Are Chinese Cyber-Espionage Groups Expanding Their Operations Globally?

In a bold move marking a significant geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has targeted a diplomatic organization within the European Union (EU) for the first time. Historically, this subset of the broader APT10 group has primarily focused on Japanese targets, but recent operations have extended to Taiwan and India. This latest attack utilized the upcoming World Expo 2025 in Osaka, Japan, as a lure, reflecting evolving tactics aimed at cyber espionage and data theft.

MirrorFace’s Tactics and Malware Arsenal

Spear-Phishing and Malware Deployment

The specific attack on the EU diplomatic organization involved a sophisticated spear-phishing email. This email contained a link to a ZIP archive named “The EXPO Exhibition in Japan in 2025.zip," hosted on Microsoft OneDrive. Upon opening the archive, victims encountered a Windows shortcut file designed to initiate the infection process. This led to the deployment of ANEL and NOOPDOOR malware, two of MirrorFace’s favored tools. ANEL, in particular, drew significant attention due to its sudden reappearance after nearly five years. Previously thought to be replaced by LODEINFO around 2019, ANEL’s return signals a possible shift or diversification in MirrorFace’s approach.

The modus operandi of MirrorFace relies on highly targeted operations, typically executing fewer than ten attacks annually. This precision indicates reconnaissance and a deep understanding of their targets. By using the World Expo 2025 as bait, MirrorFace capitalizes on the high-profile nature of international events to catch the interest of their victims. The deployment of multiple malware variants showcases the group’s capability to adapt and utilize a diverse toolkit, enhancing their chances of a successful breach.

Credential Theft with MirrorStealer

Alongside backdoors like ANEL and NOOPDOOR, MirrorFace also employs a credential stealer named MirrorStealer. This tool is designed to extract sensitive information, including passwords and other login credentials, which can then be used to infiltrate networks further. By compromising these credentials, MirrorFace can gain prolonged access to victim environments, allowing them to exfiltrate valuable data over extended periods. This method underscores the group’s primary objective: cyber espionage and data theft targeting entities with high-value information.

Credential theft serves as a critical component in MirrorFace’s strategy, facilitating deeper network penetration and enabling long-term surveillance. The use of MirrorStealer aligns with their broader goal of gathering intelligence and compromising sensitive communications. Considering the rise in cyber activities by Chinese-affiliated actors, MirrorFace’s sophistication in deploying various malware highlights the advanced stage of their operations.

Broader Cyber Espionage Activities

Increased Activity by Chinese Groups

MirrorFace’s operations form part of a broader context of heightened cyber activities by Chinese-affiliated threat actors. Groups like Flax Typhoon, Granite Typhoon, and Webworm have increasingly leveraged open-source tools like SoftEther VPN to maintain stealthy and resilient access to compromised networks. This trend signifies an evolution in tactics where open-source solutions are adapted to circumvent traditional security measures. The strategic use of such tools complicates detection efforts, illustrating a growing sophistication within these attack campaigns.

Recent reports suggest that Volt Typhoon, another Chinese group, used Singapore Telecommunications (Singtel) as a testbed in a campaign targeting telecom companies and critical infrastructure. This tactic of targeting major telecommunications providers indicates a shift towards compromising essential communication networks, which can have cascading effects on national security and infrastructure. Additionally, other U.S.-based telecom providers, like AT&T, Verizon, and Lumen Technologies, reportedly faced similar threats from Salt Typhoon, highlighting the expansive reach and persistent nature of these campaigns.

Impact on Communications and Infrastructure

In a daring move signifying notable geographical expansion, the China-aligned hacking group MirrorFace, also known as Earth Kasha, has struck a diplomatic organization within the European Union (EU) for the first time. Previously, this faction of the wider APT10 group mainly targeted Japanese entities. However, its operations have recently broadened to include Taiwan and India. The group’s latest attack employed the upcoming World Expo 2025 in Osaka, Japan, as bait, highlighting its evolving strategies in cyber espionage and data theft.

Historically known for their sophisticated cyber-attacks, MirrorFace’s focus on Japan has meant rigorous defenses in that region. By turning attention to the EU, they exploit potentially less fortified cyber landscapes. This shift signifies not just a change in tactics but a strategic repositioning aimed at capturing more diverse intelligence. Such maneuvers underscore the persistent global threat posed by state-sponsored hacking groups. Their growing activity and expanding target range highlight the critical need for robust cybersecurity measures worldwide.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol