G1054: MirrorFace
MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]
Analyst context for executives and security teams
MirrorFace is an ATT&CK group entry for a PRC-aligned cyberespionage actor, also known as Earth Kasha, associated with Japanese-sector targeting and later activity involving Central Europe. For leaders, the practical issue is not a single malware name; it is whether the organization can recognize espionage-style intrusion behavior that blends custom backdoors with normal Windows administration utilities and credential access activity.
Executive priority
Prioritize this as a readiness and exposure question for organizations with relevant regional, government, media, defense, diplomatic, financial, manufacturing, academic, or public-sector ties. Executives should ask whether SOC, identity, endpoint, and incident response teams can produce evidence for credential theft attempts, domain discovery, suspicious Windows utility use, and malware/backdoor activity tied to the related ATT&CK software. This object is also useful for audit and board reporting because it maps strategic threat intelligence to concrete control validation areas rather than relying on actor naming alone.
Technical view
ATT&CK provides no group-level detection text, no group-level tactics, and no group-level platforms, so defenders should pivot from the relationships. MirrorFace is linked to Windows-heavy tooling and behaviors including LODEINFO, HiddenFace, UPPERCUT, DOWNIISSA, MirrorStealer, NOOPLDR, ROAMINGHOUSE, Cobalt Strike, BITSAdmin, Net, Tasklist, Ping, ipconfig, nbtstat, Nltest, and Wevtutil. Related techniques include credential access against LSASS, SAM, and NTDS; discovery of services, network configuration, and remote systems; and collection from local systems. Validate whether detections connect these behaviors into intrusion narratives instead of treating each command-line utility as isolated administrative noise.
Likely telemetry
- Endpoint process creation and command-line telemetry for Windows utilities such as net, tasklist, ping, ipconfig, nbtstat, nltest, wevtutil, and bitsadmin
- Endpoint security alerts and file/memory indicators for related malware families: LODEINFO, HiddenFace, UPPERCUT, DOWNIISSA, MirrorStealer, NOOPLDR, and ROAMINGHOUSE
- Credential access evidence involving LSASS access, SAM access, and NTDS.dit access or copying
- Windows event logs and EDR telemetry from domain controllers, administrator workstations, and high-value endpoints
- Network telemetry for unusual HTTP-based backdoor communications, remote access tooling, and internal discovery patterns
Detection direction
- Do not rely on actor-name detections; validate behavior-based analytics for credential dumping, domain discovery, service discovery, local data collection, and suspicious use of built-in administration tools.
- Tune detections for context: utilities such as net, ping, ipconfig, tasklist, nbtstat, nltest, wevtutil, and bitsadmin have legitimate administrative use, so prioritize unusual parent processes, rare hosts, unusual users, sequencing, and execution on sensitive systems.
- Correlate malware alerts with discovery and credential-access telemetry. MirrorFace relationships include both custom malware and normal operating-system utilities, so single-signal detections may miss the broader intrusion pattern.
- Confirm visibility on domain controllers and systems likely to hold sensitive credentials or data, since related techniques include LSASS Memory, SAM, and NTDS.
- Review coverage for Operation AkaiRyū as campaign context where relevant, while avoiding assumptions that the campaign applies to the local environment without supporting evidence.
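The correlation the bullets above ask for, as an added example that is not part of the original page or of ATT&CK: a small Python detector that reads process-creation events (constructed sample events below, loosely modelled on Sysmon Event ID 1 / Security 4688 fields), tags each command line with the technique IDs this page's table lists, groups tagged events per host into two-hour windows, and grades each window by how many tactic buckets it spans and by the context flags the tuning bullet names (sensitive host, a user not in that host's baseline, a non-interactive parent). The field names, the host/user baseline, the window length and the severity thresholds are assumptions to be tuned locally.

```python
"""Correlate Windows process-creation events into a per-host intrusion narrative.

Added example (not from this page, MITRE or any vendor report). Each rule maps a
command-line pattern to a technique ID as listed in this page's table; events are
grouped per host into time windows and graded by tactic coverage plus context flags.
Event fields, the host/user baseline, the window and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)                      # assumption: one intrusion window
SENSITIVE_HOSTS = {"dc01"}                       # assumption: tier-0 assets (constructed)
NORMAL_USERS = {                                 # assumption: per-host user baseline (constructed)
    "dc01": {r"CORP\da-ops"}, "srv01": {r"CORP\srvadmin"}, "ws07": {r"CORP\jsmith"},
}
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# (technique ID from this page's table, tactic bucket, pattern over the full command line)
RULES = [
    ("T1482", "discovery", re.compile(r"\bnltest(?:\.exe)?\b.*/domain_trusts", re.I)),
    ("T1016", "discovery", re.compile(r"\bipconfig(?:\.exe)?\b", re.I)),
    ("T1057", "discovery", re.compile(r"\btasklist(?:\.exe)?\b", re.I)),
    ("T1018", "discovery", re.compile(r"\bping(?:\.exe)?\b", re.I)),
    ("T1087.002", "discovery", re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*/domain", re.I)),
    ("T1003.003", "credential_access",
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow|ntds\.dit", re.I)),
    ("T1003.002", "credential_access",
     re.compile(r"\\config\\(?:SAM|SYSTEM)\b|\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b", re.I)),
    ("T1560.001", "collection",
     re.compile(r"\b(?:rar|winrar)(?:\.exe)?\s+a\b|\bmakecab(?:\.exe)?\b", re.I)),
    ("T1685.005", "defense_evasion", re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
]


def classify(cmdline):
    """Return [(technique_id, bucket)] for every rule the command line matches."""
    return [(tid, bucket) for tid, bucket, rx in RULES if rx.search(cmdline)]


def grade(window):
    """Severity from tactic coverage and context; a lone benign-looking command stays 'info'."""
    buckets, flags, techniques = window["buckets"], window["flags"], window["techniques"]
    if "credential_access" in buckets and len(buckets) >= 2:
        return "high"
    if len(buckets) >= 2 or (len(techniques) >= 2 and flags):
        return "medium"
    if techniques and flags:
        return "low"
    return "info"


def build_narratives(events):
    """Group matching events per host into WINDOW-sized runs; return {host: [window, ...]}.

    Each event is a dict with ts (ISO 8601), host, user, parent (image name) and cmdline.
    """
    tagged = defaultdict(list)
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            tagged[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev, hits))
    narratives = {}
    for host, items in tagged.items():
        items.sort(key=lambda item: item[0])
        windows, current = [], None
        for ts, ev, hits in items:
            if current is None or ts - current["start"] > WINDOW:
                current = {"host": host, "start": ts, "techniques": [], "buckets": set(), "flags": set()}
                windows.append(current)
            for tid, bucket in hits:
                if tid not in current["techniques"]:
                    current["techniques"].append(tid)      # first-seen order tells the story
                current["buckets"].add(bucket)
            if host in SENSITIVE_HOSTS:
                current["flags"].add("sensitive_host")
            if ev["user"] not in NORMAL_USERS.get(host, set()):
                current["flags"].add("unusual_user")
            if ev["parent"].lower() not in INTERACTIVE_PARENTS:
                current["flags"].add("unusual_parent")
        for w in windows:
            w["severity"] = grade(w)
        narratives[host] = windows
    return narratives


# Constructed sample telemetry; hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"ts": "2024-07-16T10:00:00", "host": "srv01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": "nltest.exe /domain_trusts"},
    {"ts": "2024-07-16T10:02:00", "host": "srv01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": "ipconfig /all"},
    {"ts": "2024-07-16T10:05:00", "host": "srv01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": "tasklist /v"},
    {"ts": "2024-07-16T10:30:00", "host": "dc01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"ts": "2024-07-16T10:31:00", "host": "dc01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dat"},
    {"ts": "2024-07-16T10:32:00", "host": "dc01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\Windows\Temp\s.dat"},
    {"ts": "2024-07-16T10:40:00", "host": "dc01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": r"rar.exe a -hpSecret C:\Windows\Temp\out.rar C:\Windows\Temp\n.dat C:\Windows\Temp\s.dat"},
    {"ts": "2024-07-16T10:50:00", "host": "dc01", "user": r"CORP\svc-backup", "parent": "cmd.exe",
     "cmdline": "wevtutil cl Security"},
    {"ts": "2024-07-16T09:00:00", "host": "ws07", "user": r"CORP\jsmith", "parent": "explorer.exe",
     "cmdline": "ipconfig /all"},
    {"ts": "2024-07-16T13:00:00", "host": "ws07", "user": r"CORP\jsmith", "parent": "cmd.exe",
     "cmdline": "ping 10.0.0.5"},
]

if __name__ == "__main__":
    for host, windows in build_narratives(SAMPLE_EVENTS).items():
        for w in windows:
            print(f"{host} {w['start']:%H:%M} {w['severity']:6} {' -> '.join(w['techniques'])} {sorted(w['flags'])}")
```

On the sample data the domain controller window grades high (shadow copy, NTDS and SAM copies, archiving, then log clearing by a user with no baseline on that host), the server window grades medium (three discovery commands from an unusual user), and the workstation's two isolated commands from a baseline user stay at info. In production the baseline and the parent-process allowlist should come from your own telemetry rather than static dictionaries, and the grandparent of cmd.exe is worth adding as a field, since a side-loaded host executable spawning the shell is the strongest context signal this page's DLL side-loading row implies.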
Mitigation priorities
- Harden credential stores and privileged access first: reduce standing administrative access, protect LSASS where feasible, monitor domain controllers, and restrict access to NTDS and backups.
- Improve endpoint and command-line logging coverage before relying on detections for living-off-the-land utilities.
- Restrict and monitor high-risk administrative tooling such as BITSAdmin and remote administration utilities according to business need.
- Segment and monitor high-value systems that align with espionage collection risk, including government, diplomatic, research, financial, manufacturing, media, and public-sector data environments where applicable.
- Prepare incident response playbooks for suspected credential theft and backdoor activity, including containment of privileged accounts, domain controller review, and scoping across endpoints and identity systems.
Analyst notes and limits
The decision value of this object is in its relationships: MirrorFace is associated with custom malware, Cobalt Strike, credential theft techniques, discovery techniques, and common Windows utilities. This supports purple-team and detection-engineering validation around intrusion chains rather than isolated indicators. The official description notes alignment, targeting history, aliases, and malware use, but local risk should be determined by business geography, sector, partner exposure, and telemetry maturity.
ATT&CK does not provide official detection guidance, group-level tactics, or group-level platforms for this object. Several platform details come from related software and technique objects, not from the group object itself. The supplied relationship excerpt for Operation AkaiRyū is truncated. This summary should not be read as evidence of active exploitation or confirmed exposure in any specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link | MirrorFace has embedded OneDrive URLs in emails leading to malicious file installation. [Trend Micro Earth Kasha Updates APR 2025] |
| Enterprise | T1057 | Process Discovery | MirrorFace has used Tasklist on compromised hosts for discovery. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1686.003 | Windows Host Firewall | MirrorFace can modify the system firewall to allow communication to certain ports. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1074.002 | Remote Data Staging | MirrorFace has gathered data and files of interest on a single victim machine. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1685 | Disable or Modify Tools | MirrorFace has disabled Windows Defender in compromised environments. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1087.002 | Domain Account | MirrorFace has used native Windows tools to obtain domain user information. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1614.001 | System Language Discovery | MirrorFace has deployed shellcode to check for Japanese Microsoft Office settings. [ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1591 | Gather Victim Org Information | MirrorFace has placed specific content in phishing emails to target members of particular political parties. [ESET MirrorFace DEC 2022] |
| Enterprise | T1090 | Proxy | MirrorFace has used the GO Simple Tunnel (GOST) proxy tool. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1685.005 | Clear Windows Event Logs | MirrorFace has deleted Windows event logs. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1021.001 | Remote Desktop Protocol | MirrorFace has used RDP to exfiltrate files of interest. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1587.001 | Malware | MirrorFace has created and continued to develop custom strains of malware, including LODEINFO. [ESET MirrorFace DEC 2022] |
| Enterprise | T1070.004 | File Deletion | MirrorFace has deleted directories containing malware and archives of files collected from the victim environment. [ESET MirrorFace DEC 2022; Trend Micro Earth Kasha NOV 2024; Trend Micro Earth Kasha Updates APR 2025; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1003.002 | Security Account Manager | MirrorFace has used vssadmin to copy registry hives including SAM. [Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1083 | File and Directory Discovery | MirrorFace has run commands to check the content of folders on compromised hosts and has specifically targeted files with .doc, .ppt, .xls, .jtd, .eml, .xps, and .pdf extensions. [ESET MirrorFace DEC 2022; Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1482 | Domain Trust Discovery | MirrorFace has run `nltest.exe /domain_trusts` on compromised systems to discover domain relationships. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1684.001 | Impersonation | MirrorFace has sent targeted emails purporting to be from a Japanese political party's PR department. [ESET MirrorFace DEC 2022] |
| Enterprise | T1588.002 | Tool | MirrorFace has used tools including the Secure Copy Protocol (SCP) client from PuTTY and Cobalt Strike. [ESET MirrorFace DEC 2022; Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1003.001 | LSASS Memory | MirrorFace has dumped LSASS memory for credential access. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1204.002 | Malicious File | MirrorFace has lured victims into opening crafted Word, Excel, and SFX files for execution. [Kaspersky LODEINFO OCT 2022; ESET MirrorFace DEC 2022; ITOCHU LODEINFO JAN 2024; Trend Micro Earth Kasha Updates APR 2025] |
| Enterprise | T1018 | Remote System Discovery | MirrorFace has used Ping for system discovery. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1016 | System Network Configuration Discovery | MirrorFace has used ipconfig for reconnaissance. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1553.002 | Code Signing | MirrorFace has abused a known Microsoft digital signature verification issue to append encrypted data to a digital signature that still appears valid. [ESET MirrorFace DEC 2022] |
| Enterprise | T1005 | Data from Local System | MirrorFace has gathered data and files of interest from victims' systems. [Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1059.003 | Windows Command Shell | MirrorFace has used `cmd.exe` for malware execution, file discovery, and manual file manipulation. [Trend Micro Earth Kasha NOV 2024; Trend Micro Earth Kasha Updates APR 2025; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1566.001 | Spearphishing Attachment | MirrorFace has sent spearphishing emails with malicious attachments to deliver malware payloads. [Kaspersky LODEINFO OCT 2022; ESET MirrorFace DEC 2022; ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1059.005 | Visual Basic | MirrorFace has used remote templates with VBA code in malware infection chains. [ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1007 | System Service Discovery | MirrorFace has used Tasklist for discovery post compromise. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1082 | System Information Discovery | MirrorFace has employed malicious macros and native Windows tools such as csvde.exe, nltest.exe, and quser.exe for discovery. [ITOCHU LODEINFO JAN 2024; Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | MirrorFace has used the SSH File Transfer Protocol (SFTP) for file exfiltration. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1574.001 | DLL | MirrorFace has used legitimate EXE files to load malicious DLLs via side-loading. [Kaspersky LODEINFO OCT 2022; ESET MirrorFace DEC 2022; ITOCHU LODEINFO JAN 2024; Trend Micro Earth Kasha NOV 2024] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | MirrorFace has used SMB to copy malware between systems in compromised environments. [Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1071.002 | File Transfer Protocols | MirrorFace has used the PuTTY suite's Secure Copy Protocol (SCP) client for file transfer. [ESET MirrorFace DEC 2022] |
| Enterprise | T1190 | Exploit Public-Facing Application | MirrorFace has exploited vulnerabilities in FortiGate and Array AG devices for initial access. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1036.008 | Masquerade File Type | MirrorFace has crafted malware payloads to appear as Privacy-Enhanced Mail (PEM) files. [ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1003.003 | NTDS | MirrorFace has dumped NTDS.dit through volume shadow copies. [Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1560.001 | Archive via Utility | MirrorFace has used rar.exe and the Makecab utility to archive files of interest prior to exfiltration. [ESET MirrorFace DEC 2022; Trend Micro Earth Kasha NOV 2024; JPCERT MirrorFace JUL 2024] |
| Enterprise | T1221 | Template Injection | MirrorFace has used remote template injection to retrieve malicious payloads from the C2. [ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1556.002 | Password Filter DLL | MirrorFace has used a tool named MRSAStealer as a password filter to collect credentials on password changes. [ESET MirrorFace DEC 2022] |
| Enterprise | T1047 | Windows Management Instrumentation | MirrorFace has leveraged WMIC on targeted systems post compromise. [JPCERT MirrorFace JUL 2024] |
| Enterprise | T1114.001 | Local Email Collection | MirrorFace has exfiltrated stored emails from compromised hosts. [ESET MirrorFace DEC 2022] |
| Enterprise | T1027.013 | Encrypted/Encoded File | MirrorFace has used Base64-encoded shellcode in infection chains to evade detection. [ITOCHU LODEINFO JAN 2024] |
| Enterprise | T1033 | System Owner/User Discovery | MirrorFace has used Windows native tools to enumerate user information. [Trend Micro Earth Kasha NOV 2024] |
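The T1553.002 row above (ESET) describes encrypted data appended to an Authenticode signature that still verifies. The mechanism, identified here by the editor rather than stated on the page, is that the WIN_CERTIFICATE blob referenced by the PE security directory is excluded from the Authenticode hash, so bytes placed after the DER-encoded PKCS#7 SignedData inside that blob do not break verification unless the opt-in padding check Microsoft shipped for CVE-2013-3900 is enforced. The Python checker below is an added example, not code from ESET, MITRE or the page: it parses the security directory, compares the DER-declared PKCS#7 length with the WIN_CERTIFICATE length and reports the surplus, and separately reports an overlay after the certificate table. The minimal PE builder and the stand-in SignedData header are constructed for the example; real files carry real PKCS#7 data but need the same parse.

```python
"""Detect data appended inside a PE's Authenticode signature block.

Added example, not code from this page, ESET or MITRE. The WIN_CERTIFICATE blob
that the PE security directory points to is excluded from the Authenticode hash,
so bytes placed after the DER-encoded PKCS#7 SignedData inside that blob leave
the signature valid unless strict padding checks are enforced. This checker
compares the DER-declared length with the WIN_CERTIFICATE length and reports the
surplus, plus any overlay after the certificate table. The minimal PE image and
the stand-in SignedData header below are constructed for the example.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_declared_length(buf):
    """Total length (tag + length octets + content) of the first DER element in buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                                   # short-form length
        return 2 + first
    n = first & 0x7F                                   # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe):
    """Return (file_offset, size) of the attribute certificate table, or (0, 0) if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)    # data directories: PE32+ at 112, PE32 at 96
    num_dirs = struct.unpack_from("<I", pe, dd_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    return struct.unpack_from("<II", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def check_signature_overlay(pe):
    """Compare DER and WIN_CERTIFICATE lengths; 'surplus' ignores the 8-byte alignment padding the format allows."""
    off, size = security_directory(pe)
    if size == 0:
        return {"signed": False, "suspicious": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    blob = pe[off + 8:off + dw_length]                 # bCertificate: PKCS#7 SignedData plus padding
    der_len = der_declared_length(blob)
    surplus = max(0, len(blob) - ((der_len + 7) & ~7))
    trailing = len(pe) - (off + size)                  # bytes after the certificate table (overlay)
    return {"signed": True, "win_cert_length": dw_length, "der_length": der_len,
            "surplus": surplus, "trailing_file_bytes": trailing,
            "suspicious": surplus > 0 or trailing > 0}


def build_sample_pe(signature_blob, appended=b""):
    """Build a minimal PE32+ image (headers only, not loadable) whose security directory points at a
    WIN_CERTIFICATE holding signature_blob followed by appended bytes. Constructed for the example."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)         # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                  # NumberOfRvaAndSizes
    cert_body = signature_blob + appended
    cert_body += b"\0" * (-len(cert_body) % 8)                            # quadword padding
    win_cert = struct.pack("<IHH", 8 + len(cert_body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
    cert_offset = 64 + 4 + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_offset, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


# Stand-in for a PKCS#7 SignedData blob: SEQUENCE (16 bytes) { OID signedData, NULL, OCTET STRING }.
FAKE_SIGNED_DATA = (b"\x30\x10"
                    + b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
                    + b"\x05\x00" + b"\x04\x01\x00")
CLEAN_PE = build_sample_pe(FAKE_SIGNED_DATA)
TAMPERED_PE = build_sample_pe(FAKE_SIGNED_DATA, b"\xAA" * 104)           # 104 bytes hidden after the signature

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(name, check_signature_overlay(image))
```

Run `check_signature_overlay` over the bytes of a suspicious executable: a non-zero surplus on a file that still passes signature verification is the pattern to hunt for, and a large surplus on a small signed loader is the shape of a carried payload. Enforcing the padding check (the EnableCertPaddingCheck value under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config) makes such files fail verification, but it can also break legitimately padded installers, so test it on your own software inventory before rolling it out.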
Groups, software, and campaigns
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S9022: MirrorStealer
MirrorStealer is a credential stealer that has been used by MirrorFace since at least 2022 to steal credentials from various applications, including browsers and email clients. MirrorStealer has been delivered directly into system memory via commands issued by LODEINFO.[1]
S0275: UPPERCUT
UPPERCUT is a 32-bit HTTP-based backdoor that has been used by menuPass since at least 2017.[1] Once thought to be exclusive to menuPass, UPPERCUT was also observed being used by menuPass-associated MirrorFace during Operation AkaiRyū.[2]
S0359: Nltest
S0190: BITSAdmin
S0057: Tasklist
S0100: ipconfig
S9020: LODEINFO
LODEINFO is a fileless backdoor malware first identified in 2020 that has been used by actors including MirrorFace, primarily against media, diplomatic, governmental, and public sector organizations in Japan.[1][2][3]
S9026: ROAMINGHOUSE
ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.[1]
S9021: DOWNIISSA
DOWNIISSA is a shellcode downloader that has been used by MirrorFace since at least 2022 to deploy payloads, including the LODEINFO backdoor.[1]
S0102: nbtstat
C0060: Operation AkaiRyū
Operation AkaiRyū (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by MirrorFace between June and September 2024 against entities in Japan and Central Europe. Operation AkaiRyū notably included the first reported targeting of a European entity by MirrorFace, as well as their use of UPPERCUT, which was thought to be exclusive to menuPass.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases so that object hashes and MITRE modification timestamps can be compared. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 00c579b3156f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky LODEINFO OCT 2022: Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part I. Retrieved April 17, 2026.
[2] Kaspersky LODEINFO Part II OCT 2022: Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part II. Retrieved April 17, 2026.
[3] ESET MirrorFace DEC 2022: Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.
[4] JPCERT MirrorFace JUL 2024: Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.
[5] Trend Micro Earth Kasha NOV 2024: Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.
[6] Trend Micro Earth Kasha Updates APR 2025: Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.
[7] Alias: Earth Kasha (Trend Micro Earth Kasha NOV 2024; Trend Micro Earth Kasha Updates APR 2025)
[8] MITRE ATT&CK external ID: G1054
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.