ESET researchers have uncovered a new cyberespionage campaign, Operation AkaiRyū (translated as RedDragon), carried out by the China-aligned advanced persistent threat (APT) group MirrorFace.
MirrorFace has traditionally focused on Japan; the observed campaign is notable for its expansion into Europe, specifically the targeting of a Central European diplomatic institute in connection with Expo 2025, a major international event scheduled to take place in Osaka, Japan. This is the first known instance of MirrorFace targeting a European entity.
MirrorFace, also known as Earth Kasha, has been active since at least 2019 and has previously targeted Japanese organizations, including media outlets, defense-related companies, think tanks, diplomatic entities, financial institutions, and academic institutions. The group primarily engages in espionage, focusing on exfiltrating sensitive data. It is the only known APT group using the LODEINFO and HiddenFace backdoors.
In Operation AkaiRyū, the group has changed its tactics, techniques, and procedures (TTPs), returning to the ANEL backdoor, previously believed to have been abandoned after 2018.
In August 2024, the group initiated a spearphishing attack against a Central European diplomatic institute in relation to Expo 2025. The spearphishing emails were crafted to appear legitimate, referencing the upcoming Expo event in Japan. Once the target engaged, MirrorFace sent a malicious link that led to a ZIP archive containing an LNK file disguised as a Word document. Opening the LNK file started a multi-stage compromise chain.
A notable aspect of this campaign was the revival of the ANEL backdoor, previously associated with APT10. The backdoor had been considered obsolete, but its use in the observed attack suggests that its development was renewed, with updated versions (5.5.0 and 5.5.4) surfacing in 2024. The use of ANEL strengthens the connection between MirrorFace and APT10, with shared tools and similar targeting behaviors now leading researchers to classify MirrorFace as a subgroup under APT10.
In addition to ANEL, MirrorFace deployed a heavily customized version of AsyncRAT. This Remote Access Trojan (RAT) was integrated into a new, intricate execution chain that involved running the RAT inside a Windows Sandbox.
MirrorFace started using VS Code's remote tunnels feature, allowing the attackers to establish covert access to compromised systems. This enables them to execute arbitrary code and install additional malware, further obscuring their activities.
The group continued to use its flagship backdoor, HiddenFace, to maintain persistence on compromised machines. HiddenFace was deployed in the later stages of the attack, after ANEL, which served as the initial foothold.
MirrorFace's primary method of gaining initial access in 2024 involved spearphishing. The attackers crafted email messages that appeared to come from trusted sources, often referring to legitimate interactions or events, such as Expo 2025. Once the target engaged with the emails, malicious attachments or links were sent, leading to further compromise.
The attackers abused legitimately signed McAfee and JustSystems executables to load ANEL into memory: a malicious DLL is placed beside the signed binary so that it is picked up when the binary starts (DLL side-loading), and the backdoor never touches disk as a standalone file. In one case, the malicious Word document contained VBA code that was triggered by a mouseover event, which then installed ANEL.
Once the target opened the LNK file, a multi-stage process was triggered: the LNK ran PowerShell commands that dropped additional files, including a Word document that loaded a malicious template containing VBA code. That code then executed the ANEL backdoor, giving the attackers control of the compromised machine.
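The tradecraft described above (an LNK launching PowerShell, Word spawning a child process, a signed binary side-loading an unsigned DLL, the VS Code `tunnel` subcommand, and Windows Sandbox) is all visible in ordinary endpoint telemetry. The following is an added example written for this page, not code from ESET or from the report; it runs a handful of detection rules over constructed Sysmon-style process-creation and image-load records. Every path, file name, user name and vendor directory in the sample events is a placeholder invented for the example, not an indicator from the campaign, and the VS Code binary names `code.exe` / `code-tunnel.exe` are assumed.

```python
"""Toy detection pass over constructed endpoint telemetry.

The records mimic Sysmon process-creation and image-load events. All
sample data below is constructed for this example; nothing in it is an
indicator of compromise from the ESET report.
"""

import re
from dataclasses import dataclass

# Directories a standard user can write to; a signed binary running from
# here and loading an unsigned DLL next to itself is the side-loading tell.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Windows\\Temp|ProgramData)\\",
    re.I,
)

# Flags and cmdlets that a PowerShell one-liner launched from an LNK tends to use.
PS_SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|-nop\b|-noprofile\b"
    r"|\biex\b|invoke-expression|downloadstring)",
    re.I,
)

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_CHILD_ALLOW = {"splwow64.exe"}  # printing helper; extend per environment


@dataclass
class Event:
    kind: str                 # "process" (EID 1) or "imageload" (EID 7)
    image: str                # full path of the process image
    parent: str = ""          # parent image (process events)
    cmdline: str = ""         # command line (process events)
    loaded: str = ""          # DLL path (imageload events)
    image_signed: bool = True
    loaded_signed: bool = True


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def check_lnk_powershell(ev: Event) -> bool:
    """Explorer (i.e. a double-clicked LNK) starting PowerShell with a hidden
    window or encoded command."""
    return bool(ev.kind == "process"
                and basename(ev.image) in ("powershell.exe", "pwsh.exe")
                and basename(ev.parent) == "explorer.exe"
                and PS_SUSPICIOUS.search(ev.cmdline))


def check_office_child(ev: Event) -> bool:
    """An Office application spawning a process: the usual footprint of VBA."""
    return bool(ev.kind == "process"
                and basename(ev.parent) in OFFICE
                and basename(ev.image) not in OFFICE_CHILD_ALLOW)


def check_sideload(ev: Event) -> bool:
    """A signed executable in a user-writable directory loading an unsigned
    DLL from the same directory."""
    return bool(ev.kind == "imageload"
                and ev.image_signed and not ev.loaded_signed
                and ev.loaded.lower().endswith(".dll")
                and dirname(ev.image) == dirname(ev.loaded)
                and USER_WRITABLE.search(ev.image))


def check_vscode_tunnel(ev: Event) -> bool:
    """The VS Code CLI started with the `tunnel` subcommand (binary names assumed)."""
    return bool(ev.kind == "process"
                and basename(ev.image) in ("code.exe", "code-tunnel.exe")
                and re.search(r"\btunnel\b", ev.cmdline, re.I))


def check_sandbox(ev: Event) -> bool:
    """Windows Sandbox launched, or any process handed a .wsb configuration."""
    return bool(ev.kind == "process"
                and (basename(ev.image) == "windowssandbox.exe"
                     or re.search(r"\.wsb\b", ev.cmdline, re.I)))


RULES = {
    "lnk_powershell": check_lnk_powershell,
    "office_child_process": check_office_child,
    "dll_sideload": check_sideload,
    "vscode_tunnel": check_vscode_tunnel,
    "windows_sandbox": check_sandbox,
}


def scan(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (placeholders only; not real indicators).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SIGNED_BIN = r"C:\Users\alice\AppData\Roaming\vendor\updater.exe"
SAMPLE_EVENTS = [
    Event("process", PS, parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -w hidden -nop -enc SQBFAFgA..."),
    Event("process", WORD, parent=PS,
          cmdline=r'WINWORD.EXE "C:\Users\alice\AppData\Local\Temp\invitation.docx"'),
    Event("process", SIGNED_BIN, parent=WORD, cmdline="updater.exe"),
    Event("imageload", SIGNED_BIN, loaded=r"C:\Users\alice\AppData\Roaming\vendor\helper.dll",
          image_signed=True, loaded_signed=False),
    Event("process", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline="code.exe tunnel --accept-server-license-terms"),
    Event("process", r"C:\Windows\System32\WindowsSandbox.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"WindowsSandbox.exe C:\Users\alice\AppData\Local\Temp\run.wsb"),
    # Two benign records that must not fire.
    Event("process", PS, parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe"),
    Event("imageload", r"C:\Program Files\Vendor\app.exe",
          loaded=r"C:\Program Files\Vendor\lib.dll", image_signed=True, loaded_signed=True),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  {basename(SAMPLE_EVENTS[idx].image)}")
```

The rules are deliberately narrow: the side-loading check only fires when the signed binary itself lives in a user-writable directory, which is where a dropped McAfee or JustSystems executable would sit, and the PowerShell check keys on Explorer as the parent so that scripts run from a console or scheduler are not flagged. Each is a starting point to tune against your own baseline rather than a finished signature.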