MirrorFace Cyber Espionage Campaign Targets Government Entities in Japan and Taiwan
May 8, 2025 – In a concerning trend in cyber warfare, the nation-state threat actor known as MirrorFace has been detected deploying a sophisticated malware variant named ROAMINGMOUSE. This campaign appears to be primarily focused on government bodies and public institutions located in Japan and Taiwan. The security firm Trend Micro uncovered this activity in March 2025, indicating a deliberate strategy centered around cyber espionage.
The campaign uses spear-phishing to distribute an upgraded version of the ANEL backdoor. According to security researcher Hara Hiroaki, the latest iteration of ANEL adds a new command that executes a Beacon Object File (BOF) directly in memory. Running the BOF in memory improves the malware's stealth, allowing attackers to operate undetected within compromised systems. There are also indications that the threat actor may have used SharpHide to launch a secondary backdoor known as NOOPDOOR, further increasing the threat level.
MirrorFace, also referred to as Earth Kasha, is believed to be an offshoot of the advanced persistent threat group APT10, which has a history of targeting various sectors worldwide. Earlier in 2025, ESET publicly described another campaign, Operation AkaiRyū, in which a diplomatic organization within the European Union was targeted in August 2024 using the same malware, then identified as UPPERCUT.
The recent MirrorFace activity raises significant alarms about the ongoing cybersecurity challenges faced by critical infrastructure and governmental bodies in both Japan and Taiwan. As cyber threats become increasingly sophisticated, attackers often employ techniques outlined in the MITRE ATT&CK framework, such as gaining initial access via phishing, maintaining persistence with malware, and escalating privileges to gain deeper access within networks.
Both Japan and Taiwan, as key players in regional stability and economic innovation, must remain vigilant. In light of these developments, stakeholders in the public and private sectors alike need to bolster their cyber defenses, reinforcing their capacity to detect and respond to incidents effectively. By understanding the tactics and techniques typically used by adversaries like MirrorFace, organizations can better prepare for future threats that challenge data integrity and national security.
As the landscape of cybersecurity evolves, continuous monitoring and adaptation will be crucial for safeguarding sensitive information from advanced threats. Stakeholders should remain informed about emerging trends in malware deployment and ensure comprehensive cybersecurity strategies are implemented within their organizations. This approach will not only protect sensitive data but also contribute to the broader resilience of the cybersecurity ecosystem in the region.