SAMURAI CYBER WATCH

Issue #1 — April 2026

Practical Cyber Intelligence for Business Leaders in Non-Superpower Nations

About us: This newsletter is written from Japan — a country that has been simultaneously targeted by three nation-states (China, Russia, and North Korea) for over a decade. Two of these three (China and Russia) are UN Security Council permanent members with veto power; one is a nuclear-armed state operating outside the international rules-based order. We are not American. We are not Chinese. We have no geopolitical agenda except one: helping ordinary people and small businesses in non-superpower countries protect themselves from digital warfare they never signed up for.

THIS WEEK'S BRIEFING

A Persistent Cyber Campaign Hidden in Plain Sight

What MirrorFace teaches Southeast Asia about patient, invisible threats

THE KEY DEVELOPMENT

In January 2025, Japan's National Police Agency (NPA) issued an unusually direct public assessment. A China-linked cyber group known as MirrorFace had carried out continuous cyber-espionage operations against Japanese organizations since at least 2019.

According to the NPA, the activity spanned roughly six years and involved more than 200 confirmed incidents. Targets included government ministries — including Japan's Foreign Affairs and Defense ministries — the country's space agency, defense-related firms, semiconductor manufacturers, aerospace programs, politicians, journalists, and think tanks.

Most of these intrusions were designed to remain undetected. As a result, public awareness in Japan remained limited for years.

This is not only a Japanese case study. It illustrates how long-term cyber reconnaissance can unfold quietly — and how similar activity may already be present in your country.

JAPAN LENS: WHAT SIX YEARS OF BEING TARGETED TEACHES YOU

I have worked in information security in Japan for over 20 years. What stands out in the MirrorFace activity is not technical novelty. It is the patience.

The operations were not focused on immediate financial gain. They appear designed to establish and maintain access inside networks over long periods — preserving options for future use, waiting for the moment geopolitical tension required them to act.

Three phases illustrate this progression:

Phase One (2019–2023): Social Engineering

Early activity relied on targeted phishing emails sent to politicians, researchers, and journalists. Malicious files — associated with malware known as LODEINFO — were delivered as email attachments written in fluent Japanese, referencing current events such as Japan-US relations and Taiwan Strait tensions. Access remained unnoticed for years.

Phase Two (2023): Infrastructure Exploitation

The group shifted toward exploiting unpatched vulnerabilities in widely used network equipment, including products from Fortinet, Citrix, and Array Networks. Organizations in semiconductor manufacturing, telecommunications, and aerospace were increasingly affected. In many cases, systems had simply not received routine security updates.

Phase Three (2024–present): Living Inside Legitimate Tools

More recent activity involved using legitimate software as concealment. This included Visual Studio Code tunneling capabilities — hiding malicious commands inside a trusted developer tool — and execution within Windows Sandbox, a built-in Windows feature that most antivirus software cannot monitor. When the host computer is restarted, traces within the Sandbox are erased, leaving no evidence behind.

The broader lesson is straightforward: as defenses improved, the intrusion methods evolved accordingly.

THE BYSTANDER'S COST: WHY SOUTHEAST ASIA SHOULD CARE

MirrorFace activity has been reported beyond Japan — in Taiwan, India, and Europe. In campaigns tracked by Trend Micro and ESET through 2024 and early 2025, the group targeted government and public institutions in Japan and Taiwan concurrently.

In August 2024, security firm ESET confirmed that a diplomatic institution in Central Europe was targeted using a phishing lure referencing Expo 2025 Osaka — a Japanese event used as bait against a European embassy. The campaign, named Operation AkaiRyū (Japanese for "Red Dragon"), involved a backdoor called ANEL that had been dormant since 2019 and was revived and upgraded for the operation.

The pattern is consistent: Japan serves as the primary testing ground. Expansion follows to adjacent or strategically connected environments.

If you operate a mid-size manufacturing company in Vietnam with Japanese clients, or manage infrastructure projects in Indonesia, or run a financial services firm in Thailand using the same Fortinet or Citrix products exploited in Phase Two — you are already in the same threat landscape. You are simply not yet the primary target.

STATE ACTOR WATCH: SIGNALS WORTH MONITORING

Japan's new five-year Cybersecurity Strategy, adopted at a cabinet meeting on December 23, 2025, explicitly identified state-sponsored cyber operations linked to China, Russia, and North Korea as "serious threats" — an unusually direct public statement for Japan.

Three operational signals are particularly relevant for businesses outside Japan:

1. Geographic expansion. MirrorFace activity has moved from Japan-only targeting to Taiwan, India, Vietnam, and Europe between 2022 and 2025. The scope is widening systematically.

2. Rapid retooling. Malware families inactive for years — including the ANEL backdoor — have been revived and upgraded. This indicates sustained, well-funded development infrastructure, not an opportunistic operation.

3. Abuse of legitimate tools. Using Visual Studio Code, Windows Sandbox, and signed executables from trusted vendors means that traditional antivirus detection is largely blind to these methods. Organizations relying solely on antivirus software are exposed.

DEFEND WITHOUT CHOOSING SIDES

Practical steps for individuals and organizations in non-aligned countries

The tools exploited against Japan — Fortinet, Citrix, Array Networks — are the same tools used by businesses across Southeast Asia, South Asia, and the Middle East. The attack methods are documented. The defenses are achievable without a large security budget.

Five actions you can take this week:

① Patch your network perimeter — today. The vulnerabilities MirrorFace exploited in 2023 had available patches. The organizations that were breached had not applied them. Review your Fortinet, Citrix, Palo Alto, and Cisco devices. If they have not been updated in 90 days, treat them as high risk.

② Scrutinize unexpected emails on geopolitical topics. MirrorFace phishing emails referenced Japan-US relations, Taiwan, and international events. In your context, be cautious of unsolicited email referencing ASEAN summits, bilateral trade agreements, US-China tensions, or regional security events. These lures work against sophisticated government targets. They will work against you.

③ Audit developer tool usage. If your organization does not perform software development, tools such as Visual Studio Code should not be active on production systems. Unexpected PowerShell activity at unusual hours warrants immediate investigation.

④ Segment your network. Now, not next quarter. Phase Two targeted manufacturing and telecom companies and moved laterally across networks. If your accounting systems, operational infrastructure, and internet-facing services share the same network, a single breach compromises everything. Separation is not expensive. Recovery from a breach is.

⑤ Review logs regularly. Japan's NPA explicitly recommended centralized log management. Long-term intrusions leave traces — but only if someone is looking. If budget is limited, start with free tools: Windows Event Forwarding and centralized syslog collection.
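Actions ③ and ⑤ only pay off if someone actually turns collected logs into review questions. The script below is an added illustration written for this issue, not code from the newsletter, the NPA, or any vendor: it runs a handful of constructed process-creation records (the kind a Windows Event Forwarding collector would hold) through three simple rules drawn from the briefing, namely PowerShell outside working hours, Visual Studio Code on a host that is not a developer machine or started with its tunnel feature, and any launch of Windows Sandbox, whose traces otherwise disappear on reboot. The record layout, the working-hours window and the developer-host list are assumptions for the example; real collectors use their own field names.

```python
import re
from datetime import datetime, time

# Constructed sample events (not real telemetry). The layout imitates a
# process-creation record as it might arrive at a central collector via
# Windows Event Forwarding; the field names are this example's own.
SAMPLE_EVENTS = [
    r'2026-04-06T10:12:03 host=FIN-WS01 user=ACME\tanaka image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\backup.ps1"',
    r'2026-04-06T02:47:19 host=FIN-WS01 user=ACME\tanaka image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -NoProfile -File C:\Users\tanaka\AppData\Local\Temp\update.ps1"',
    r'2026-04-06T14:03:40 host=DEV-WS07 user=ACME\sato image=C:\Users\sato\AppData\Local\Programs\Microsoft VS Code\Code.exe cmdline="Code.exe C:\repo"',
    r'2026-04-06T03:15:02 host=FIN-WS01 user=ACME\tanaka image=C:\Users\tanaka\AppData\Local\Programs\Microsoft VS Code\Code.exe cmdline="code.exe tunnel"',
    r'2026-04-06T11:30:00 host=HR-WS02 user=ACME\suzuki image=C:\Windows\System32\WindowsSandbox.exe cmdline="WindowsSandbox.exe C:\Users\suzuki\Downloads\invoice.wsb"',
]

# Site policy, assumed for the example: normal working hours and the only
# hosts on which a developer tool is expected to run.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)
DEV_HOSTS = {"DEV-WS07"}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)


def parse_event(line):
    """Turn one collector line into a dict; returns None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    # Basename of the image, tolerant of Windows paths on any platform.
    ev["exe"] = re.split(r"[\\/]", ev["image"])[-1].lower()
    return ev


def is_off_hours(ts):
    """True when the timestamp falls outside the assumed working-hours window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def evaluate(ev):
    """Return the names of the review rules an event trips (empty list = nothing to review)."""
    hits = []
    tokens = ev["cmdline"].lower().split()
    # Rule 1 (action 3): PowerShell running at unusual hours.
    if ev["exe"] == "powershell.exe" and is_off_hours(ev["ts"]):
        hits.append("powershell-off-hours")
    # Rule 2 (action 3 / Phase Three): VS Code where it does not belong, or its tunnel feature.
    if ev["exe"] == "code.exe":
        if ev["host"] not in DEV_HOSTS:
            hits.append("vscode-on-non-dev-host")
        if "tunnel" in tokens:
            hits.append("vscode-tunnel")
    # Rule 3 (Phase Three): Windows Sandbox launches, whose inner traces vanish on reboot,
    # so the host-side launch record is the evidence worth keeping.
    if ev["exe"] == "windowssandbox.exe":
        hits.append("windows-sandbox-launch")
    return hits


def triage(lines):
    """Run every line through the rules; return (timestamp, host, user, rules) per hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = evaluate(ev)
        if hits:
            findings.append((ev["ts"].isoformat(), ev["host"], ev["user"], hits))
    return findings


if __name__ == "__main__":
    for ts, host, user, rules in triage(SAMPLE_EVENTS):
        print(f"{ts} {host} {user}: {', '.join(rules)}")
```

Run against the sample records it reports three events for a human to look at: the 02:47 PowerShell run on a finance workstation, the VS Code tunnel started on that same non-developer host, and the Sandbox launch in HR. The point is not the rules themselves, which any organization should adapt to its own hours and host inventory, but that the review only becomes possible once the logs are collected centrally, as the NPA recommended; the same script works unchanged on records from a syslog collector if the regex is adjusted to that collector's layout.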

A NOTE FROM THE EDITOR

I want to be direct about what this newsletter is and is not.

We are not anti-China. We are not pro-America. We do not advocate for any political position.

What Japan has learned — over more than a decade, at considerable cost — is that state-sponsored cyber operations follow geopolitical logic, not ethical logic. MirrorFace targeted Japan not because Japanese citizens had done anything wrong, but because Japan holds technology and intelligence that is valuable to a competing power.

Your country may hold valuable infrastructure data, supply chain access, trade intelligence, or serve as a transit point for regional financial flows. That is sufficient reason to be targeted.

The UN Security Council's permanent five — the US, UK, France, China, and Russia — possess the most sophisticated offensive cyber capabilities on earth. They use them. All of them.

Japan is not a permanent member. Japan does not have a veto. Japan cannot shape the rules of this game. But Japan has survived it, learned from it, and we intend to share what we have learned — in plain English, to anyone who needs it.

NEXT ISSUE

The $2 Billion Theft: How Japanese Stock Accounts Were Looted in 2025 — And the Phishing Playbook Now Spreading Across Asia

In the first months of 2025, criminal hackers hijacked Japanese brokerage accounts and executed billions of yen in unauthorized trades. By April alone, Japan's Financial Services Agency reported nearly $2 billion in fraudulent transactions across approximately 5,000 compromised accounts. The technique — phishing combined with real-time session hijacking and market manipulation — is now documented, understood, and spreading. If your country has growing retail investment platforms, this briefing is for you.

Written by a Japan-based information security professional with over 20 years of experience, in collaboration with AI assistants.

© 2026 Samurai Cyber Watch. Redistribution with attribution permitted for non-commercial use.
