S9023: HiddenFace
HiddenFace is a modular backdoor developed and used exclusively by MirrorFace since at least 2021. HiddenFace can communicate both actively and passively and has been used against political and academic targets.[1][2][3]
Analyst context for executives and security teams
HiddenFace matters because it is described by ATT&CK as a Windows modular backdoor used exclusively by MirrorFace since at least 2021, with reported use against political and academic targets. For leaders, the key issue is not one malware name; it is whether the organization can recognize and investigate a stealthy backdoor that may use persistence, discovery, obfuscation, process injection, registry changes, and resilient command-and-control behaviors.
Executive priority
Prioritize HiddenFace as a validation case for Windows endpoint visibility, egress monitoring, and incident response readiness. The ATT&CK relationships show behaviors that can affect business continuity and evidence quality: scheduled-task persistence, registry modification, local data collection, tool transfer, fallback channels, tunneling, non-standard ports, and DGA-style C2. Executives should ask whether SOC and IR teams can prove coverage for these behavior classes, especially in politically sensitive, academic, public-sector, or Japan/Central Europe-facing risk contexts referenced by the related campaign and group descriptions.
Technical view
ATT&CK provides no official detection text for HiddenFace, so defenders should build coverage from the related techniques. On Windows, validate telemetry and analytics for scheduled task creation or modification, registry modifications, process injection indicators, user/system/process/security-software discovery, timestomping, mutex or execution-guardrail behavior, decoding/deobfuscation activity, file ingress, and unusual command-and-control patterns. Network validation should include fallback channels, internal proxying, non-application-layer or tunneled communications, DGA-like domain activity, and protocol/port mismatches. Treat detections as behavior-based rather than name-based because the object is described as modular and includes multiple stealth and C2-related relationships.
Likely telemetry
- Windows endpoint process creation and command-line telemetry (Security 4688 or Sysmon Event ID 1)
- Windows scheduled task creation, modification, and execution events (Security 4698/4702 and the TaskScheduler operational log)
- Windows Registry modification telemetry (Sysmon Event ID 12/13, or object-access auditing on the key paths used for configuration storage)
- Windows Firewall rule additions and changes (Security 4946/4947 or the Windows Firewall with Advanced Security operational log), given the reported inbound allow rule for TCP/47000
- Endpoint detection events related to process injection or suspicious cross-process activity (Sysmon Event ID 8/10)
- File creation, modification time, and timestamp anomaly evidence, including $STANDARD_INFORMATION versus $FILE_NAME comparison when timestomping is suspected
- Network connection and DNS telemetry (Sysmon Event ID 3/22), including new inbound listeners, TCP/443 traffic that is not TLS, DoH resolver use, and high-entropy domain queries
Detection direction
- Because ATT&CK lists no official detection guidance, start with coverage mapping against the related techniques rather than assuming malware-signature detection is sufficient.
- Tune Windows persistence analytics around scheduled tasks and registry changes, separating legitimate administration and software deployment from unusual task names, paths, users, or execution timing.
- Correlate discovery activity, such as user, system, process, and security software discovery, with later persistence, C2, file transfer, or collection behavior to reduce false positives.
- Validate network analytics for protocol/port mismatches, tunneling, DGA-like DNS behavior, internal proxy patterns, and fallback communications rather than relying only on known indicators.
- Account for stealth behaviors including dynamic API resolution, encrypted or encoded files, deobfuscation, process injection, timestomping, execution guardrails, mutex checks, and time-based checks, which can reduce static-analysis and sandbox confidence.
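The following is an added example, not code from this page or from any of the cited ESET, Trend Micro or JPCERT reports. It is a small Python hunt over constructed Windows events that applies three of the checks above: scheduled tasks registered from user-writable paths (Security 4698), DGA-like domains scored by label entropy, and DoH resolver lookups from non-browser processes (Sysmon Event ID 22). The flattened event field names, the thresholds, the DoH resolver list, the browser allowlist and the sample events are all assumptions for the example and should be mapped to your own schema and tuned before use.

```python
import math
from collections import Counter

# Constructed sample events for this example, not real telemetry. The flattened
# field names (image, query, task_name, ...) are assumptions; map them to your
# SIEM schema. Event IDs: Security 4698 = scheduled task created, Sysmon 22 = DNS query.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4698, "user": "CORP\\svc-deploy",
     "task_name": "\\Microsoft\\Windows\\SCCM\\Deploy", "image": "C:\\Windows\\CCM\\ccmexec.exe"},
    {"source": "Security", "event_id": 4698, "user": "CORP\\jdoe",
     "task_name": "\\WindowsUpdateCheck", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"source": "Sysmon", "event_id": 22, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "query": "www.mozilla.org"},
    {"source": "Sysmon", "event_id": 22, "image": "C:\\Windows\\System32\\svchost.exe",
     "query": "q7x2kd9mz1ptr4ws.com"},
    {"source": "Sysmon", "event_id": 22, "image": "C:\\Windows\\System32\\rundll32.exe",
     "query": "dns.google"},
]

# Heuristic markers, allowlists and thresholds; all are assumptions to tune per environment.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
BROWSER_IMAGES = ("firefox.exe", "chrome.exe", "msedge.exe")


def shannon_entropy(text):
    """Bits of entropy per character; high values suggest generated labels."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label of a domain (naive: ignores public-suffix rules)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(domain, min_len=12, min_entropy=3.5):
    """Long, high-entropy second-level labels are treated as DGA candidates."""
    label = registrable_label(domain)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def check_scheduled_task(ev):
    """Flag task registrations whose action binary lives in a user-writable path."""
    if ev.get("event_id") != 4698:
        return None
    image = ev.get("image", "").lower()
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        return {"technique": "T1053.005", "event_id": 4698,
                "reason": f"task {ev['task_name']} runs from user-writable path {ev['image']}"}
    return None


def check_dns(ev):
    """Flag DGA-like queries and DoH resolver lookups from non-browser processes."""
    if ev.get("event_id") != 22:
        return None
    query, image = ev.get("query", ""), ev.get("image", "").lower()
    if is_dga_like(query):
        return {"technique": "T1568.002", "event_id": 22,
                "reason": f"DGA-like domain {query} queried by {ev['image']}"}
    if query.lower() in DOH_RESOLVERS and not image.endswith(BROWSER_IMAGES):
        return {"technique": "T1572", "event_id": 22,
                "reason": f"DoH resolver {query} resolved by non-browser {ev['image']}"}
    return None


def hunt(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in (check_scheduled_task, check_dns):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["technique"], finding["reason"])
```

Run against the constructed events, the hunt returns three findings: the task registered from a Temp directory, the sixteen-character high-entropy domain, and a DoH resolver lookup from rundll32.exe. The entropy rule is deliberately crude (it ignores public-suffix handling and will fire on some legitimate CDN labels), and DoH use by a browser is normal, so the value is in the correlation step the bullets above describe, not in any single rule.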
Mitigation priorities
- Confirm baseline Windows hardening and least-privilege controls for persistence-sensitive areas such as scheduled tasks and Registry keys.
- Ensure endpoint protection and EDR policies collect the telemetry needed for process injection, discovery, persistence, file modification, and suspicious execution analysis.
- Restrict and monitor unnecessary outbound traffic, non-standard ports, tunneled protocols, and unusual DNS behavior through egress controls and network logging.
- Strengthen IR playbooks for backdoor investigations, including preservation of endpoint timelines, task scheduler data, Registry hives, DNS history, proxy/firewall logs, and downloaded files.
- Use detection engineering exercises or purple-team validation to test the related ATT&CK behaviors without assuming the organization can detect HiddenFace by name.
Analyst notes and limits
HiddenFace is a malware/software object in ATT&CK Enterprise with Windows as the supplied platform. The strongest defensive value comes from its relationship set: collection from local systems, persistence through scheduled tasks and registry modification, discovery behaviors, stealth techniques, and multiple command-and-control resilience patterns. The related group and campaign context can help prioritize monitoring for organizations with relevant geopolitical, academic, public-sector, or regional exposure, but local telemetry is required before making any exposure or attribution judgment.
ATT&CK does not provide official detection text, labels, or tactics for this malware object; the mirrored external references do carry the associated name NOOPDOOR, cited to the same ESET, Trend Micro, and JPCERT reports. The supplied data does not include indicators of compromise, hashes, filenames, infrastructure, vulnerabilities, or confirmed customer exposure. Some related technique platform lists are broader or not Windows-specific, so this take treats Windows as the supported malware platform and uses related techniques as behavior context rather than proof of every implementation detail.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | HiddenFace has used scheduled tasks for execution and persistence. [2][4] |
| Enterprise | T1571 | Non-Standard Port | HiddenFace's passive mode listens on TCP 47000. [1][2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | HiddenFace can use RSA-2048 in addition to symmetric algorithms in C2. [2] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | HiddenFace can act as an internal HTTP proxy within the targeted environment. [2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | HiddenFace has encrypted its payload with AES. [1][4] |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | HiddenFace can create a mutex to ensure only one instance is running at a time. [4] |
| Enterprise | T1095 | Non-Application Layer Protocol | HiddenFace can use a custom TCP protocol over port 443 for C2. [1][2][4] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Checks | HiddenFace can sleep randomly between 30 and 60 seconds to avoid behavioral analysis. [4] |
| Enterprise | T1008 | Fallback Channels | HiddenFace can use active and passive C2 modes that use different encryption algorithms and backdoor commands. [2] |
| Enterprise | T1033 | System Owner/User Discovery | HiddenFace can collect the username associated with the compromised host. [4] |
| Enterprise | T1005 | Data from Local System | HiddenFace can upload files from the victim machine to C2 nodes. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | HiddenFace can download files from the C2 to victim systems. [1][2] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | HiddenFace can dynamically resolve Windows APIs. [2][4] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | HiddenFace can identify processes associated with security applications and tooling. [2][4] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | HiddenFace can alter timestamps for directory content on targeted machines. [1][2][4] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | HiddenFace has used domain generation algorithms in C2. [1][2][3][4] |
| Enterprise | T1082 | System Information Discovery | HiddenFace can enumerate the hostname and username of the compromised system. [1][2][4] |
| Enterprise | T1057 | Process Discovery | HiddenFace can check running processes against a list of blocklisted applications. [4] |
| Enterprise | T1055 | Process Injection | HiddenFace can inject code directly into legitimate applications. [1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | HiddenFace can use a randomly selected symmetric encryption algorithm for C2. [4] |
| Enterprise | T1572 | Protocol Tunneling | HiddenFace can hide its IP lookup by using DNS over HTTPS (DoH) for C2. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HiddenFace has the ability to decrypt its payload prior to execution. [1][4] |
| Enterprise | T1112 | Modify Registry | HiddenFace can store its configuration file in the Registry. [1] |
| Enterprise | T1480 | Execution Guardrails | HiddenFace can check for the presence of specific analysis tools and will terminate itself if they are found. [2] |
| Enterprise | T1686.003 | Windows Host Firewall | HiddenFace can reconfigure the Windows firewall to enable communication by adding a rule named "Cortana" that allows inbound connections to TCP/47000. [2][4] |
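The T1571 and T1686.003 rows above describe the passive-mode footprint a responder can check for directly on a host: an inbound allow rule outside the expected baseline and a process listening on the port that rule opens. The following is an added example, not code from this page or from the cited reports. It parses constructed `netsh advfirewall firewall show rule name=all` and `netstat -ano` output, flags enabled inbound TCP allow rules whose port is not in a baseline set, and maps each flagged port to the listening PID. The baseline port set and both sample outputs are assumptions for the example.

```python
import re

# Constructed sample output (not captured from a real host), in the shapes produced
# by "netsh advfirewall firewall show rule name=all" and "netstat -ano".
NETSH_OUTPUT = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            Cortana
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            47000
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow
"""

NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108
  TCP    0.0.0.0:47000          0.0.0.0:0              LISTENING       4412
  TCP    10.0.0.5:52113         93.184.216.34:443      ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    2204
"""

# Assumption: the inbound TCP ports this host class is expected to expose.
EXPECTED_INBOUND_TCP = {"135", "3389"}

RULE_FIELD = re.compile(
    r"^(Rule Name|Enabled|Direction|Profiles|Protocol|LocalPort|RemotePort|Action):\s+(.*?)\s*$")


def parse_netsh_rules(text):
    """Split netsh rule output into one dict per rule, keyed by the field names shown."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Rule Name":
            current = {"name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def parse_listeners(text):
    """Map each TCP port in LISTENING state to its owning PID."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = parts[1].rsplit(":", 1)[1]   # works for IPv4 and bracketed IPv6
            listeners[port] = int(parts[4])
    return listeners


def suspicious_inbound_rules(rules, expected_ports):
    """Enabled inbound TCP allow rules whose local port is outside the baseline."""
    return [r for r in rules
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") == "TCP"
            and r.get("LocalPort", "Any") not in expected_ports]


def triage(netsh_text, netstat_text, expected_ports=EXPECTED_INBOUND_TCP):
    """Correlate out-of-baseline inbound rules with the PID listening on that port."""
    rules = parse_netsh_rules(netsh_text)
    listeners = parse_listeners(netstat_text)
    return [{"rule": r["name"], "port": r["LocalPort"], "listening_pid": listeners.get(r["LocalPort"])}
            for r in suspicious_inbound_rules(rules, expected_ports)]


if __name__ == "__main__":
    for finding in triage(NETSH_OUTPUT, NETSTAT_OUTPUT):
        print(finding)
```

On the constructed input the only finding is the "Cortana" rule on TCP/47000, correlated to PID 4412, which is also the process holding the outbound 443 connection in the netstat sample; that PID is the pivot for process, module, scheduled task and Registry collection during IR. A rule named after a legitimate Windows component is exactly why the check keys on direction, action and port rather than on the name.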
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
Object version and sync metadata
The fields below describe the mirrored snapshot. When more than one ATT&CK bundle has been imported, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f3cbc91aa05e… |
The raw object is retained through the mirrored ATT&CK source bundle and object hash.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] JPCERT MirrorFace JUL 2024: Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.
- [2] Trend Micro Earth Kasha NOV 2024: Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.
- [3] Trend Micro Earth Kasha Updates APR 2025: Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.
- [4] ESET HiddenFace 2024: Breitenbacher, D. (2024). Unmasking HiddenFace. Retrieved April 17, 2026.
- [5] NOOPDOOR: associated name for HiddenFace recorded in the ATT&CK external references, cited to ESET HiddenFace 2024, Trend Micro Earth Kasha NOV 2024, and Trend Micro Earth Kasha Updates APR 2025.
- [6] mitre-attack S9023: the MITRE ATT&CK software entry for HiddenFace.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.