惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
WordPress大学
WordPress大学
云风的 BLOG
云风的 BLOG
Stack Overflow Blog
Stack Overflow Blog
MongoDB | Blog
MongoDB | Blog
腾讯CDC
V
V2EX
Martin Fowler
Martin Fowler
A
About on SuperTechFans
大猫的无限游戏
大猫的无限游戏
Blog — PlanetScale
Blog — PlanetScale
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
C
Check Point Blog
博客园 - 【当耐特】
Cisco Talos Blog
Cisco Talos Blog
The Hacker News
The Hacker News
K
Kaspersky official blog
Security Latest
Security Latest
H
Help Net Security
博客园_首页
美团技术团队
Spread Privacy
Spread Privacy
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
S
SegmentFault 最新的问题
G
Google Developers Blog
NISL@THU
NISL@THU
爱范儿
爱范儿
I
Intezer
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
阮一峰的网络日志
阮一峰的网络日志
N
News and Events Feed by Topic
P
Privacy International News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
S
Security @ Cisco Blogs
Schneier on Security
Schneier on Security
雷峰网
雷峰网
人人都是产品经理
人人都是产品经理
V
Vulnerabilities – Threatpost
W
WeLiveSecurity
P
Palo Alto Networks Blog
G
GRAHAM CLULEY
Hacker News: Ask HN
Hacker News: Ask HN
I
InfoQ
The Cloudflare Blog
F
Full Disclosure
SecWiki News
SecWiki News
宝玉的分享
宝玉的分享
N
Netflix TechBlog - Medium

WeLiveSecurity

Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think Faking it on the phone: How to tell if a voice call is AI or not PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE Cybersecurity Awareness Month 2025: Knowledge is power This month in security with Tony Anscombe – September 2025 edition Roblox executors: It’s all fun and games until someone gets hacked DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception Watch out for SVG files booby-trapped with malware Gamaredon X Turla collab Small business, big risk: How SMBs can fight back against ransomware HybridPetya: A Petya/NotPetya copycat comes with a twist Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass Are cybercriminals hacking your systems – or just logging in? Preventing business disruption and building cyber-resilience with MDR Under lock and key: Safeguarding business data with encryption GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes This month in security with Tony Anscombe – August 2025 edition Don’t let “back to school” become “back to bullying”
A cunning predator: How Silver Fox preys on Japanese firms this tax season
Dominik BreitenbacherTakahiro Sajima · 2026-03-27 · via WeLiveSecurity

Business Security

Silver Fox is back in Japan, spoofing tax and HR emails timed to the one season when no one thinks twice about opening them

27 Mar 2026  •  , 4 min. read

A cunning predator: How Silver Fox preys on Japanese firms this tax season

Japan has entered its annual tax filing and organizational change season, a period when companies generate a high volume of legitimate financial and HR‑related communications. A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.

The ongoing campaign uses convincing phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans. All emails share the same goal – trick the recipients into opening malicious links or attachments. As employees actually expect to receive emails about these subjects this time of year, they’re more likely to trust and act on such messages without a second thought. Needless to say, this significantly increases the risk of compromise.

The operation is also a reminder for organizations to increase vigilance, reinforce awareness around phishing attempts, and ensure that employees verify the authenticity of tax‑ and HR‑themed requests – including those that look routine. Immediate reporting of suspicious emails to security teams is essential to reduce exposure and prevent successful compromise.

What is the threat?

Active since at least 2023, Silver Fox initially focused on Chinese-speaking targets before expanding into Southeast Asia, Japan, and potentially North America, running each campaign in a local language. This broadened scope shows in the range of verticals the group has hit over the years – finance, healthcare, education, gaming, government and even cybersecurity. The group also primarily operates in Southeast Asia and has a well-documented history of finance-themed spearphishing campaigns during seasonal business cycles.

In the ongoing campaign, the group is taking advantage of Japan’s annual cycle of tax filing, financial reporting, salary adjustments, and personnel changes. This pattern isn’t new – similar activity was observed during the same period last year, indicating that Silver Fox deliberately aligns its operations with this season. The volume and urgency of legitimate internal communication around these topics is high this time of year, which is exactly what Silver Fox is counting on and what makes its campaigns effective.

In this operation, Silver Fox sends tailored spearphishing emails crafted to look like legitimate HR or tax-related messages. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line. Examples of subjects observed in this campaign include:

  • 「会社名 」【従業員持株会規約改正に関するお知らせ】
    (Translation: <Company Name> Notice of amendments to the ESOP terms and conditions])
  • 「会社名 」【従業員持株会規約の一部改正について】
    (Translation: <Company Name> [Revisions to the ESOP Terms and Conditions])
  • 「会社名 」【人事異動・給与改定について】
    (Translation: <Company Name> [Personnel Changes and Salary Adjustments])
  • 税務コンプライアンスおよび罰金通知
    (Translation: Tax Compliance and Penalty Notice)

The sender fields impersonate real employees and even CEOs at the targeted companies. Silver Fox is clearly doing some reconnaissance on each target before sending what aren’t generic blasts. The attackers are picking names that the targets are likely to recognize and trust, which makes it more difficult for the recipients to distinguish the malicious messages from real internal notifications.

The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents, such as:

  • 【給与調整のお知らせ】
    (Translation: Salary Adjustment Notice)
  • 人事異動・給与改定について
    (Translation: Personnel Changes and Salary Adjustments)
  • 人事異動及び給与改定に関するお知らせ
    (Translation: Notice regarding personnel changes and salary adjustments)
  • 【従業員持株会規約の一部改正について】
    (Translation: [Partial amendment to the Employee Stock Ownership Plan terms and conditions])

The following are examples of observed emails and lures:

Figure_1_CN_SilverFox_spearphishing_2026-03-11
Figure 1. Spearphishing email distributed on 2026-03-11
Figure_2_CN_SilverFox_spearphishing_2026-03-12
Figure 2. Spearphishing email distributed on 2026-03-12
Figure_3_CN_SilverFox_tax-related_lure_webpage
Figure 3. Tax-related lure webpage instructing the target to download a malicious file

Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. ESET products detect this malware as Win64/Valley. Once deployed, ValleyRAT enables the actor to take remote control of the compromised machine, harvest sensitive information, monitor user activity, and maintain persistence in the targeted environment. This can allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack.

How to recognize the threat and protect yourself

While Silver Fox’s emails may appear credible at the first glance, especially during Japan’s busy tax and organizational change season, a closer look reveals hints rendering the emails suspicious. The following signs are the key to recognizing and stopping the attack:

  • If you receive an email about salary changes, tax penalties, or personnel updates, verify it through a separate channel (Teams, phone, or direct email lookup) before acting on it. This applies even if the message looks routine.
  • Even if the sender’s name belongs (or seems to belong) to a colleague, make sure that the email address and the name match. If they don’t or the address looks unfamiliar, treat the email as suspicious.
  • Ask yourself whether this communication follows your company’s usual HR or Finance process.
  • Be cautious if the language feels overly formal, stiff, or mismatched with typical internal communications. Since the threat actor is not a native Japanese speaker, the emails may contain awkward phrasing and subtle giveaways.
  • Documents are unlikely to be shared through a publicly available file hosting services such as gofile[.]io or WeTransfer.
  • Pay attention to the attachment type. If it’s an archive such as RAR or ZIP, look at what’s actually inside before opening the files.
  • Install software updates when prompted.
  • Ensure your security software is running and up-to-date.
  • If something feels off about an email, forward it as an attachment to your IT or security team. Reporting is never a mistake – even if the email turns out to be legitimate.

The following are illustrative examples of what to watch out for:

Figure_4_CN_SilverFox_spearphishing_2026-03-12_indicators
Figure 4. Signs revealing that the email is not legitimate
Figure_5_CN_SilverFox_spearphishing_2026-03-11_indicators
Figure 5. Signs revealing that this email is not legitimate, either

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.


Let us keep you
up to date

Sign up for our newsletters