MirrorFace

216.73.216.226

· Published 21/12/2025 04:36 · Modified 04/05/2026 16:33 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 21/12/2025 04:36
Modified: 04/05/2026 16:33
Updated at: 04/05/2026 16:33
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 77 attack patterns (mitre), 12 malware, 6 sectors, 1 countries, 16 indicators, 1 vulnerabilities (cve), 8 tool, 1 campaign

Description

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent [MirrorFace](https://attack.mitre.org/groups/G1054) operations included targets in Central Europe and featured use of [LODEINFO](https://attack.mitre.org/software/S9020), [HiddenFace](https://attack.mitre.org/software/S9023), and [UPPERCUT](https://attack.mitre.org/software/S0275) malware.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)

Marking (TLP)

TLP:CLEAR

MirrorFace

Essential information

Description

Marking (TLP)

External references

Related entities

Reports (2)

Attack patterns (MITRE) (77)

Malware (12)

Sectors (6)

Countries (1)

Indicators (16)

Vulnerabilities (CVE) (1)

Tool (8)

Campaign (1)