China-Linked MirrorFace Deploys ANEL and AsyncRAT in New Cyber Espionage Operation


The China-aligned threat actor MirrorFace (also tracked as Earth Kasha), considered a subgroup of APT10, targeted a Central European diplomatic institute in a campaign ESET named Operation AkaiRyū (RedDragon). The intrusion marks a departure from the group's usual focus on Japanese targets. ESET detected the activity in August 2024. MirrorFace revived the ANEL backdoor (also known as UPPERCUT), which it had abandoned around 2019, and used it in place of LODEINFO. The campaign also deployed a customized AsyncRAT and used Visual Studio Code Remote Tunnels for stealthy remote access. Initial access came through spear-phishing, with the malware loaded via DLL side-loading. A modular backdoor named HiddenFace (NOOPDOOR) was also identified. MirrorFace tightened its operational security by deleting its tools, clearing logs, and running components inside Windows Sandbox, which hinders forensic investigation.
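The summary names four observable techniques (VS Code Remote Tunnels, Windows Sandbox, DLL side-loading, and log clearing). The detection heuristics below are an added example written for this page, not code from ESET or from the report; the event shape, the trusted-directory list, and the set of commonly side-loaded DLL names are assumptions chosen for illustration, and the sample events are constructed rather than taken from the incident.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events, not telemetry from the incident. Field names follow
# Sysmon (EventID 1 = process create, 7 = image load) and the Windows Security
# log (EventID 1102 = audit log cleared); the exact shape is an assumption here.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1,
     "Image": "C:\\Users\\u\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
     "CommandLine": "Code.exe tunnel --accept-server-license-terms --name ws01"},
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsSandbox.exe",
     "CommandLine": "WindowsSandbox.exe C:\\Users\\u\\stage.wsb"},
    {"EventID": 7,
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\legit.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\version.dll",
     "Signed": "false"},
    {"EventID": 7,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true"},
    {"EventID": 1102},
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Short illustrative list of system DLL names that are frequently side-loaded
# (an assumption for this example, not a list taken from the report).
SIDELOAD_CANDIDATES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "msimg32.dll"}
LOG_CLEAR_EVENT_IDS = {1102, 104}  # Security log cleared / System log cleared


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def rule_vscode_tunnel(ev: Event) -> bool:
    """Process creation of VS Code invoked with the 'tunnel' subcommand."""
    if ev.get("EventID") != 1:
        return False
    cmd = str(ev.get("CommandLine", ""))
    return re.search(r"\bcode(\.exe)?\b.*\btunnel\b", cmd, re.I) is not None


def rule_windows_sandbox(ev: Event) -> bool:
    """Windows Sandbox launched; uncommon on most managed workstations."""
    return ev.get("EventID") == 1 and basename(str(ev.get("Image", ""))) == "windowssandbox.exe"


def rule_dll_sideload(ev: Event) -> bool:
    """Unsigned DLL carrying a well-known system DLL name, loaded from an untrusted directory."""
    if ev.get("EventID") != 7:
        return False
    loaded = str(ev.get("ImageLoaded", ""))
    return (basename(loaded) in SIDELOAD_CANDIDATES
            and str(ev.get("Signed", "")).lower() == "false"
            and not in_trusted_dir(loaded))


def rule_log_cleared(ev: Event) -> bool:
    """Event log cleared; an anti-forensics signal worth alerting on by itself."""
    return ev.get("EventID") in LOG_CLEAR_EVENT_IDS


RULES = [
    ("vscode_tunnel", rule_vscode_tunnel),
    ("windows_sandbox", rule_windows_sandbox),
    ("dll_sideload", rule_dll_sideload),
    ("log_cleared", rule_log_cleared),
]


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every event matching a rule, in input order."""
    hits: List[Tuple[str, Event]] = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev}")
```

Each rule is deliberately narrow so it stays low-noise: the side-loading rule requires an unsigned DLL, a known target name, and an untrusted directory all at once, and the log-clearing rule keys only on the dedicated clear-log event IDs rather than on any log gap. Run over the constructed events, the script flags the tunnel launch, the sandbox launch, the unsigned version.dll load, and the cleared log, and ignores the two benign notepad events.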
