Silver Fox launched a targeted spearphishing campaign against Japanese businesses during tax filing and organizational change season, using localized lures tied to tax compliance violations, salary adjustments, personnel changes, employee stock plans, and invoice themes. Researchers said the actor conducted reconnaissance before sending emails, impersonated real employees and executives, and often inserted the victim company’s name into subject lines to make messages appear legitimate. The emails pushed recipients to open malicious attachments or download archives from public file-sharing services such as gofile[.]io and WeTransfer, with filenames crafted to resemble routine HR, finance, and tax documents.
The campaign delivered ValleyRAT (ESET detection: Win64/Valley), a remote access trojan capable of remote control, persistence, information theft, user monitoring, and potential lateral movement. Separate analysis tied one Japanese-language Rakuten invoice lure to a DLL sideloading chain abusing Dell MaxxAudio, after which the malware beaconed to a Hong Kong-based command-and-control server over port 886; investigators also noted configuration overlaps with Gh0st RAT defaults and fabricated WHOIS data linked to a Chinese registrant email. The activity follows similar seasonal operations seen the previous year and reflects Silver Fox’s broader expansion from earlier Chinese-speaking targets into Japan and other regions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
A Japanese-language phishing lure themed as a Rakuten invoice was used to deliver ValleyRAT. The infection chain used DLL sideloading via Dell MaxxAudio, and the malware beaconed to a Hong Kong command-and-control server over port 886.
WeLiveSecurity reported that Silver Fox was conducting a targeted spearphishing campaign against Japanese organizations during Japan’s March 2026 tax filing and organizational change period. The campaign used localized tax- and HR-themed lures, impersonation of real employees and executives, and delivered ValleyRAT.
Examples of Silver Fox spearphishing emails targeting Japanese organizations were observed being distributed on March 11 and March 12, 2026. The messages used believable finance and HR themes and attempted to lure recipients into opening malicious attachments or downloading files from public file-sharing services.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
infosec.pub
Open sourceblog.knowbe4.com
Open sourcecybersecuritynews.com
Open sourcewelivesecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.