LODEINFO
LODEINFO is a sophisticated fileless backdoor malware family first publicly named by JPCERT/CC in February 2020 and tracked by Kaspersky since 2019. It is used for cyber-espionage and is strongly associated with the China-aligned MirrorFace / Earth Kasha activity cluster, which is often linked to APT10; multiple sources describe it as unique or exclusive to MirrorFace/Earth Kasha and as that actor’s primary backdoor since 2019. Reported targeting has focused primarily on Japanese organizations, including media, diplomatic, governmental, public sector organizations, think tanks, political entities, academic institutes, and later advanced technology and government sectors in Japan, Taiwan, and India.
Observed delivery and execution methods include DLL sideloading with legitimate signed executables, malicious Word documents with VBA macros, self-extracting RAR archives, and downloader shellcode. Documented examples include use of K7Security Suite binaries such as NRTOLF.exe and K7SysMon.exe to sideload a malicious K7SysMn1.dll loader; a March 2022 macro-enabled Word infection that created C:\Users\Public\TMWJPA\ and dropped GFIUFR.zip; June 2022 SFX archives that dropped 1.docx, K7SysMn1.dll, and K7SysMon.exe into %TEMP%; and the DOWNIISSA downloader, which downloaded XOR-encrypted payloads from http://172.104.112[.]218/11554.htm and http://www.dvdsesso[.]com/11554.htm, then injected LODEINFO v0.6.5 into msiexec.exe. Since version 0.4.x, JPCERT/CC reported a shift to LOLBAS-based launch methods.
LODEINFO supports backdoor functionality including command execution, file transfer, shellcode or in-memory payload execution, and network discovery. It can run net view and net view /domain for remote system discovery. Kaspersky documented versions with commands including command, send, recv, memory, kill, cd, ver, print, ransom, comc, and config; earlier versions also included ls, rm, mv, cp, cat, mkdir, keylog, ps, pkill, and autorun. The malware beaconed host information including current time, ANSI code page, MAC address, and hostname. It also collected stolen web cookies locally in the %TEMP% folder.
The malware has undergone frequent updates. Kaspersky analyzed shellcode versions including v0.5.9, v0.6.2, v0.6.3, and v0.6.5 in 2022, and noted later v0.6.6 and v0.6.7. Reported technical changes include obfuscated command identifiers, a custom API hashing algorithm with sample-specific XOR, support for 64-bit shellcode injection, and anti-analysis logic that halts execution on systems using the en_US locale. LODEINFO used layered C2 protection involving SHA512, XOR, AES-CBC, Base64 with modified padding, and the Vigenere cipher, and appended random junk data to beacon traffic. It also generated Chrome-like user-agent strings, attempting to read the installed Chrome version and falling back to 98.0.4758.102 if unavailable.
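The random junk appended to beacons defeats size-based beacon signatures, so detection has to key on timing instead. The block below is an added example, not code from the page or from any vendor report: it walks constructed proxy log lines (assumed format: timestamp, source, destination, bytes, user-agent), flags source/destination pairs whose request intervals are regular even though sizes vary, and separately notes clients still presenting the Chrome/98.0.4758.102 fallback version.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Chrome version the backdoor falls back to when it cannot read the installed one.
FALLBACK_CHROME_UA = re.compile(r"Chrome/98\.0\.4758\.102\b")

# Constructed proxy log lines, not real traffic: "<ISO time> <src> <dst> <bytes> <user-agent>".
# First flow: ~60s cadence with padded (varying) sizes. Second flow: irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10 612 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
2024-03-01T09:01:00 10.0.0.5 203.0.113.10 871 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
2024-03-01T09:02:01 10.0.0.5 203.0.113.10 455 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
2024-03-01T09:03:00 10.0.0.5 203.0.113.10 1290 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
2024-03-01T09:00:12 10.0.0.7 198.51.100.4 2048 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
2024-03-01T09:07:45 10.0.0.7 198.51.100.4 2048 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
2024-03-01T09:21:03 10.0.0.7 198.51.100.4 2048 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
2024-03-01T09:22:10 10.0.0.7 198.51.100.4 2048 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
"""

def parse(log_text):
    """Yield (timestamp, src, dst, size, user_agent) for each log line."""
    for line in log_text.splitlines():
        ts, src, dst, size, ua = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), src, dst, int(size), ua

def find_beacons(log_text, min_hits=4, max_cv=0.15):
    """Return {(src, dst): [reasons]} for flows with regular timing or the fallback UA.
    Timing regularity is the coefficient of variation of inter-request gaps; sizes are ignored
    on purpose because the junk padding makes them useless as a signal."""
    flows, fallback_ua = defaultdict(list), set()
    for ts, src, dst, size, ua in parse(log_text):
        flows[(src, dst)].append((ts, size))
        if FALLBACK_CHROME_UA.search(ua):
            fallback_ua.add((src, dst))
    alerts = {}
    for key, events in flows.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        reasons = []
        if len(events) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            sizes = [s for _, s in events]
            reasons.append(f"periodic ~{mean(gaps):.0f}s despite sizes {min(sizes)}-{max(sizes)} bytes")
        if key in fallback_ua:
            reasons.append("hardcoded fallback Chrome/98.0.4758.102 user-agent")
        if reasons:
            alerts[key] = reasons
    return alerts
```

A stale fixed Chrome version on its own is weak evidence; the periodic-timing hit is what should drive escalation.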
Known process injection behavior includes use of VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread for 32-bit shellcode injection, and NtAllocateVirtualMemory, NtWriteVirtualMemory, and RtlCreateUserThread for 64-bit injection. In some campaigns, loaders reconstructed encrypted payload blobs from multiple export functions or external .db files before decoding and launching the backdoor.
LODEINFO has also appeared in multi-stage intrusions where it precedes deployment of other MirrorFace malware. ESET reported that in an August 2023 intrusion at a Japanese research institute, attackers exploited a FortiOS/FortiProxy vulnerability, deployed LODEINFO first, and then deployed HiddenFace/NOOPDOOR. Trend Micro likewise reported Earth Kasha using LODEINFO alongside Cobalt Strike and NOOPDOOR in campaigns from early 2023 to early 2024.
High-confidence indicators and artifacts mentioned in the content include the paths C:\Users\Public\TMWJPA, %TEMP%, and the local staging of stolen web cookies in %TEMP%; filenames GFIUFR.zip, NRTOLF.exe, K7SysMn1.dll, K7SysMon.exe, K7SysMon.exe.db, and 1.docx; downloader-related URLs 172.104.112[.]218/11554.htm and www.dvdsesso[.]com/11554.htm; and additional related files 3390.htm, 5246.htm, and 16412.htm observed on the same infrastructure.
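An added example (not from the page or from any vendor) that turns the sideloading, staging-path and msiexec.exe injection artifacts above into endpoint triage logic over constructed Sysmon-style events; the K7 install directory and the "alice" profile path are made up for the sample.

```python
import ntpath

# Artifacts from the reporting above: abused signed K7 binaries, the loader DLL name,
# the two staging locations (C:\Users\Public\TMWJPA and %TEMP%), and the injection target.
SIDELOAD_HOSTS = {"k7sysmon.exe", "nrtolf.exe"}
MALICIOUS_DLL = "k7sysmn1.dll"
STAGING_DIRS = (r"c:\users\public\tmwjpa", r"\appdata\local\temp")
INJECT_TARGET = "msiexec.exe"

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load, 8 = remote thread).
# The "K7Security" program directory below is invented for the benign control case.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\K7SysMon.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\K7SysMon.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\K7SysMn1.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\K7SysMon.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\K7Security\K7SysMon.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\K7Security\K7SysMon.exe",
     "ImageLoaded": r"C:\Program Files\K7Security\K7SysMn1.dll", "Signed": "true"},
]

def _base(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def _in_staging(path):
    return any(d in path.lower() for d in STAGING_DIRS)

def triage(events):
    """Return (rule, detail) findings; a legitimately installed K7 suite should produce none."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        # Signed sideload host started from a user-writable staging directory.
        if eid == 1 and _base(ev["Image"]) in SIDELOAD_HOSTS and _in_staging(ev["Image"]):
            findings.append(("sideload-host-in-staging-dir", ev["Image"]))
        # Loader DLL with the expected name, but from a staging path or without a valid signature.
        elif eid == 7 and _base(ev["ImageLoaded"]) == MALICIOUS_DLL and (
                _in_staging(ev["ImageLoaded"]) or ev.get("Signed", "false") != "true"):
            findings.append(("k7sysmn1-loader-dll", f'{ev["Image"]} -> {ev["ImageLoaded"]}'))
        # Cross-process thread creation into msiexec.exe, the documented injection target.
        elif eid == 8 and _base(ev["TargetImage"]) == INJECT_TARGET and \
                _base(ev["SourceImage"]) != INJECT_TARGET:
            findings.append(("remote-thread-into-msiexec", f'{ev["SourceImage"]} -> {ev["TargetImage"]}'))
    return findings
```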
Groups observed using it
2 distinct threat actors attributed by public researchers.
The APT10 group employed DLL sideloading to deliver the LODEINFO backdoor to the target device for cyber-espionage purposes.
MirrorFace focuses on espionage and exfiltration of files of interest; it is the only group known to use the LODEINFO and HiddenFace backdoors.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (2 techniques)
Execution (4 techniques)
Persistence (1 technique)
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or batch files in the Windows Startup folder.
Privilege Escalation (2 techniques)
During the memory injection process... the malware checks the first byte of the second stage shellcode to determine the shellcode architecture... it uses the basic Windows APIs such as VirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() for memory injection of the 32-bit shellcode and NtAllocateVirtualMemory(), NtWriteVirtualMemory() and RtlCreateUserThread() for supporting the memory injection of the 64-bit shellcode.
Stealth (8 techniques)
This LODEINFO v0.5.6 shellcode extracted from a loader module demonstrates several enhanced evasion techniques... The beacon also contains a hardcoded key... randomly generated junk data is appended to the end of the data, possibly to evade beaconing detection based on packet size.
The attackers exploited the name of a well-known Japanese politician... The file name and the decoy document suggest the target was the Japanese ruling party or a related organization.
For the final stage of the infection, DOWNIISSA creates an instance of msiexec.exe and injects the LODEINFO backdoor shellcode in the memory of the process.
In LODEINFO v0.6.2 and later versions, the shellcode has a new feature that looks for the “en_US” locale on the victim’s machine in a recursive function and halts execution if that locale is found.
Credential Access (1 technique)
Discovery (6 techniques)
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
After infecting the target machine, the LODEINFO backdoor beacons out machine information to the C2, such as current time, ANSI code page (ACP) identifier, MAC address and hostname.
Collection (3 techniques)
keylog command: checks for a Japanese keyboard layout, then saves keystrokes, datetime and the active window name. Uses 1-byte XOR encryption and writes to the file %temp%\%hostname%.tmp.
IOCs tracked for this family
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Backdoor used via DLL sideloading in targeted cyber-espionage attacks.
Custom malware developed and used by MirrorFace.
A backdoor historically used exclusively by MirrorFace for espionage operations, though the report notes it was not observed in the 2024 activity discussed.
LODEINFO is a custom backdoor used primarily by the Earth Kasha threat group, supporting a wide range of commands for file operations, credential theft, keylogging, and in-memory execution of DLLs or shellcode. It is deployed via DLL side-loading and uses encrypted payloads embedded in digital signatures, exploiting CVE-2013-3900. LODEINFO has evolved through multiple versions, with new commands and features added over time.