In August 2024, ESET researchers detected cyberespionage activity by the China-aligned MirrorFace advanced persistent threat (APT) group against a Central European diplomatic institute, in connection with Expo 2025 in Osaka, Japan. It is the first known instance of MirrorFace targeting a European entity; the group otherwise focuses on organizations in Japan. The campaign, named Operation AkaiRyū, exposed new tactics, techniques, and procedures (TTPs): a heavily customized AsyncRAT, the return of ANEL (a backdoor previously associated with APT10), and a complex execution chain.
During the investigation of the diplomatic institute case, ESET researchers worked with the affected institute on a forensic analysis of the compromise. The findings were presented at the Japan Security Analyst Conference (JSAC) in January 2025. The analysis focused on MirrorFace's post-compromise activity, documenting the group's methods and tooling.
MirrorFace, also known as Earth Kasha, has been active since at least 2019 and is primarily focused on espionage and the exfiltration of files of interest. The group has targeted media, defense-related companies, think tanks, diplomatic organizations, financial institutions, academic institutions, and manufacturers. Before Operation AkaiRyū, MirrorFace targeted Japanese political entities in a spearphishing campaign.
The use of ANEL, a backdoor previously associated with APT10, and the deployment of a heavily customized variant of AsyncRAT within Windows Sandbox were among the key elements of MirrorFace’s operations in 2024. The group also abused the remote tunnels feature of Visual Studio Code to establish access to compromised machines. Additionally, HiddenFace, another backdoor used by MirrorFace, was deployed in the later stages of the attack to maintain persistence.
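The two living-off-the-land techniques named above, Visual Studio Code remote tunnels and Windows Sandbox, are both legitimate Microsoft features, so they are best caught from process-creation telemetry rather than file hashes. The following hunting snippet is an added example written for this page, not ESET's code or a sample from the campaign: it scans constructed process-start records for the VS Code CLI being launched with the `tunnel` subcommand and for `WindowsSandbox.exe` being started with a `.wsb` configuration file, and it parses a constructed `.wsb` file to see whether its logon command, writable mapped folders, and networking would let a payload inside the sandbox reach the host and the internet. The event shape, paths, and the `USER_WRITABLE` path list are assumptions, not facts from the report.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample process-creation records (not real telemetry), shaped like
# a Sysmon Event ID 1 / EDR process-start event reduced to the fields used here.
SAMPLE_EVENTS = [
    {"ts": "2024-08-20T09:12:03Z",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
    {"ts": "2024-08-20T09:40:51Z",
     "image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name alice-pc"},
    {"ts": "2024-08-20T09:41:12Z",
     "image": r"C:\Windows\System32\WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\alice\AppData\Local\Temp\run.wsb'},
    {"ts": "2024-08-20T10:02:00Z",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed .wsb file (an assumption for illustration, not one from the campaign).
# Windows Sandbox reads this XML: a LogonCommand runs at sandbox start, a mapped
# folder with ReadOnly=false gives the sandbox write access to a host directory,
# and Networking other than "Disable" gives it internet access.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\alice\AppData\Local\Temp\stage</HostFolder>
      <SandboxFolder>C:\stage</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\stage\launch.cmd</Command>
  </LogonCommand>
</Configuration>"""

VSCODE_CLI = {"code.exe", "code-tunnel.exe", "code.cmd"}   # VS Code CLI images
# Assumed user-writable locations; a CLI copied here is more suspect than the
# installed one under Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")


def classify_event(ev):
    """Return a hunting tag for one process-start event, or None if benign."""
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"].lower()
    tokens = [t.strip('"') for t in re.findall(r"\S+", cmd)]
    if image in VSCODE_CLI and "tunnel" in tokens:
        tag = "vscode_remote_tunnel"
        if "service" in tokens:            # "code tunnel service install" persists it
            tag += "+service"
        if any(p in ev["image"].lower() for p in USER_WRITABLE):
            tag += "+user_writable_binary"
        return tag
    if image == "windowssandbox.exe" and any(t.endswith(".wsb") for t in tokens):
        tag = "windows_sandbox_config"
        if any(p in cmd for p in USER_WRITABLE):
            tag += "+user_writable_config"
        return tag
    return None


def hunt(events):
    """Return (timestamp, tag) for every event that classify_event flags."""
    return [(ev["ts"], tag) for ev in events if (tag := classify_event(ev))]


def parse_wsb(text):
    """Pull the host-exposure settings out of a Windows Sandbox .wsb file."""
    root = ET.fromstring(text)
    cmd = root.findtext("LogonCommand/Command")
    writable = [mf.findtext("HostFolder") for mf in root.iter("MappedFolder")
                if (mf.findtext("ReadOnly") or "false").strip().lower() == "false"]
    networking = (root.findtext("Networking") or "Default").strip().lower()
    net_on = networking != "disable"
    return {"logon_command": cmd,
            "writable_host_folders": writable,
            "networking_enabled": net_on,
            # A logon command that can touch the host disk or the network is the
            # combination that lets a sandboxed implant operate against the host.
            "risky": bool(cmd) and (bool(writable) or net_on)}


if __name__ == "__main__":
    for ts, tag in hunt(SAMPLE_EVENTS):
        print(ts, tag)
    print(parse_wsb(SAMPLE_WSB))
```

Both checks are hunting signals, not verdicts: developers do run `code tunnel`, and Windows Sandbox has legitimate uses, so review hits against an allowlist of expected hosts and pair them with network telemetry for the dev tunnels service endpoints (`global.rel.tunnels.api.visualstudio.com` and `*.devtunnels.ms`). Since the file and the process both live on the host, a sandbox launch from a user-writable directory together with a `.wsb` that maps a writable folder and runs a logon command is the pattern worth escalating.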
The Operation AkaiRyū attacks began with carefully crafted spearphishing emails designed to lure recipients into opening malicious attachments or clicking on links. The investigation found that MirrorFace used legitimate applications and tools to install its malware stealthily, and that, while the group remained focused on Japan, it extended its targeting to a Central European diplomatic institute for the first time.
The forensic analysis of the compromise revealed detailed insights into MirrorFace’s post-compromise activities, showcasing the deployment of various tools and malware on compromised machines. The group selectively deployed tools based on the roles of the targeted employees, aiming to steal personal data and gain network access.
In conclusion, the Operation AkaiRyū attacks exemplify