Cyber Resilience

Threat actor · all actors

MirrorFaceG1054 unknown

aka MirrorFace, Earth Kasha

Last updated: 2026-07-03

2attributed CVEs
65ATT&CK techniques
7.2IDF score (tooling uniqueness)
0exclusive CVEs
2023years active

About this actor

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent [MirrorFace](https://attack.mitre.org/groups/G1054) operations included targets in Central Europe and featured use of [LODEINFO](https://attack.mitre.org/software/S9020), [HiddenFace](https://attack.mitre.org/software/S9023), and [UPPERCUT](https://attack.mitre.org/software/S0275) malware.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: Kaspersky LODEINFO Part II OCT 2022)(Citation: ESET MirrorFace DEC 2022)(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)

Source: MITRE ATT&CK

Activity timeline

Profile

CVERiskCVSSEPSSPublishedProducts
CVE-2023-3466 5.58.30.03042023-07-19see CVE
CVE-2023-3467 5.58.00.02102023-07-19see CVE

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-442 / 6565%
CM-638 / 6558%
CM-236 / 6555%
SI-333 / 6551%
CM-731 / 6548%
AC-326 / 6540%
CA-726 / 6540%
AC-224 / 6537%
AC-623 / 6535%
SI-722 / 6534%
AC-419 / 6529%
SC-719 / 6529%
AC-516 / 6525%
SI-1016 / 6525%
CM-515 / 6523%

Co-occurring actors

Similar actors

Similar TTPs

Overlapping CVEs

Active in same years