Home/ Threat Actors/ MirrorFace

🇨🇳MirrorFace

🇨🇳 MirrorFace is a tracked threat actor in the Clankerusecase corpus. CN-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 43 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1054) ↗

14Use cases

0Articles

43Techniques

0IOCs

About this actor (MITRE)

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent [MirrorFace](https://attack.mitre.org/groups/G1054) operations included targets in Centra

Known aliases

MirrorFaceEarth Kasha

Top techniques

T1003.001 · LSASS Memory T1003.002 · Security Account Manager T1003.003 · NTDS

All other tracked techniques

T1005 · Data from Local System T1007 · System Service Discovery T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1027.013 · Encrypted/Encoded File T1033 · System Owner/User Discovery T1036.008 · Masquerade File Type T1047 · Windows Management Instrumentation T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1057 · Process Discovery T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1070.004 · File Deletion T1071.002 · File Transfer Protocols T1074.002 · Remote Data Staging T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.002 · Domain Account T1090 · Proxy T1114.001 · Local Email Collection T1190 · Exploit Public-Facing Application T1204.002 · Malicious File T1221 · Template Injection T1482 · Domain Trust Discovery T1553.002 · Code Signing T1556.002 · Password Filter DLL T1560.001 · Archive via Utility T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1574.001 · DLL T1587.001 · Malware T1588.002 · Tool T1591 · Gather Victim Org Information T1614.001 · System Language Discovery T1684.001 · Impersonation T1685 · Disable or Modify Tools T1685.005 · Clear Windows Event Logs T1686.003 · Windows Host Firewall

Detection use cases (14)

MirrorFace (Earth Kasha) Visual Studio Code remote-tunnel C2 abuse AI · profile SΣ MirrorFace LODEINFO / NOOPDOOR / ANEL DLL side-loading from user-writable directory AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Abnormal Security: malicious email opened MITRE match Authentication not detected on admin API endpoint MITRE match