MirrorFace (G1054) - PRC-Aligned Cyberespionage Group with Evolving TTPs
- Suspected Origin
- People's Republic of China
- Motivation
- Espionage, Intelligence Collection, Data Theft
- Aliases
- Earth Kasha
- Target Sectors
- Media, Defense, Diplomatic, Financial, Manufacturing, Academic, Government Agencies, Research Institutions, Think Tanks, Technology Firms, Public Institutions
- Associated Malware
- LODEINFO, HiddenFace, UPPERCUT (ANEL), AsyncRAT, MirrorStealer, Cobalt Strike, GOSICLOADER, SharpHide, FaceXInjector, GO Simple Tunnel (GOST), RoamingMouse, ANELLDR
Overview
MirrorFace, identified by its MITRE ATT&CK ID G1054, is a persistent and sophisticated cyberespionage group strongly aligned with the People’s Republic of China (PRC). Also known by the alias Earth Kasha, this threat actor is believed to operate as a subgroup under the broader APT10 (menuPass) umbrella, a connection reinforced by observed overlaps in targeting, tools, and infrastructure. MirrorFace has maintained an active presence in the threat landscape since at least 2019, primarily driven by motivations of cyberespionage, intelligence collection, and the exfiltration of sensitive data.
Initially, MirrorFace’s operations were almost exclusively focused on Japanese organizations, spanning critical sectors such as media, defense, diplomatic institutions, finance, manufacturing, and academia. However, intelligence gathered from recent campaigns indicates a strategic expansion of their targeting beyond Japan, now including entities in Central Europe, Taiwan, and India, particularly government agencies, public institutions, and technology firms. This geographic diversification highlights MirrorFace’s adaptable nature and its continued commitment to fulfilling state-sponsored intelligence requirements.
Tactics & Techniques
MirrorFace employs a wide array of tactics, techniques, and procedures (TTPs) designed for stealthy intrusion, persistence, and data exfiltration. Their initial access typically involves meticulously crafted spear-phishing campaigns. These emails often contain malicious attachments, such as weaponized Microsoft Word or Excel documents, LNK files, or self-extracting (SFX) archives, sometimes password-protected, or they embed OneDrive URLs leading to malicious payloads. More recently, they have also leveraged exploits against vulnerabilities in public-facing applications and edge devices, including those associated with Fortigate, Array AG, and Proself.
Upon successful initial compromise, MirrorFace utilizes various execution methods. These include the use of malicious VBA macros, DLL sideloading by abusing legitimately signed executables (e.g., from McAfee or JustSystems), leveraging MSBuild with tools like FaceXInjector, and employing Windows Management Instrumentation (WMIC) for proxy execution. They also make use of native Windows tools like PowerShell and cmd.exe for command execution.
For defense evasion, MirrorFace exhibits considerable sophistication. They perform DLL sideloading, abuse digital signature verification mechanisms to append encrypted data to signed binaries, and disguise their malware payloads as legitimate files or use double file extensions like .docx.lnk. Their malware often dynamically resolves Windows APIs, restricts DLL loading to Microsoft-signed ones, and incorporates random sleep intervals to evade sandbox analysis. They also implement checks for analysis tools and debuggers, employ mutexes to ensure single instance execution, and have been observed deleting directories and tools post-compromise during operations like AkaiRyū to cover their tracks.
Discovery and reconnaissance activities involve native Windows tools such as csvde.exe, nltest.exe, quser.exe, ipconfig, Tasklist, systeminfo, and net config Workstation to enumerate system and network configurations. They also extensively search for files with specific extensions including .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf, and collect system information, user details, and screenshots. Lateral movement has been observed utilizing Visual Studio Code’s remote tunnels feature since 2024, a technique also seen with other China-aligned APT groups.
For command and control (C2), MirrorFace typically employs standard web protocols like HTTP and HTTPS, often with custom headers or cookies. They have also used custom TCP protocols, domain generation algorithms (DGAs), and DNS over HTTPS (DoH) to obscure C2 communications. To further enhance stealth, they may use proxy tools such as GO Simple Tunnel (GOST). C2 communications and internal malware modules are frequently encrypted using algorithms like Blowfish, AES, ChaCha20, XOR, LZO, and RSA-2048. Data exfiltration is performed via methods like SFTP, direct upload to C2, and through specialized credential stealers.
Notable Campaigns
MirrorFace has been associated with several significant cyberespionage campaigns demonstrating their evolving capabilities and targeting shifts:
- Operation LiberalFace (June 2022): This campaign specifically targeted Japanese political entities in the run-up to national elections. MirrorFace distributed spear-phishing emails containing their LODEINFO backdoor, which was then used to deploy additional malware, steal credentials using a tool dubbed MirrorStealer, and exfiltrate documents and emails. Researchers noted some operational sloppiness during this campaign, leaving detectable traces.
- Operation AkaiRyū (June-September 2024): Translated as “RedDragon,” this operation marked MirrorFace’s first known targeting of a European entity, specifically a Central European diplomatic institute, using the upcoming World Expo 2025 in Osaka, Japan, as a lure. The campaign also targeted a Japanese research institute. Operation AkaiRyū showcased a significant refresh in MirrorFace’s TTPs and tooling, including the revival of the ANEL (UPPERCUT) backdoor, the deployment of a heavily customized AsyncRAT variant executed within Windows Sandbox, and the use of VS Code’s remote tunnels for stealthy access and code execution.
- March 2025 Campaign: Recent intelligence indicates MirrorFace conducted a campaign in March 2025 that focused on government agencies and public institutions in Taiwan and Japan. This campaign leveraged spear-phishing to deliver an updated version of the ANEL backdoor, indicating ongoing development and adaptation of their established malware arsenal.
- Vulnerability Exploitation (2023): In 2023, MirrorFace shifted some of its initial access tactics to exploit vulnerabilities in public-facing applications on edge devices, including Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-27997). This demonstrates their willingness to diversify initial compromise vectors beyond traditional spear-phishing.
Associated Malware & Tools
MirrorFace maintains a diverse and continuously evolving malware arsenal, some of which are exclusive to the group:
- LODEINFO: This is considered MirrorFace’s flagship backdoor and has been under continuous development since its first appearance around December 2019. It is a fileless malware with extensive capabilities including arbitrary shellcode execution, taking screenshots, keylogging, process termination, file exfiltration, execution of additional files, and even encryption of specified files and folders. LODEINFO utilizes a combination of AES and Base64 for data encryption and has recently been updated to support the execution of Beacon Object Files (BOF) in memory.
- HiddenFace (aka NOOPDOOR): Developed and used exclusively by MirrorFace since at least 2021, HiddenFace is a highly sophisticated, modular backdoor. It supports both active and passive command-and-control (C2) modes, employs a Domain Generation Algorithm (DGA) and a custom TCP protocol over port 443, and reconfigures the Windows firewall for persistence. HiddenFace’s modules are AES-encrypted and it incorporates numerous anti-detection and anti-analysis techniques, such as dynamic API resolution, restricting DLL loading, random sleep intervals, and checking for analysis tools.
- UPPERCUT (aka ANEL): Originally associated with APT10, MirrorFace revived this 32-bit HTTP-based backdoor in 2024. UPPERCUT is a versatile backdoor capable of bypassing User Account Control (UAC), executing commands via
cmd.exe, performing file uploads and downloads, capturing desktop screenshots, and collecting system and user information. It uses various encryption algorithms like Blowfish, ChaCha20, XOR, and LZO for C2 communications. Its deployment often involves DLL sideloading through legitimate signed applications. - AsyncRAT: MirrorFace has deployed a heavily customized variant of AsyncRAT, often running it within a Windows Sandbox for enhanced stealth and evasion.
- MirrorStealer: This is a credential-stealing malware specifically observed in Operation LiberalFace, capable of extracting credentials from browsers and email clients.
- Cobalt Strike: MirrorFace has been seen utilizing Cobalt Strike, a legitimate penetration testing tool often abused by threat actors for post-exploitation activities, sometimes loaded via a custom Go-written shellcode loader dubbed GOSICLOADER.
- SharpHide: This open-source tool has been leveraged by MirrorFace to launch the NOOPDOOR (HiddenFace) backdoor.
- FaceXInjector: An injection tool used in conjunction with HiddenFace.
- GO Simple Tunnel (GOST): A proxy tool used by MirrorFace for C2 communications.
- RoamingMouse: A dropper malware, often delivered as a macro-enabled Excel file, observed in recent campaigns targeting Japan and Taiwan.
- ANELLDR: A loader associated with the ANEL backdoor, observed in recent campaigns.
Current Status
MirrorFace remains an active and evolving cyberespionage threat. Intelligence from April and May 2026, including updates to their MITRE ATT&CK entries, confirms their ongoing status. Recent campaigns, such as those observed in March 2025 targeting government agencies and public institutions in Taiwan and Japan, and Operation AkaiRyū in Q2/Q3 2024, underscore their continuous operational tempo and adaptive nature.
The group consistently refreshes its TTPs and tooling, incorporating new malware variants and adapting existing ones to maintain effectiveness and evade detection. Their consistent focus on Japan and expanding interests in Central Europe, Taiwan, and India indicate that organizations in these regions, particularly those in government, defense, diplomatic, and research sectors, must maintain a high level of vigilance against MirrorFace’s sophisticated and evolving espionage activities.
Related content
Carbanak Threat Profile: Financial Apex Predators
Adversary ProfileDeep Panda (G0009) Threat Actor Profile: A Persistent Chinese Espionage Group
Adversary ProfileAPT29 (Midnight Blizzard / Cozy Bear): Russian SVR's Elite Cyber Espionage Unit
Adversary ProfileAPT17 (Deputy Dog): A Persistent Chinese Cyber Espionage Threat
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call