MirrorFace, a hacking group that researchers believe is aligned with China, has been spotted targeting a diplomatic organization in the European Union for the first time.

The Slovak cybersecurity company ESET described the incident on Thursday in its latest quarterly report, noting the move marks an expansion in the threat group’s range of targets which have historically been restricted to entities in Japan.

Although the identity of the target diplomatic organization wasn’t disclosed, the lure document in the spearphishing email maintained a Japanese theme, encouraging the target to download a document titled “The EXPO Exhibition in Japan in 2025.”

“Even considering this new geographic targeting, MirrorFace remains focused on Japan and events related to it,” reported ESET.

It follows Japanese authorities warning in July of an expansion in activities linked to MirrorFace. While the hackers focused initially on gaining access to “media, political organizations, think-tanks and universities” in the country, they were increasingly also including “manufacturers and research institutions.”

ESET wrote: “MirrorFace operations against its usual targets didn’t stop. We continued to see the threat actor targeting various Japanese organizations, such as a research institute and a political party.”

Alleged targeting of Japanese institutions by China-linked threat groups has increased in recent years. Last August, Japan’s own cybersecurity agency announced that it itself had been hacked, with the attackers potentially accessing sensitive data for nine months before being discovered.

Japan did not publicly attribute the incident to a specific threat actor. However, a report by the Financial Times, citing three government and private sector sources familiar with the situation, said that state-backed Chinese hackers were suspected of being behind the attack.

That followed a report by the Washington Post that the U.S. National Security Agency discovered Chinese military hackers had compromised Japan’s defense networks back in 2020, described as “one of the most damaging hacks” in Japan’s history.