hacker

MirrorFace hackers targeting Japanese govt, politicians since 2019

Share:

The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed “MirrorFace” hacking group.

The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.

In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.

MirrorFace, also known as “Earth Kasha,” was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubbed ‘MirrorStealer’ and also the ‘LODEINFO’ backdoor.

Targeting government and technology

According to NPA’s analysis of the MirrorFace activity, the Chinese hackers exploit flaws in networking equipment, including CVE-2023-28461 in Array Networks, CVE-2023-27997 in Fortinet appliances, and CVE-2023-3519 in Citrix ADC/Gateway.

After breaching the networks, the threat actors infect targeted computers with LODEINFO, ANEL, NOOPDOOR, and other malware families capable of data exfiltration and various backdoors for persistent long-term access.

NPA identified three distinct campaigns conducted by the MirrorFace hackers:

  • Campaign A (2019–2023): Targeted think tanks, government entities, politicians, and media with malware-laden emails to steal information.
  • Campaign B (2023): Exploited software vulnerabilities in internet-connected devices, targeting Japan’s semiconductor, manufacturing, ICT, academia, and aerospace sectors.
  • Campaign C (2024–present): Used malicious email links to infect academia, think tanks, politicians, and media with malware.

Evasion via VSCode and Windows Sandbox

The NPA highlights two evasion methods MirrorFace uses to persist in networks for extended periods without raising any alarms.

The first uses Visual Studio Code tunnels, which are set up by the ANEL malware on the compromised system. These tunnels are used to receive commands to execute on infected systems, which are usually PowerShell commands.

This is a documented tactic previously attributed to other Chinese state-sponsored hackers like STORM-0866 and Sandman APT.

The second evasion method, employed since June 2023, involves the use Windows Sandbox feature to execute LOADEINFO within an isolated environment, bypassing antivirus detection.

Windows Sandbox is a virtualized desktop environment that can safely execute commands and run programs isolated from the host operating system.

However, the host operating system, including Microsoft Defender, does not monitor this environment. This allows the threat actors to run malware that communicates with remote command and control (C2) servers while maintaining local filesystem access to the host via shared folders.

Based on the above, the NPA recommends that system administrators monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity.

While it is not possible to log commands executed in Windows Sandbox, the NPA says you can configure Windows policies on the host to audit process creation to detect when the Windows Sandbox is launched and what configuration file was used.

This will allow organizations that do not usually use Windows Sandbox to detect its use and investigate further.

Source

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
4:30 am, Jul 11, 2025
weather icon 17°C
L: 16° | H: 19°
scattered clouds
Humidity: 81 %
Pressure: 1021 mb
Wind: 3 mph SSE
Wind Gust: 6 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 45%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
16° | 19°°C 0 mm 0% 8 mph 77 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
19° | 30°°C 0 mm 0% 10 mph 66 % 1019 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 7 mph 71 % 1015 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
18° | 28°°C 1 mm 100% 15 mph 84 % 1016 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
14° | 20°°C 1 mm 100% 14 mph 81 % 1017 mb 0 mm/h
Today 7:00 am
weather icon
18° | 19°°C 0 mm 0% 2 mph 77 % 1021 mb 0 mm/h
Today 10:00 am
weather icon
24° | 27°°C 0 mm 0% 2 mph 57 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
30° | 30°°C 0 mm 0% 3 mph 32 % 1020 mb 0 mm/h
Today 4:00 pm
weather icon
32° | 32°°C 0 mm 0% 4 mph 26 % 1018 mb 0 mm/h
Today 7:00 pm
weather icon
30° | 30°°C 0 mm 0% 6 mph 29 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
23° | 23°°C 0 mm 0% 8 mph 49 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
21° | 21°°C 0 mm 0% 5 mph 57 % 1019 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 5 mph 66 % 1018 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€99,593.14
4.84%
Ethereum(ETH)
€2,537.36
6.75%
Tether(USDT)
€0.85
-0.01%
XRP(XRP)
€2.20
6.14%
Solana(SOL)
€140.63
4.16%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.169678
9.79%
Shiba Inu(SHIB)
€0.000012
8.24%
Pepe(PEPE)
€0.000011
15.23%
Peanut the Squirrel(PNUT)
€0.250498
23.38%
Scroll to Top