MirrorFace

Introduction

MirrorFace is a People’s Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware. Kaspersky LODEINFO OCT 2022 Kaspersky LODEINFO Part II OCT 2022 ESET MirrorFace DEC 2022 JPCERT MirrorFace JUL 2024 Trend Micro Earth Kasha NOV 2024 Trend Micro Earth Kasha Updates APR 2025

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

• Operation AkaiRyū (C0060): Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.(Citation: ESET MirrorFace 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)

Tactics, Techniques, and Procedures (TTPs)

• T1566.002 Spearphishing Link
• T1057 Process Discovery
• T1686.003 Windows Host Firewall
• T1074.002 Remote Data Staging
• T1685 Disable or Modify Tools
• T1087.002 Domain Account
• T1614.001 System Language Discovery
• T1591 Gather Victim Org Information
• T1090 Proxy
• T1685.005 Clear Windows Event Logs
• T1021.001 Remote Desktop Protocol
• T1587.001 Malware
• T1070.004 File Deletion
• T1003.002 Security Account Manager
• T1083 File and Directory Discovery
• T1482 Domain Trust Discovery
• T1684.001 Impersonation
• T1588.002 Tool
• T1003.001 LSASS Memory
• T1204.002 Malicious File
• T1018 Remote System Discovery
• T1016 System Network Configuration Discovery
• T1553.002 Code Signing
• T1005 Data from Local System
• T1059.003 Windows Command Shell
• T1566.001 Spearphishing Attachment
• T1059.005 Visual Basic
• T1007 System Service Discovery
• T1082 System Information Discovery
• T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• T1574.001 DLL
• T1021.002 SMB/Windows Admin Shares
• T1071.002 File Transfer Protocols
• T1190 Exploit Public-Facing Application
• T1036.008 Masquerade File Type
• T1003.003 NTDS
• T1560.001 Archive via Utility
• T1221 Template Injection
• T1556.002 Password Filter DLL
• T1047 Windows Management Instrumentation
• T1114.001 Local Email Collection
• T1027.013 Encrypted/Encoded File
• T1033 System Owner/User Discovery

ATT&CK technique IDs (denormalized)

• T1003.001
• T1003.002
• T1003.003
• T1005
• T1007
• T1016
• T1018
• T1021.001
• T1021.002
• T1027.013
• T1033
• T1036.008
• T1047
• T1048.002
• T1057
• T1059.003
• T1059.005
• T1070.004
• T1071.002
• T1074.002
• T1082
• T1083
• T1087.002
• T1090
• T1114.001
• T1190
• T1204.002
• T1221
• T1482
• T1553.002
• T1556.002
• T1560.001
• T1566.001
• T1566.002
• T1574.001
• T1587.001
• T1588.002
• T1591
• T1614.001
• T1684.001
• T1685
• T1685.005
• T1686.003

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• Umbreon:
• China Chopper:
• CyberGate:
• Cyber Eye RAT:

MITRE ATT&CK Software

• Net (S0039) — tool
• Cobalt Strike (S0154) — malware
• MirrorStealer (S9022) — malware
• UPPERCUT (S0275) — malware
• Nltest (S0359) — tool
• BITSAdmin (S0190) — tool
• Tasklist (S0057) — tool
• ipconfig (S0100) — tool
• LODEINFO (S9020) — malware
• ROAMINGHOUSE (S9026) — malware
• DOWNIISSA (S9021) — malware
• nbtstat (S0102) — tool
• HiddenFace (S9023) — malware
• Ping (S0097) — tool
• Wevtutil (S0645) — tool
• NOOPLDR (S9025) — malware

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] ESET MirrorFace DEC 2022 Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026. [4] Trend Micro Earth Kasha Updates APR 2025 Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026. [5] Kaspersky LODEINFO OCT 2022 Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part I. Retrieved April 17, 2026. [6] Kaspersky LODEINFO Part II OCT 2022 Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part II. Retrieved April 17, 2026. [7] JPCERT MirrorFace JUL 2024 Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026. [8] Trend Micro Earth Kasha NOV 2024 Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha’s New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.