Kaspersky reported new activity involving the LODEINFO malware family, a fileless espionage tool previously linked to APT10, in attacks against organizations in Japan. The campaign used several updated infection chains, including malicious Word documents with VBA macros, self-extracting RAR archives that abused DLL sideloading, and a newly identified downloader shellcode called DOWNIISSA that deployed LODEINFO v0.6.5. Lures used Japanese-language decoys and filenames tied to political and media themes, indicating targeting of government, ruling-party-related, and media entities.
Researchers observed multiple LODEINFO variants, including v0.5.9, v0.6.3, and v0.6.5, alongside changes to loaders and payload delivery. Those updates included the use of external encrypted BLOB files and obfuscated export-based payload reconstruction, showing continued efforts to complicate analysis and evade detection. The findings indicate that the operators are actively refining tooling and tradecraft in response to public reporting, reinforcing LODEINFO's role as an adaptive cyber-espionage platform focused on Japanese targets.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
ITOCHU Cyber & Intelligence published research on LODEINFO variants spanning versions 0.6.6 through 0.7.3, documenting continued evolution of the malware associated with APT10. The post indicates the campaign and tooling remained active and developed further after the 2021 Kaspersky findings.
Kaspersky released a report detailing the newly observed LODEINFO activity and concluding that the operators continuously adapt their tooling and TTPs, likely in response to public security research. The publication reinforced LODEINFO's role as an evolving cyber-espionage platform.
The report documents LODEINFO variants v0.5.9, v0.6.3, and v0.6.5, along with loader changes such as external encrypted BLOB files and obfuscated export-based payload reconstruction. These findings indicate continued evolution of the malware and its execution chain.
The researchers newly identified a downloader shellcode named DOWNIISSA in the observed campaign. It was used to deploy LODEINFO version 0.6.5.
Kaspersky identified another infection chain using self-extracting RAR archives that abused DLL sideloading to execute malware. This showed the operators expanding and varying their delivery techniques.
One infection chain described in the report used malicious Microsoft Word documents containing VBA macros to initiate compromise. This reflects one of the delivery methods used in the observed LODEINFO activity.
Kaspersky observed LODEINFO used in espionage activity primarily against organizations in Japan, including government, ruling-party-related, and media entities. The attackers used Japanese-language decoys and politically themed filenames to support the targeting.
The report states that earlier public research had already linked the LODEINFO malware family to the APT10 threat actor. This established the attribution context for later activity analyzed in the report.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
blog-en.itochuci.co.jp
Open sourcesecurelist.com
Open sourcesecurelist.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.