S9022: MirrorStealer
MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.[1]
Analyst context for executives and security teams
MirrorStealer matters because it is documented as Windows credential-stealing malware focused on credentials from applications such as browsers and email clients. For leaders, the business issue is not only malware execution; it is whether stolen user credentials could let an intruder continue operations, access email, move laterally, or create incident-response uncertainty after the initial host is contained.
Executive priority
Prioritize validation of credential-theft resilience on Windows endpoints: browser and email-client credential storage exposure, Group Policy Preferences credential hygiene, and evidence that SOC and IR teams can identify local staging and credential-access activity. Because ATT&CK notes delivery directly into system memory via commands from LODEINFO, leaders should ask whether endpoint monitoring and response playbooks can handle in-memory malware scenarios where few traditional file artifacts may exist.
Technical view
ATT&CK lists MirrorStealer as Windows malware with relationships to Local Data Staging, Group Policy Preferences credential access, Credentials from Password Stores, and Credentials from Web Browsers. Detection engineering should therefore validate visibility around suspicious access to browser and email credential stores, attempts to read SYSVOL/GPP credential material, creation or aggregation of locally staged data, and process behavior consistent with memory-delivered tooling. Since no official ATT&CK detection guidance is provided, local baselining and incident-derived telemetry are required.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- EDR memory and behavioral detections for in-memory execution patterns
- File access telemetry for browser, email-client, and password-store locations
- Windows file/share access logs for SYSVOL and Group Policy Preferences paths where available
- Local file creation, copy, archive, or staging activity on endpoints
Detection direction
- Validate alerts for unusual processes accessing browser or email-client credential stores, not only known malware filenames.
- Monitor for access to Group Policy Preferences credential artifacts in SYSVOL, with tuning for legitimate administrative activity.
- Look for local staging patterns: unusual aggregation of files, temporary directories, or collections of credential-related data before exfiltration.
- Account for the ATT&CK-noted memory delivery via LODEINFO commands by reviewing whether detections depend too heavily on malware files on disk.
- Correlate credential-store access with identity events, especially suspicious logons or access from newly exposed accounts.
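To make the detection directions above concrete, here is an added triage example (not part of the ATT&CK object or Glexia's analysis) that runs over constructed, time-ordered Windows file-access events: it flags browser/email credential-store reads by unexpected images, Group Policy Preferences XML reads under SYSVOL, and a `%TEMP%` write only when the same process already touched credential material. The event schema, file-name patterns and process allow-lists are assumptions to tune against your own telemetry.

```python
"""Triage constructed, time-ordered Windows file-access events (assumed schema:
pid, image, path, action) for MirrorStealer-style credential theft and staging."""
import re
from typing import Dict, List

# Credential-store file names of common browsers/email clients (assumption).
CRED_STORE_RE = re.compile(r"\\(Login Data|Web Data|logins\.json|key4\.db)$", re.I)
CRED_STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}
# Group Policy Preferences XML under SYSVOL; only the Group Policy client is
# expected to read it (allow-list is an assumption, tune per fleet).
GPP_RE = re.compile(r"\\SYSVOL\\.*\\Preferences\\.*\.xml$", re.I)
GPP_READERS = {"gpupdate.exe", "svchost.exe"}
# Local staging location; the page records %TEMP%\31558.txt for T1074.001.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag credential-store/GPP reads by unexpected images, and a %TEMP% write
    only when the same pid already made such a read (staging correlation)."""
    findings, suspect_pids = [], set()
    for ev in events:
        img, path, pid, act = basename(ev["image"]), ev["path"], ev["pid"], ev["action"]
        if act == "read" and CRED_STORE_RE.search(path) and img not in CRED_STORE_OWNERS:
            hit = "T1555/T1555.003"
            suspect_pids.add(pid)
        elif act == "read" and GPP_RE.search(path) and img not in GPP_READERS:
            hit = "T1552.006"
            suspect_pids.add(pid)
        elif act == "write" and TEMP_RE.search(path) and pid in suspect_pids:
            hit = "T1074.001"
        else:
            continue
        findings.append({"technique": hit, "pid": pid, "image": img, "path": path})
    return findings

# Constructed sample: pid 7788 (rundll32.exe) reads Chrome's Login Data and a GPP
# Groups.xml, then writes %TEMP%\31558.txt; the other three events are benign.
CHROME_LOGIN = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"
GPP_XML = r"\\dc1\SYSVOL\corp.example\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml"
SAMPLE_EVENTS = [
    {"pid": "4120", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": CHROME_LOGIN, "action": "read"},
    {"pid": "7788", "image": r"C:\Windows\System32\rundll32.exe", "path": CHROME_LOGIN, "action": "read"},
    {"pid": "7788", "image": r"C:\Windows\System32\rundll32.exe", "path": GPP_XML, "action": "read"},
    {"pid": "7788", "image": r"C:\Windows\System32\rundll32.exe", "path": r"C:\Users\a\AppData\Local\Temp\31558.txt", "action": "write"},
    {"pid": "900", "image": r"C:\Windows\System32\svchost.exe", "path": GPP_XML, "action": "read"},
    {"pid": "5000", "image": r"C:\Windows\System32\notepad.exe", "path": r"C:\Users\a\AppData\Local\Temp\notes.txt", "action": "write"},
]
```

Calling `triage(SAMPLE_EVENTS)` yields three findings, all for pid 7788, in the order T1555/T1555.003, T1552.006, T1074.001; the benign Chrome, svchost and notepad events produce nothing.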
Mitigation priorities
- Reduce credential material available to steal: remove exposed or legacy Group Policy Preferences credentials and review administrative credential handling.
- Harden endpoint credential storage practices for browsers, email clients, and password stores according to enterprise policy.
- Ensure Windows EDR coverage includes behavioral monitoring, memory-relevant investigation capability, and process/file telemetry retention.
- Prepare IR procedures for credential-theft cases, including password resets, token/session review where applicable, and scoping of applications whose credentials may have been exposed.
- Use least privilege and identity monitoring to limit business impact if credentials are captured.
Analyst notes and limits
This take is based on the ATT&CK S9022 object and its listed relationships. The object states MirrorStealer has been used by MirrorFace since at least 2022 and has been delivered into memory via LODEINFO commands. The most decision-relevant defensive areas are Windows endpoint visibility, credential-store exposure, GPP hygiene, and local staging detection.
ATT&CK provides no official detection text, no aliases, and no explicit tactics on the malware object itself. Specific indicators, file paths, command lines, and customer exposure cannot be inferred from the supplied fields. Organizations must validate relevance against their Windows fleet, browser/email-client mix, identity architecture, and available telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | MirrorStealer has the ability to steal credentials from email clients. [ESET MirrorFace DEC 2022] [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1552.006 | Group Policy Preferences (sub-technique) | MirrorStealer can target Group Policy Preferences for credentials. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | MirrorStealer has stored stolen credentials on the local machine in `%TEMP%\31558.txt`. [ESET MirrorFace DEC 2022] |
| Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | MirrorStealer can steal credentials stored in browsers. [ESET MirrorFace DEC 2022] [Trend Micro Earth Kasha NOV 2024] |
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9867a45aa3f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET MirrorFace DEC 2022: Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.
[2] mitre-attack S9022.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.