{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/silverfox/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Silver Fox"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["silverfox","spearphishing","valleyrat","japan","taxseason","remoteaccesstrojan"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Silver Fox threat actor, active since at least 2023, is conducting a spearphishing campaign targeting Japanese organizations during their annual tax filing and organizational change season. Initially focused on Chinese-speaking targets, Silver Fox has expanded its operations into Southeast Asia, Japan, and potentially North America. This campaign specifically exploits the high volume of legitimate financial and HR-related communications that occur during this period, making it more likely that employees will trust and act on malicious messages related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans. The group has targeted a range of verticals including finance, healthcare, education, gaming, government and cybersecurity. This campaign is a repeat of similar activity observed during the same period last year, indicating a deliberate alignment of operations with this seasonal business cycle.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker performs reconnaissance on targeted Japanese companies, gathering information on employee names and roles within HR and finance departments.\u003c/li\u003e\n\u003cli\u003eSpearphishing emails are crafted to impersonate real employees or even CEOs at the targeted companies. The emails often include the targeted company\u0026rsquo;s name in the subject line to enhance credibility.\u003c/li\u003e\n\u003cli\u003eThe emails are sent to employees during Japan\u0026rsquo;s tax filing and organizational change season, increasing the likelihood of the recipients opening the messages due to the expected volume of HR and financial communications.\u003c/li\u003e\n\u003cli\u003eThe emails contain malicious attachments, such as ZIP or RAR archives, or links leading to malicious files hosted on public file-sharing services like gofile[.]io or WeTransfer.\u003c/li\u003e\n\u003cli\u003eThe malicious files are named to resemble common HR, financial, or tax-related documents, such as \u0026ldquo;Salary Adjustment Notice\u0026rdquo; or \u0026ldquo;Notice regarding personnel changes and salary adjustments.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eWhen the recipient opens the malicious file, it drops ValleyRAT (detected as Win64/Valley by ESET products), a remote access trojan.\u003c/li\u003e\n\u003cli\u003eValleyRAT enables the attacker to take remote control of the compromised machine, harvest sensitive information, and monitor user activity.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence within the targeted environment, allowing for continued access and the potential for further malicious activities, such as data exfiltration or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this campaign can lead to a significant compromise of Japanese organizations, particularly manufacturers and businesses involved in finance, healthcare, education, gaming, government and cybersecurity. The deployment of ValleyRAT allows the attacker to gain remote access to compromised systems, potentially leading to the theft of sensitive financial data, intellectual property, and confidential employee information. This can result in financial losses, reputational damage, and legal repercussions for the affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ValleyRAT Execution\u0026rdquo; Sigma rule to identify instances where ValleyRAT is executed on endpoints (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for subjects containing company names along with keywords related to tax, HR, and salary adjustments, and alert on unusual patterns (email logs).\u003c/li\u003e\n\u003cli\u003eBlock connections to known malicious file hosting services like gofile[.]io and WeTransfer at the network level, as these are used to deliver the malicious payloads (network_connection logs).\u003c/li\u003e\n\u003cli\u003eEducate employees to verify any requests related to salary changes, tax penalties, or personnel updates through separate channels (awareness training).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all email accounts to prevent unauthorized access (authentication logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T12:00:00Z","date_published":"2026-03-28T12:00:00Z","id":"/briefs/2026-03-silverfox-japan-tax-season/","summary":"The Silver Fox threat actor is conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses, exploiting the annual tax filing and organizational change season by sending emails containing malicious attachments that deploy ValleyRAT, leading to remote access, data theft, and persistence.","title":"Silver Fox Spearphishing Campaign Targeting Japanese Firms During Tax Season","url":"https://feed.craftedsignal.io/briefs/2026-03-silverfox-japan-tax-season/"}],"language":"en","title":"CraftedSignal Threat Feed — Silverfox","version":"https://jsonfeed.org/version/1.1"}