Threat Research

Since December 2025, multiple incidents in Japan have been linked to the exploitation of React2Shell (CVE-2025-55182), a remote code execution flaw affecting React and Next.js applications. While most attacks deployed coin miners, investigators identified a previously undocumented malware named ZnDoor....
LongNosedGoblin is a newly identified China-aligned APT group focused on cyberespionage against governmental institutions in Southeast Asia and Japan. Active since at least September 2023, the group leverages Windows Group Policy to deploy malware and move laterally within compromised networks, while using cloud services such as OneDrive and Google Drive for command-and-control....
In mid-2025, researchers identified a sophisticated BRONZE BUTLER campaign that leveraged a zero-day vulnerability in Motex LANSCOPE Endpoint Manager to exfiltrate sensitive data....
In January 2025, Labs identified a series of Winos 4.0 attacks targeting users in Taiwan. By February, it became evident that the threat actor had transitioned to new malware families and broadened its operations....
A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....
Since April 2025, we've observed a surge in email phishing targeting Japanese speakers. These campaigns impersonate companies such as Amazon, Apple, and Japan Airlines. The emails often appear as fake purchase notices or safety alerts containing convincing phishing links. Early attacks included fake Amazon CAPTCHA pages used to steal user credentials....
Gunra ransomware's Linux variant significantly expands the group's attack surface, reflecting its intention to move beyond its initial targets. This variant includes key features such as the ability to run up to 100 encryption threads simultaneously and to perform partial encryption....
Our team has observed a surge in large-scale phishing campaigns written in Japanese, primarily targeting organizations in Japan and using a phishing kit known as CoGUI. These campaigns often impersonate well-known consumer and payment brands such as Amazon, PayPay, and Rakuten. CoGUI is a stealthy phishing framework designed to evade detection, with Japan as its main focus....
A newly identified botnet called RustoBot is spreading through TOTOLINK routers. It is written in Rust, a programming language known for its speed and memory safety. RustoBot exploits command injection vulnerabilities in the cstecgi.cgi script, including CVE-2022-26210 and CVE-2022-26187, to achieve remote code execution....
We've identified an ongoing campaign leveraging strategically aged domains in Traffic Direction System (TDS) activity. The final landing pages promote investment scams and fraudulent part-time or work-from-home opportunities. To evade detection, the attackers register new domains and keep them dormant for at least a month before activating them....