China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait

Nov 07, 2024 | Ravie Lakshmanan | Threat Intelligence / Cyber Espionage

A diplomatic institution in the European Union has come under attack from hackers associated with China known as MirrorFace, marking the first instance of this group targeting an organization in this area.

“In this assault, the hackers enticed their victims using the upcoming World Expo scheduled for 2025 in Osaka, Japan,” ESET mentioned in its APT Activity Report covering the period from April to September 2024.

“Despite focusing on new geographical targets, MirrorFace continues to concentrate its efforts on Japan and events linked to it,” the report added.


MirrorFace, also known as Earth Kasha, is believed to be part of a larger group identified as APT10, which includes other clusters like Earth Tengshe and Bronze Starlight. The group has notably directed its activities towards Japanese entities since 2019; however, an expansion in its operations was witnessed in early 2023 to encompass targets in Taiwan and India.

Over time, the hackers’ toolkit has evolved to comprise malicious tools such as ANEL (also known as UPPERCUT), LODEINFO, and NOOPDOOR (referred to as HiddenFace), alongside a credential theft tool called MirrorStealer.

ESET informed The Hacker News that MirrorFace attacks are precise and typically average “fewer than 10 attacks per year.” The primary aim of these breaches is cyber espionage and data exfiltration. Notably, this is not the first instance of the hackers targeting diplomatic entities.

In the most recent incident identified by the Slovak cybersecurity firm, the victim received a targeted email with a link to a ZIP file (“The EXPO Exhibition in Japan in 2025.zip”) hosted on Microsoft OneDrive.

Image Source: Trend Micro

The ZIP file contained a Windows shortcut file (“The EXPO Exhibition in Japan in 2025.docx.lnk”) which, when executed, initiated a sequence leading to the installation of ANEL and NOOPDOOR.
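One defender-side check that the delivery chain above suggests, written here as an added example (not ESET's or Trend Micro's tooling): inspect an archive for shortcut files that hide behind a document extension, as the lure file did, or that carry the Shell Link header under some other name. The archive contents are constructed for the example; only the lure file name is taken from the article.

```python
import io
import re
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046. Lets us recognise a shortcut
# no matter what extension the file name carries.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# A document-looking extension immediately followed by .lnk, e.g. "report.docx.lnk".
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt)\.lnk$", re.IGNORECASE)

def find_disguised_shortcuts(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for every archive member that is a Windows
    shortcut, judged by its name or by the LNK header bytes it starts with."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if DOUBLE_EXT.search(name):
                reason = "shortcut disguised with a document double extension"
            elif name.lower().endswith(".lnk"):
                reason = "Windows shortcut inside archive"
            else:
                with zf.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
                if head != LNK_MAGIC:
                    continue  # ordinary file, nothing to report
                reason = "LNK header bytes behind a non-.lnk name"
            findings.append((name, reason))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking the lure above; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Lure file name from the article, with a minimal synthetic LNK body.
        zf.writestr("The EXPO Exhibition in Japan in 2025.docx.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("agenda.docx", b"PK\x03\x04 placeholder, not a real document")
        zf.writestr("invite.pdf", LNK_MAGIC + b"\x00" * 32)  # shortcut hiding behind .pdf
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_disguised_shortcuts(build_sample_archive()):
        print(f"FLAG: {name!r}: {reason}")
```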

“Following its absence around the end of 2018 or the start of 2019, ANEL was thought to have been replaced by LODEINFO, which first appeared in 2019,” ESET noted. “Hence, the reappearance of ANEL after almost five years is intriguing.”

These developments coincide with the observation that threat actors associated with China, like Flax Typhoon, Granite Typhoon, and Webworm, are increasingly leveraging the open-source and multi-platform SoftEther VPN for maintaining access to victims’ networks.


Additionally, a report from Bloomberg revealed that the China-based Volt Typhoon infiltrated Singapore Telecommunications (Singtel) as a preliminary operation within a broader initiative targeting telecom companies and critical infrastructure. The breach was identified in June 2024.

Telecom and network providers such as AT&T, Verizon, and Lumen Technologies in the U.S. have also been subjected to cyber attacks by another Chinese state-sponsored group known as Salt Typhoon (aka FamousSparrow and GhostEmperor).

Recently, The Wall Street Journal reported that these intrusions were used to compromise cellular lines belonging to senior national security officials, policymakers, and politicians in the U.S. The operation also involved breaching communication services linked to a foreign ally closely cooperating with the U.S.
