Full Report
The group's Operation AkaiRyū begins with targeted spearphishing emails that use the upcoming World Expo 2025 in Osaka, Japan, as a lure
Analysis Summary
# Threat Actor: MirrorFace
## Attribution & Identity
China-aligned Advanced Persistent Threat (APT) group.
## Activity Summary
The group's recent activity centers around "Operation AkaiRyū" (Japanese for RedDragon). This operation marks the first documented attempt by MirrorFace to infiltrate an entity in Europe. The campaign kicked off with targeted spearphishing emails using the upcoming World Expo 2025 in Osaka, Japan, as a lure.
## Tactics, Techniques & Procedures
- **Initial Access:** Targeted spearphishing emails.
- **Execution/Persistence:** Attempts to leverage legitimate applications and tools to install malware following a successful phishing attempt.
## Targeting
- **Sectors:** Diplomatic institutes (specifically a Central European diplomatic institute).
- **Geography:** Previously focused activity is implied, but the current campaign expanded to target **Europe**.
- **Victims:** A Central European diplomatic institute was specifically mentioned as a target in the latest campaign.
## Tools & Infrastructure
- **Malware families used:** ANEL backdoor (referenced in the linked blogpost, though details are not fully described in this summary quote). *No specific C2 domains or IPs were provided in the text.*
## Implications
MirrorFace is expanding its geographic reach, moving directly into European targets with a focus on diplomatic entities. This indicates a broadening of intelligence collection priorities or a direct shift in strategic focus towards European political or diplomatic affairs.
## Mitigations
- **Spearphishing Defense:** Implement heightened scrutiny and advanced filtering for incoming emails, especially those leveraging timely or high-profile lures like major international events (e.g., World Expo 2025).
- **Application Control:** Harden systems against the abuse of legitimate applications and tools used for evasion/installation.
- **Endpoint Detection:** Ensure robust detection capabilities for post-exploitation activity indicative of backdoor deployment.