Listen to this Post
A New Frontier in Cyber Espionage
The Chinese state-sponsored cyber threat group MirrorFace, also known as Earth Kasha, has been detected targeting a Central European diplomatic institute, according to cybersecurity firm ESET. This marks the group’s first known attack against a European entity, signaling a shift in its operations. Traditionally focused on Japanese governmental and private sector organizations, MirrorFace is believed to be a subgroup of APT10, a well-documented Chinese cyber espionage collective.
The attack, dubbed Operation AkaiRyū (Red Dragon), utilized a combination of spearphishing emails, sophisticated malware, and remote access tools. The group leveraged both older and newly developed hacking techniques, demonstrating an evolving arsenal. One of the key lures used in the attack was the upcoming Expo 2025 in Osaka, Japan, suggesting a continued focus on Japanese-related targets.
MirrorFace’s Advanced Attack Tactics
The cyber operation took place between June and September 2024, and researchers identified the following key attack strategies and tools:
- Use of Anel Backdoor: This malware, also known as Uppercut, was previously associated with APT10. Its presence in this attack further reinforces the theory that MirrorFace is a subgroup of APT10.
- Customized AsyncRAT Deployment: A variant of the AsyncRAT remote access Trojan was used within Windows Sandbox, an uncommon technique that enhances stealth and persistence.
- Exploitation of Microsoft OneDrive: Attackers embedded malicious links in OneDrive, directing victims to an Anel-infected file.
- HiddenFace Backdoor for Long-Term Access: This advanced malware was deployed in the later stages of the attack to maintain deep persistence.
- VS Code Tunnels for Remote Execution: The group leveraged Visual Studio Code’s remote access capabilities, allowing them to execute code discreetly.
- Signed McAfee Executable Misuse: In an earlier attack targeting a Japanese research institute, MirrorFace used a legitimate McAfee executable to sideload the Anel backdoor, a classic DLL sideloading attack.
The Breach and Its Consequences
In August 2024, MirrorFace successfully breached a Central European diplomatic institute, stealing contact information, browser autofill data, stored credit card details, and sensitive documents. Additionally, they installed multiple tools on a second system to establish deeper access within the network.
This attack highlights a few major concerns:
- Expansion of Chinese Cyber Operations Beyond Asia – While Japan remains a primary target, European institutions are now at risk.
- Advanced Malware Execution Techniques – The use of Windows Sandbox and legitimate software abuse (McAfee, VS Code) makes detection more challenging.
- Persistent Espionage Campaigns – The integration of old and new malware tools suggests long-term intelligence gathering.
What Undercode Says:
China’s Cyber Strategy: APT10’s Evolution and MirrorFace’s Role
APT10, one of China’s most notorious cyber espionage groups, has been active for over a decade, primarily targeting Japan and Western organizations. The emergence of MirrorFace as a subdivision of APT10 suggests a refinement of tactics rather than a departure from their core mission.
Key Takeaways on MirrorFace’s Evolution:
– Geopolitical Focus on Japan-Related Entities
Despite targeting a European entity, the choice of Expo 2025 as a lure shows a continued focus on Japanese interests. This aligns with China’s broader strategic objectives in the Asia-Pacific region.
– Increased Use of Advanced Stealth Techniques
The deployment of malware via Windows Sandbox is particularly notable. This technique is not commonly observed among Chinese APTs and signals a growing emphasis on evasion.
– Reliance on APT10’s Legacy Tools
The return of Anel (Uppercut) is significant. Since it is exclusive to APT10, its usage by MirrorFace reinforces the idea that these subgroups share resources and strategies.
– New Targeting Patterns Could Indicate Expansion
While APT10 has historically focused on Japan, the U.S., and major corporations, MirrorFace’s attack on a European diplomatic institute suggests a possible expansion into EU territories. If confirmed, this could reshape the threat landscape for European governmental entities.
– Potential for Future Attacks on International Events
MirrorFace’s use of Expo 2025 as bait suggests that international events may become a recurring theme in cyber espionage. Organizations involved in global summits, trade expos, and diplomatic meetings should expect heightened risks.
Why This Matters for Cybersecurity Experts
The MirrorFace attack underscores the ongoing threat posed by Chinese state-sponsored cyber operations. Cybersecurity teams in government agencies and private enterprises should take preemptive measures, such as:
✔ Strengthening email security to detect spearphishing attempts
✔ Deploying behavior-based malware detection to counter sophisticated RATs
✔ Monitoring OneDrive and cloud-based services for unusual activity
✔ Restricting remote access tools like VS Code tunnels in high-security environments
As geopolitical tensions persist, Chinese APTs will continue refining their tactics. Organizations worldwide must stay vigilant and proactive to mitigate these evolving threats.
Fact Checker Results
✔ MirrorFace’s affiliation with APT10 is strongly supported by malware similarities, especially with the Anel backdoor.
✔ ESET’s report confirms the first known European targeting by MirrorFace, but further evidence is needed to determine the full extent of its operations in the region.
✔ The use of Expo 2025 as a phishing lure aligns with past Chinese APT tactics, which often exploit major events to enhance their attack success rates.
References:
Reported By: https://www.securityweek.com/chinese-hacking-group-mirrorface-targeting-europe/
Extra Source Hub:
https://www.medium.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





