{
	"id": "59081c5b-b50e-48d5-92d2-fa5763ce9138",
	"created_at": "2026-04-06T00:15:55.039738Z",
	"updated_at": "2026-04-10T03:32:38.986344Z",
	"deleted_at": null,
	"sha1_hash": "2d29b18de1593e245acbd4894dbdf9dac6eaf24c",
	"title": "MirrorFace hackers targeting Japanese govt, politicians since 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3766958,
	"plain_text": "MirrorFace hackers targeting Japanese govt, politicians since 2019\r\nBy Bill Toulas\r\nPublished: 2025-01-09 · Archived: 2026-04-05 18:01:54 UTC\r\nThe National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed \"MirrorFace\" hacking group.\r\nThe campaign has been underway since 2019 and is still ongoing; Japanese investigators have observed distinct phases that differ in targets and attack methods.\r\nIn all cases, the primary goal is to steal information on valuable and advanced Japanese technology and to gather national security intelligence.\r\nhttps://www.bleepingcomputer.com/news/security/mirrorface-hackers-targeting-japanese-govt-politicians-since-2019/\r\nPage 1 of 5\r\nMirrorFace, also known as \"Earth Kasha,\" was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubbed 'MirrorStealer' and the 'LODEINFO' backdoor.\r\nTargeting government and technology\r\nAccording to NPA's analysis of the MirrorFace activity, the Chinese hackers exploit flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway.\r\nAfter breaching the networks, the threat actors infect targeted computers with LODEINFO, ANEL, NOOPDOOR, and other malware families capable of data exfiltration, and with various backdoors for persistent long-term access.\r\nNPA identified three distinct campaigns conducted by the MirrorFace hackers:\r\nCampaign A (2019–2023): Targeted think tanks, government entities, politicians, and media with malware-laden emails to steal 
information.\r\nCampaign B (2023): Exploited software vulnerabilities in internet-connected devices, targeting Japan's semiconductor, manufacturing, ICT, academia, and aerospace sectors.\r\nCampaign C (2024–present): Used malicious email links to infect academia, think tanks, politicians, and media with malware.\r\nEvasion via VSCode and Windows Sandbox\r\nThe NPA highlights two evasion methods MirrorFace uses to persist in networks for extended periods without raising alarms.\r\nThe first uses Visual Studio Code tunnels, which the ANEL malware sets up on the compromised system. The tunnels are used to receive commands, usually PowerShell commands, to execute on infected systems.\r\nUsing VSCode tunnels for covert communications\r\nSource: NPA\r\nReportedly, MirrorFace has been using VSCode tunnels since at least June 2024.\r\nThis is a documented tactic previously attributed to other Chinese state-sponsored hackers like STORM-0866 and Sandman APT.\r\nThe second evasion method, employed since June 2023, involves using the Windows Sandbox feature to execute LODEINFO within an isolated environment, bypassing antivirus detection.\r\nWindows Sandbox is a virtualized desktop environment that can safely execute commands and run programs isolated from the host operating system.\r\nHowever, the host operating system, including Microsoft Defender, does not monitor this environment. 
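The detection side of this, as an added example that is not code from the NPA, ESET, or the article: a PowerShell script for the host that enables process-creation auditing with command-line capture (Security Event ID 4688), then hunts those events for Windows Sandbox launches and the .wsb configuration handed to them, and for VS Code tunnel processes and the tunnel service domains. Assumptions not stated on the page: the sandbox is started by WindowsSandbox.exe (with WindowsSandboxClient.exe as its child) and the .wsb path appears on its command line; the tunnel client resolves names under devtunnels.ms and tunnels.api.visualstudio.com, per Microsoft's own documentation; every function name here is mine.

```powershell
# Added example, not from the NPA notice or the BleepingComputer article.
# Host-side detection of the two evasions described above, using only built-in
# Windows logging. Run from an elevated PowerShell on the host, never inside the
# sandbox (the sandbox has no view of the host's Security log).
# Assumptions (not on the page): launcher binaries are WindowsSandbox.exe and
# WindowsSandboxClient.exe, the .wsb path is on the command line, and VS Code
# tunnels resolve *.devtunnels.ms or *.tunnels.api.visualstudio.com.

# --- 1. Turn on process-creation auditing with command-line capture -----------
function Enable-ProcessCreationAudit {
    # Security log Event ID 4688 (Detailed Tracking > Process Creation).
    # The subcategory name is locale-dependent; use the GUID on non-English hosts.
    auditpol /set '/subcategory:Process Creation' /success:enable /failure:enable | Out-Null
    # Same setting as the GPO 'Include command line in process creation events'.
    # Forward slashes are accepted by the registry provider; events logged before
    # this is set carry no CommandLine field.
    $key = 'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

# --- 2. Flatten 4688 events so the hunts below can filter on plain properties --
function Get-ProcessCreationEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Domain      = $d['SubjectDomainName']
            User        = $d['SubjectUserName']
            Process     = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
        }
    }
}

# --- 3. Hunt: Windows Sandbox launches and the .wsb file they were given -------
function Find-SandboxLaunch {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $quote = [string][char]34   # double-quote character, kept out of the source
    Get-ProcessCreationEvent -Since $Since |
        Where-Object { $_.Process -like '*WindowsSandbox*.exe' -or $_.CommandLine -like '*.wsb*' } |
        ForEach-Object {
            # Strip quoting, then take the last drive-letter path ending in .wsb;
            # [^:] keeps the match from swallowing the launcher's own C: path.
            $cl  = ([string]$_.CommandLine).Replace($quote, '')
            $cfg = if ($cl -match '([A-Za-z]:[^:]+?[.]wsb)(?: |$)') { $Matches[1] } else { '' }
            $_ | Add-Member -NotePropertyName Config -NotePropertyValue $cfg -PassThru
        }
}

# --- 4. Hunt: VS Code tunnel process and the domains it talks to --------------
function Find-VSCodeTunnel {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Process side: a tunnel started by a backdoor (the ANEL case above) has a
    # non-interactive parent, so Parent is the field to eyeball in the output.
    Get-ProcessCreationEvent -Since $Since |
        Where-Object { $_.Process -like '*code*.exe' -and $_.CommandLine -like '*tunnel*' }
    # Network side: resolver cache is only a snapshot; DNS or proxy logs scale better.
    # Expected noise on developer workstations, a strong signal on servers.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*devtunnels.ms' -or $_.Entry -like '*tunnels.api.visualstudio.com' } |
        Select-Object Entry, Data
}

# Usage (elevated):
Enable-ProcessCreationAudit
Find-SandboxLaunch -Since (Get-Date).AddDays(-30) | Format-Table Time, User, Parent, Config -AutoSize
Find-VSCodeTunnel | Format-List
```

The sandbox hunt is most useful as an allow-list check: on a fleet where Windows Sandbox is not sanctioned, any hit is worth a ticket, and the Config column tells the responder which .wsb to pull and read (mapped folders, logon command). Without host-side auditing of this kind, the sandbox is a blind spot for the host's own defenses.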
That blind spot allows the threat actors to run malware that communicates with remote command and control (C2) servers while keeping access to the host's filesystem via shared folders.\r\nThe Windows Sandbox evasion method\r\nSource: NPA\r\nBased on the above, the NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity.\r\nWhile it is not possible to log commands executed inside Windows Sandbox, the NPA says you can configure Windows policies on the host to audit process creation, which reveals when Windows Sandbox is launched and which configuration file (.wsb) was used.\r\nThis lets organizations that do not normally use Windows Sandbox detect its use and investigate further.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/mirrorface-hackers-targeting-japanese-govt-politicians-since-2019/"
	],
	"report_names": [
		"mirrorface-hackers-targeting-japanese-govt-politicians-since-2019"
	],
	"threat_actors": [
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6fde2d10-cf90-4eae-a249-838a36f76075",
			"created_at": "2023-12-19T02:00:06.26466Z",
			"updated_at": "2026-04-10T02:00:03.498264Z",
			"deleted_at": null,
			"main_name": "Sandman APT",
			"aliases": [],
			"source_name": "MISPGALAXY:Sandman APT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775791958,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d29b18de1593e245acbd4894dbdf9dac6eaf24c.pdf",
		"text": "https://archive.orkl.eu/2d29b18de1593e245acbd4894dbdf9dac6eaf24c.txt",
		"img": "https://archive.orkl.eu/2d29b18de1593e245acbd4894dbdf9dac6eaf24c.jpg"
	}
}