MirrorFace (Cybercriminals) – Threat Actor

January 30, 2025
Reading Time: 5 mins read
in Threat Actors

MirrorFace

Location: China
Date of initial activity: 2020
Suspected Attribution: Cybercriminals
Motivation: Cyberwarfare
Software: Windows

Overview

The cyber threat landscape has become increasingly complex, with sophisticated actors employing advanced techniques to infiltrate organizations and compromise sensitive information. Among these, the MirrorFace threat actor has emerged as a formidable adversary, targeting a diverse range of institutions in Japan, including media outlets, political organizations, and educational institutions. Since its inception, MirrorFace has shown a notable evolution in its tactics, techniques, and procedures (TTPs), shifting its focus from these initial targets to more critical sectors such as manufacturers and research institutions. This shift reflects a strategic pivot toward exploiting vulnerabilities in externally exposed assets and deploying increasingly sophisticated malware, including the NOOPDOOR and LODEINFO families.

The MirrorFace actor has been active since at least 2022, using spear phishing campaigns as its primary method of initial access. Over time, its approach has expanded to include the exploitation of vulnerabilities in widely used technologies, particularly software such as Array AG and FortiGate. The combination of social engineering and technical exploitation has allowed MirrorFace to breach defenses, infiltrate networks, and gain unauthorized access to sensitive information. The recent shift toward manufacturers and research institutions underscores the potential for greater disruption, as these sectors play a critical role in national security and economic stability.

Common Targets: Information, Japan

Attack vectors: Software Vulnerabilities

How they work

Initial Access: The Art of Deception
The initial phase of a MirrorFace operation typically begins with social engineering, particularly spear-phishing campaigns. These campaigns involve carefully crafted emails designed to appear legitimate, containing either links to malicious websites or attachments carrying malware. When an unsuspecting victim interacts with these elements, the threat actor gains a foothold in the targeted organization. Techniques such as T1192 (Spear Phishing Link) and T1193 (Spear Phishing Attachment) from the MITRE ATT&CK framework are emblematic of MirrorFace’s modus operandi, showing its reliance on human error to initiate attacks. MirrorFace has also been known to exploit vulnerabilities in widely used software such as Array AG and FortiGate. By leveraging these weaknesses, it can bypass traditional security measures and execute arbitrary code on the target’s system. Techniques like T1203 (Exploitation for Client Execution) illustrate the group’s technical proficiency in exploiting software flaws to achieve initial access, setting the stage for more invasive actions within the victim’s network.
Execution and Persistence: Establishing Control
Once inside a network, MirrorFace employs a variety of execution techniques to maintain persistence and control over compromised systems. Techniques such as T1543 (Create or Modify System Process) are utilized to establish a foothold, allowing the threat actor to execute malicious payloads and modify system processes to align with their objectives. This manipulation can facilitate the creation of backdoors, which grant ongoing access to the compromised systems, making it challenging for the victim to detect or remove the threat. In addition to direct system manipulation, MirrorFace often deploys advanced malware designed for data exfiltration and lateral movement within the network. The use of tools such as Remote Access Trojans (RATs) enables the threat actor to remotely control compromised machines, allowing them to harvest sensitive information, escalate privileges, and move laterally across the network. This strategic approach highlights MirrorFace’s understanding of network architecture and their ability to exploit it to their advantage.
Data Exfiltration and Impact
The ultimate goal of the MirrorFace threat actor is often data exfiltration, which can have devastating consequences for targeted organizations. Once they have navigated through the network and identified valuable assets, they employ techniques such as T1041 (Exfiltration Over Command and Control Channel) to transfer sensitive data back to their servers. This process is frequently conducted in a stealthy manner, utilizing encrypted channels to evade detection by security systems. The ramifications of such operations can be profound, not only impacting the financial standing of organizations but also threatening customer trust and regulatory compliance. For instance, when telecommunications or IT companies fall victim to these attacks, the breach of sensitive customer data can lead to significant reputational damage, legal consequences, and loss of market share.
Conclusion: The Ongoing Battle Against Cyber Threats
The technical operations of the MirrorFace threat actor illustrate the evolving landscape of cyber threats that organizations must navigate. By leveraging social engineering, exploiting software vulnerabilities, and deploying advanced malware, MirrorFace poses a significant challenge to cybersecurity professionals. As the tactics and techniques used by threat actors continue to evolve, it is imperative for organizations to enhance their security posture through employee training, robust incident response plans, and the implementation of advanced threat detection technologies. Understanding the operational intricacies of groups like MirrorFace is essential in the ongoing battle against cybercrime, enabling organizations to better prepare and defend against potential attacks.

MITRE Tactics and Techniques

Initial Access
  • T1192 (Spear Phishing Link): Using deceptive emails containing malicious links to gain access to the target’s environment.
  • T1193 (Spear Phishing Attachment): Sending emails with attachments that contain malware to execute on the victim’s machine.
  • T1203 (Exploitation for Client Execution): Exploiting vulnerabilities in applications to execute code on the client side.

Execution
  • T1543 (Create or Modify System Process): Creating or modifying processes to maintain persistence and execute malicious payloads.
  • T1059 (Command and Scripting Interpreter): Using scripts or command-line interfaces to execute malicious commands on compromised systems.

Persistence
  • T1547 (Boot or Logon Autostart Execution): Ensuring that malicious software starts automatically when the system boots or a user logs in.
  • T1136 (Create Account): Creating new user accounts to maintain access and control over the system.

Privilege Escalation
  • T1068 (Exploitation for Privilege Escalation): Exploiting vulnerabilities in software or services to gain elevated privileges within the network.

Defense Evasion
  • T1070 (Indicator Removal on Host): Deleting logs or other indicators of compromise to evade detection.
  • T1027 (Obfuscated Files or Information): Using obfuscation techniques to hide malicious files and activities from security tools.

Credential Access
  • T1003 (Credential Dumping): Extracting account credentials from compromised systems.
  • T1552 (Unsecured Credentials): Searching for unsecured credentials in applications or files.

Lateral Movement
  • T1021 (Remote Services): Using remote services (e.g., RDP, SMB) to move laterally within the network.
  • T1080 (Taint Shared Content): Compromising shared content, such as network shares or collaborative platforms, to access other systems.

Collection
  • T1119 (Automated Collection): Using automated tools to collect data from compromised systems efficiently.
  • T1041 (Exfiltration Over Command and Control Channel): Transferring collected data back to the threat actor’s servers via a command and control (C2) channel.

Exfiltration
  • T1048 (Exfiltration Over Alternative Protocol): Using non-standard protocols to transfer data out of the target environment, reducing the likelihood of detection.
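As an added defender-side illustration (not code from the original profile or from the cited report), the script below maps constructed Windows event lines to five of the technique IDs listed above (T1543, T1547, T1136, T1070, T1021) so an analyst can see which parts of this actor's playbook a host's telemetry is lighting up. The pipe-delimited line format, the sample values and the rule-to-technique mapping are assumptions made for the example; the Windows and Sysmon event IDs themselves (7045, 4720, 1102, 4624 logon type 10, Sysmon 13) are standard.

```python
"""Triage helper: map Windows telemetry lines to the ATT&CK technique IDs
this profile lists for MirrorFace (T1543, T1547, T1136, T1070, T1021)."""
import re
from collections import Counter

# Constructed sample events for the example, not real telemetry.
# Line format (assumed): "<channel>|<event_id>|<key=value details>"
SAMPLE_EVENTS = [
    "System|7045|ServiceName=UpdateSvc ImagePath=C:\\ProgramData\\upd\\svc.exe",
    "Sysmon|13|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper Details=C:\\Users\\Public\\h.exe",
    "Security|4720|TargetUserName=support2 SubjectUserName=admin",
    "Security|1102|SubjectUserName=admin",
    "Security|4624|LogonType=10 TargetUserName=admin IpAddress=10.0.0.5",
    "Security|4624|LogonType=2 TargetUserName=alice IpAddress=-",
    "System|7036|ServiceName=Spooler State=running",
]

# Rule: (technique id from the profile, channel, event id, optional regex on details).
# Event IDs are the standard Windows/Sysmon ones; the mapping to each technique is ours.
RULES = [
    ("T1543", "System", "7045", None),                      # new service installed
    ("T1547", "Sysmon", "13", r"\\CurrentVersion\\Run\\"),  # Run-key autostart value written
    ("T1136", "Security", "4720", None),                    # user account created
    ("T1070", "Security", "1102", None),                    # audit log cleared
    ("T1021", "Security", "4624", r"LogonType=10\b"),       # RemoteInteractive (RDP) logon
]

def classify(event):
    """Return the technique ids matched by one event line (empty list if none)."""
    channel, event_id, details = event.split("|", 2)
    hits = []
    for tech, chan, eid, pattern in RULES:
        if channel == chan and event_id == eid and (
            pattern is None or re.search(pattern, details)
        ):
            hits.append(tech)
    return hits

def triage(events):
    """Count technique hits across all events; benign/unmatched events are ignored."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)

if __name__ == "__main__":
    for tech, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{tech}: {n} matching event(s)")
```

Feeding real exported events in the same shape would surface which of the listed techniques have already been observed, which is where incident scoping for this actor should start.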
Tags: Cyberwarfare, FortiGate, Japan, LODEINFO, MirrorFace, NOOPDOOR, Threat Actors, Vulnerabilities