On January 24, 2024, ITOCHU Cyber & Intelligence reported new samples of the LODEINFO backdoor consistent with ongoing development of the malware. LODEINFO is attributed to the China-nexus group APT10, which has used it against Japanese entities since at least 2021, delivering it through spear-phishing emails carrying malicious Word documents, predominantly weaponized with Visual Basic (VBA) macros.
The backdoor is actively updated, and recent features include:
Removal of checks for Japanese-language environments, suggesting a broader geographical targeting scope.
Use of remote template injection: rather than embedding the macro, the attachment retrieves a macro-enabled template and executes its macros when the victim opens the document.
The macro executes shellcode that ultimately loads the LODEINFO backdoor. In some cases, researchers observed the backdoor being loaded from a deceptive file masquerading as a Privacy-Enhanced Mail (PEM) file.
The infection chain culminates with the backdoor being loaded directly into memory rather than written to disk as an executable.
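As an added example (not code from the ITOCHU report or from the original post), two offline triage checks that correspond to the stages described above: one opens a .docx and flags an attachedTemplate relationship whose target is a remote URL or UNC path, which is the structural signature of remote template injection; the other verifies that a file presented as PEM actually has PEM structure, so a shellcode blob renamed to .pem is caught. The sample documents and PEM data are constructed inline, and the hostname example.invalid is a placeholder.

```python
"""Triage checks for two stages of the delivery chain described above.
Added example; sample documents and PEM data below are constructed, not
real LODEINFO samples."""
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Remote targets worth flagging. Word itself writes TargetMode="External" even
# for a local template (file:///C:/.../Normal.dotm), so we key on the scheme.
REMOTE_TARGET = re.compile(r"(?i)^https?://|^\\\\")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return (rels part, rId, target) for every attachedTemplate relationship
    that points at an http(s) URL or a UNC share. A benign document usually has
    no attachedTemplate at all, or one that points at a local .dotx/.dotm."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append((name, rel.get("Id"), target))
    return hits


PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _is_text(chunk: bytes) -> bool:
    """Printable ASCII plus whitespace only (tools like openssl may print a
    textual dump before a PEM block; a binary payload will not pass)."""
    return all(b in b"\t\r\n" or 0x20 <= b < 0x7f for b in chunk)


def looks_like_pem(data: bytes) -> bool:
    """True only if the data holds at least one well-formed PEM block whose
    body is valid base64, with nothing but text outside the blocks."""
    pos, found = 0, False
    for m in PEM_BLOCK.finditer(data):
        if not _is_text(data[pos:m.start()]):
            return False
        body = b"".join(m.group(2).split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            return False
        found, pos = True, m.end()
    return found and _is_text(data[pos:])


def build_docx(template_target=None) -> bytes:
    """Construct a minimal .docx (only the parts the check reads) so the
    example runs offline. Constructed sample, not a real document."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            f'<Relationships xmlns="{REL_NS}">']
    settings_body = ""
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main" xmlns:r="http://schemas.'
                'openxmlformats.org/officeDocument/2006/relationships">'
                + settings_body + "</w:settings>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    print(find_remote_templates(build_docx("http://example.invalid/t.dotm")))
    print(looks_like_pem(b"MZ\x90\x00" + b"\x00" * 60))
```

Run the document check over every .rels part, not only word/_rels/settings.xml.rels, because the same relationship type can appear in other parts; and treat the PEM check as a negative filter only, since a real PEM wrapper can still carry a malicious payload in its base64 body.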