China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait


WIRE TOR

🔐 China-aligned MirrorFace hacking group has expanded its operations to target diplomatic organizations within the European Union. This marks the first time the threat actor has engaged in such an attack in the region. The MirrorFace group, also known as Earth Kasha, is a cyber espionage unit associated with the broader APT10 umbrella group, which has long been notorious for targeting Japanese organizations.

💥 The Lure: In this latest spear-phishing attack, the cybercriminals used the World Expo 2025 in Osaka, Japan, as bait to entice victims. The email contained a link to a ZIP archive titled “The EXPO Exhibition in Japan in 2025.zip,” hosted on Microsoft OneDrive, which, when opened, triggered the deployment of malware.

📥 How the Attack Works: The Windows shortcut file (“The EXPO Exhibition in Japan in 2025.docx.lnk”) embedded in the archive, once executed, set off an infection sequence, deploying two types of backdoor malware: ANEL and NOOPDOOR.

🔑 The Malware: ANEL (aka UPPERCUT) and NOOPDOOR (aka HiddenFace) are part of the MirrorFace malware arsenal, which is used to gain root-level access to victims’ systems, allowing attackers to steal sensitive data. This marks the return of ANEL after almost five years, as LODEINFO had taken its place in 2019.

🌐 Expanding Reach: MirrorFace, which has been primarily focused on Japan, has now widened its scope, recently targeting organizations in Taiwan and India. This signifies a shift in their geopolitical targeting, while still maintaining their interest in Japan and related events. The attacks have become increasingly sophisticated, with cyber espionage being the end goal.

🛡️ Rising Threat of Chinese Nation-State Hackers: This attack comes amid growing concerns about Chinese-affiliated threat actors targeting critical infrastructure across the globe. Groups like Flax Typhoon, Granite Typhoon, and Webworm have been leveraging SoftEther VPN, an open-source multi-platform VPN, to maintain unauthorized access to compromised networks.

📉 What Does This Mean for Businesses?: This sophisticated attack on EU diplomats highlights the importance of vigilant cybersecurity practices, particularly with respect to spear-phishing and file-based malware. Organizations must be proactive in securing their systems and educating employees to recognize suspicious emails and attachments.

🔧 What Should You Do?:

Update your systems regularly and apply patches.
Train employees to recognize phishing attempts and suspicious email attachments.
Use multi-factor authentication (MFA) to prevent unauthorized access.
Implement endpoint detection and response (EDR) tools to spot unusual behavior.
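The infection chain described above (a ZIP archive carrying a Windows shortcut named to look like a .docx document) is the kind of lure a mail gateway or EDR pipeline can flag before a user ever opens it. The following Python script is an added example, not code from the original article or from Wire Tor: it unpacks an archive in memory and reports any member that is a Windows shortcut, either by extension or by its fixed LNK file header (the HeaderSize field 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046, as defined in the Shell Link format), and additionally calls out double extensions such as “.docx.lnk”. The sample archive it builds is constructed for the demonstration; the lure filename is the one reported in the article.

```python
import io
import zipfile
from typing import Dict, List

# Every Windows Shell Link (.lnk) file begins with a 20-byte fixed prefix:
# HeaderSize (0x0000004C, little-endian) followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialised as bytes.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a phishing lure typically imitates. A shortcut whose name ends in
# one of these before ".lnk" is shown to the user as a harmless document,
# because Explorer hides the trailing ".lnk" by default.
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def inspect_archive(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of a ZIP archive.

    A member is suspicious if its content is a Windows shortcut (header check),
    if it carries a .lnk extension, or both. Renamed shortcuts are caught by
    the header check even when the extension says otherwise.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Read only the header; no need to extract the whole member.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_lnk_content = head == LNK_MAGIC
            has_lnk_ext = lower.endswith(".lnk")

            reasons: List[str] = []
            if is_lnk_content:
                reasons.append("content is a Windows shortcut (LNK header)")
            if has_lnk_ext:
                reasons.append("shortcut extension")
                stem = lower[:-len(".lnk")]
                inner = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
                if inner in DOCUMENT_LIKE:
                    reasons.append(f"double extension masquerading as {inner}")
            elif is_lnk_content:
                reasons.append("shortcut content hidden under a non-.lnk name")

            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: the reported lure, a renamed shortcut, and a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Lure name from the article; body is a minimal LNK header plus padding.
        zf.writestr("The EXPO Exhibition in Japan in 2025.docx.lnk", LNK_MAGIC + b"\x00" * 64)
        # Hypothetical renamed shortcut: LNK content, document-looking name.
        zf.writestr("agenda.pdf", LNK_MAGIC + b"\x00" * 64)
        # Benign text file that must not be flagged.
        zf.writestr("readme.txt", b"Expo exhibitor notes (constructed sample)\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(f"{finding['name']}: {'; '.join(finding['reasons'])}")
```

Run as a script, the check flags the lure for both its shortcut header and its “.docx.lnk” double extension, flags the renamed shortcut by header alone, and leaves the text file untouched. The same function can be pointed at real attachments from a quarantine folder by passing the archive bytes directly.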

🚨 Cybersecurity is critical: As cyber espionage becomes more sophisticated, it is crucial to ensure that your organization is prepared to defend against advanced persistent threats (APT) like MirrorFace and other nation-state attackers.

🛍️ BLACK FRIDAY & CYBER MONDAY DEALS — 50% OFF 🛍️

🎉 WIRE TOR is offering an exclusive 50% OFF on all our penetration testing services for Black Friday & Cyber Monday! Protect your business from cyber threats like MirrorFace and other cyber espionage attacks with our comprehensive cybersecurity solutions. Don’t miss out on this limited-time offer to safeguard your digital assets!

🚀 Act Fast: Our expert team is here to provide you with advanced security services, including network penetration testing, web app security, and more.

🌐 Secure Your Business Now with Wire Tor’s penetration testing services and take advantage of 50% OFF for a limited time!

💼 Protect Your Organization: Let us help you stay ahead of cyber threats and ensure your security is airtight.

🔐 Contact us today to schedule your free consultation and learn how we can help you secure your digital infrastructure!
