Cybersecurity researchers have uncovered fresh details about an ongoing cyber-espionage campaign launched by the China-linked threat group MirrorFace, targeting diplomatic organizations in Europe. This sophisticated operation, named Operation AkaiRyū (Japanese for Red Dragon), was first detected by ESET in late August 2024.
This comes after recent reports that Google Play Store users were being spied on by hackers backed by the North Korean government.
MirrorFace Expands Targets Beyond Japan, Hits EU Diplomats
Typically known for focusing on Japanese organizations, MirrorFace — also called Earth Kasha — has now extended its targeting to Europe. The group, believed to be a subgroup of APT10, targeted a Central European diplomatic institute using deceptive lures themed around the upcoming World Expo 2025 in Osaka, Japan.
This unexpected pivot marks a significant change in the group’s victim profile, raising concerns about its evolving strategies and broader ambitions in the cyber-espionage arena.
ANEL Backdoor Makes a Comeback, Replacing LODEINFO
The cyber attack is particularly notable for the reappearance of ANEL — also known as UPPERCUT — a sophisticated backdoor tool previously linked to APT10 operations. Analysts observed that MirrorFace has abandoned LODEINFO, a malware family used heavily in the past, in favor of ANEL, which had seemingly gone dormant since 2019.
“We don’t have a clear reason why MirrorFace switched from LODEINFO to ANEL,” ESET revealed. “But we didn’t detect any LODEINFO activity throughout 2024 or 2025, suggesting ANEL has now replaced it in their toolkit.”
Enhanced Tactics: AsyncRAT and Visual Studio Code Remote Tunnels Deployed
Beyond ANEL, researchers noted that the hackers also deployed a highly customized version of AsyncRAT, a popular open-source remote access trojan. To further enhance their stealth, the attackers used Visual Studio Code Remote Tunnels, a relatively new tactic increasingly favored by Chinese hacking groups to maintain covert access to compromised machines. Because the tunnel is brokered by Microsoft's own relay infrastructure, the resulting traffic goes to legitimate Microsoft-hosted domains over HTTPS and is easy to mistake for ordinary developer activity, which is exactly what makes the technique attractive to an intruder.
Interestingly, this operation closely aligns with Campaign C, previously reported by Japan’s National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) in January 2025.
Spear-Phishing and Modular Malware Power the Attack Chain
The attack began with spear-phishing emails, luring victims with World Expo-themed documents or malicious links. Once opened, the attachments led to the execution of ANELLDR, a purpose-built loader that is side-loaded by a legitimate executable (the classic DLL side-loading pattern, where a trusted binary is tricked into loading an attacker-supplied DLL placed next to it) and then runs ANEL.
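The two pieces of tradecraft described above, the VS Code Remote Tunnel use and the DLL side-loading of ANELLDR, both leave endpoint telemetry that a defender can hunt for. The script below is an added example written for this page, not ESET's code or anything from the MirrorFace report: it triages a handful of constructed Sysmon-style events (simplified Event ID 1 process creation, Event ID 3 network connection and Event ID 7 image load records as JSON lines) and flags (a) the VS Code CLI being started in `tunnel` mode or connecting to tunnel relay endpoints and (b) an unsigned DLL loaded from the same directory as its host executable outside the Windows and Program Files trees. The relay domains, the sample paths and command lines, and the "trusted roots" list are all assumptions chosen for the illustration and should be checked against your own environment and current Microsoft documentation before being turned into a production rule.

```python
"""Hunt for VS Code tunnel abuse and DLL side-loading in Sysmon-style events.

Added example for this article, not vendor code. Event records are simplified
Sysmon shapes; the sample data below is constructed, not captured from a real
incident. Domain list and trusted roots are assumptions to verify locally.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Assumption: relay endpoints contacted by the VS Code CLI when a tunnel is
# opened. Confirm against Microsoft's dev tunnels documentation before use.
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")
TUNNEL_BINARIES = {"code.exe", "code-tunnel.exe"}
# Assumption: directories treated as "not user-writable" for the side-load rule.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "CommandLine": "\"Code.exe\" --new-window", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Music\\code.exe", "CommandLine": "code.exe tunnel --accept-server-license-terms --name host01", "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Users\\Public\\Music\\code.exe", "DestinationHostname": "global.rel.tunnels.api.visualstudio.com", "DestinationPort": 443}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Expo2025\\Expo.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Expo2025\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def check_vscode_tunnel(ev: dict) -> Optional[Finding]:
    """Rule 1: VS Code CLI launched in tunnel mode, or traffic to tunnel relays."""
    image = ev.get("Image", "")
    if ev.get("EventID") == 1:
        tokens = ev.get("CommandLine", "").lower().split()
        if _basename(image) in TUNNEL_BINARIES and "tunnel" in tokens:
            return Finding("vscode_tunnel_process", image, ev["CommandLine"])
    if ev.get("EventID") == 3:
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith(TUNNEL_DOMAINS):
            return Finding("vscode_tunnel_network", image, host)
    return None


def check_dll_sideload(ev: dict) -> Optional[Finding]:
    """Rule 2: unsigned DLL loaded from the host EXE's own directory, outside trusted roots.

    This is the shape of a side-load: a legitimate program copied to a
    user-writable folder together with an attacker-supplied DLL it expects.
    """
    if ev.get("EventID") != 7:
        return None
    image, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    same_dir = _dirname(image) == _dirname(dll)
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if same_dir and unsigned and not _under_trusted_root(dll):
        return Finding("dll_sideload_candidate", image, dll)
    return None


def triage(jsonl: str) -> List[Finding]:
    """Run both rules over JSON-lines input and return every hit in input order."""
    findings: List[Finding] = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for check in (check_vscode_tunnel, check_dll_sideload):
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is, the script reports the tunnel launch, the relay connection and the `version.dll` side-load candidate, while the signed `ntdll.dll` load by `svchost.exe` is correctly ignored. Expect noise from the side-load rule on developer workstations (many legitimate applications ship unsigned helper DLLs next to their executables), so in practice pair it with the process's signing status or an allow-list of known install paths rather than alerting on it alone.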
Additionally, MirrorFace deployed a custom backdoor known as HiddenFace (also called NOOPDOOR), a modular tool exclusively used by this threat group. HiddenFace grants attackers prolonged access while helping avoid detection.
Improved Operational Security Makes Attribution Tougher
ESET analysts noted that MirrorFace’s operational security measures have improved significantly, making it harder to trace their activities. The group now takes extra steps to delete malicious tools, clear Windows event logs, and even run malware inside Windows Sandbox — a disposable virtual machine whose contents are discarded when it is closed, so little forensic evidence survives on the host — all designed to cover their tracks and frustrate investigations.
“Despite our findings, many parts of the operation remain unclear due to these advanced tactics,” ESET added.