MirrorFace gang uses next year’s World Expo to bait their targets

November 12, 2024

The MirrorFace threat group, an alleged China-aligned cybercriminal organisation, has been using the World Expo in 2025 as a lure for its malicious operation that targets the diplomatic body of the European Union.

Based on reports, the threat actor’s primary lure is the aforementioned event, which will take place in Osaka, Japan, next year. This indicates that the threat actor still prioritises Japan, and any global event it hosts, as its leading target.

The MirrorFace gang is an advanced persistent threat (APT) group that is notorious for targeting Japan.

Investigations into MirrorFace show that it is part of the notorious APT10 cybercriminal faction. This group comprises various China-aligned threat groups, such as Bronze Starlight and Earth Tengshe.

MirrorFace has been targeting Japanese organisations for over five years now. However, one of its latest campaigns in early 2023 expanded its operations to target Taiwan and India.

This hacking group’s malware arsenal has expanded to include backdoors such as ANEL, LODEINFO and NOOPDOOR, as well as an information stealer dubbed MirrorStealer.

Furthermore, the researchers claimed that MirrorFace’s attacks are highly targeted: the group targets only a few organisations each year, significantly fewer than other APT groups. The ultimate purpose of these targeted attacks is cyber espionage and data theft. However, the threat actor has attacked diplomatic groups before.

Its latest campaign relies on spear-phishing: an email with a link to a ZIP archive stored on Microsoft OneDrive.

The ZIP package contained a Windows shortcut file that, once a recipient runs it, initiates an infection process that eventually installs ANEL and NOOPDOOR. The ANEL backdoor’s last appearance in the cybercriminal landscape was allegedly in 2019, and it was assumed that LODEINFO took its place. However, this latest development, where both malware appear, might imply that ANEL received an upgrade during its dormancy.
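A triage check for the delivery format described above, as an added example that is not from the original article or the researchers it cites: it lists Windows shortcut files inside a ZIP archive by extension and by the shell-link file header, including inside nested archives. The sample archive is built in memory, and its file names and contents are constructed.

```python
import io
import zipfile

# MS-SHLLINK ShellLinkHeader: HeaderSize 0x4C followed by the LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_MEMBER = 10 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def find_shortcuts(zip_bytes, depth=0, max_depth=2):
    """Return (member_path, reason) for every shortcut-like entry."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            name = info.filename
            if info.flag_bits & 0x1:  # encrypted member: only the name is visible
                if name.lower().endswith(".lnk"):
                    hits.append((name, "extension (encrypted)"))
                continue
            data = zf.read(info)
            if data.startswith(LNK_MAGIC):
                hits.append((name, "lnk header"))
            elif name.lower().endswith(".lnk"):
                hits.append((name, "extension"))
            elif data[:4] == b"PK\x03\x04" and depth < max_depth:
                for inner, reason in find_shortcuts(data, depth + 1, max_depth):
                    hits.append((name + "!" + inner, reason))
    return hits


def build_sample():
    """Constructed sample archive; names and contents are made up and inert."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("schedule.pdf", LNK_MAGIC + b"\x00" * 56)  # header only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample, harmless")
        z.writestr("invitation.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in find_shortcuts(build_sample()):
        print(path, "->", reason)
```

Checking the header as well as the extension catches a shortcut whose name has been changed, and the size cap and depth limit keep the scan bounded on hostile archives.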

Potential participating countries and individuals in next year’s World Expo in Japan should be wary of these threats. These espionage-focused threat actors will likely target the event, which may compromise attendees and members of the European Union.
