{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spearphishing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Silver Fox"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["silverfox","spearphishing","valleyrat","japan","taxseason","remoteaccesstrojan"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Silver Fox threat actor, active since at least 2023, is conducting a spearphishing campaign targeting Japanese organizations during their annual tax filing and organizational change season. Initially focused on Chinese-speaking targets, Silver Fox has expanded its operations into Southeast Asia, Japan, and potentially North America. This campaign specifically exploits the high volume of legitimate financial and HR-related communications that occur during this period, making it more likely that employees will trust and act on malicious messages related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans. The group has targeted a range of verticals including finance, healthcare, education, gaming, government and cybersecurity. This campaign is a repeat of similar activity observed during the same period last year, indicating a deliberate alignment of operations with this seasonal business cycle.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker performs reconnaissance on targeted Japanese companies, gathering information on employee names and roles within HR and finance departments.\u003c/li\u003e\n\u003cli\u003eSpearphishing emails are crafted to impersonate real employees or even CEOs at the targeted companies. 
The emails often include the targeted company\u0026rsquo;s name in the subject line to enhance credibility.\u003c/li\u003e\n\u003cli\u003eThe emails are sent to employees during Japan\u0026rsquo;s tax filing and organizational change season, increasing the likelihood of the recipients opening the messages due to the expected volume of HR and financial communications.\u003c/li\u003e\n\u003cli\u003eThe emails contain malicious attachments, such as ZIP or RAR archives, or links leading to malicious files hosted on public file-sharing services like gofile[.]io or WeTransfer.\u003c/li\u003e\n\u003cli\u003eThe malicious files are named to resemble common HR, financial, or tax-related documents, such as \u0026ldquo;Salary Adjustment Notice\u0026rdquo; or \u0026ldquo;Notice regarding personnel changes and salary adjustments.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eWhen the recipient opens the malicious file, it drops ValleyRAT (detected as Win64/Valley by ESET products), a remote access trojan.\u003c/li\u003e\n\u003cli\u003eValleyRAT enables the attacker to take remote control of the compromised machine, harvest sensitive information, and monitor user activity.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence within the targeted environment, allowing for continued access and the potential for further malicious activities, such as data exfiltration or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this campaign can lead to a significant compromise of Japanese organizations, particularly manufacturers and businesses involved in finance, healthcare, education, gaming, government and cybersecurity. The deployment of ValleyRAT allows the attacker to gain remote access to compromised systems, potentially leading to the theft of sensitive financial data, intellectual property, and confidential employee information. 
This can result in financial losses, reputational damage, and legal repercussions for the affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect ValleyRAT Execution\u0026rdquo; Sigma rule to identify instances where ValleyRAT is executed on endpoints (Sigma rule).\u003c/li\u003e\n\u003cli\u003eMonitor inbound email for subjects that pair the organization\u0026rsquo;s own name with tax, HR, or salary-adjustment wording, such as the \u0026ldquo;Salary Adjustment Notice\u0026rdquo; lure seen in this campaign, especially where the display name matches an internal employee or executive but the sender address is external, and alert on volumes above the seasonal baseline (email logs).\u003c/li\u003e\n\u003cli\u003eRestrict or closely monitor downloads from public file-sharing services such as gofile[.]io and WeTransfer, which this campaign abuses to host payloads. These are legitimate services rather than attacker-owned infrastructure, so an outright block may disrupt business use; where blocking is not feasible, alert on ZIP or RAR downloads from these services (network_connection logs).\u003c/li\u003e\n\u003cli\u003eEducate employees to verify any requests related to salary changes, tax penalties, or personnel updates through separate channels (awareness training).\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on all email accounts. This limits account takeover and the use of genuine mailboxes to send lures, but does not stop an attachment-borne RAT, so pair it with gateway policies that quarantine or sandbox inbound ZIP and RAR attachments from external senders (authentication logs, email gateway logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T12:00:00Z","date_published":"2026-03-28T12:00:00Z","id":"/briefs/2026-03-silverfox-japan-tax-season/","summary":"The Silver Fox threat actor is conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses, exploiting the annual tax filing and organizational change season by sending emails containing malicious attachments that deploy ValleyRAT, leading to remote access, data theft, and persistence.","title":"Silver Fox Spearphishing Campaign Targeting Japanese Firms During Tax Season","url":"https://feed.craftedsignal.io/briefs/2026-03-silverfox-japan-tax-season/"},{"_cs_actors":["RagaSerpent"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["RagaSerpent","SideWinder","Tax Audit","Spearphishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe RagaSerpent cluster, sometimes referred to as SideWinder-Adjacent, is an active threat actor targeting multiple countries between 2025 and 2026. Their activities are characterized by a campaign centered around a \u0026ldquo;Tax Audit\u0026rdquo; theme. This suggests potential targeting of individuals or organizations involved in financial activities or government entities responsible for tax administration. While specific technical details are limited in this brief, the multi-country scope and the social engineering aspect of the \u0026ldquo;Tax Audit\u0026rdquo; theme indicate a sophisticated and potentially widespread operation. Defenders should be aware of potential phishing attempts or malicious documents leveraging this theme.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to limited information, a detailed attack chain cannot be fully constructed. However, assuming a typical phishing-based delivery mechanism, a possible attack chain might look like this:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker sends a spearphishing email to a target, posing as a tax authority.\u003c/li\u003e\n\u003cli\u003eDelivery: The email contains a malicious attachment (e.g., a Microsoft Office document or PDF) or a link to a malicious website.\u003c/li\u003e\n\u003cli\u003eExploitation: If the attachment is opened, it either abuses a document feature the user is tricked into enabling (e.g., a macro) or exploits a vulnerability in the document reader to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eInstallation: The attacker installs a backdoor or malware on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The malware establishes a connection with a command-and-control (C2) server to receive instructions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised machine to move laterally within the network, accessing other systems and resources.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker identifies and exfiltrates sensitive data, such as financial records or personal information.\u003c/li\u003e\n\u003cli\u003eFinal Objective: The ultimate goal could be data theft, financial gain, or espionage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RagaSerpent attacks leveraging a tax audit theme could lead to significant data breaches, financial losses, and reputational damage for targeted organizations. Individuals could experience identity theft and financial fraud. The multi-country scope suggests potentially widespread impact, affecting government agencies, financial institutions, and individuals across different regions. The specific damage will depend on the nature of the compromised data and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and tune the provided Sigma rule to detect suspicious process executions potentially related to malicious document exploits (\u003ccode\u003erules[0]\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs (Sysmon or equivalent) for better visibility into potential exploit attempts as outlined in the rule\u0026rsquo;s logsource (\u003ccode\u003erules[0].logsource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the generic network connection Sigma rule to identify potentially malicious outbound communication from unusual processes (\u003ccode\u003erules[1]\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-ragaserpent-tax-audit/","summary":"The RagaSerpent cluster, also known as SideWinder-Adjacent, is conducting targeted attacks across multiple countries between 2025 and 2026, associated with a 'Tax Audit' themed campaign.","title":"RagaSerpent 'Tax Audit' Campaign Targeting Multiple Countries","url":"https://feed.craftedsignal.io/briefs/2026-03-ragaserpent-tax-audit/"}],"language":"en","title":"CraftedSignal Threat Feed — Spearphishing","version":"https://jsonfeed.org/version/1.1"}
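Both briefs in the feed above describe tax-themed spearphishing lures and recommend watching mail for the organization's own name paired with tax, HR or salary wording, for impersonated internal senders, for ZIP/RAR attachments, and for links to public file-sharing services. The following is an added example, not part of the CraftedSignal feed and not detection content from any vendor named in it, showing how that triage heuristic can be scored over mail-gateway records. The record field names (from, display_name, subject, attachments, body), the organization name, the staff list and the three sample messages are constructed for the example; the lure keywords and file-sharing hosts are taken from the briefs.

```python
"""Triage heuristic for tax-season lure emails (added example, not feed content).

Scores mail-gateway records on the traits described in the two briefs:
a subject that pairs the target organisation's own name with tax/HR/salary
wording, a known internal display name delivered from an external address,
an archive attachment (ZIP/RAR), or a link to a public file-sharing service.
Field names and sample records are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Keywords drawn from the lure titles named in the briefs. Extend with the
# Japanese equivalents your own gateway sees; the briefs give none.
LURE_KEYWORDS = (
    "salary adjustment", "personnel change", "tax", "stock ownership",
    "job position", "tax audit", "compliance violation",
)
ARCHIVE_EXT = re.compile(r"\.(zip|rar)$", re.IGNORECASE)
# Public file-sharing hosts the Silver Fox brief says are abused for hosting.
FILESHARE_HOSTS = ("gofile.io", "wetransfer.com")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(msg: Dict, org_name: str, internal_domain: str, staff: Dict[str, str]) -> Verdict:
    """Score one gateway record. `staff` maps employee display names to their real addresses."""
    v = Verdict()
    subject = msg["subject"].lower()
    sender = msg["from"].lower()
    display = msg.get("display_name", "")
    sender_domain = sender.rsplit("@", 1)[-1]

    # Subject: org name + lure wording is the strongest signal; wording alone is weak.
    hit = [k for k in LURE_KEYWORDS if k in subject]
    if org_name.lower() in subject and hit:
        v.add(3, f"org name + lure keyword(s) in subject: {hit}")
    elif hit:
        v.add(1, f"lure keyword(s) in subject: {hit}")

    # Impersonation: display name is a known employee/CEO but the envelope
    # sender is outside our domain or is not that person's mailbox.
    if display in staff and (sender_domain != internal_domain or sender != staff[display]):
        v.add(3, f"display name '{display}' does not match internal address")

    for name in msg.get("attachments", []):
        if ARCHIVE_EXT.search(name):
            v.add(2, f"archive attachment: {name}")

    for host in URL_RE.findall(msg.get("body", "")):
        if any(host.lower().endswith(h) for h in FILESHARE_HOSTS):
            v.add(2, f"file-sharing link: {host}")
    return v


def run_sample() -> Dict[str, int]:
    """Score three constructed records: a Silver Fox-style lure, a tax-audit lure, and benign mail."""
    org, domain = "Example KK", "example.co.jp"          # constructed organisation
    staff = {"Taro Sato": "t.sato@example.co.jp"}        # constructed staff directory
    records = [                                          # constructed gateway log entries
        {"id": "m1", "from": "hr-notice@mail-example.com", "display_name": "Taro Sato",
         "subject": "Example KK Salary Adjustment Notice",
         "attachments": ["Salary_Adjustment_Notice.rar"], "body": "See attached."},
        {"id": "m2", "from": "tax-office@service-tax.example", "display_name": "Tax Office",
         "subject": "Tax Audit: action required", "attachments": [],
         "body": "Download the notice at https://gofile.io/d/abc123"},
        {"id": "m3", "from": "t.sato@example.co.jp", "display_name": "Taro Sato",
         "subject": "Lunch on Friday?", "attachments": [], "body": "Ramen?"},
    ]
    return {r["id"]: triage(r, org, domain, staff).score for r in records}


if __name__ == "__main__":
    for mid, score in run_sample().items():
        print(mid, score)
```

The scoring is deliberately additive so that a single weak signal (the word "tax" in a subject) does not alert on its own during a season when such mail is expected; the combination of an internal display name on an external sender plus an archive attachment is what pushes a record over a review threshold.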