ESET Research uncovers Operation AkaiRyū: China-aligned MirrorFace targets European diplomats using Expo 2025 as a lure
Created: 2025-03-19 03:26:50
- ESET discovered a cyberespionage operation by the China-aligned MirrorFace advanced persistent threat (APT) group against a Central European diplomatic institute in relation to upcoming Expo 2025 in Japan.
- MirrorFace has refreshed both its tooling and tactics, techniques, and procedures (TTPs).
- To our knowledge, this represents the first time that MirrorFace has targeted a European entity.
- MirrorFace has started using ANEL, a backdoor previously associated exclusively with APT10, and deployed a heavily customized variant of AsyncRAT, using a complex execution chain to run it inside Windows Sandbox.
BRNO, BRATISLAVA — March 18, 2025 — ESET researchers have detected cyberespionage activity carried out by the China-aligned MirrorFace APT group against a Central European diplomatic institute in relation to Expo 2025, which will be held this year in Osaka, Japan. Known primarily for its cyberespionage activities against organizations in Japan, to the best of our knowledge, this is the first time MirrorFace has shown intent to infiltrate a European entity. The campaign was uncovered in Q2 and Q3 of 2024 and named Operation AkaiRyū (Japanese for RedDragon) by ESET; it showcases refreshed TTPs that ESET Research observed throughout last year.
“MirrorFace targeted a Central European diplomatic institute. To our knowledge, this is the first, and, to date, only time MirrorFace has targeted an entity in Europe,” says ESET researcher Dominik Breitenbacher, who investigated the AkaiRyū campaign.
MirrorFace operators set up their spearphishing attack by crafting an email message that references a previous, legitimate interaction between the institute and a Japanese NGO. During this attack, the threat actor used the upcoming World Expo 2025 – to be held in Osaka, Japan – as a lure. This further shows that even considering this new broader geographic targeting, MirrorFace remains focused on Japan and events related to it. Before the attack on this European diplomatic institute, MirrorFace targeted two employees at a Japanese research institute, using a malicious, password-protected Word document delivered in an unknown manner.
During the analysis of Operation AkaiRyū, ESET discovered that MirrorFace has significantly refreshed its TTPs and tooling. MirrorFace started using ANEL (also referred to as UPPERCUT) – a backdoor considered exclusive to APT10 – that was believed to be abandoned years ago; however, the latest activity strongly suggest that the development of ANEL has restarted. ANEL supports basic commands for file manipulation, payload execution, and taking screenshots.
“The use of ANEL also provides further evidence in the ongoing debate about the potential connection between MirrorFace and APT10. The fact that MirrorFace has started using ANEL, along with the other previously identified information, such as similar targeting and malware code similarities, led us to make a change in our attribution: we now believe that MirrorFace is a subgroup under the APT10 umbrella,” adds Breitenbacher.
Additionally, MirrorFace deployed a heavily customized variant of AsyncRAT, embedding this malware into a newly observed, intricate execution chain that runs the RAT inside Windows Sandbox. This method effectively obscures the malicious activities from security controls abilities to detect the compromise. In parallel to the malware, MirrorFace also started deploying Visual Studio Code (VS Code) to abuse its remote tunnels feature. Remote tunnels enable MirrorFace to establish stealthy access to the compromised machine, execute arbitrary code, and deliver other tools. Finally, MirrorFace has continued to employ its current flagship backdoor, HiddenFace, further bolstering persistence on compromised machines.
Between June and September 2024, ESET observed MirrorFace conducting multiple spearphishing campaigns. Based on ESET data, the attackers primarily gained initial access by tricking targets into opening malicious attachments or links, then they leveraged legitimate applications and tools to stealthily install their malware. Specifically, in Operation AkaiRyū, MirrorFace abused both McAfee-developed applications and also one developed by JustSystems to run ANEL. ESET was unable to determine how MirrorFace exported the data, and whether or how the data was exfiltrated.
ESET Research collaborated with the affected Central European diplomatic institute and performed a forensic investigation. The close collaboration with the affected organization provided a rare, in-depth view of post-compromise activities that would have otherwise gone unseen. ESET Research presented the results of this analysis at the Joint Security Analyst Conference (JSAC) in January 2025.
For a more detailed analysis and technical breakdown of MirrorFace’s Operation AkaiRyū, check out the latest ESET Research blogpost “Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
MirrorFace’s AsyncRAT execution chain
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.