The China-linked threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking group has targeted an organization in the region.
“During this attack, the threat actor used the upcoming World Expo 2025 in Osaka, Japan as bait,” ESET said in its report on APT activities for the period April to September 2024.
“This shows that even with the new geographic focus, MirrorFace remains focused on Japan and related events.”
MirrorFace, also tracked as Earth Kasha, is assessed to be part of an umbrella group known as APT10, which also includes clusters tracked as Earth Tengshe and Bronze Starlight. It has been known to target Japanese organizations since at least 2019, although a new campaign observed in early 2023 expanded its activities to include Taiwan and India.
Over the years, the hacking group’s malware arsenal has expanded to include backdoors such as ANEL (aka UPPERCUT), LODEINFO and NOOPDOOR (aka HiddenFace), as well as a credential stealer called MirrorStealer.
ESET told The Hacker News that MirrorFace attacks are highly targeted and that there are typically “less than 10 attacks per year.” The ultimate goal of these intrusions is cyber espionage and data theft. This is not, however, the first time that diplomatic organizations have been targeted by the group.
In the latest attack discovered by the Slovak cybersecurity company, the victim received a phishing email with a link to a ZIP archive (“Expo in Japan 2025.zip”) hosted on Microsoft OneDrive.
The archive contained a Windows shortcut file (“2025 Japan EXPO.docx.lnk”) which, when opened, triggered an infection chain that ultimately deployed ANEL and NOOPDOOR.
“ANEL disappeared from the scene around late 2018 or early 2019, and LODEINFO was believed to have replaced it, appearing later in 2019,” ESET said. “So it’s interesting to see ANEL resurface after almost five years.”
The development comes as China-linked threat actors such as Flax Typhoon, Granite Typhoon and Webworm were found to be increasingly relying on the open-source, multi-platform SoftEther VPN to maintain access to victim networks.
It also follows a Bloomberg report that the China-linked Volt Typhoon breached Singapore Telecommunications (Singtel) as a “test run” for a broader campaign targeting telcos and other critical infrastructure, according to two people familiar with the matter. The intrusion was discovered in June 2024.
US telecommunications and network service providers such as AT&T, Verizon and Lumen Technologies have also been targeted by another Chinese nation-state hacking group called Salt Typhoon (aka FamousSparrow and GhostEmperor).
The Wall Street Journal reported earlier this week that the hackers used these intrusions to compromise mobile phone lines used by various high-ranking national security officials, policymakers and politicians in the US. The group is also believed to have penetrated telecommunications providers in another country that “closely shares intelligence with the US.”