MirrorFace APT: A Persistent Cyber Threat Targeting Japan
A Long-Running Espionage Operation
Japan's cybersecurity landscape has faced an ongoing challenge in the form of MirrorFace APT, a cyber-espionage group that Japanese authorities attribute to China. The group has been conducting targeted attacks since at least 2019, focusing on organizations, businesses, and high-profile individuals across Japan. The National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have identified MirrorFace as a major actor in operations aimed at collecting intelligence on national security and advanced technology.
MirrorFace and Its Connections to APT10
MirrorFace, also known as Earth Kasha, is considered an affiliate of the larger APT10 group, which has a history of conducting cyber-espionage activities against multiple nations. The group has utilized an array of custom and publicly available tools to execute its operations, including ANEL, LODEINFO, and NOOPDOOR (also referred to as HiddenFace).
The threat group is known for employing spear-phishing tactics and exploiting security vulnerabilities to infiltrate targeted systems. While Japan remains the primary focus, its operations have also been observed in Taiwan and India, suggesting a broader strategic interest.
Campaigns Unfolding Over Time
MirrorFace's activities have been categorized into three distinct campaigns, each employing specific techniques and tools to breach networks and exfiltrate data:
Targeting Political and Media Entities (2019–2023)
The first major campaign, spanning from December 2019 to July 2023, focused on political institutions, media outlets, government bodies, and research organizations. By deploying spear-phishing emails, the attackers distributed malicious payloads such as LODEINFO, NOOPDOOR, and a customized variant of Lilith RAT (LilimRAT), designed for information gathering and remote access.
Exploiting Security Weaknesses in Critical Industries (2023)
A second wave of attacks occurred between February and October 2023, shifting attention to industries critical to Japan's economic and technological infrastructure. Sectors such as semiconductor manufacturing, communications, aerospace, and academia were primary targets. This phase involved the exploitation of known vulnerabilities in internet-facing devices, particularly those associated with Array Networks, Citrix, and Fortinet. By leveraging these weaknesses, attackers deployed tools like Cobalt Strike Beacon, LODEINFO, and NOOPDOOR to gain a foothold within corporate networks.
Recent Tactics and Adaptation (2024–Present)
The latest known campaign, which emerged in June 2024, has once again focused on academia, research institutions, political figures, and media personnel. Spear-phishing remains the primary method of entry, with attackers delivering ANEL (also called UPPERCUT) to compromise systems and establish persistent access.
Advanced Techniques for Stealth and Persistence
MirrorFace has demonstrated an ability to adapt its tactics to bypass modern security measures. One notable technique is the use of Visual Studio Code remote tunnels. The tunnel is brokered through Microsoft's dev tunnel service over outbound HTTPS and authenticated with a GitHub or Microsoft account, so the compromised host needs no inbound port and the command-and-control traffic looks like legitimate developer activity to network monitoring.
Additionally, the group has been observed executing malicious payloads inside Windows Sandbox, a built-in feature intended for safely testing untrusted applications. The sandbox is a disposable lightweight virtual machine: a .wsb configuration file controls which host folders are mapped into it and which command runs automatically at logon, security products running on the host have no visibility into processes inside it, and everything inside it is discarded when the sandbox is closed. Running the payload there leaves little for forensic analysis to recover afterwards; the artifacts that do survive on the host are the .wsb file, the enabled sandbox feature, and any folder that was mapped read-write.
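The two techniques above both leave host-side telemetry before anything is hidden. The script below is an added example, not code from the NPA/NISC advisory or from any MirrorFace sample: it runs two checks over constructed Sysmon-style process-creation records (the `code tunnel` command line that starts a VS Code remote tunnel, and a `WindowsSandbox.exe` launch from a script host with a `.wsb` file in a user-writable directory) and then inspects a constructed `.wsb` file for the settings that matter (an automatic `LogonCommand`, a read-write mapped host folder, networking left enabled). The field names, sample paths and the assumption that the tunnel binary is called `code.exe` or `code-tunnel.exe` are illustrative; adapt them to your own telemetry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon-style process-creation records (not real incident data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" --new-window',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms --name host-01",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\alice\AppData\Local\Temp\run.wsb',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

# Constructed .wsb file of the kind a dropper might write before starting the sandbox.
SAMPLE_WSB = """<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\alice\\AppData\\Local\\Temp\\stage</HostFolder>
      <SandboxFolder>C:\\stage</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd /c C:\\stage\\launch.bat</Command>
  </LogonCommand>
</Configuration>"""

# "code tunnel ..." is the CLI form of a VS Code remote tunnel. The binary name is an
# assumption: the standalone CLI is usually code.exe or code-tunnel.exe and can be dropped anywhere.
TUNNEL_RE = re.compile(r'(?:^|[\\/"\s])(?:code|code-tunnel)(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def flag_vscode_tunnel(event):
    """Return a finding if the process starts a VS Code remote tunnel, else None."""
    cmd = event.get("CommandLine", "")
    if not TUNNEL_RE.search(cmd):
        return None
    reason = "VS Code remote tunnel started"
    if "--accept-server-license-terms" in cmd:
        reason += " non-interactively (--accept-server-license-terms)"
    parent = _basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reason += f", spawned by {parent}"
    return reason


def flag_sandbox_launch(event):
    """Return a finding for a Windows Sandbox launch that does not look interactive, else None."""
    if _basename(event.get("Image", "")) != "windowssandbox.exe":
        return None
    cmd = event.get("CommandLine", "")
    reasons = []
    m = re.search(r'(?i)("[^"]+\.wsb"|\S+\.wsb)', cmd)
    if m:
        wsb = m.group(1).strip('"')
        if any(p in wsb.lower() for p in USER_WRITABLE):
            reasons.append(f"config {wsb} lives in a user-writable directory")
    parent = _basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host {parent}")
    if not reasons:
        return None  # a user double-clicking a .wsb in Documents stays quiet
    return "Windows Sandbox " + "; ".join(reasons)


def analyze_wsb(xml_text):
    """List the settings in a .wsb file that give code inside the sandbox a foothold."""
    findings = []
    root = ET.fromstring(xml_text)
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(f"LogonCommand runs automatically at sandbox start: {cmd.strip()}")
    for mf in root.iterfind("MappedFolders/MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        # ReadOnly defaults to false in the .wsb schema, so a missing element means writable.
        if (mf.findtext("ReadOnly") or "false").strip().lower() == "false":
            findings.append(f"host folder {host} mapped read-write (sandbox can write to the host)")
    if (root.findtext("Networking") or "default").strip().lower() != "disable":
        findings.append("networking is enabled inside the sandbox (outbound C2 possible)")
    return findings


def scan(events):
    """Run both process checks and return (event index, finding) pairs."""
    hits = []
    for i, ev in enumerate(events):
        for check in (flag_vscode_tunnel, flag_sandbox_launch):
            hit = check(ev)
            if hit:
                hits.append((i, hit))
    return hits


if __name__ == "__main__":
    for idx, text in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {text}")
    for text in analyze_wsb(SAMPLE_WSB):
        print(f"wsb: {text}")
```

On the network side, a VS Code tunnel terminates at Microsoft's dev tunnel infrastructure (`*.devtunnels.ms` and the tunnels API under `visualstudio.com`), so outbound connections to those domains from servers or workstations that have no development role are a complementary signal; the process check above is what gives you the host and the account that started it.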
Implications for Cybersecurity and Defense
The continued operations of MirrorFace highlight the evolving cyber threats facing Japan and the wider Asia-Pacific region. Given the group's focus on national security, technology, and industry, its activities could have significant implications for both governmental policies and private-sector security strategies.
Organizations operating in high-risk sectors must remain vigilant and adopt proactive measures against this kind of intrusion. Given the campaigns described above, that means hardening email against spear-phishing, promptly patching internet-facing devices such as the Array Networks, Citrix, and Fortinet appliances the group has exploited, and monitoring endpoints for the living-off-the-land techniques it favors, including VS Code remote tunnels and Windows Sandbox launches, which signature-based tools alone will not catch.
A Continuing Cyber Conflict
The activities of MirrorFace APT underline the persistent nature of cyber espionage and the importance of coordinated cybersecurity efforts. While authorities have been able to track and analyze the group's methods, the ongoing challenge remains in mitigating its impact and staying ahead of future attacks. As threat actors continue refining their techniques, nations and organizations must enhance their defenses to protect sensitive information from unauthorized access.