Operation AkaiRyū

Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]

ID: C0060
First Seen: June 2024 [1][2]
Last Seen: September 2024 [1]
Associated Campaigns: AkaiRyū
Contributors: Dominik Breitenbacher, ESET
Version: 1.0
Created: 17 April 2026
Last Modified: 24 April 2026

Groups

ID Name Description
G1054 MirrorFace [2][1]

Techniques Used

Domain ID Name Use
Enterprise T1217 Browser Information Discovery

During Operation AkaiRyū, MirrorFace exported Chrome web data including contact information, keywords, autofill data, and stored credit card information.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Operation AkaiRyū, MirrorFace used PowerShell in execution chains to drop additional files such as embedded CAB files.[2][1]

.003 Command and Scripting Interpreter: Windows Command Shell

During Operation AkaiRyū, MirrorFace used cmd.exe to run PowerShell commands to drop additional files on the compromised host.[1]

.005 Command and Scripting Interpreter: Visual Basic

During Operation AkaiRyū, MirrorFace used Word templates containing VBA code for malware execution.[1]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

During Operation AkaiRyū, MirrorFace used compromised accounts to send spearphishing emails.[2]

Enterprise T1587 .001 Develop Capabilities: Malware

During Operation AkaiRyū, MirrorFace used custom malware, as well as customized variants of publicly available tools.[1]

Enterprise T1685 .005 Disable or Modify Tools: Clear Windows Event Logs

During Operation AkaiRyū, MirrorFace cleared Windows event logs post-compromise.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

During Operation AkaiRyū, MirrorFace used free email providers such as Gmail for spearphishing.[2][1]

.003 Establish Accounts: Cloud Accounts

During Operation AkaiRyū, MirrorFace established OneDrive accounts to host malicious payloads.[1]

Enterprise T1083 File and Directory Discovery

During Operation AkaiRyū, MirrorFace enumerated file system details in compromised environments.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

During Operation AkaiRyū, MirrorFace deleted delivered tools and files from compromised hosts.[1]

Enterprise T1036 .008 Masquerading: Masquerade File Type

During Operation AkaiRyū, MirrorFace disguised LNK and SFX (self-extracting) files as Word documents to lure victims into opening malicious files.[2][1]

Enterprise T1588 .002 Obtain Capabilities: Tool

During Operation AkaiRyū, MirrorFace deployed multiple publicly available tools including PuTTY, FRP, and Rubeus.[1]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

During Operation AkaiRyū, MirrorFace loaded malicious Word templates containing VBA code leading to installation of UPPERCUT.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

During Operation AkaiRyū, MirrorFace distributed crafted spearphishing emails containing malicious attachments.[1][2]

.002 Phishing: Spearphishing Link

During Operation AkaiRyū, MirrorFace sent spearphishing emails with malicious OneDrive links.[2]

Enterprise T1219 Remote Access Tools

During Operation AkaiRyū, MirrorFace used remote access tools including PuTTY.[1]

.001 IDE Tunneling

During Operation AkaiRyū, MirrorFace abused the remote tunnels of Visual Studio Code (VS Code) to deliver malware.[1]

Enterprise T1608 .005 Stage Capabilities: Link Target

During Operation AkaiRyū, MirrorFace used links to direct victims to malicious files hosted on OneDrive.[2][1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.[1]

Enterprise T1082 System Information Discovery

During Operation AkaiRyū, MirrorFace collected system information.[2]

Enterprise T1016 System Network Configuration Discovery

During Operation AkaiRyū, MirrorFace used Arp and dir for discovery in compromised environments.[2]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

During Operation AkaiRyū, MirrorFace used MSBuild to compile and execute its FaceXInjector injection tool.[1]

Enterprise T1204 .001 User Execution: Malicious Link

During Operation AkaiRyū, MirrorFace lured users into executing malicious payloads with links to resources hosted on OneDrive.[2][1]

.002 User Execution: Malicious File

During Operation AkaiRyū, MirrorFace lured victims into executing malicious payloads by opening email attachments.[1]

Enterprise T1047 Windows Management Instrumentation

During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT.[1]

Software

References