Japan\u2019s tax season has become a hunting ground for a well-organized threat actor known as Silver Fox. <\/p>\n
As Japanese companies enter their annual cycle of tax filing, salary reviews, and personnel changes, this group is taking full advantage of the moment \u2014 sending highly targeted spearphishing emails designed to look like routine internal communications. <\/p>\n
The campaign currently targets manufacturers and various other businesses across Japan, exploiting a time when employees are naturally expecting emails about financial and HR matters.<\/a><\/p>\n Silver Fox has been active since at least 2023. The group initially focused on Chinese-speaking targets before expanding operations into Southeast Asia, Japan, and potentially North America, running each campaign in the local language. <\/p>\n Over the years, the group has targeted a wide range of industries \u2014 finance, healthcare, education, gaming, government, and even cybersecurity. <\/p>\n This broad reach shows that Silver Fox is not a one-trick operation; it adapts its tactics to fit the environment and the season. <\/p>\n This latest campaign against Japan is a continuation of a pattern observed during the same period last year, confirming that the group deliberately times its attacks around predictable business cycles.<\/a><\/p>\n WeLiveSecurity analysts identified this ongoing campaign<\/a> and noted that Silver Fox\u2019s emails are not generic blasts. The attackers conduct prior reconnaissance on each target, gathering real employee names and even CEO identities to use as spoofed senders. <\/p>\n Each email includes the target company\u2019s name directly in the subject line, making the message feel like a legitimate internal notification. <\/p>\n Subject lines reference topics such as tax compliance violations, salary adjustments, employee stock ownership plan changes, and personnel updates \u2014 exactly the kind of messages employees expect and trust during this busy season. <\/p>\n This level of pre-attack research is what separates Silver Fox from lower-tier threat actors and makes its campaigns significantly harder to spot.<\/p>\n The emails carry either malicious attachments or links that lead to pages where victims are instructed to download a file. <\/p>\n These shows the examples of spearphishing emails<\/a> distributed on March 11 and March 12, 2026, respectively, while a tax-related lure webpage used to push the malicious download. <\/p>\n Opening any of these files drops ValleyRAT onto the victim\u2019s machine \u2014 a remote access trojan that ESET products detect as Win64\/Valley. Once installed, ValleyRAT gives the attacker full remote control of the compromised system. <\/p>\n This allows them to steal sensitive data<\/a>, monitor user activity, and move deeper into the network to set up further stages of the attack.<\/a><\/p>\n The infection chain behind this particular campaign is straightforward but effective. After a victim opens the malicious file \u2014 typically disguised as a salary notice or HR document \u2014 ValleyRAT silently takes hold of the system. <\/p>\n The trojan then maintains persistence in the environment, meaning it continues running even after restarts, keeping the attacker\u2019s access alive over time. <\/p>\n The files are often delivered through publicly available file-hosting services such as gofile[.]io or WeTransfer, which adds another layer of deception since these are recognizable platforms. <\/p>\n Archives in RAR or ZIP format are commonly used to package the payload, making it less immediately obvious to the recipient.<\/a><\/p>\n To reduce the risk of falling victim to this campaign, WeLiveSecurity researchers recommended that employees verify any email about salary changes, tax penalties, or personnel updates through a separate channel \u2014 such as a phone call or a direct message \u2014 before taking any action. <\/p>\n Recipients should also check whether the sender\u2019s email address actually matches the name displayed, as mismatches are a common sign of spoofing. <\/p>\n Employees should also be cautious if the language in the email feels unusually stiff or formal, since Silver Fox operators are not native Japanese speakers and subtle phrasing errors sometimes appear in the messages. <\/p>\n Organizations are also advised to keep security software<\/a> up to date and to promptly report any suspicious email to the IT or security team, even when the email appears routine at first glance.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Silver Fox Campaign Hits Japanese Businesses With Tax-Themed Phishing Lures<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Spearphishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjVgFHHP_cankfTdah6Srhq81xUd2IUmsSxapdjodlyk50XBiW31VbSieqvngcqqWt4AVfGf5HtLflSHTlCTCjzGhy24PNir8S5OfCQzMVbjJHSLGgMQKtB6HqPUFcEuBjZl_jChnH3evdSNfC5ferjHrLDEcqM__QxZPTDmhKGSaj13SvvuFS2XwlEkE8\/s16000\/Spearphishing%2520email%2520distributed%2520on%25202026-03-11%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
![\"Spearphishing](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhAktsikQ-6qaPyoLScFGQfy86-8s0eyy9PdypdXJkQ86PWQ8h7eOPklYTV20pcudgdnKjghFy0j8Ouzyjysp_4at2OQ7GRrYZoH5LNUGOr9Oc2LfUFKpmRnxGKHX7GSSWxxeIFR-Ij4TCvMoxCe1xtscsm-oY61JszA9DNu3RtCTO16HVpnOjjX9Gribw\/s16000\/Spearphishing%2520email%2520distributed%2520on%25202026-03-12%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
![\"Tax-related](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgRBSj-dyglCcFiwb9EHEKuORBm5Mmm5_6bqRqqfxjEx6UZ2M2rKes1Rp3RWMgKcK_TI92-yGtqhRTVKdhuSacmT3CQXYa1Ft7hfXh0H78_-RK9M60do9zUw77gqJp5vFKQ5xZ6RX1pP7tD0hYAYmFT4EOw3Z418WUZTlWFMetF1dSvE4mpxrugo5elN24\/s16000\/Tax-related%2520lure%2520webpage%2520instructing%2520the%2520target%2520to%2520download%2520a%2520malicious%2520file%2520%28Source%2520-%2520Welivesecurity%29.webp?ssl=1\")
How the Attack Is Structured<\/strong><\/h2>\n