Cyber Expansion from Japan

While cybersecurity experts have long monitored China-aligned hacking groups, MirrorFace has just raised eyebrows across Europe. This notorious APT group, previously content with targeting Japanese entities, has suddenly decided Japan wasn’t enough. Talk about ambition. Their latest campaign—dubbed Operation AkaiRyū (that’s “RedDragon” for non-Japanese speakers)—marks their first documented attack against a European target. Quite the milestone for these digital intruders.

ESET researchers spotted the attack in August 2024, when MirrorFace set its sights on a Central European diplomatic institute. Their bait? Emails about Expo 2025 in Osaka. Clever. The group revived their ANEL backdoor after a five-year hiatus, like pulling an old favorite jacket from the back of the closet. They also deployed a heavily customized AsyncRAT variant, because apparently standard malware just isn’t fancy enough.

What’s particularly interesting is their developing toolkit. MirrorFace now executes malware within Windows Sandbox to dodge antivirus detection. They’ve also gotten cozy with legitimate software—SoftEther VPN, McAfee executables, 7-Zip—to blend their malicious traffic with normal operations. The attackers meticulously erase evidence of their actions to hinder forensic investigations. Security professionals are impressed. And concerned.

MirrorFace’s evolving toolkit: Windows Sandbox abuse and legitimate software misuse leave security experts both nodding and sweating.

The shift from exclusively targeting Japan to European Union diplomats signals a strategic expansion. But they haven’t abandoned their Japanese interests. MirrorFace has compromised over 200 organizations in five years, targeting think tanks, politicians, media outlets, aerospace companies, and academic institutions. That’s quite the resume. Their notoriety particularly increased after their interference in Japan’s 2022 election campaigns.

Their apparent collaboration with other threat actors—Flax Typhoon, Gallium, Webworm—suggests a concerning trend of knowledge sharing among state-backed hackers. The impact? Stolen national security data, disrupted operations, and heightened tensions.

For diplomatic institutions across Europe, the message is clear: the dragons from the East are no longer content with staying in their neighborhood. They’re expanding, developing, and eyeing new targets. And they’re getting better at it every day.
