MirrorFace (Threat Actor)

MirrorFace (Back to overview)

MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently track them as a separate entity.

Associated Families

win.noopdoor win.lodeinfo

References

2024-07-16 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
MirrorFace Attack against Japanese Organisations
LODEINFO NOOPDOOR

2024-05-01 ⋅ ⋅ Macnica ⋅ Macnica Networks
The Reality of Targeted Attacks and Countermeasures: Trends in Cyber Espionage (Targeted Attacks) Targeting Japan FY2023
LODEINFO NOOPDOOR

2024-02-29 ⋅ YouTube (Kaspersky Tech) ⋅ Suguru Ishimaru
Unleashing the Secrets:A Full Analysis for the Complex LODEINFO v0.7.1
LODEINFO

2024-01-26 ⋅ Trendmicro ⋅ Hara Hiroaki, Masaoki Shoji, Nick Dai, Vickie Su, Yuka Higashi
Spot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha
Anel Cobalt Strike LODEINFO NOOPDOOR

2024-01-24 ⋅ ITOCHU ⋅ ITOCHU Cyber & Intelligence Inc.
The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis
LODEINFO

2023-10-26 ⋅ ESET Research ⋅ ESET Research
ESET APT Activity Report Q2–Q3 2023
SimpleTea LODEINFO

2023-09-07 ⋅ Sekoia ⋅ Jamila B.
My Tea’s not cold. An overview of China’s cyber threat
Melofee PingPull SoWaT Sword2033 MgBot MQsTTang PlugX TONESHELL Dalbit MirrorFace

2023-01-25 ⋅ N.F.Laboratories Inc. ⋅ Daisuke Saika, Hiroki Kubokawa, Ryo Minakawa
Fighting to LODEINFO Investigation for Continuous Cyberespionage Based on Open Source
LODEINFO

2022-12-14 ⋅ ESET Research ⋅ Dominik Breitenbacher
Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
LODEINFO MirrorFace

2022-10-31 ⋅ Kaspersky Labs ⋅ Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part I
LODEINFO

2022-10-31 ⋅ Kaspersky Labs ⋅ Suguru Ishimaru
APT10: Tracking down LODEINFO 2022, part II
LODEINFO

2021-02-18 ⋅ JPCERT/CC ⋅ Kota Kino
Further Updates in LODEINFO Malware
LODEINFO

2021-01-19 ⋅ ⋅ Twitter (@jpcert_ac) ⋅ JPCERT/CC
Tweet on LODEINFO ver 0.47 spotted ITW targeting Japan
LODEINFO

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-06-20 ⋅ Cyber And Ramen blog ⋅ msec1203
Analysis of LODEINFO Maldoc
LODEINFO

2020-06-11 ⋅ ⋅ JPCERT/CC ⋅ Kota Kino
マルウエアLODEINFOの進化 (Evolution of Malware LODEINFO)
LODEINFO

2020-05-01 ⋅ Macnica Networks ⋅ Macnica Networks, TeamT5
Cyber Espionage Tradecraft in the Real World Adversaries targeting Japan in the second half of 2019
TSCookie LODEINFO

2020-02-27 ⋅ JPCERT/CC ⋅ Kota Kino
Malware “LODEINFO” Targeting Japan
LODEINFO

2020-02-20 ⋅ ⋅ JPCERT/CC ⋅ Kota Kino
日本国内の組織を狙ったマルウエアLODEINFO
LODEINFO

Credits: MISP Project