hacker

MirrorFace hackers targeting Japanese govt, politicians since 2019

Teilen:

The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed “MirrorFace” hacking group.

The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.

In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.

MirrorFace, also known as “Earth Kasha,” was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubbed ‘MirrorStealer’ and also the ‘LODEINFO’ backdoor.

Targeting government and technology

According to NPA’s analysis of the MirrorFace activity, the Chinese hackers exploit flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway.

After breaching the networks, the threat actors infect targeted computers with LODEINFO, ANEL, NOOPDOOR, and other malware families capable of data exfiltration and various backdoors for persistent long-term access.

NPA identified three distinct campaigns conducted by the MirrorFace hackers:

  • Campaign A (2019–2023): Targeted think tanks, government entities, politicians, and media with malware-laden emails to steal information.
  • Campaign B (2023): Exploited software vulnerabilities in internet-connected devices, targeting Japan’s semiconductor, manufacturing, ICT, academia, and aerospace sectors.
  • Campaign C (2024–present): Used malicious email links to infect academia, think tanks, politicians, and media with malware.

Evasion via VSCode and Windows Sandbox

The NPA highlights two evasion methods MirrorFace uses to persist in networks for extended periods without raising any alarms.

The first uses Visual Studio Code tunnels, which are set up by the ANEL malware on the compromised system. These tunnels are used to receive commands to execute on infected systems, which are usually PowerShell commands.

This is a documented tactic previously attributed to other Chinese state-sponsored hackers like STORM-0866 and Sandman APT.

The second evasion method, employed since June 2023, involves the use Windows Sandbox feature to execute LOADEINFO within an isolated environment, bypassing antivirus detection.

Windows Sandbox is a virtualized desktop environment that can safely execute commands and run programs isolated from the host operating system.

However, the host operating system, including Microsoft Defender, does not monitor this environment. This allows the threat actors to run malware that communicates with remote command and control (C2) servers while maintaining local filesystem access to the host via shared folders.

Based on the above, the NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity.

While it is not possible to log commands executed in Windows Sandbox, the NPA says you can configure Windows policies on the host to audit process creation to detect when the Windows Sandbox is launched and what configuration file was used.

This will allow organizations that do not usually use Windows Sandbox to detect its use and investigate further.

Quelle

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
3:31 am, Juni 23, 2025
Wetter-Symbol 18°C
L: 17° | H: 19°
overcast clouds
Luftfeuchtigkeit: 79 %
Druck: 1010 mb
Wind: 10 mph WNW
Windböe: 17 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 88%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:43 am
Sonnenuntergang: 9:21 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
17° | 19°°C 0.2 mm 20% 14 mph 79 % 1016 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
13° | 22°°C 0.2 mm 20% 13 mph 80 % 1016 mb 0 mm/h
Mi. Juni 25 10:00 pm
Wetter-Symbol
16° | 27°°C 0 mm 0% 9 mph 86 % 1014 mb 0 mm/h
Do. Juni 26 10:00 pm
Wetter-Symbol
18° | 26°°C 0.48 mm 48% 14 mph 84 % 1016 mb 0 mm/h
Fr. Juni 27 10:00 pm
Wetter-Symbol
17° | 28°°C 0 mm 0% 16 mph 72 % 1019 mb 0 mm/h
Today 4:00 am
Wetter-Symbol
17° | 18°°C 0.2 mm 20% 13 mph 79 % 1010 mb 0 mm/h
Today 7:00 am
Wetter-Symbol
16° | 17°°C 0.2 mm 20% 13 mph 76 % 1011 mb 0 mm/h
Today 10:00 am
Wetter-Symbol
18° | 19°°C 0 mm 0% 12 mph 55 % 1013 mb 0 mm/h
Today 1:00 pm
Wetter-Symbol
22° | 22°°C 0 mm 0% 12 mph 34 % 1014 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
21° | 21°°C 0 mm 0% 14 mph 32 % 1014 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
22° | 22°°C 0 mm 0% 13 mph 39 % 1014 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
17° | 17°°C 0 mm 0% 10 mph 53 % 1016 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
14° | 14°°C 0 mm 0% 8 mph 69 % 1016 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€88,042.10
-1.04%
Ethereum(ETH)
€1,949.05
-1.16%
Fesseln(USDT)
€0.87
0.00%
XRP(XRP)
€1.76
-1.65%
Solana(SOL)
€115.71
-1.03%
USDC(USDC)
€0.87
0.00%
Dogecoin(DOGE)
€0.132578
-1.18%
Shiba Inu(SHIB)
€0.000010
-1.61%
Pepe(PEPE)
€0.000008
-4.11%
Peanut das Eichhörnchen(PNUT)
€0.218896
13.10%
Nach oben scrollen