
Chinese APT Group MirrorFace Expands Operations to Europe, Revives ANEL Backdoor

MirrorFace APT group
ESET researchers have uncovered a significant shift in tactics by the China-aligned advanced persistent threat (APT) group MirrorFace, which has expanded beyond its traditional focus on Japanese targets to include a Central European diplomatic institute. 

The campaign, named Operation AkaiRyū (Japanese for "RedDragon"), marks the first known instance of MirrorFace targeting a European entity.

According to ESET's report, the attack occurred in August 2024 and used the upcoming Expo 2025 in Osaka as bait. MirrorFace operators began with a harmless email referencing a legitimate previous interaction between the institute and a Japanese NGO. 

After the target responded, the attackers sent a follow-up email containing a malicious OneDrive link to a ZIP archive with a disguised LNK file. When opened, the LNK file triggered a complex execution chain, deploying the ANEL backdoor—a tool previously associated exclusively with the APT10 group.

Perhaps most notable in this campaign is MirrorFace's revival of the ANEL backdoor (also known as UPPERCUT), previously considered exclusive to APT10 and thought to have been abandoned around 2018-2019. 

This development has led ESET researchers to conclude that "MirrorFace is a subgroup under the APT10 umbrella," aligning with assessments from other security firms like Macnica, Kaspersky, and Cybereason.

The investigation revealed that MirrorFace has significantly refreshed its tactics, techniques, and procedures (TTPs). Beyond reviving ANEL, the group has deployed a heavily customized variant of AsyncRAT using a complex execution chain that runs malware inside Windows Sandbox to evade detection. 

MirrorFace’s AsyncRAT execution chain

They've also begun abusing Visual Studio Code's remote tunnels feature to establish stealthy access to compromised systems.
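The three techniques described above (an LNK delivered inside a ZIP archive, a payload run inside Windows Sandbox, and a VS Code remote tunnel) each leave a distinct footprint in process-creation telemetry. The following is an added illustration, not code from ESET or from this article, of how a defender might screen such telemetry for those footprints; the event format and sample lines are constructed, and the `.wsb` configuration extension and the `Temp1_<archive>.zip` extraction folder are assumptions about Windows behaviour rather than details taken from the report.

```python
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample process-creation events in a simplified key="value" format.
# These are illustrative, not telemetry from the ESET investigation.
SAMPLE_EVENTS = [
    'image="C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\code.exe" '
    'parent="cmd.exe" cmdline="code.exe tunnel --accept-server-license-terms"',
    'image="C:\\Windows\\System32\\WindowsSandbox.exe" parent="cmd.exe" '
    'cmdline="WindowsSandbox.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.wsb"',
    'image="C:\\Windows\\System32\\cmd.exe" parent="explorer.exe" '
    'cmdline="cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_Expo2025.zip\\setup.bat"',
    'image="C:\\Windows\\System32\\notepad.exe" parent="explorer.exe" '
    'cmdline="notepad.exe notes.txt"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" line into a dict; unknown text is ignored."""
    return {key: value for key, value in re.findall(r'(\w+)="([^"]*)"', line)}


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS the scan runs on.
    return ntpath.basename(path).lower()


# Each rule maps a name to a predicate over a parsed event.
RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    # VS Code remote tunnel: "code tunnel" exposes the host through Microsoft's tunnel service.
    ("vscode_remote_tunnel", lambda e: _basename(e["image"]) == "code.exe"
        and re.search(r"\btunnel\b", e["cmdline"], re.I) is not None),
    # Windows Sandbox started with a configuration file (assumption: .wsb extension).
    ("windows_sandbox_launch", lambda e: _basename(e["image"]) == "windowssandbox.exe"
        and ".wsb" in e["cmdline"].lower()),
    # A child of Explorer running from the in-archive extraction folder
    # (assumption: Explorer extracts to %TEMP%\Temp1_<archive>.zip\ when a file is opened from a ZIP).
    ("exec_from_zip_temp", lambda e: _basename(e["parent"]) == "explorer.exe"
        and re.search(r"\\temp\\temp1_[^\\]+\.zip\\", e["cmdline"], re.I) is not None),
]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, rule_name) for every rule matching an event; malformed lines are skipped."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        if not {"image", "parent", "cmdline"} <= event.keys():
            continue
        hits.extend((idx, name) for name, matches in RULES if matches(event))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule on its own is a lead rather than a verdict; in practice the hits would be correlated with the parent chain and with the OneDrive download that preceded them.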

ESET's forensic analysis shows that following the initial compromise of two machines at the diplomatic institute in August 2024, MirrorFace deployed multiple tools, including PuTTY, VS Code, HiddenFace (the group's flagship backdoor), AsyncRAT, and tools like Rubeus for Kerberos interaction. On one machine, they exported Google Chrome web data, including contact information and stored credit card details.

As ESET researchers noted, “MirrorFace’s improved operational security, including the use of Windows Sandbox and the deletion of delivered tools, makes incident investigations increasingly challenging.”

The Operation AkaiRyū campaign serves as a stark reminder of the evolving threat landscape and the need for robust cybersecurity measures to defend against advanced persistent threats.

The Japanese National Police Agency (NPA) issued a warning about MirrorFace activities in January 2025, corresponding with what they called "Campaign C" in their Japanese-language advisory.

While MirrorFace has previously been reported to operate outside Japan in Taiwan, India, and Vietnam, this European targeting represents a significant geographic expansion while maintaining the group's focus on Japan-related entities and events.
