
Updated March 24th 2025, 17:47 IST

200 Breaches & Counting—China’s ‘Mirror Face’ Hackers Now Hunting European Intelligence

The group recently targeted a European diplomatic organization using phishing emails disguised as World Expo information.

Reported by: Yuvraj Tyagi
The Red Dragon attack signals Beijing’s global cyber ambitions, expanding from regional espionage to targeting diplomatic and economic strongholds worldwide. | Image: AP

Beijing, China - For years, China’s state-backed hackers have been stealing secrets, dodging firewalls, and making governments sweat. Now, one of its most notorious groups—Mirror Face, also known as Earth Kasha—is on the move again. After years of relentless attacks on Japan, these cyber mercenaries have shifted their focus to Europe, proving that Beijing’s cyber warfare ambitions are growing far beyond the Pacific.

Their latest operation, "AkaiRyū" (Red Dragon), is a chilling reminder of just how deep China’s cyber fingers reach into foreign systems. The target? A European diplomatic organization. The method? Deceptively crafted phishing emails disguised as World Expo information that lured victims into clicking malicious attachments. Once the door was open, malware like ANEL and AsyncRAT slithered in, handing full control of the compromised systems to the hackers.

For those who’ve been tracking Mirror Face’s six-year hacking spree, this move was inevitable.

The Evolution of a Cyber Menace: Mirror Face’s Attack Timeline

China’s cyber espionage game is not new, and Mirror Face has been fine-tuning its tactics for years. Here’s how they’ve been tightening their grip on Japan before setting their sights on Europe:

  1. 2019 - 2023: Initial attacks focused on government agencies, media, and politicians. Simple phishing emails with malware-laced attachments did the trick.
  2. June 2023: The game changed. Mirror Face began exploiting security flaws in semiconductor, aerospace, and ICT industries, diving deeper into Japan’s economic backbone.
  3. January 2024: The latest phase. Now, it’s think tanks, academics, and politicians under fire. The goal? Long-term infiltration and slow, calculated data theft.

Why Mirror Face is Dangerous: Sophisticated, Silent, and Stealthy

This isn’t just run-of-the-mill hacking. Mirror Face is evolving, making detection a nightmare. The group has moved beyond basic backdoors and now relies on advanced tools to evade security systems:

VSCode Tunnels – This trick allows them to execute commands remotely without setting off alarms.

Windows Sandbox Evasion – They run malware in a sandbox, which keeps it hidden from antivirus programs.

PowerShell Exploits – Mirror Face manipulates PowerShell commands to slip through cybersecurity defences undetected.

Japan’s National Police Agency (NPA) has urged organizations to watch out for unusual PowerShell activity and suspicious VSCode traffic, but it’s a cat-and-mouse game—and the cat is getting smarter.
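
As an added example (not from the article or the NPA), here is one way to triage process-creation and DNS events for the three behaviours listed above. The event field names, rule names and regex patterns are assumptions, and the sample events are constructed.

```python
import re

# Heuristics for the three behaviours listed above. The patterns are
# assumptions for illustration, not indicators published by the NPA.
RULES = {
    "vscode_tunnel": re.compile(
        r'(?:^|[\\/\s"])code(?:-tunnel)?(?:\.exe|\.cmd)?"?\s+tunnel\b', re.I),
    "windows_sandbox": re.compile(r'WindowsSandbox\.exe|\.wsb(?:"|\s|$)', re.I),
    "powershell_encoded": re.compile(
        r'\b(?:powershell|pwsh)(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)'
        r'\s+[A-Za-z0-9+/=]{16,}', re.I),
}
# Hostname suffixes used by Microsoft dev tunnels, which VS Code tunnels rely on.
TUNNEL_DNS = re.compile(
    r'(?:^|\.)(?:tunnels\.api\.visualstudio\.com|devtunnels\.ms)$', re.I)

def classify(event):
    """Return the names of every rule one process or DNS event matches."""
    cmd = event.get("command_line", "")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    if TUNNEL_DNS.search(event.get("dns_query", "")):
        hits.append("tunnel_dns")
    return hits

def triage(events):
    """Map event index -> matched rules, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample events (not taken from any real incident).
SAMPLE = [
    {"command_line": r'C:\Tools\code.exe tunnel'},
    {"command_line": r'code.exe C:\src\tunnel-notes.md'},
    {"command_line": r'WindowsSandbox.exe C:\Users\Public\cfg.wsb'},
    {"command_line": 'powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAA=='},
    {"command_line": r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'},
    {"dns_query": "global.rel.tunnels.api.visualstudio.com"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE).items():
        print(idx, rules)
```

Windows Sandbox and VS Code tunnels both have legitimate uses, so hits from these rules are leads to review against the host's expected software, not verdicts.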

Japan Under Siege: 200+ Cyber Breaches & Billions at Risk

Japan has been Mirror Face’s favourite hunting ground, and the numbers tell a chilling story: over 200 confirmed cyber breaches in the past six years. Among the top targets of the breaches have been aerospace agencies, semiconductor firms, and the defence sector.

The biggest hit sustained by Japan has been its Aerospace Exploration Agency (JAXA)—sensitive aerospace data was stolen in 2023. The objective? Stealing critical technological and military secrets, giving China an edge in defence, AI, and next-gen warfare.

Europe in the Crosshairs: China’s Cyber War is Going Global

What’s truly alarming is Mirror Face’s expansion beyond Asia. With their latest Red Dragon attack on a European diplomatic entity, it’s clear: Japan was just the testing ground—now, Europe is the next battlefield. China is systematically targeting regions with strategic and technological advantages. This isn’t just espionage—it’s digital warfare designed to shift the balance of power.

The old wars were fought with tanks and missiles. The new ones? Fought in cyberspace, where lines are blurred, and damage is harder to quantify but just as devastating. China’s cyber army is playing the long game, and Mirror Face is just one of many groups doing Beijing’s dirty work.

With their increasingly stealthy tactics and evolving malware, they are becoming harder to track, harder to stop, and more dangerous than ever. Japan’s cyber nightmare is now Europe’s problem too, and if the world doesn’t step up its cybersecurity game, Mirror Face won’t stop here. 

Published March 24th 2025, 17:47 IST