C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
Analyst context for executives and security teams
Operation AkaiRyū matters because it shows a spearphishing-led espionage campaign can combine user-driven initial execution, Windows administration features, discovery activity, remote access tooling, and backdoor/loader malware in one intrusion pattern. For leaders, the practical question is not whether this exact campaign is present, but whether the organization can prove it would see and contain similar phishing-to-post-compromise behavior, especially where Japanese, Central European, diplomatic, academic, manufacturing, financial, defense, media, or other sensitive relationships are business-relevant.
Executive priority
Prioritize validation of email security, endpoint visibility, identity monitoring, and incident response readiness around spearphishing and follow-on execution. The ATT&CK record attributes the campaign to MirrorFace and describes targeting in Japan and Central Europe between June and September 2024, including use of UPPERCUT and other tooling. Executives should ask whether SOC and IR teams can connect a suspicious link or file to later PowerShell, command shell, WMI, MSBuild, Office macro persistence, Kerberos-related tooling, discovery commands, proxy/tunneling behavior, and remote access activity. This is useful for business continuity, audit evidence, and risk decisions because the weak point is often not one control, but gaps between email, endpoint, identity, and network telemetry.
Technical view
ATT&CK does not provide campaign-specific detection text or campaign platforms, so defenders should build validation from the related techniques and software. Focus on spearphishing follow-on behavior involving malicious links and files, Office template macros, PowerShell, Windows Command Shell, WMI, MSBuild, file deletion, system/network/file/browser discovery, remote access tools, and FRP-like proxying. The related software set includes Windows-associated malware and tools such as UPPERCUT, AsyncRAT, HiddenFace, ROAMINGHOUSE, ANELLDR, and Rubeus, plus cross-platform utilities such as Arp and FRP. Detection engineering should test whether alerts preserve the chain of evidence from initial user action through execution, persistence, discovery, credential/identity-relevant activity, command and control, and cleanup.
Likely telemetry
- Email security logs for spearphishing links, attachments, sender metadata, URL clicks, and delivered file details
- Endpoint process creation telemetry for PowerShell, cmd.exe, WMI activity, MSBuild.exe, Office-spawned child processes, and unusual script execution
- Office and macro-related telemetry, including template modification or macro execution where available
- File system events for suspicious drops, masqueraded file types, loader/backdoor artifacts, and file deletion after execution
- Windows event logs and EDR telemetry for remote execution, WMI, command-line arguments, and parent-child process relationships
Detection direction
- Validate correlation across email, endpoint, identity, and network events; isolated detections may miss the campaign-style sequence.
- Tune for suspicious Office-to-script or Office-to-system-utility process chains, while accounting for legitimate administrative and developer use of PowerShell, WMI, cmd.exe, and MSBuild.
- Review detections for masqueraded file types by comparing extension, icon, content, and file header where telemetry supports it.
- Hunt for discovery clusters after a suspicious user action: system information, network configuration, file and directory enumeration, and browser information discovery.
- Monitor remote access and proxy tools for abnormal use, especially where FRP-like tunneling or nonstandard remote administration appears on endpoints or servers.
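The telemetry and detection directions above can be prototyped against process-creation events before committing to a SIEM rule. The following is an added example (not code from the page, ESET, or MITRE) that correlates an Office parent spawning a script host or trusted utility with a cluster of distinct discovery commands on the same host shortly afterwards; the Sysmon-style events, hostnames, and window/threshold values are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events: an Office-led chain on ws1
# followed by discovery, and ordinary admin PowerShell use on ws2 (sample data).
EVENTS = [
    {"ts": "2024-07-01T09:01:00", "host": "ws1", "pid": 200, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmd": "WINWORD.EXE Expo2025.docx"},
    {"ts": "2024-07-01T09:01:05", "host": "ws1", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c powershell.exe -File stage.ps1"},
    {"ts": "2024-07-01T09:01:06", "host": "ws1", "pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -File stage.ps1"},
    {"ts": "2024-07-01T09:02:00", "host": "ws1", "pid": 400, "ppid": 310, "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    {"ts": "2024-07-01T09:02:10", "host": "ws1", "pid": 410, "ppid": 310, "image": r"C:\Windows\System32\ARP.EXE", "cmd": "arp -a"},
    {"ts": "2024-07-01T09:02:20", "host": "ws1", "pid": 420, "ppid": 310, "image": r"C:\Windows\System32\cmd.exe", "cmd": r"cmd.exe /c dir C:\Users"},
    {"ts": "2024-07-01T09:30:00", "host": "ws2", "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ts": "2024-07-01T09:31:00", "host": "ws2", "pid": 510, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe"},
    {"ts": "2024-07-01T09:32:00", "host": "ws2", "pid": 520, "ppid": 510, "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and trusted utilities the campaign chained after Office.
CHILDREN = {"cmd.exe", "powershell.exe", "msbuild.exe", "wmic.exe", "wscript.exe"}
DISCOVERY = {"systeminfo.exe", "arp.exe", "ipconfig.exe", "whoami.exe", "net.exe"}

def basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def discovery_tag(ev):
    """Name the discovery command an event represents, or None."""
    name = basename(ev["image"])
    if name in DISCOVERY:
        return name
    # dir is a cmd.exe builtin, so it is only visible on the command line.
    if name == "cmd.exe" and " dir " in f" {ev['cmd'].lower()} ":
        return "dir"
    return None

def detect(events, window_min=10, min_discovery=3):
    """Flag Office->script/utility chains, then discovery clusters after them."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get((e["host"], e["ppid"]))
        if not parent or basename(parent["image"]) not in OFFICE or basename(e["image"]) not in CHILDREN:
            continue
        findings.append(("office_child", e["host"], basename(parent["image"]), basename(e["image"])))
        t0 = datetime.fromisoformat(e["ts"])
        # Distinct discovery commands on the same host within the window.
        seen = {discovery_tag(x) for x in events if x["host"] == e["host"]
                and t0 <= datetime.fromisoformat(x["ts"]) <= t0 + timedelta(minutes=window_min)}
        seen.discard(None)
        if len(seen) >= min_discovery:
            findings.append(("discovery_cluster", e["host"], tuple(sorted(seen))))
    return findings
```

The admin PowerShell session on ws2 is not flagged because its parent is Explorer, which is the tuning point the direction above calls out; raising `min_discovery` or shrinking `window_min` trades recall for fewer cluster alerts.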
Mitigation priorities
- Start with phishing resilience: strengthen email filtering, attachment/link controls, user reporting workflows, and rapid triage of clicked links or opened files.
- Harden execution paths commonly abused after phishing, including Office macro/template controls, script execution policy, and monitoring of trusted utilities such as WMI and MSBuild.
- Apply least privilege and administrative separation so user-driven compromise has limited ability to execute tools, discover sensitive resources, or persist.
- Improve endpoint detection and response coverage on Windows systems where the related tools and techniques are most represented, while noting the campaign object itself does not specify platforms.
- Control and monitor legitimate remote access and proxy tooling; maintain an approved inventory and investigate unapproved tunnels or remote sessions.
Analyst notes and limits
The most decision-useful aspect of this ATT&CK object is the relationship context: Operation AkaiRyū is described as a MirrorFace spearphishing campaign and is linked to a broad set of execution, persistence, discovery, stealth, command-and-control, remote access, and malware/tool relationships. UPPERCUT’s appearance is notable in the official description because it was previously thought to be exclusive to menuPass. This supports prioritizing detection around tool transfer, loaders, backdoors, trusted utility abuse, and post-phishing discovery rather than treating the campaign as only an email-security problem.
The official object has no campaign-level platforms, tactics, labels, or detection guidance. Related techniques and software provide useful defensive direction, but they do not prove those behaviors are present in any local environment. Claims about exposure, active exploitation, successful compromise, or detection coverage require organization-specific telemetry and investigation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.001 | Malicious Link | During Operation AkaiRyū, MirrorFace lured users into executing malicious payloads with links to resources hosted on OneDrive.[2][1] |
| Enterprise | T1059.005 | Visual Basic | During Operation AkaiRyū, MirrorFace used Word templates containing VBA code for malware execution.[1] |
| Enterprise | T1588.002 | Tool | During Operation AkaiRyū, MirrorFace deployed multiple publicly available tools including PuTTY, FRP, and Rubeus.[1] |
| Enterprise | T1082 | System Information Discovery | During Operation AkaiRyū, MirrorFace collected system information.[2] |
| Enterprise | T1585.003 | Cloud Accounts | During Operation AkaiRyū, MirrorFace established OneDrive accounts to host malicious payloads.[1] |
| Enterprise | T1204.002 | Malicious File | During Operation AkaiRyū, MirrorFace lured victims into executing malicious payloads by opening email attachments.[1] |
| Enterprise | T1587.001 | Malware | During Operation AkaiRyū, MirrorFace used custom malware, as well as customized variants of publicly available tools.[1] |
| Enterprise | T1127.001 | MSBuild | During Operation AkaiRyū, MirrorFace used MSBuild to compile and execute its FaceXInjector injection tool.[1] |
| Enterprise | T1685.005 | Clear Windows Event Logs | During Operation AkaiRyū, MirrorFace cleared Windows event logs post compromise.[1] |
| Enterprise | T1553.002 | Code Signing | During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.[1] |
| Enterprise | T1059.003 | Windows Command Shell | During Operation AkaiRyū, MirrorFace used `cmd.exe` to run PowerShell commands to drop additional files on the compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During Operation AkaiRyū, MirrorFace used Arp and `dir` for discovery in compromised environments.[2] |
| Enterprise | T1070.004 | File Deletion | During Operation AkaiRyū, MirrorFace deleted delivered tools and files from compromised hosts.[1] |
| Enterprise | T1219.001 | IDE Tunneling | During Operation AkaiRyū, MirrorFace abused Visual Studio Code (VS Code) remote tunnels to gain access and execute code on compromised machines.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Operation AkaiRyū, MirrorFace enumerated file system details in compromised environments.[2] |
| Enterprise | T1608.005 | Link Target | During Operation AkaiRyū, MirrorFace used links to direct victims to malicious files hosted on OneDrive.[2][1] |
| Enterprise | T1566.001 | Spearphishing Attachment | During Operation AkaiRyū, MirrorFace distributed crafted spearphishing emails containing malicious attachments.[1][2] |
| Enterprise | T1217 | Browser Information Discovery | During Operation AkaiRyū, MirrorFace exported Chrome web data including contact information, keywords, autofill data, and stored credit card information.[1] |
| Enterprise | T1219 | Remote Access Tools | During Operation AkaiRyū, MirrorFace used remote access tools including PuTTY.[1] |
| Enterprise | T1566.002 | Spearphishing Link | During Operation AkaiRyū, MirrorFace sent spearphishing emails with malicious OneDrive links.[2] |
| Enterprise | T1586.002 | Email Accounts | During Operation AkaiRyū, MirrorFace used compromised accounts to send spearphishing emails.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT.[1] |
| Enterprise | T1137.001 | Office Template Macros | During Operation AkaiRyū, MirrorFace loaded malicious Word templates containing VBA code leading to installation of UPPERCUT.[1] |
| Enterprise | T1036.008 | Masquerade File Type | During Operation AkaiRyū, MirrorFace disguised LNK and SFX (self-extracting) files as Word documents to lure victims into opening malicious files.[2][1] |
| Enterprise | T1059.001 | PowerShell | During Operation AkaiRyū, MirrorFace used PowerShell in execution chains to drop additional files such as embedded CAB files.[2][1] |
| Enterprise | T1585.002 | Email Accounts | During Operation AkaiRyū, MirrorFace used free email providers such as Gmail for spearphishing.[2][1] |
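The T1036.008 row describes LNK and SFX files disguised as Word documents. As an added example (not from the page, ESET, or MITRE), the check below compares what a filename claims against the file's leading bytes, and also catches the double-extension case where Explorer hides the real extension; the magic-byte table, the verdict labels, and the sample files are constructed for illustration.

```python
import os

# Leading bytes of the container types that matter here (constructed table).
MAGIC = {
    b"PK\x03\x04": "ooxml",                       # .docx/.docm are ZIP containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc
    b"MZ": "pe",                                   # executables, including SFX archives
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",       # Windows shortcut header + CLSID start
}
# What the bytes should look like for each Word extension.
EXPECTED = {".doc": "ole2", ".docx": "ooxml", ".docm": "ooxml", ".dotm": "ooxml"}
# .lnk is always hidden by Explorer; .exe is hidden with the default "hide extensions" setting.
HIDDEN_EXTS = {".lnk", ".exe"}

def content_type(data):
    """Classify a file by its leading bytes; the longest matching magic wins."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return kind
    return "unknown"

def check(filename, data):
    """Compare what the name claims with what the bytes actually are."""
    stem, real_ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(stem)
    actual = content_type(data)
    if real_ext in HIDDEN_EXTS and inner_ext in EXPECTED:
        verdict = "masquerade"      # e.g. invite.docx.lnk is displayed as invite.docx
    elif real_ext in EXPECTED and actual in ("pe", "lnk"):
        verdict = "masquerade"      # Word extension on an executable or shortcut
    elif real_ext in EXPECTED and actual == EXPECTED[real_ext]:
        verdict = "ok"
    elif real_ext in EXPECTED:
        verdict = "mismatch"        # Word extension but unrecognised content
    else:
        verdict = "not_word"
    return {"file": filename, "ext": real_ext, "content": actual, "verdict": verdict}

# Constructed samples: only the first bytes matter for this check.
SAMPLES = [
    ("Expo2025_invitation.docx", b"PK\x03\x04" + b"\x14\x00" * 20),
    ("Expo2025_invitation.docx.lnk", b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"),
    ("agenda.docx", b"MZ\x90\x00\x03\x00" + bytes(40)),
    ("notes.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(40)),
    ("report.docx", b"<html>" + bytes(20)),
    ("setup.exe", b"MZ" + bytes(10)),
]

def scan(samples=SAMPLES):
    return [check(name, data) for name, data in samples]
```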
Groups, software, and campaigns
G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
S9026: ROAMINGHOUSE
ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.[1]
S9023: HiddenFace
HiddenFace is a modular backdoor developed and used exclusively by MirrorFace since at least 2021. HiddenFace can communicate both actively and passively and has been used against political and academic targets.[1][2][3]
S9027: ANELLDR
S1087: AsyncRAT
S0099: Arp
S0275: UPPERCUT
UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]
S1071: Rubeus
S1144: FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 02f5298496e1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET MirrorFace 2025: Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.
[2] Trend Micro Earth Kasha Anel NOV 2024: Hiroaki, H. (2024, November 26). Guess Who’s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.
[3] mitre-attack C0060
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.