S9027: ANELLDR
Analyst context for executives and security teams
ANELLDR matters because it is a Windows loader built to decrypt and run UPPERCUT in memory, with anti-analysis behavior that can reduce the value of simple file-based scanning. For leaders, the practical issue is whether endpoint, SOC, and IR capabilities can recognize suspicious loading, decoding, DLL abuse, and discovery behavior rather than depending only on known malware names or static signatures.
Executive priority
Prioritize ANELLDR as a validation case for Windows endpoint resilience, malware triage readiness, and evidence quality. ATT&CK links it to Operation AkaiRyū and to stealth, execution, and discovery techniques, so executives should ask whether teams can prove coverage for in-memory execution patterns, obfuscated or encoded payloads, DLL-related abuse, and file discovery activity. This is especially relevant for audit and incident decision-making because official ATT&CK detection guidance is not provided, making local telemetry and tested detections more important than assumed tool coverage.
Technical view
SOC and detection teams should map ANELLDR-related coverage to Windows behaviors in the supplied relationships: obfuscated or encrypted content, deobfuscation or decoding before execution, junk code or anti-analysis indicators, debugger evasion, Native API usage, DLL abuse, and file or directory discovery. Because ANELLDR is described as a loader for UPPERCUT that executes in memory, IR teams should validate memory collection, process/module inspection, suspicious parent-child process review, and DLL load analysis. Detection should focus on behavior chains rather than only hashes or malware family labels.
Likely telemetry
- Windows endpoint detection and response events for process creation, memory activity, and suspicious module loading
- DLL load telemetry, image load events, and unusual library search or side-loading indicators
- File system telemetry showing encrypted, encoded, or otherwise obfuscated artifacts written, read, or decoded
- Command-line and API-level evidence related to file and directory discovery
- Malware sandbox or detonation results, with awareness that debugger-evasion and anti-analysis behavior may suppress activity
Detection direction
- Validate detections for the relationship-driven techniques: T1027, T1027.013, T1027.016, T1140, T1106, T1574.001, T1083, and T1622.
- Tune for behavior sequences such as an obfuscated payload being decoded and then loaded or executed in memory, especially when paired with unusual DLL activity.
- Do not rely solely on static signatures; ANELLDR is specifically described as using anti-analysis techniques and obfuscation-related behavior.
- Review false positives from legitimate packed software, installers, DLL-heavy enterprise applications, and administrative discovery activity before escalating.
- Test whether sandbox and malware-analysis workflows still produce evidence when debugger-evasion behavior is present.
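The behavior sequence called out above, a DLL loaded from an unusual location, the same process reading a sibling data file, and memory then being made writable and executable, can be expressed as ordered-stage correlation over endpoint events. The following Python is an added example written for this page, not code from MITRE, Glexia, or the cited reports. The `Event` schema, the `EXPECTED_DIRS` list, the stage rules and the sample events are all constructed assumptions; real EDR or Sysmon image-load, file-access and memory-protection records would have to be mapped onto the `Event` fields before the logic applies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass
class Event:
    """One simplified endpoint event (constructed schema, not a vendor format)."""
    ts: datetime
    pid: int
    kind: str           # "ImageLoad", "FileRead" or "MemProtect"
    image: str          # full path of the process image
    path: str = ""      # DLL path for ImageLoad, file path for FileRead
    protect: str = ""   # requested protection for MemProtect


# Directories from which DLL loads are treated as expected rather than suspicious
# (assumption for this example; tune against the local software baseline).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def stage_of(ev: Event) -> int:
    """Map one event to a stage of the loader chain; 0 means it is not part of it."""
    if ev.kind == "ImageLoad" and ev.path.lower().endswith(".dll"):
        # Stage 1: a DLL resolved from the host process's own directory, and that
        # directory is outside Windows and Program Files (sideload-style load).
        if _dir(ev.path) == _dir(ev.image) and not ev.path.lower().startswith(EXPECTED_DIRS):
            return 1
    elif ev.kind == "FileRead":
        # Stage 2: the same process reads a non-executable sibling file, the kind
        # of location an encrypted payload file would sit in.
        if _dir(ev.path) == _dir(ev.image) and not ev.path.lower().endswith((".dll", ".exe")):
            return 2
    elif ev.kind == "MemProtect" and ev.protect.upper() in ("RWX", "PAGE_EXECUTE_READWRITE"):
        # Stage 3: memory made writable and executable, consistent with in-memory execution.
        return 3
    return 0


def correlate(events, window=timedelta(minutes=5)):
    """Return one alert per process that passes stages 1 -> 2 -> 3 in order within `window`."""
    alerts = []
    state = {}  # pid -> partially observed chain
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage == 0:
            continue
        chain = state.get(ev.pid)
        if chain is not None and ev.ts - chain["first_ts"] > window:
            state.pop(ev.pid)   # too old: abandon the partial chain
            chain = None
        if stage == 1:
            state[ev.pid] = {"stage": 1, "first_ts": ev.ts, "image": ev.image,
                             "dll": ev.path, "payload": None}
        elif chain is not None and stage == chain["stage"] + 1:
            chain["stage"] = stage
            if stage == 2:
                chain["payload"] = ev.path
            else:
                alerts.append({"pid": ev.pid, "image": chain["image"], "dll": chain["dll"],
                               "payload": chain["payload"], "first_ts": chain["first_ts"],
                               "last_ts": ev.ts})
                state.pop(ev.pid)
    return alerts


# Constructed sample telemetry: one process that walks the full chain from a
# temp folder, one Program Files application reading its own config, and one
# runtime that creates RWX memory without the earlier stages.
T0 = datetime(2025, 1, 10, 9, 0, 0)
_APP = r"C:\Users\alice\AppData\Local\Temp\viewer\viewer.exe"
_ACME = r"C:\Program Files\Acme\acme.exe"
SAMPLE_EVENTS = [
    Event(T0, 4242, "ImageLoad", _APP, path=r"C:\Users\alice\AppData\Local\Temp\viewer\libres.dll"),
    Event(T0 + timedelta(seconds=2), 4242, "FileRead", _APP,
          path=r"C:\Users\alice\AppData\Local\Temp\viewer\cache.dat"),
    Event(T0 + timedelta(seconds=3), 4242, "MemProtect", _APP, protect="PAGE_EXECUTE_READWRITE"),
    Event(T0, 5100, "ImageLoad", _ACME, path=r"C:\Program Files\Acme\acmeui.dll"),
    Event(T0 + timedelta(seconds=1), 5100, "FileRead", _ACME, path=r"C:\Program Files\Acme\settings.ini"),
    Event(T0 + timedelta(seconds=5), 6000, "MemProtect", r"C:\Program Files\Acme\runtime.exe", protect="RWX"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the process that completes all three stages in order produces an alert; the Program Files application and the lone RWX allocation do not. The stage rules are deliberately loose, so in line with the false-positive bullet above they should be baselined against packed installers and DLL-heavy enterprise software before any alert is promoted to an escalation.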
Mitigation priorities
- Strengthen Windows endpoint visibility first: process, module, file, and memory-related telemetry must be available to SOC and IR teams.
- Harden DLL loading exposure where practical through application control, least privilege, controlled software paths, and monitoring for abnormal DLL behavior.
- Improve malware triage playbooks for encoded or obfuscated artifacts, including safe decoding analysis and memory capture procedures.
- Use threat intelligence from the supplied ATT&CK and external references to inform detection engineering, but validate against local baselines before operationalizing alerts.
- Maintain incident response readiness for loader-style malware by preserving volatile evidence and correlating host behavior with campaign and technique context.
Analyst notes and limits
The official ATT&CK object identifies ANELLDR as a Windows loader used since at least 2018 to decrypt and execute UPPERCUT in memory. It also notes anti-analysis behavior and code overlap with HiddenFace. Relationship context links ANELLDR to Operation AkaiRyū and to multiple ATT&CK techniques covering obfuscation, decoding, Native API use, DLL abuse, file discovery, and debugger evasion. These relationships are the basis for the defensive priorities above.
MITRE does not provide official detection text, aliases, labels, or explicit tactics for the ANELLDR software object. This analysis therefore avoids claiming active exploitation, guaranteed detection, or organization-specific exposure. Local endpoint configuration, logging depth, EDR behavior, and IR evidence collection will determine actual coverage.
ANELLDR
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | ANELLDR can use the `ZwSetInformationThread` to enable debugger evasion.[1] |
| Enterprise | T1083 | File and Directory Discovery | ANELLDR can enumerate files in the current directory to search for encrypted payload files.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ANELLDR can decrypt encrypted payload data using AES-256-CBC and subsequently execute the payload in memory.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | ANELLDR can update its encryption key to AES-256-CBC and re-encrypt its payload, overwriting the original payload file with the newly encrypted data.[1] |
| Enterprise | T1574.001 | DLL | ANELLDR can use DLL sideloading from a legitimate application to initiate execution.[1] |
| Enterprise | T1622 | Debugger Evasion | ANELLDR can call `ZwSetInformationThread` with the second argument set to `ThreadHideFromDebugger (0x11)` to evade being debugged.[1] |
| Enterprise | T1027.016 | Junk Code Insertion | ANELLDR can use junk code for payload obfuscation.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | ANELLDR code implements anti-analysis techniques including control flow flattening and Mixed Boolean Arithmetic (MBA).[1] |
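The T1083, T1140 and T1027.013 rows above describe a loader that searches its own directory for an encrypted payload file, decrypts it with AES-256-CBC, and later overwrites it with a re-encrypted copy; the mitigation section earlier on this page asks for triage playbooks that handle such encoded or obfuscated artifacts. A practical triage step for a collected directory is to rank files by Shannon entropy and by whether a recognised file header explains that entropy, so that a headerless high-entropy blob sitting next to an executable is surfaced for memory capture and deeper analysis. The following Python is an added example written for this page, not code from MITRE, Glexia or the cited reports; the `MAGIC` table, the 7.5 bits-per-byte threshold and the sample directory listing are constructed assumptions, and the sample data is generated in memory rather than read from disk.

```python
import hashlib
import math
from collections import Counter

# Leading bytes of common file types (assumed, abbreviated list). A high-entropy
# file that matches none of these is the "headerless blob" pattern to look at first.
MAGIC = {b"MZ": "pe", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5) -> dict:
    """Label one file by magic header and entropy."""
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    ent = shannon_entropy(data)
    if kind == "pe":
        verdict = "executable"          # hand off to PE-specific triage
    elif ent >= threshold and kind is None:
        verdict = "suspect-encrypted"   # high entropy with no recognised container
    elif ent >= threshold:
        verdict = "compressed-" + kind  # high entropy explained by the format
    else:
        verdict = "plain"
    return {"name": name, "entropy": round(ent, 2), "magic": kind, "verdict": verdict}


def triage(files: dict, threshold: float = 7.5) -> list:
    """Classify every file in a directory listing ({name: bytes}) and raise the
    priority of headerless high-entropy files that sit beside an executable."""
    results = [classify(name, data, threshold) for name, data in files.items()]
    has_exe = any(r["verdict"] == "executable" for r in results)
    for r in results:
        r["priority"] = "high" if has_exe and r["verdict"] == "suspect-encrypted" else "low"
    return results


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler from a SHA-256 chain (constructed sample data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed directory listing: a small executable, a headerless high-entropy
# blob, a text file, and a PNG whose body is also high entropy.
SAMPLE_DIR = {
    "viewer.exe": b"MZ" + b"\x90" * 256,
    "cache.dat": _pseudo_random(4096, b"payload"),
    "readme.txt": b"Release notes: nothing unusual here.\n" * 40,
    "logo.png": b"\x89PNG\r\n\x1a\n" + _pseudo_random(2048, b"image"),
}


def run_sample() -> dict:
    """Triage the constructed listing and index the results by file name."""
    return {r["name"]: r for r in triage(SAMPLE_DIR)}


if __name__ == "__main__":
    for r in run_sample().values():
        print(f'{r["name"]:<12} entropy={r["entropy"]:.2f} magic={r["magic"]} '
              f'verdict={r["verdict"]} priority={r["priority"]}')
```

On the sample listing only `cache.dat` comes out as `suspect-encrypted` with high priority; the PNG is equally high in entropy but its header explains it, and the text file and the stub executable are low. Because the page notes the loader re-encrypts and overwrites its payload file, a second pass over the same directory after a suspected execution is worthwhile: an identical name with a changed hash but unchanged size is consistent with that behavior and should be preserved as evidence rather than cleaned up.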
Groups, software, and campaigns
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b8a03baffbb2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Trend Micro Earth Kasha Anel NOV 2024: Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
- [2] ESET MirrorFace 2025: Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.
- [3] mitre-attack S9027: MITRE ATT&CK source record for S9027 (ANELLDR).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.