ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3)

ANELLDR, a loader that has been in use since at least 2018, was designed to decrypt and execute UPPERCUT in memory. ANELLDR can use anti-analysis techniques and is known to share code overlap with HiddenFace.(Citation: Trend Micro Earth Kasha Anel NOV 2024)(Citation: ESET MirrorFace 2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | 1 |
| Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) | Attack Pattern | ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | 1 |
| ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 1 |
| ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 1 |
| Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) | Attack Pattern | ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | 1 |
| ANELLDR - S9027 (c21edbd1-a0a4-4c3c-9b22-4a49634186c3) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) | Attack Pattern | 2 |