\nhistory<\/a> of finance-themed<\/a> spearphishing campaigns during seasonal business cycles.<\/p>\n
In the ongoing campaign, the group is taking advantage of Japan\u2019s annual cycle of tax filing, financial reporting, salary adjustments, and personnel changes. This pattern isn\u2019t new \u2013 similar activity was observed during the same period last year, indicating that Silver Fox deliberately aligns its operations with this season. The volume and urgency of legitimate internal communication around these topics is high this time of year, which is exactly what Silver Fox is counting on and what makes its campaigns effective.<\/p>\n
In this operation, Silver Fox sends tailored spearphishing emails crafted to look like legitimate HR or tax-related messages. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line. Examples of subjects observed in this campaign include:<\/p>\n
- \n
- \u300c\u4f1a\u793e\u540d <\/em>\u300d\u3010\u5f93\u696d\u54e1\u6301\u682a\u4f1a\u898f\u7d04\u6539\u6b63\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b\u3011<\/em>
(Translation: <Company Name> Notice of amendments to the ESOP terms and conditions])<\/em><\/li>\n- \u300c\u4f1a\u793e\u540d <\/em>\u300d\u3010\u5f93\u696d\u54e1\u6301\u682a\u4f1a\u898f\u7d04\u306e\u4e00\u90e8\u6539\u6b63\u306b\u3064\u3044\u3066\u3011<\/em>
(Translation: <Company Name> [Revisions to the ESOP Terms and Conditions])<\/em><\/li>\n- \u300c\u4f1a\u793e\u540d <\/em>\u300d\u3010\u4eba\u4e8b\u7570\u52d5\u30fb\u7d66\u4e0e\u6539\u5b9a\u306b\u3064\u3044\u3066\u3011<\/em>
(Translation: <Company Name> [Personnel Changes and Salary Adjustments])<\/em><\/li>\n- \u7a0e\u52d9\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u304a\u3088\u3073\u7f70\u91d1\u901a\u77e5
(Translation: Tax Compliance and Penalty Notice)<\/em><\/li>\n<\/ul>\nThe sender fields impersonate real employees and even CEOs at the targeted companies. Silver Fox is clearly doing some reconnaissance on each target before sending what aren\u2019t generic blasts. The attackers are picking names that the targets are likely to recognize and trust, which makes it more difficult for the recipients to distinguish the malicious messages from real internal notifications.<\/p>\n
The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents, such as:<\/p>\n
- \n
- \u3010\u7d66\u4e0e\u8abf\u6574\u306e\u304a\u77e5\u3089\u305b\u3011
(Translation: Salary Adjustment Notice)<\/em><\/li>\n- \u4eba\u4e8b\u7570\u52d5\u30fb\u7d66\u4e0e\u6539\u5b9a\u306b\u3064\u3044\u3066<\/em>
(Translation: Personnel Changes and Salary Adjustments)<\/em><\/li>\n- \u4eba\u4e8b\u7570\u52d5\u53ca\u3073\u7d66\u4e0e\u6539\u5b9a\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b<\/em>
(Translation: Notice regarding personnel changes and salary adjustments)<\/em><\/li>\n- \u3010\u5f93\u696d\u54e1\u6301\u682a\u4f1a\u898f\u7d04\u306e\u4e00\u90e8\u6539\u6b63\u306b\u3064\u3044\u3066\u3011<\/em>
(Translation: [Partial amendment to the Employee Stock Ownership Plan terms and conditions])<\/em><\/li>\n<\/ul>\nThe following are examples of observed emails and lures:<\/p>\n
![\"Figure_1_CN_SilverFox_spearphishing_2026-03-11\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/silver-fox\/figure-1-cn-silverfox-spearphishing-2026-03-11.png\" "\\"Figure")
Figure 1. Spearphishing email distributed on 2026-03-11<\/em><\/figcaption><\/figure>\n ![\"Figure_2_CN_SilverFox_spearphishing_2026-03-12\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/silver-fox\/figure-2-cn-silverfox-spearphishing-2026-03-12.png\" "\\"Figure")
Figure 2. Spearphishing email distributed on 2026-03-12<\/em><\/figcaption><\/figure>\n ![\"Figure_3_CN_SilverFox_tax-related_lure_webpage\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/silver-fox\/figure-3-cn-silverfox-tax-related-lure-webpage.png\" "\\"\\"")
Figure 3. Tax-related lure webpage instructing the target to download a malicious file<\/em><\/figcaption><\/figure>\n Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. ESET products detect this malware as Win64\/Valley. Once deployed, ValleyRAT enables the actor to take remote control of the compromised machine, harvest sensitive information, monitor user activity, and maintain persistence in the targeted environment. This can allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack.<\/p>\n
How to recognize the threat and protect yourself<\/h2>\n
While Silver Fox\u2019s emails may appear credible at the first glance, especially during Japan\u2019s busy tax and organizational change season, a closer look reveals hints rendering the emails suspicious. The following signs are the key to recognizing and stopping the attack:<\/p>\n
- \n
- If you receive an email about salary changes, tax penalties, or personnel updates, verify it through a separate channel (Teams, phone, or direct email lookup) before acting on it. This applies even if the message looks routine.<\/li>\n
- Even if the sender\u2019s name belongs (or seems to belong) to a colleague, make sure that the email address and the name match. If they don\u2019t or the address looks unfamiliar, treat the email as suspicious.<\/li>\n
- Ask yourself whether this communication follows your company\u2019s usual HR or Finance process.<\/li>\n
- Be cautious if the language feels overly formal, stiff, or mismatched with typical internal communications. Since the threat actor is not a native Japanese speaker, the emails may contain awkward phrasing and subtle giveaways.<\/li>\n
- Documents are unlikely to be shared through a publicly available file hosting services such as gofile[.]io or WeTransfer.<\/li>\n
- Pay attention to the attachment type. If it\u2019s an archive such as RAR or ZIP, look at what\u2019s actually inside before opening the files.<\/li>\n
- Install software updates when prompted.<\/li>\n
- Ensure your security software is running and up-to-date.<\/li>\n
- If something feels off about an email, forward it as an attachment to your IT or security team. Reporting is never a mistake \u2013 even if the email turns out to be legitimate.<\/li>\n<\/ul>\n
The following are illustrative examples of what to watch out for:<\/p>\n
![\"Figure_4_CN_SilverFox_spearphishing_2026-03-12_indicators\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/silver-fox\/figure-4-cn-silverfox-spearphishing-2026-03-12-indicators.png\" "\\"Figure")
Figure 4. Signs revealing that the email is not legitimate<\/em><\/figcaption><\/figure>\n ![\"Figure_5_CN_SilverFox_spearphishing_2026-03-11_indicators\"](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/03-26\/silver-fox\/figure-5-cn-silverfox-spearphishing-2026-03-11-indicators.png\" "\\"Figure")
Figure 5. Signs revealing that this email is not legitimate, either<\/em><\/figcaption><\/figure>\n IoCs<\/h2>\n
A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository<\/a>.<\/p>\n
- \u4eba\u4e8b\u7570\u52d5\u30fb\u7d66\u4e0e\u6539\u5b9a\u306b\u3064\u3044\u3066<\/em>
- \u300c\u4f1a\u793e\u540d <\/em>\u300d\u3010\u5f93\u696d\u54e1\u6301\u682a\u4f1a\u898f\u7d04\u306e\u4e00\u90e8\u6539\u6b63\u306b\u3064\u3044\u3066\u3011<\/em>