MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936)

MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.(Citation: ESET MirrorFace DEC 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | 1 |
| Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | 1 |
| Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | 1 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | MirrorStealer - S9022 (2f851d4a-18cc-4d7f-9408-b10ef02ee936) | Malware | 1 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 2 |
| Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |
| Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | 2 |