Chinese Hacking Group MirrorFace Targets Europe in New Attack

Chinese APT Group MirrorFace Targets European Diplomatic Institute Ahead of Expo 2025 

The Chinese state-sponsored hacking group MirrorFace, also known as Earth Kasha, has been observed targeting a Central European diplomatic institute in a cyber espionage campaign linked to the upcoming Expo 2025 event in Osaka, Japan, according to cybersecurity firm ESET. 

MirrorFace operates under the APT10 umbrella, a well-known China-linked advanced persistent threat (APT) group that has primarily focused on Japanese organizations in the past. Its usual targets include Japan’s Foreign and Defense ministries, space agency, politicians, journalists, private companies, and think tanks. 

This campaign, dubbed Operation AkaiRyū (Japanese for RedDragon), marks the first documented MirrorFace attack against a European organization. The attack has revealed new tactics, techniques, and procedures (TTPs), as well as the use of updated hacking tools by the group. 

MirrorFace has incorporated Anel (also known as Uppercut), a signature backdoor of APT10, alongside a customized version of AsyncRAT. The attack was initiated through spearphishing emails containing malicious attachments, a method commonly used to gain initial access. 

Connection to APT10 Strengthened 

The use of Anel reinforces the theory that MirrorFace is a subgroup of APT10, as the backdoor is exclusive to Chinese state-sponsored cyber operations, ESET notes. 

Between June and September 2024, MirrorFace carried out multiple attacks, deploying a range of malware and hacking techniques. Initially, Anel was used for system infiltration. The group also deployed a customized AsyncRAT, which was executed in Windows Sandbox to evade detection. Additionally, they leveraged VS Code’s remote tunnel feature to maintain undetected network access. 
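Two of the techniques named above, running a payload inside Windows Sandbox and keeping access through a VS Code remote tunnel, both show up in ordinary process-creation telemetry. The following is an added detection example written for this article, not code from ESET or the campaign; the event fields (host, image, cmdline, parent) are assumed Sysmon-style names and the events are constructed samples.

```python
# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'WindowsSandbox.exe "C:\Users\u\Downloads\expo2025.wsb"',
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" tunnel --accept-server-license-terms',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"Code.exe" C:\projects\tunnel',          # benign: opening a folder
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]


def detect(event):
    """Return the list of TTP tags matched by one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    args = [a.strip('"') for a in cmd.split()]
    hits = []
    # Windows Sandbox launched by a user process; a .wsb config file on the
    # command line means the sandbox was pre-configured (shared folders, logon command).
    if image.endswith("\\windowssandbox.exe"):
        hits.append("windows_sandbox_launch")
        if any(a.endswith(".wsb") for a in args[1:]):
            hits.append("windows_sandbox_wsb_config")
    # VS Code started with the "tunnel" subcommand exposes the host to a remote
    # session over Microsoft's dev tunnel service; match the subcommand only,
    # not any argument containing the word "tunnel" (see the benign event above).
    if image.endswith("\\code.exe") and len(args) > 1 and args[1] == "tunnel":
        hits.append("vscode_remote_tunnel")
    return hits


def scan(events):
    """Return (host, image, tag) triples for every matched event."""
    return [(e["host"], e["image"], tag) for e in events for tag in detect(e)]


if __name__ == "__main__":
    for host, image, tag in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag} <- {image}")
```

In a real deployment the same two checks would run against Sysmon Event ID 1 or an EDR's process-start stream, and the `.wsb` hit is the one worth escalating because an attacker-written config can map host folders into the sandbox.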

As the attack progressed, MirrorFace deployed HiddenFace, the group’s primary backdoor, to establish long-term persistence on compromised systems. Interestingly, in 2024, the hackers did not use their previously known LodeInfo backdoor, marking a shift in their attack strategy. 

Targeted Attacks and Techniques Used 

In June 2024, MirrorFace launched an attack on two employees at a Japanese research institute, using a signed McAfee executable to load Anel onto their systems. 

By August 2024, the group expanded its focus to a Central European diplomatic institute, using a malicious OneDrive link to trigger an Anel infection. 

The attack chain involved: 

  • Anelldr, an Anel loader. 
  • HiddenFace, a secondary backdoor for persistent access. 
  • FaceXInjector, a loader for HiddenFace. 
  • AsyncRAT, delivered through multiple files and executed inside Windows Sandbox. 
  • Hidden Start, a tool used to bypass User Account Control (UAC) security measures. 

Data Theft and Network Infiltration 

During the attack, MirrorFace successfully exfiltrated sensitive data from one system, including: 

  • Contact lists. 
  • Autofill data from web browsers. 
  • Search keywords. 
  • Stored credit card information from Chrome. 

On a second compromised system, the attackers deployed additional tools to gain deeper access into the diplomatic network, which could allow long-term surveillance and further cyber espionage activities. 

Expo 2025 Used as a Lure 

The Expo 2025 event in Osaka, Japan, was used as a social engineering lure to trick victims into opening malicious documents. Despite the group's expanded geographic targeting, the focus on Japan-related events remains evident. 

This campaign highlights the growing threat of state-sponsored cyber espionage ahead of major international events and underscores the need for stronger cybersecurity measures among diplomatic and governmental organizations. 
