MirrorFace

Threat Actors · MirrorFace

· ATT&CK GroupG1054

Earth Kasha

Techniques

Software

Tactics

Aliases

Description

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)

Tactic Coverage

discovery (10)stealth (6)execution (5)defense impairment (5)credential access (4)collection (4)initial access (3)lateral movement (2)command and control (2)resource development (2)exfiltration (1)persistence (1)reconnaissance (1)

Techniques Used (43)

T1003.001LSASS Memory

credential access

T1003.002Security Account Manager

credential access

T1003.003NTDS

credential access

T1005Data from Local System

collection

T1007System Service Discovery

discovery

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 43 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (16)

S0190BITSAdmintool S0154Cobalt Strikemalware S9021DOWNIISSAmalware S9023HiddenFacemalware S9020LODEINFOmalware S9022MirrorStealermalware S9025NOOPLDRmalware S0039Net

References (8)

https://attack.mitre.org/groups/G1054 https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html