set persistence. (Citation: ESET MirrorFace DEC 2022) (Citation: Trend Micro Earth Kasha NOV 2024) |
| Enterprise | T1083 | File and Directory Discovery | LODEINFO has the ability to designate specific files and folders for encryption. (Citation: ESET MirrorFace DEC 2022) (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1033 | System Owner/User Discovery | LODEINFO can identify the associated username on targeted machines. (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1027 | Obfuscated Files or Information | LODEINFO has used control flow flattening to obfuscate code. (Citation: ITOCHU LODEINFO JAN 2024) |
| Enterprise | T1539 | Steal Web Session Cookie | LODEINFO can list the contents of `%LocalAppData%\Google\Chrome\User Data\` and `%LocalAppData%\Microsoft\Edge\User Data\` to obtain cookies. (Citation: ESET MirrorFace DEC 2022) |
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e2cf2915db8e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky LODEINFO OCT 2022: Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part I. Retrieved April 17, 2026.
[2] ITOCHU LODEINFO JAN 2024: ITOCHU. (2024, January 24). The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis. Retrieved April 17, 2026.
[3] ESET MirrorFace DEC 2022: Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.
[4] mitre-attack S9020: MITRE ATT&CK source object for S9020.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.