The China-aligned APT group has conducted a cyber-espionage operation against a diplomatic institute in Central Europe, marking its first known attack on the continent. The action was carried out using advanced spearphishing techniques
Milan, 18 March 2025 – The researchers of ESET, a global European leader in the cybersecurity market, have identified a cyber-espionage operation conducted by the China-aligned APT group MirrorFace against a Central European diplomatic institute, using Expo 2025, which takes place this year in Osaka, Japan, as a lure.
Known mainly for its cyber espionage activities against Japanese organizations, MirrorFace appears to have turned its attention to a diplomatic institution in Europe for the first time. The campaign, discovered between the second and third quarters of 2024, was dubbed Operation AkaiRyū (Japanese for Red Dragon) and revealed a significant update to the group's tactics, techniques and procedures (TTPs).
"MirrorFace has targeted a diplomatic institution in Central Europe. To our knowledge, this is the first and so far only time that this group has targeted a diplomatic institution in Europe," says Dominik Breitenbacher, a researcher at ESET who analyzed the AkaiRyū campaign.
MirrorFace attackers orchestrated a spearphishing attack, creating an email that simulated a previous legitimate interaction between the diplomatic institute and a Japanese NGO. The decoy message exploited the Expo 2025 event in Osaka, confirming that despite the new geographical focus, MirrorFace continues to focus on Japan-related objectives.
Before targeting the European diplomatic institute, the group had already targeted two employees of a Japanese research institute, sending them a malicious password-protected Word document, although the delivery method of the file remains unknown.
While analyzing Operation AkaiRyū, ESET found that MirrorFace has significantly updated its tools and techniques. The group began using ANEL (also known as UPPERCUT), a backdoor previously considered exclusive to APT10 and believed to have been abandoned for years. However, more recent activities strongly suggest that its development has resumed. ANEL allows the execution of basic commands for manipulating files, executing payloads and taking screenshots.
"The use of ANEL provides further elements in the ongoing debate on the possible connection between MirrorFace and APT10. The fact that MirrorFace has started using ANEL, together with other information that has already emerged - such as the similarity in malware targets and code - has led us to revise our attribution: we now believe that MirrorFace is a subgroup of APT10," adds Breitenbacher.
Furthermore, MirrorFace distributed a highly customized variant of AsyncRAT, embedding this malware into a recently observed, complex execution chain, which executes it inside the Windows Sandbox. This method effectively masks malicious activity, making it difficult for security audits to detect.
In addition to the malware, MirrorFace has started leveraging Visual Studio Code (VS Code) to abuse the remote tunnels feature. This technique allows the group to establish stealthy access to the compromised system, execute arbitrary code, and distribute additional tools. Finally, MirrorFace continued to use its current flagship backdoor, HiddenFace, further strengthening persistence on compromised devices.
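The two living-off-the-land techniques just described, VS Code remote tunnels and payload execution inside Windows Sandbox, both leave process-creation traces that a defender can hunt for. The script below is an added example, not ESET's code or anything from the report: it classifies constructed Sysmon-style events (image | parent | command line) and flags `code tunnel` invocations and `WindowsSandbox.exe` launches with a `.wsb` configuration file; the file paths and event format are assumptions.

```python
"""Added example (not ESET's code): flag process-creation events matching the
VS Code remote-tunnel and Windows Sandbox techniques in a constructed log."""
import re
from typing import List, Tuple

# Constructed sample events in "image | parent | command line" form; hypothetical paths.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe | C:\Windows\System32\userinit.exe | explorer.exe",
    r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe | C:\Windows\System32\cmd.exe | code.exe tunnel --accept-server-license-terms",
    r"C:\Windows\System32\WindowsSandbox.exe | C:\Windows\System32\cmd.exe | WindowsSandbox.exe C:\Users\alice\AppData\Local\Temp\config.wsb",
    r"C:\Windows\System32\notepad.exe | C:\Windows\explorer.exe | notepad.exe notes.txt",
]

# "code tunnel" is the real VS Code CLI verb that starts a remote tunnel;
# WindowsSandbox.exe accepts a .wsb configuration file as its argument.
TUNNEL_RE = re.compile(r"(^|\\|\s)code(\.exe)?\s+tunnel\b", re.IGNORECASE)
SANDBOX_RE = re.compile(r"windowssandbox\.exe\s+\S+\.wsb\b", re.IGNORECASE)


def parse_event(line: str) -> Tuple[str, str, str]:
    """Split one constructed event into (image, parent image, command line)."""
    image, parent, cmdline = (part.strip() for part in line.split("|", 2))
    return image, parent, cmdline


def classify(line: str) -> List[str]:
    """Return the findings for one event; an empty list means nothing suspicious."""
    image, parent, cmdline = parse_event(line)
    findings: List[str] = []
    if TUNNEL_RE.search(cmdline):
        findings.append("vscode_remote_tunnel")
    if image.lower().endswith("windowssandbox.exe") and SANDBOX_RE.search(cmdline):
        findings.append("windows_sandbox_with_wsb_config")
    # Either technique launched from a shell rather than an interactive logon is a stronger signal.
    if findings and parent.lower().endswith(("cmd.exe", "powershell.exe")):
        findings.append("spawned_from_shell")
    return findings


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (image, findings) for every event that produced at least one finding."""
    return [(parse_event(e)[0], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, why in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(why))
```

Both signals are legitimate features in normal use, so treat a hit as a triage lead to correlate with the parent process and the user account, not as proof of compromise.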
Between June and September 2024, ESET observed multiple spearphishing campaigns conducted by MirrorFace. According to the data collected, attackers gained initial access by tricking victims into opening malicious attachments or links, then abusing legitimate applications and tools to install the malware stealthily. As part of Operation AkaiRyū, MirrorFace abused both applications developed by McAfee and an application built by JustSystems to run ANEL. However, ESET was unable to determine with certainty which data was collected, or whether and how it was exfiltrated.
ESET Research collaborated with the Central European diplomatic institute affected by the attack, conducting an in-depth forensic analysis. This close collaboration has allowed us to gain in-depth insight into post-compromise activities, which are usually difficult to detect. The results of the analysis were presented in January 2025 during the Joint Security Analyst Conference (JSAC).
For a more detailed technical analysis of Operation AkaiRyū, please see the ESET Research blog post “Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor” on WeLiveSecurity.com and follow ESET Research on Twitter (X) for updates on the latest ESET research news.