The China-aligned threat actor MirrorFace, associated with APT10, has targeted a diplomatic organization in the European Union for the first time, using the upcoming 2025 World Expo in Osaka, Japan, as a lure. MirrorFace has historically targeted Japanese entities since 2019 and expanded to Taiwan and India in 2023. The group’s toolkit includes malware like ANEL, LODEINFO, NOOPDOOR, and MirrorStealer for espionage and data theft. The recent attack involved a spear-phishing email with a malicious ZIP archive hosted on Microsoft OneDrive, which delivered ANEL and NOOPDOOR. ANEL's reappearance is notable, as it had not been seen since 2019. Other Chinese-affiliated threat actors, such as Flax Typhoon and Granite Typhoon, have increasingly used the SoftEther VPN for persistent access to networks.