Silver Fox Threat Actor Targets Japanese Firms with Tax-Season Spearphishing Campaign
The Silver Fox threat actor is conducting a targeted spearphishing campaign against Japanese manufacturers and businesses, exploiting the country's tax filing and HR change season to deliver ValleyRAT.
The Silver Fox threat actor is actively targeting Japanese manufacturers and businesses with a sophisticated spearphishing campaign timed to coincide with Japan's annual tax filing and organizational change season. According to researchers at ESET, the campaign exploits the high volume of legitimate financial and HR-related communications that companies generate during this period, making malicious emails harder to distinguish from routine messages.
The attackers are sending tailored emails that impersonate real employees and even CEOs at targeted companies. The lures cover topics such as tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans (ESOPs). Examples of observed subject lines include "Tax Compliance and Penalty Notice" and "<Company Name> Personnel Changes and Salary Adjustments." The emails contain either malicious attachments or links that lead to the download of ValleyRAT, a remote access trojan that ESET detects as Win64/Valley.
ValleyRAT enables the attackers to take remote control of compromised machines, harvest sensitive information, monitor user activity, and maintain persistence within the targeted environment. Once deployed, the malware can allow the threat actor to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack. The malicious files are named to resemble common HR, financial, or tax-related documents, such as "Salary Adjustment Notice" and "Notice regarding personnel changes and salary adjustments."
Silver Fox has been active since at least 2023 and initially focused on Chinese-speaking targets before expanding into Southeast Asia, Japan, and potentially North America. The group has a well-documented history of finance-themed spearphishing campaigns during seasonal business cycles and has targeted a wide range of verticals, including finance, healthcare, education, gaming, government, and cybersecurity. The current campaign is not the first time Silver Fox has targeted Japan during this period—similar activity was observed during the same season last year.
The campaign underscores the importance of vigilance during periods of high legitimate communication volume. ESET recommends that employees verify any email about salary changes, tax penalties, or personnel updates through a separate channel, such as a phone call or direct message, before acting on it. Even if the sender's name appears to belong to a colleague, recipients should ensure that the email address matches the name and treat any unfamiliar addresses as suspicious.
Organizations in Japan should reinforce awareness around phishing attempts and ensure that employees report suspicious emails to security teams immediately. The use of ValleyRAT in this campaign highlights the persistent threat posed by established malware families that are continuously adapted for new targets and seasonal opportunities.