ESET detects China-aligned APT group MirrorFace targeting European diplomats

By DigitalCIO Bureau
March 21, 2025
in Security, Tech News

ESET researchers have detected cyberespionage activity carried out by the China-aligned MirrorFace APT group against a Central European diplomatic institute in relation to Expo 2025, which will be held this year in Osaka, Japan. Known primarily for its cyberespionage activities against organizations in Japan, MirrorFace has, to the best of ESET's knowledge, shown intent to infiltrate a European entity for the first time. The campaign was uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon) by ESET; it showcases the refreshed TTPs that ESET Research observed throughout last year.

“MirrorFace targeted a Central European diplomatic institute. To our knowledge, this is the first, and, to date, only time MirrorFace has targeted an entity in Europe,” says ESET researcher Dominik Breitenbacher, who investigated the AkaiRyū campaign.

MirrorFace operators set up their spearphishing attack by crafting an email message that referenced a previous, legitimate interaction between the institute and a Japanese NGO, using the upcoming World Expo 2025 in Osaka, Japan as the lure. Even with this broader geographic targeting, MirrorFace therefore remains focused on Japan and events related to it. Before the attack on the European diplomatic institute, MirrorFace targeted two employees at a Japanese research institute with a malicious, password-protected Word document, delivered in a manner that is not known.

During the analysis of Operation AkaiRyū, ESET discovered that MirrorFace has significantly refreshed its TTPs and tooling. MirrorFace started using ANEL (also referred to as UPPERCUT), a backdoor considered exclusive to APT10 that was believed to have been abandoned years ago; the latest activity strongly suggests that development of ANEL has restarted. ANEL supports basic commands for file manipulation, payload execution, and taking screenshots.

“The use of ANEL also provides further evidence in the ongoing debate about the potential connection between MirrorFace and APT10. The fact that MirrorFace has started using ANEL, along with the other previously identified information, such as similar targeting and malware code similarities, led us to make a change in our attribution: we now believe that MirrorFace is a subgroup under the APT10 umbrella,” adds Breitenbacher.

Additionally, MirrorFace deployed a heavily customized variant of AsyncRAT, embedding it in a newly observed, intricate execution chain that runs the RAT inside Windows Sandbox. Because the RAT executes inside the isolated sandbox rather than on the host itself, its activity is hidden from security controls on the host, which makes the compromise harder to detect. In parallel, MirrorFace also started deploying Visual Studio Code (VS Code) to abuse its remote tunnels feature. Remote tunnels give MirrorFace stealthy access to the compromised machine, the ability to execute arbitrary code, and a channel for delivering other tools. Finally, MirrorFace has continued to employ its current flagship backdoor, HiddenFace, further bolstering persistence on compromised machines.
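The two techniques described above, execution inside Windows Sandbox and VS Code remote tunnels, both leave host-side artifacts that a defender can hunt for even when the payload itself is out of sight. The following Python helper is an added example, not ESET's tooling and not anything taken from the MirrorFace report: it parses a Windows Sandbox configuration file (.wsb, a small XML document) for the settings that make such a chain work (a LogonCommand that runs when the sandbox starts, a writable folder mapped from the host, and networking left enabled), and it flags a process command line or destination hostname consistent with a VS Code tunnel being started. The .wsb sample and the telemetry lines are constructed; the dev-tunnel hostname suffixes are assumed from VS Code's public documentation rather than from this page.

```python
"""Hunting helpers for the Windows Sandbox and VS Code remote-tunnel techniques
described above. Added example; not ESET's code and not MirrorFace tooling."""
import re
import xml.etree.ElementTree as ET

# Constructed sample Windows Sandbox configuration (.wsb). The paths are invented.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\stage</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd /c C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\run.bat</Command>
  </LogonCommand>
</Configuration>"""


def triage_wsb(xml_text):
    """Return a list of findings for one .wsb file.

    Three settings together let a sandbox act as a detached execution
    environment: a LogonCommand (runs automatically when the sandbox starts),
    a writable mapped folder (file exchange between host and sandbox), and
    networking not disabled (Windows Sandbox enables it unless
    <Networking>Disable</Networking> is set). An empty list means none of
    these heuristics fired.
    """
    root = ET.fromstring(xml_text)
    findings = []
    cmd = root.findtext("./LogonCommand/Command")
    if cmd and cmd.strip():
        findings.append("LogonCommand runs at sandbox start: " + cmd.strip())
    net = (root.findtext("Networking") or "Default").strip().lower()
    if net != "disable":
        findings.append("Networking not disabled (value: %s)" % net)
    for mf in root.iterfind("./MappedFolders/MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        if host and not read_only:
            findings.append("Writable mapped folder: " + host)
    return findings


# VS Code starts a remote tunnel from the command line as `code tunnel ...`
# (code.exe / code.cmd on Windows). Benign invocations such as `code .` or
# `code C:\proj` carry no `tunnel` subcommand.
_TUNNEL_CMD = re.compile(r'\bcode(?:\.exe|\.cmd)?"?\s+.*?\btunnel\b', re.IGNORECASE)

# Hostname suffixes of the Microsoft dev-tunnel service that VS Code remote
# tunnels connect through. Assumed from VS Code's public documentation, not
# taken from the ESET report; adjust to what your own proxy/DNS logs show.
_TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")


def is_vscode_tunnel_cmd(cmdline):
    """True if a process command line looks like a VS Code tunnel being started."""
    return bool(_TUNNEL_CMD.search(cmdline))


def is_tunnel_domain(host):
    """True if a destination hostname belongs to the dev-tunnel service."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in _TUNNEL_DOMAINS)


if __name__ == "__main__":
    for finding in triage_wsb(SAMPLE_WSB):
        print("[wsb]", finding)
    # Constructed telemetry: one process command line and one DNS query name.
    print("[proc]", is_vscode_tunnel_cmd(
        r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms'))
    print("[dns] ", is_tunnel_domain("global.rel.tunnels.api.visualstudio.com"))
```

Feed `triage_wsb` any .wsb files found on disk (they are plain XML, so endpoint telemetry that records file writes with that extension is enough to collect them), and run the two `is_*` checks over process-creation and DNS/proxy logs. None of these signals is malicious on its own, since developers do use both features; the point is that a LogonCommand plus a writable mapped folder plus a tunnel from a diplomatic workstation is the combination worth a ticket.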

Between June and September 2024, ESET observed MirrorFace conducting multiple spearphishing campaigns. Based on ESET data, the attackers primarily gained initial access by tricking targets into opening malicious attachments or links, then leveraged legitimate applications and tools to stealthily install their malware. Specifically, in Operation AkaiRyū, MirrorFace abused applications developed by McAfee and by JustSystems to run ANEL. ESET was unable to determine how MirrorFace exported the data, or whether and how it was exfiltrated.

ESET Research collaborated with the affected Central European diplomatic institute and performed a forensic investigation. The close collaboration with the affected organization provided a rare, in-depth view of post-compromise activities that would otherwise have gone unseen. ESET Research presented the results of this analysis at the Japan Security Analyst Conference (JSAC) in January 2025.

Tags: AkaiRyū, AsyncRAT, China, Dominik Breitenbacher, ESET, European diplomats, Expo 2025, MirrorFace