MirrorFace

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]

ID: G1054
Associated Groups: Earth Kasha
Contributors: Dominik Breitenbacher, ESET
Version: 1.0
Created: 17 April 2026
Last Modified: 24 April 2026

Associated Group Descriptions

Name Description
Earth Kasha [5][6]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

MirrorFace has used native Windows tools to obtain domain user information.[5]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

MirrorFace has used the PuTTY suite Secure Copy Protocol (SCP) client for file transfer.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

MirrorFace has used rar.exe and the Makecab utility to archive files of interest prior to exfiltration.[3][5][4]

Enterprise T1217 Browser Information Discovery

During Operation AkaiRyū, MirrorFace exported Chrome web data including contact information, keywords, autofill data, and stored credit card information.[7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Operation AkaiRyū, MirrorFace used PowerShell in execution chains to drop additional files such as embedded CAB files.[8][7]

.003 Command and Scripting Interpreter: Windows Command Shell

MirrorFace has used cmd.exe for malware execution, file discovery, and manual file manipulation.[5][6][4]

During Operation AkaiRyū, MirrorFace used cmd.exe to run PowerShell commands to drop additional files on the compromised host.[7]

.005 Command and Scripting Interpreter: Visual Basic

MirrorFace has used remote templates with VBA code in malware infection chains.[9]

During Operation AkaiRyū, MirrorFace used Word templates containing VBA code for malware execution.[7]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

During Operation AkaiRyū, MirrorFace used compromised accounts to send spearphishing emails.[8]

Enterprise T1005 Data from Local System

MirrorFace has gathered data and files of interest from victims' systems.[5]

Enterprise T1074 .002 Data Staged: Remote Data Staging

MirrorFace has gathered data and files of interest onto a single victim machine prior to exfiltration.[5]

Enterprise T1587 .001 Develop Capabilities: Malware

MirrorFace has created and continued to develop custom strains of malware including LODEINFO.[3]

During Operation AkaiRyū, MirrorFace used custom malware, as well as customized variants of publicly available tools.[7]

Enterprise T1686 .003 Disable or Modify System Firewall: Windows Host Firewall

MirrorFace can modify the system firewall to allow communication to certain ports.[4]

Enterprise T1685 Disable or Modify Tools

MirrorFace has disabled Windows Defender in compromised environments.[4]

.005 Disable or Modify Tools: Clear Windows Event Logs

MirrorFace has deleted Windows event logs.[4]

During Operation AkaiRyū, MirrorFace cleared Windows event logs post compromise.[7]

Enterprise T1482 Domain Trust Discovery

MirrorFace has run nltest.exe /domain_trusts on compromised systems to discover domain relationships.[5]

Enterprise T1114 .001 Email Collection: Local Email Collection

MirrorFace has exfiltrated stored emails from compromised hosts.[3]

Enterprise T1585 .002 Establish Accounts: Email Accounts

During Operation AkaiRyū, MirrorFace used free email providers such as Gmail for spearphishing.[8][7]

.003 Establish Accounts: Cloud Accounts

During Operation AkaiRyū, MirrorFace established OneDrive accounts to host malicious payloads.[7]

Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

MirrorFace has used Secure File Transfer Protocol (SFTP) for file exfiltration.[4]

Enterprise T1190 Exploit Public-Facing Application

MirrorFace has exploited vulnerabilities in FortiGate and Array AG devices for initial access.[4]

Enterprise T1083 File and Directory Discovery

MirrorFace has run commands to check the content of folders on compromised hosts and has specifically targeted files with .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf extensions.[3][5][4]

During Operation AkaiRyū, MirrorFace enumerated file system details in compromised environments.[8]

Enterprise T1591 Gather Victim Org Information

MirrorFace has placed specific content in phishing emails to target members of particular political parties.[3]

Enterprise T1574 .001 Hijack Execution Flow: DLL

MirrorFace has used legitimate EXE files to load malicious DLLs via sideloading.[1][3][9][5]

Enterprise T1070 .004 Indicator Removal: File Deletion

MirrorFace has deleted directories containing malware and archives with files collected from the victim environment.[3][5][6][4]

During Operation AkaiRyū, MirrorFace deleted delivered tools and files from compromised hosts.[7]

Enterprise T1036 .008 Masquerading: Masquerade File Type

MirrorFace has crafted malware payloads to appear as Privacy-Enhanced Mail (PEM) files.[9]

During Operation AkaiRyū, MirrorFace disguised LNK and SFX (self-extracting) files as Word documents to lure victims into opening malicious files.[8][7]

Enterprise T1556 .002 Modify Authentication Process: Password Filter DLL

MirrorFace has used a tool named MRSAStealer as a password filter to collect credentials on password changes.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

MirrorFace has used Base64 encoded shellcode in infection chains to evade detection.[9]

Enterprise T1588 .002 Obtain Capabilities: Tool

MirrorFace has used tools including the Secure Copy Protocol (SCP) client from PuTTY and Cobalt Strike.[3][5][4]

During Operation AkaiRyū, MirrorFace deployed multiple publicly available tools including PuTTY, FRP, and Rubeus.[7]

Enterprise T1137 .001 Office Application Startup: Office Template Macros

During Operation AkaiRyū, MirrorFace loaded malicious Word templates containing VBA code leading to installation of UPPERCUT.[7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

MirrorFace has dumped LSASS memory for credential access.[4]

.002 OS Credential Dumping: Security Account Manager

MirrorFace has used vssadmin to copy registry hives including SAM.[5][4]

.003 OS Credential Dumping: NTDS

MirrorFace has dumped NTDS.dit through volume shadow copies.[5][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

MirrorFace has sent spearphishing emails with malicious attachments to deliver malware payloads.[1][3][9]

During Operation AkaiRyū, MirrorFace distributed crafted spearphishing emails containing malicious attachments.[7][8]

.002 Phishing: Spearphishing Link

MirrorFace has embedded OneDrive URLs in emails leading to malicious file installation.[6]

During Operation AkaiRyū, MirrorFace sent spearphishing emails with malicious OneDrive links.[8]

Enterprise T1057 Process Discovery

MirrorFace has used Tasklist on compromised hosts for discovery.[4]

Enterprise T1090 Proxy

MirrorFace has used the GO Simple Tunnel (GOST) proxy tool.[4]

Enterprise T1219 .001 Remote Access Tools: IDE Tunneling

During Operation AkaiRyū, MirrorFace abused the remote tunnels of Visual Studio Code (VS Code) to deliver malware.[7]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

MirrorFace has used RDP to exfiltrate files of interest.[5]

.002 Remote Services: SMB/Windows Admin Shares

MirrorFace has used SMB to copy malware between systems in compromised environments.[5][4]

Enterprise T1018 Remote System Discovery

MirrorFace has used Ping for system discovery.[4]

Enterprise T1684 .001 Social Engineering: Impersonation

MirrorFace has sent targeted emails purporting to be from a Japanese political party’s PR department.[3]

Enterprise T1608 .005 Stage Capabilities: Link Target

During Operation AkaiRyū, MirrorFace used links to direct victims to malicious files hosted on OneDrive.[8][7]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

MirrorFace has abused a known Microsoft digital signature verification issue to append encrypted data to digitally signed files that still appear to be validly signed.[3]

During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.[7]

Enterprise T1082 System Information Discovery

MirrorFace has employed malicious macros and native Windows tools such as csvde.exe, nltest.exe, and quser.exe for discovery.[9][5][4]

During Operation AkaiRyū, MirrorFace collected system information.[8]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

MirrorFace has deployed shellcode to check for Japanese Microsoft Office settings.[9]

Enterprise T1016 System Network Configuration Discovery

MirrorFace has used ipconfig for reconnaissance.[4]

During Operation AkaiRyū, MirrorFace used Arp and dir for discovery in compromised environments.[8]

Enterprise T1033 System Owner/User Discovery

MirrorFace has used Windows native tools to enumerate user information.[5]

Enterprise T1007 System Service Discovery

MirrorFace has used Tasklist for discovery post compromise.[4]

Enterprise T1221 Template Injection

MirrorFace has used remote template injection to retrieve malicious payloads from the C2.[9]

Enterprise T1127 .001 Trusted Developer Utilities Proxy Execution: MSBuild

During Operation AkaiRyū, MirrorFace used MSBuild to compile and execute its FaceXInjector injection tool.[7]

Enterprise T1204 .001 User Execution: Malicious Link

During Operation AkaiRyū, MirrorFace lured users into executing malicious payloads with links to resources hosted on OneDrive.[8][7]

.002 User Execution: Malicious File

MirrorFace has lured victims into opening crafted Word, Excel, and SFX files for execution.[1][3][9][6]

During Operation AkaiRyū, MirrorFace lured victims into executing malicious payloads by opening email attachments.[7]

Enterprise T1047 Windows Management Instrumentation

MirrorFace has leveraged WMIC on targeted systems post compromise.[4]

During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT.[7]

Software

ID Name References Techniques
S9027 ANELLDR ANELLDR was used in Operation AkaiRyū as part of UPPERCUT infection chains.[8][7] Debugger Evasion, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Junk Code Insertion, Obfuscated Files or Information
S0099 Arp During Operation AkaiRyū, MirrorFace used Arp for discovery.[8] Remote System Discovery, System Network Configuration Discovery
S1087 AsyncRAT During Operation AkaiRyū, MirrorFace used custom versions of AsyncRAT.[7] Command and Scripting Interpreter: Windows Command Shell, Debugger Evasion, Dynamic Resolution: Domain Generation Algorithms, Dynamic Resolution, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Native API, Phishing: Spearphishing Attachment, Process Discovery, Proxy: Multi-hop Proxy, Scheduled Task/Job: Scheduled Task, Screen Capture, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0190 BITSAdmin [4] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer
S0154 Cobalt Strike MirrorFace has used Cobalt Strike for persistence.[5] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Disable or Modify Tools, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Virtualization/Sandbox Evasion: User Activity Based Checks, Windows Management Instrumentation
S9021 DOWNIISSA DOWNIISSA has been used by MirrorFace to download LODEINFO.[1] Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Process Injection, System Binary Proxy Execution: Msiexec
S1144 FRP During Operation AkaiRyū, MirrorFace used FRP.[7] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Network Service Discovery, Non-Application Layer Protocol, Protocol Tunneling, Proxy, Proxy: Multi-hop Proxy, System Network Connections Discovery
S9023 HiddenFace MirrorFace has used HiddenFace during operations.[10][4][5] Data from Local System, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall: Windows Host Firewall, Dynamic Resolution: Domain Generation Algorithms, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Execution Guardrails, Exploit Public-Facing Application, Fallback Channels, Indicator Removal: Timestomp, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Process Discovery, Process Injection, Protocol Tunneling, Proxy: Internal Proxy, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: Time Based Checks
S0100 ipconfig [4] System Network Configuration Discovery
S9020 LODEINFO [1][9] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Data Encrypted for Impact, Data from Local System, Data Obfuscation: Junk Data, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails, Exfiltration Over C2 Channel, File and Directory Discovery, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Native API, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Junk Code Insertion, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Remote System Discovery, Screen Capture, Steal Web Session Cookie, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery, User Execution: Malicious File, Windows Management Instrumentation
S9022 MirrorStealer MirrorFace has used MirrorStealer to harvest credentials.[3] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Data Staged: Local Data Staging, Unsecured Credentials: Group Policy Preferences
S0102 nbtstat [4] System Network Configuration Discovery, System Network Connections Discovery
S0039 Net [4] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest MirrorFace has used Nltest for discovery.[5] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S9025 NOOPLDR MirrorFace has used NOOPLDR during operations.[5] Deobfuscate/Decode Files or Information, Hide Artifacts, Hijack Execution Flow: DLL, Indicator Removal: File Deletion, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information, Obfuscated Files or Information: Junk Code Insertion, Process Injection, System Information Discovery
S0097 Ping [4] Remote System Discovery
S9026 ROAMINGHOUSE MirrorFace has used ROAMINGHOUSE during operations.[6] Deobfuscate/Decode Files or Information, Execution Guardrails, Hijack Execution Flow: DLL, Obfuscated Files or Information: Encrypted/Encoded File, Office Application Startup: Office Template Macros, Phishing: Spearphishing Link, Software Discovery: Security Software Discovery, User Execution: Malicious File, User Execution: Malicious Link, Virtualization/Sandbox Evasion: User Activity Based Checks, Windows Management Instrumentation
S1071 Rubeus During Operation AkaiRyū, MirrorFace used Rubeus.[7] Domain Trust Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: AS-REP Roasting, Steal or Forge Kerberos Tickets: Golden Ticket
S0057 Tasklist [4] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0275 UPPERCUT MirrorFace has used UPPERCUT during operations.[6] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data from Local System, Delay Execution, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL, Ingress Tool Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0645 Wevtutil [4] Data from Local System, Disable or Modify Tools: Disable or Modify Windows Event Log, Disable or Modify Tools: Clear Windows Event Logs

References