HiddenFace

HiddenFace, also referred to as NOOPDOOR, is a modular backdoor developed and exclusively used by the China-aligned MirrorFace threat actor, which ESET assesses as a subgroup under APT10. It is described as the most complex malware in MirrorFace’s arsenal and a more versatile successor to the group’s earlier LODEINFO malware. MirrorFace has used HiddenFace in cyberespionage operations primarily targeting Japanese organizations, including media, defense-related companies, think tanks, political entities, and academic institutes, and in 2024 ESET observed it in Operation AkaiRyū, including against a Central European diplomatic institute linked to Expo 2025 in Osaka.

Observed infection and deployment chains include post-compromise installation after initial access via spearphishing in 2024 and, in a separate 2023 case, after exploitation of a FortiOS or FortiProxy vulnerability at a Japanese research institute. In the 2023 intrusion, attackers deployed LODEINFO before HiddenFace. Installation uses scheduled tasks such as automatic-device-check or createobject to launch MSBuild with malicious XML files including diskmgmt.config, BrowserSettingSync.xml, or BluetoothDesktopHandlers.xml. These build and execute a loader called FaceXInjector, also named NOOPLDR, which reads an encrypted HiddenFace payload from files such as ActivationManager.tlb, LaunchWinApp.dat, or Windows.Devices.Custom.dat. HiddenFace then creates a machine-specific encrypted copy using HKLM\Software\Microsoft\SQMClient\MachineId and the hostname, stores it under HKCU or HKLM\Software\License{<16 hex characters>}, and injects into legitimate Windows utilities such as perfmon.exe, wermgr.exe, or powercfg.exe.

HiddenFace includes anti-analysis and defense-evasion features. It dynamically resolves Windows APIs and removes API resolution code to hinder memory analysis, restricts DLL loading to Microsoft-signed DLLs, sleeps randomly between 30 and 60 seconds, checks running processes against a blacklist of analysis tools, creates a mutex to enforce a single instance, and can alter timestamps for directory content on targeted machines.

Its architecture is heavily modular, with built-in modules and AES-256-CBC-encrypted external modules. External module filenames, AES keys, and IVs are algorithmically derived from the hostname and username. HiddenFace provides an internal framework that allows modules to modify framework functions, access memory storage, and manage external modules.

For command and control, HiddenFace actively communicates with C2 servers using hard-coded URL templates, a domain generation algorithm, and a custom protocol over TCP port 443. It encrypts initial session messages with RSA-2048 and then switches to a randomly selected symmetric cipher, including DES, 3DES, AES-CBC, RC2, or RC4. Some C2 domains are under direct MirrorFace control. HiddenFace also supports passive communication by listening on hard-coded ports such as 47000 and reconfiguring Windows Firewall to allow access.

HiddenFace is also linked to credential theft operations through exfiltration of data collected by MSRAStealer, a MirrorFace credential stealer that registers as a password filter and authentication package to capture credentials during password changes and logons. MSRAStealer stores stolen credentials in an AES-256-CBC-encrypted file at %SystemRoot%\System32\msra.tlb, which HiddenFace can exfiltrate. In the 2024 diplomatic institute intrusion, ESET observed HiddenFace deployed alongside tools including PuTTY, Visual Studio Code remote tunnels, csvde, frp, and Rubeus, and the attackers also exported Google Chrome web data including contact information, keywords, autofill data, and stored credit card information.