China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

Published: 23/11/2024   Category: security




Chinese APT groups increasingly lean on the open source SoftEther VPN for network access. Now they're lending their know-how to Iranian counterparts.



The infamous Chinese advanced persistent threat (APT) group MirrorFace has expanded into diplomatic espionage in the European Union, using SoftEther VPN, the emerging tool of choice among these threat groups.
MirrorFace gained wide notoriety with its 2022 efforts to interfere in Japanese elections, and it has maintained operations in the country ever since. But researchers at ESET noticed that the group recently popped up in the EU with espionage attacks against an unidentified diplomatic entity.
"For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors," Jean-Ian Boutin, director of threat research at ESET, said in a statement about the findings. "Many of these groups are particularly focused on governmental entities and the defense sector."
Beyond expanding operations to an entirely new continent, ESET said MirrorFace has started relying increasingly on SoftEther VPN to maintain access, but it is not the only group. Other China-backed APTs, including Flax Typhoon, Gallium, and Webworm, have also shifted to the open source, cross-platform VPN software favored by many cybercriminals.
In February, a previously unknown adversary group called Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. In April, the Chinese-speaking threat group ToddyCat was discovered using SoftEther VPN to steal data from government and defense targets in the Asia-Pacific region on an industrial scale.
Now, researchers warn, those tactics have landed in Europe.
"Some China-aligned APT groups have shifted to rely more on SoftEther VPN for various reasons. It's legitimate software, which helps avoid detection," says Mathieu Tartare, senior malware researcher at ESET. "Setting up an HTTPS VPN tunnel between the compromised network and the attacker's infrastructure allows them to easily blend the malicious traffic into the legitimate HTTPS traffic."
Tartare adds that SoftEther VPN also lets attackers appear to be an authorized remote user accessing the network with everyday Remote Desktop Protocol (RDP) tools.
"We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic," he says.
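The two points Tartare makes above, an HTTPS tunnel that looks like ordinary web traffic and RDP that looks like an authorized remote user, suggest two complementary hunts. The following is an added example written for this article, not code from ESET or from the SoftEther project. It assumes a TLS-inspecting proxy that logs request URIs, and it assumes that SoftEther's HTTP-over-TLS handshake posts to /vpnsvc/connect.cgi and /vpnsvc/vpn.cgi (paths taken from the SoftEther source; verify against the version you face). The proxy and firewall log lines are constructed for the example. The second rule needs no TLS inspection: it flags a host that holds a long-lived outbound HTTPS session and, while that session is open, starts originating RDP to internal peers, which is what a tunnelled operator looks like from the inside.

```python
"""Hunt for SoftEther-style HTTPS VPN tunnels followed by RDP from the same host.

Added example, not ESET's or SoftEther's code. Log formats are constructed.
Assumptions: a TLS-inspecting proxy exposes request URIs, and the two URI paths
below are SoftEther's HTTP-over-TLS handshake targets (from the SoftEther source;
verify against your version).
"""
from datetime import datetime, timedelta

SOFTETHER_URIS = ("/vpnsvc/connect.cgi", "/vpnsvc/vpn.cgi")  # assumption, see docstring
LONG_SESSION = timedelta(minutes=30)  # tunable: VPN tunnels typically stay up for hours
RDP_PORT = 3389

# Constructed proxy log: ts src method host uri status duration_seconds
PROXY_LOG = """\
2024-11-20T09:01:03 10.20.5.17 GET  cdn.example.net /static/app.js 200 1
2024-11-20T09:02:10 10.20.5.17 POST 203.0.113.45 /vpnsvc/connect.cgi 200 14400
2024-11-20T09:15:44 10.20.5.18 POST 198.51.100.9 /api/upload 200 3
2024-11-20T09:20:00 10.20.5.18 CONNECT mail.example.net:443 - 200 12000
"""

# Constructed firewall log: ts src dst dport action
FW_LOG = """\
2024-11-20T09:05:30 10.20.5.17 10.20.7.40 3389 ALLOW
2024-11-20T09:06:02 10.20.5.17 10.20.7.41 3389 ALLOW
2024-11-20T09:30:00 10.20.5.18 10.20.7.40 445 ALLOW
"""


def parse_proxy(text):
    """Parse the constructed proxy format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, method, host, uri, _status, dur = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method,
                       "host": host, "uri": uri, "duration": timedelta(seconds=int(dur))})
    return events


def parse_fw(text):
    """Parse the constructed firewall format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events


def softether_handshakes(proxy_events):
    """Rule 1: SoftEther's HTTP handshake URI seen in a POST (needs TLS inspection)."""
    return [e for e in proxy_events if e["method"] == "POST" and e["uri"] in SOFTETHER_URIS]


def tunnel_then_rdp(proxy_events, fw_events):
    """Rule 2: a long-lived outbound HTTPS session during which the same host
    starts RDP to internal peers. Returns (src, remote_host, sorted rdp targets)."""
    alerts = []
    for p in proxy_events:
        if p["duration"] < LONG_SESSION:
            continue
        window_end = p["ts"] + p["duration"]
        targets = sorted({f["dst"] for f in fw_events
                          if f["src"] == p["src"] and f["dport"] == RDP_PORT
                          and p["ts"] <= f["ts"] <= window_end})
        if targets:
            alerts.append((p["src"], p["host"], targets))
    return alerts


def hunt(proxy_text=PROXY_LOG, fw_text=FW_LOG):
    """Run both rules over the logs and return the findings."""
    proxy = parse_proxy(proxy_text)
    fw = parse_fw(fw_text)
    return {
        "handshake": [(e["src"], e["host"], e["uri"]) for e in softether_handshakes(proxy)],
        "tunnel_rdp": tunnel_then_rdp(proxy, fw),
    }


if __name__ == "__main__":
    for rule, hits in hunt().items():
        print(rule, hits)
```

In the sample data only 10.20.5.17 trips both rules: its four-hour POST to a bare IP carries the handshake URI, and it opens RDP to two internal hosts minutes later. 10.20.5.18 also holds a long HTTPS session, but the only traffic it originates afterwards is SMB, so rule 2 stays quiet; that threshold-and-protocol pairing is what keeps the rule from firing on every idle browser tab. Rule 1 is the higher-fidelity signal but disappears the moment the attacker fronts the server with a CDN or the proxy stops decrypting, which is why both rules are worth running.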
Notably, according to ESET, Chinese-backed APTs are also lending their know-how to Iranian-backed adversaries for cyber-espionage against Iraq and Azerbaijan, as well as French diplomats. Additionally, Iran is putting its hackers to work gaining unauthorized access to financial services organizations across Africa.
Both Chinese and North Korean threat actors have stepped up attacks on educational institutions in the US, South Korea, and Southeast Asia, the ESET report added.
