- Background
- Overview of the Observation
- Japanese Malspam Delivering ValleyRAT
- Malware Delivery Techniques
- Other Types of Japanese Malspam
- Countermeasures
- Conclusion
- Appendix
Background
As part of our efforts to track various threats targeting Japan, we continuously monitor and analyze suspicious emails with Japanese subject lines and body text. Between December 2025 and March 2026, we observed multiple types of Japanese Malspam targeting several organizations in Japan. Unlike spear-phishing emails, which are highly tailored to specific organizations or individuals, Malspam typically uses content to trick a wide range of recipients into opening attachments or links without hesitation.
This article introduces the Japanese Malspam trends observed during this period, with a particular focus on campaigns delivering ValleyRAT (also known as Winos 4.0), a malware family that continues to demonstrate various evolving techniques. We hope these insights will help Japanese organizations reinforce their cybersecurity defenses.
Overview of the Observation
The Japanese Malspam we observed included the following lures:
- Spoofed Microsoft Teams notification
- Spoofed successful bid notification
- Spoofed tax-related content
- Spoofed company executives’ messages
Among the Malspam we observed, over half of the cases were related to ValleyRAT. In the next section, we will focus on Malspam associated with ValleyRAT and share some representative examples.
Japanese Malspam Delivering ValleyRAT
During our observation period, Malspam campaigns delivering ValleyRAT frequently rotated their email lures and delivery mechanisms to evade detection.
While many threat actors tend to rely on established methods once adopted, emails associated with ValleyRAT stand out for varying not only their email lures, but also the underlying infrastructure such as the malicious links and overall delivery mechanisms.
Broadly speaking, ValleyRAT delivery methods can be classified into three types.
- Type 1: Link-Based Malspam (Abuse of Legitimate Websites)
- Type 2: Link-Based Malspam (Use of Malicious Websites)
- Type 3: Attachment-Based Malspam
Type 1: Link-Based Malspam (Abuse of Legitimate Websites)
Type 1 involves ValleyRAT being hosted on legitimate websites used by the attacker. We found four legitimate websites related to this campaign.
Abusing github[.]com
GitHub is an online platform for hosting and managing source code. The actors use the service to host malware; recipients are redirected to it when they click “書類をダウンロードする” (translation: download document) in the email body shown in Figure 1.

This email impersonates the National Tax Agency's electronic filing and payment system and prompts recipients to download “2025年分の税務署類 (確定申告書類)” (translation: Tax document for 2025 (final tax return document)).
Abusing myqcloud[.]com
myqcloud[.]com is an official domain of Tencent Cloud, a cloud storage service, and it is likewise abused by attackers. Several relevant emails were observed, as follows.

The first example email, impersonating a company representative, encourages the recipient to download and review the data report at the provided link as an urgent notice for internal coordination purposes.

The second email also pretends to be from a company representative, but it prompts recipients to download “解雇通知書” (translation: Notice of Dismissal, correctly read as “kaiko tsuuchisho”), which is accompanied by the incorrect reading “かいことうちしょ” (“kaiko touchisho”).

The third email is very similar to the one above. It urges recipients to download a file to confirm “details regarding our business planning.”
Abusing gofile[.]io
Gofile is an online storage service.

The first example email abusing Gofile falsely claims to be from the Human Resources Department. It states that the recipient's excellent job performance and contributions have led to a salary revision and asks the recipient to review the details in the file linked in the message.

The second email impersonates the National Tax Agency and announces a refund of individual resident tax. The refund procedure is described in the email body, instructing recipients to fill in the necessary information in the file available at the provided link.
Abusing limewire[.]com
LimeWire is a file-sharing platform, abused in the same way as the services mentioned above.

The first email abusing LimeWire poses as a company and urges recipients to confirm an invoice via the provided URL.

The second email pretends to be from a company representative. It includes a URL in the body, urging the recipient to confirm the details of a business plan.
Type 2: Link-Based Malspam (Use of Malicious Websites)
Type 2 features ValleyRAT being hosted on a malicious website, which prompts recipients to download it by posing as an organization or company representative.
yyqxjp[.]vip

The email in Figure 9 claims to be from the National Tax Agency and concerns a prior notice of a tax audit based on the National Tax General Rules Act. The email content includes the details of this audit and instructs the recipient to download preparation materials by clicking “調査関係資料(PDF)ダウンロード” (translation: Download investigation-related document (PDF)), which redirects users to a website posing as the Japanese government.
freerockstargames[.]in

The email in Figure 10 is a dismissal notification sent by spoofed company representatives, prompting recipients to check the details from the URL, which leads to the download of a malicious file. The “解雇通知書” (translation: Notice of Dismissal) written in the message is accompanied by the incorrect reading “かいことうちしょ” (“kaiko touchisho”).
twitchtvgame[.]in

The email in Figure 11, posing as a company representative, informs the recipient of the payment of individual performance bonuses and urges them to access the URL and download a file for more information.
xjvbn[.]com

This email contains the same content as the previous one. However, unlike the previous example, it is sent from a spoofed human resources department.
Type 3: Attachment-Based Malspam
Type 3 uses email attachments that appear to be legitimate documents to deliver ValleyRAT to recipients.

The email shown above, sent from a spoofed customer service department, urges recipients to open and confirm the attached "電子請求書発行のお知らせ" (translation: Notice of Electronic Invoice Issuance).
Objectives Behind the Use of Different Email Types
Each of the three delivery methods described above appears to serve a specific strategic purpose for the attackers.
Since the Type 1 delivery method uses legitimate domains, attackers use it to bypass web filtering and to make it harder for recipients to recognize the links as malicious.
Unlike Type 1, the Type 2 delivery method uses a malicious website prepared by the attacker for the Malspam campaign. The domains used in this method are newly registered and often have little or no reputation. Attackers therefore use this method to target environments that restrict access to legitimate storage services such as those discussed above.
In the Type 3 delivery method, malware disguised as a legitimate document is attached directly to the email. This reduces the number of steps required for the user to open the file. Therefore, attackers use this method to increase the likelihood that users will inadvertently execute the malware without realizing its malicious nature.
While the objectives of these three methods vary, the emails showed consistent X-Mailer values, suggesting that the sender's mail clients or environments are highly similar.
The observed X-Mailer values included the following:
- Supmailer, in the versions
  - 46.0.0
  - 46.0.3
  - 47.0.0
- Two random strings followed by a number
  - Example: Qywri Tojqirsy 1.0
Additionally, analysis of the “Env-From” field revealed that while some emails impersonated company representatives by name, the sender addresses themselves were not spoofed. Nearly all used free email addresses such as the following:
- hotmail[.]com
- gmail[.]com
- outlook[.]com
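As an added example (not code from the original post), the following Python checks a raw message against the header traits listed above: an X-Mailer of Supmailer in one of the observed versions or matching the two-random-strings pattern, a free-mail envelope sender, and a Japanese subject. The sample messages are constructed, and reading the envelope sender from Return-Path (falling back to From) is an assumption, since the Env-From field itself is not part of the message headers.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Traits reported above for the ValleyRAT Malspam.
SUPMAILER_VERSIONS = {"46.0.0", "46.0.3", "47.0.0"}
# "Two random strings followed by a number", e.g. "Qywri Tojqirsy 1.0".
RANDOM_MAILER_RE = re.compile(r"^[A-Za-z]+ [A-Za-z]+ \d+(?:\.\d+)*$")
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com"}
# Hiragana, katakana and CJK ideographs: enough to recognise a Japanese subject.
JAPANESE_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")

def xmailer_is_suspicious(value):
    """True for 'Supmailer <observed version>' or '<word> <word> <number>'."""
    value = (value or "").strip()
    parts = value.split()
    if len(parts) == 2 and parts[0].lower() == "supmailer":
        return parts[1] in SUPMAILER_VERSIONS
    return bool(RANDOM_MAILER_RE.match(value))

def envelope_domain(msg):
    """Assumption: Return-Path stands in for Env-From; fall back to From."""
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def malspam_signals(raw):
    """Return the list of traits a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    signals = []
    if xmailer_is_suspicious(msg.get("X-Mailer")):
        signals.append("x-mailer")
    if envelope_domain(msg) in FREE_MAIL_DOMAINS:
        signals.append("free-mail-sender")
    if JAPANESE_RE.search(subject):
        signals.append("japanese-subject")
    return signals

def is_likely_valleyrat_malspam(raw):
    """The X-Mailer trait must be present and backed by at least one other."""
    signals = malspam_signals(raw)
    return "x-mailer" in signals and len(signals) >= 2

# Constructed sample messages (not captured mail) for demonstration.
SAMPLE_MALSPAM = (
    "Return-Path: <sender@hotmail.com>\nFrom: [Executive's Name] <sender@hotmail.com>\n"
    "Subject: 解雇通知書(かいことうちしょ)\nX-Mailer: Qywri Tojqirsy 1.0\n\nbody\n"
)
SAMPLE_BENIGN = (
    "Return-Path: <it@example.co.jp>\nFrom: IT <it@example.co.jp>\n"
    "Subject: Weekly maintenance window\nX-Mailer: Microsoft Outlook 16.0\n\nbody\n"
)
```

Note that the two-random-strings pattern alone also matches ordinary clients such as "Microsoft Outlook 16.0", which is why the X-Mailer trait is only treated as an indicator when the sender domain or subject corroborates it.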
From our current findings, we cannot definitively determine whether these similarities and variations in delivery methods suggest separate attacker groups or a common platform.
Malware Delivery Techniques
Some of the observed Malspam used various techniques, which are detailed below.
Multi-Stage Redirects
In some cases, links embedded in the email body trigger a distinctive redirection flow. Specifically, the destination URL is encoded in the URL path, and when the site is accessed, the encoded string is decoded and used to redirect the user.
Here is an example of a URL which was embedded in the actual Malspam we received.
hxxps://kzg2b[.]com/mLzE0MDEyOS9kMjIzNjExZWVhOT/fAwZGJlNzIxMS8xNT/ng2Ni9kbXRyYWNrOmh0dHBz/eJTNBJTJGJTJGcX/fIucGFwcy5qcCUyRmpaQlZM[.]html
Accessing this URL initiates the following redirection chain, ultimately leading to the download of ValleyRAT.
- [1] kzg2b[.]com
- [2] qr[.]paps[.]jp
- [3] nta-go[.]work
- [4] megaiptv[.]net (downloads ValleyRAT)
Among the websites in the redirection sequence, qr.paps[.]jp is the only legitimate one (a URL shortening and QR code generation service), while the other URLs point to malicious websites.
The process below reconstructs the encoded destination URL (qr.paps[.]jp) embedded in the initial URL:
- [1] Retrieve the URL path string.
- [2] Split the string using “/” as the delimiter, remove the first character of each segment, and concatenate the remaining characters.
- [3] Replace the first occurrence of “-” with “+” and the first occurrence of “_” with “/”.
- [4] If the resulting string length is not a multiple of 4, add “=” padding.
- [5] Base64-decode the string.
- [6] Extract the portion beginning with dmtrack: as the destination URL and redirect the user to it.
- [7] If the process fails, redirect the user to hxxp://www[.]cy-email[.]com.
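As an added example (not code from the original post or from the redirector itself), here is a Python reimplementation of the seven steps above, run against the URL quoted earlier. Two details the step list leaves implicit are treated as assumptions: the trailing ".html" is stripped before decoding, and the extracted destination is percent-decoded because it is stored URL-encoded.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

MARKER = "dmtrack:"
# Step [7] fallback, shown defanged on the page as hxxp://www[.]cy-email[.]com.
FALLBACK_URL = "http://www.cy-email.com"

def decode_redirect_path(path):
    """Reconstruct the target hidden in a kzg2b[.]com-style URL path (steps 1-7).

    Assumptions not spelled out in the step list: the trailing ".html" is
    dropped before decoding, and the extracted target is percent-decoded
    because it is stored URL-encoded (https%3A%2F%2F...).
    """
    try:
        # [1] Take the path string, minus the ".html" extension.
        segments = path.strip("/")
        if segments.endswith(".html"):
            segments = segments[: -len(".html")]
        # [2] Split on "/", drop the first (junk) character of each segment, rejoin.
        joined = "".join(seg[1:] for seg in segments.split("/"))
        # [3] Only the first "-" and the first "_" are turned back into "+" and "/".
        joined = joined.replace("-", "+", 1).replace("_", "/", 1)
        # [4] Pad with "=" up to a multiple of four characters.
        joined += "=" * (-len(joined) % 4)
        # [5] Base64-decode; validate=True makes stray characters raise.
        decoded = base64.b64decode(joined, validate=True).decode("utf-8")
        # [6] The destination is whatever follows the "dmtrack:" marker.
        pos = decoded.find(MARKER)
        if pos == -1:
            raise ValueError("dmtrack marker missing")
        target = unquote(decoded[pos + len(MARKER):])
        if not target.startswith(("http://", "https://")):
            raise ValueError("decoded target is not an http(s) URL")
        return target
    except (binascii.Error, UnicodeDecodeError, ValueError):
        # [7] Any failure sends the visitor to the fallback site instead.
        return FALLBACK_URL

def decode_redirect_url(url):
    """Accept the full (refanged) URL and decode its path component."""
    return decode_redirect_path(urlsplit(url).path)

# The URL quoted above, refanged for parsing (hxxps -> https, [.] -> .).
SAMPLE_URL = (
    "https://kzg2b.com/mLzE0MDEyOS9kMjIzNjExZWVhOT/fAwZGJlNzIxMS8xNT/"
    "ng2Ni9kbXRyYWNrOmh0dHBz/eJTNBJTJGJTJGcX/fIucGFwcy5qcCUyRmpaQlZM.html"
)

if __name__ == "__main__":
    print(decode_redirect_url(SAMPLE_URL))  # https://qr.paps.jp/jZBVL
```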


The figure below shows the result of retrieving the HTTP status of qr.paps[.]jp/jZBVL. It indicates that this URL is configured to redirect to the next destination nta-go[.]work.

This multi-stage redirection chain is likely intended to evade detection mechanisms such as email sandboxing and URL analysis.
ValleyRAT primarily consists of .exe and .dll components, but these are rarely distributed directly. Instead, they are typically delivered within other file formats, such as archive or disk image files.
- Executable file
  - .exe
  - .dll
  - .msi
- Archive file
  - .zip
  - .rar
- Disk image file
  - .iso
  - .img
While archive and disk image files are standard formats for storing and distributing data, they are often abused to conceal executable files and evade detection, making users more likely to open and run them without suspicion.
Masquerading as a Legitimate Procedure
Many of the Malspam were related to taxes, and some impersonated the National Tax Agency. In these cases, not only the email body but also the redirection destinations and their web content were designed to appear legitimate.

The figure above shows a spoofed National Tax Agency Corporate Number Publication website hosted on ntagoji[.]com, which reuses the source code of the legitimate website, houjin-bangou.nta.go[.]jp. When a user visits this fake website, a pop-up window appears, prompting the user to download a file to confirm "きぎょうだいいちしはんき税制上の優遇措置" (translation: First-Quarter Tax Incentives for Companies). Clicking the download button on the left initiates the download of malware, while clicking the cancel button on the right redirects the user to the legitimate National Tax Agency website. This redirection behavior is likely intended to make the site appear more legitimate and reduce user suspicion.
Other Types of Japanese Malspam
In addition to the Malspam mentioned in previous sections, we observed several other samples that are unrelated to ValleyRAT and have different characteristics. The example shown below has a unique email body and pretends to be a successful bid notification from the Cabinet Office.

In this email, numerous blank lines are inserted immediately after the Japanese body text, followed by unrelated German and English text at the bottom. This structure is likely an evasion technique employed by the attacker, who appears to understand spam filter behavior well and aims to exploit detection logic such as Bayesian filtering.
Countermeasures
Many of the Japanese Malspam that we observed bypassed standard spam filtering rules.
It is difficult to create filtering rules that completely block these emails. Organizations should therefore alert users to the possibility of receiving such emails and encourage them to exercise caution. In addition, they should obtain information on malware sources and communication destinations and block access to legitimate websites that are not required for business operations.
Furthermore, because disk image files, such as those discussed in the “Malware Delivery Techniques” section, can be mounted natively in Windows 10 and later, disabling their default file associations is an effective measure if they are not required for business purposes. This is also an effective countermeasure against other types of malware emails.
Additionally, since ValleyRAT uses a proprietary protocol for socket-based communication on specific ports (such as 1234, 6666, and 8888), blocking and monitoring these ports is also an effective countermeasure.
Conclusion
In this article, we introduced Japanese Malspam that we observed from December 2025 to March 2026. Although we identified certain trends and differences in the Malspam we received, this was not sufficient to definitively determine the attackers’ attributes or platforms.
As a blue team, we regularly monitor and analyze Japanese Malspam to catch early signs of new threats—such as Emotet, which caused significant damage in Japan—as early as possible. By steadily strengthening our countermeasures, we aim to respond quickly and keep risks to a minimum whenever new threats appear.
The information presented here represents only part of our findings, but we hope it will help organizations assess their current situation and consider appropriate countermeasures.
Appendix
| Subject | File | SHA256 |
|---|---|---|
| メッセージ概要: ボイスメールと未読メッセージがあります—詳細はTeamsでご確認ください—#REF-[Alphanumeric] | MicrosoftTeamsBusinessDC_2025.004.41033_Stable20671.exe | d79da8d1a65c6d93a08be02c8d347164129536c4398c9e07d92173de85e2a3e5 |
| Re:内閣府落札通知 | sdyrt.vbs | ea2385703e20bd38ba66cc9114951066f82e7693429e1f0c2be6c4e3ccd25749 |
| Re:内閣府落札通知 | Modere.exe | b4538b454d1f1569fc670149e3b364f51415ef65449cd1363a5464b292d83215 |
| 税務書類のご確認のお願い | 税務調査表.zip | 292f4f0397292510e7817f328b8fc69d8aa5e1f5dff00ca176961efed5942ed9 |
| 税務書類のご確認のお願い | 税務調査表.exe | f28937dfad91851338210021a0a015ddc1cd16c053115444e8c07ef4a6a31ff6 |
| 税務調査事前通知書 | 査察の詳細です.zip | 3f79fe91e67c5477b450e82cf51d21af15dbb96c5d663912647c8f3de147e0cd |
| 税務調査事前通知書 | 査察の詳細です.exe | 00e0e5821096b5bd36bbc2f4c872ed859fb99fdd95a7b4a65eade26fd2aa2022 |
| 税務調査事前通知書 | fusion.dll | 8597faea1e71e44803b503913e399006626b9f70b54815f20b779b39befa592b |
| | データレポート.rar | 459e1dc3d09eb800e6367dc7833f38f7adbb9510ea70fa490a76d9b64bd1d9f6 |
| | データレポート.exe | facf78d474b66ed821288db41fa6ad8a7b6f30650eb12127cb3e9a3cc6146116 |
| [Organization Name] | 解雇通知書(かいことうちしょ).zip | 4a1b74163098cb85dd91c7eea3d4133005664076529ec26138fce15c322bf926 |
| [Organization Name] | 解雇通知書(かいことうちしょ).exe | 6243e3e29e2178361437e59cca8c1f19d9ecf25b44ea31f7b2159871c317572a |
| [Organization Name]【人事異動・給与改定について】 | 【人事異動・給与改定について】.rar | b97e05b3367614b444893995ecda3ae5f64d8c9bdc5c375c493f12b26b5335d1 |
| [Organization Name]【人事異動・給与改定について】 | 【人事異動・給与改定について】.exe | facf78d474b66ed821288db41fa6ad8a7b6f30650eb12127cb3e9a3cc6146116 |
| [Organization Name]【人事異動・給与改定について】 | vulkan-1.dll | 204c9a0c12c06a129894aeec66f746185e81a5e8f5f5171d5ac462c998332cf5 |
| [Organization Name] | 解雇通知書かいことうちしょ.zip | 167657b8ca40097ba64145ad37603a6dc32591e72204993b05396d6aabe46f7f |
| [Organization Name] | クリックして閲覧.exe | 7b7eea76cb5309e373089984f77d914d7c5026e0019821c9ef5858c2a2ebafcb |
| [Organization Name]【人事異動のお知らせ】 | 【人事異動・給与改定について】.zip | 4bbb0a2ffafe6043860e41c12ba1c0e1dd9f1486cc6f1487d7053043233f8a72 |
| [Organization Name]【人事異動のお知らせ】 | 【人事異動・給与改定について】.exe | cdcb7126e18b31023afb3c3d42e48bd9bb108cad4f87490be317a3e40e70b736 |
| [Organization Name]【人事異動のお知らせ】 | sqlite3.dll | 6b51a17dca3211a3d72e7534977db4bb57c97940a22e8fa7e609a2350ca3c5b0 |
| [Organization Name]【人事異動のお知らせ】 | 【人事異動・給与改定について】.rar | de7aa97b5aff8cba74399b046e17e6aba7ee8ecc0e8aa4cf69ff61e036b85d59 |
| [Organization Name]【人事異動のお知らせ】 | 【人事異動・給与改定について】.exe | cdcb7126e18b31023afb3c3d42e48bd9bb108cad4f87490be317a3e40e70b736 |
| [Organization Name] 東京本社 | 請求書.zip | 3953debad2f0ee2eed1051297e6338de55dd664e6a49ceb3e37ec12391a0f0d1 |
| [Organization Name] 東京本社 | 請求書.zip | 56d3315bb14f4218fb19710dc9b88fec8da96c89e97de2d486dbb692e3b23241 |
| [Organization Name] 東京本社 | 請求書.exe | facf78d474b66ed821288db41fa6ad8a7b6f30650eb12127cb3e9a3cc6146116 |
| [Organization Name] 東京本社 | vulkan-1.dll | 204c9a0c12c06a129894aeec66f746185e81a5e8f5f5171d5ac462c998332cf5 |
| [Organization Name] 東京本社 | vulkan-1.dll | 65075f43d54ec33b0b2be5ce90b2b0baca140db6c9ba25e49d2ecf35d9af79d7 |
| [Executive’s Name][Organization Name] | 給与補助(きゅうよほじょ).zip | a14b222f2a78a453c96d8bafbec5986fedef379d72eccf998a298ac158aa1edb |
| [Executive’s Name][Organization Name] | クリックして閲覧.exe | d19d7ed601a19e2258060d66db845962df40d613eb5d9ee861df7c518bcc4983 |
| 電子請求書発行のお知らせ | setup.exe | 12862325902b7cea4aa28d15582fb2c62b57de3a53760f9abed655b089a4d76a |
| [Executive’s Name][Organization Name] | 給与補助(きゅうよほじょ).rar | 53615a73ed6f8cceceeec3944c788dee2a1818a7c572ece84efe7a1c49ba14c2 |
| [Executive’s Name][Organization Name] | クリックして閲覧.exe | facf78d474b66ed821288db41fa6ad8a7b6f30650eb12127cb3e9a3cc6146116 |
| [Executive’s Name][Organization Name] | vulkan-1.dll | 3c276b1cf7be42d1ea3cb64a7d54f36fc3c249d0b8ceeae1ea02b65c08adb392 |
| 【e-Tax】個人住民税還付のお知らせ(クレジットカード返金) | e-tax.zip | a9f19f4e02fe863fccd46d0be1ee73a4f17ffbc4126a8ba9bc63d6acf4ba68c9 |
| 【e-Tax】個人住民税還付のお知らせ(クレジットカード返金) | (国税電子申告・納税システム).exe | 0a1fd68a1fbab226ed926977f89df6621713aac36da7ee076a30db99d8be4c5c |
| 【e-Tax】個人住民税還付のお知らせ(クレジットカード返金) | Secur32.dll | c98ae9a9f437ac322a231da751ee94b0ce5d6d199330cdd6a31c324747d2760f |
| [Executive’s Name] | データレポート.rar | 459e1dc3d09eb800e6367dc7833f38f7adbb9510ea70fa490a76d9b64bd1d9f6 |
| [Executive’s Name] | データレポート.exe | facf78d474b66ed821288db41fa6ad8a7b6f30650eb12127cb3e9a3cc6146116 |
| [Executive’s Name] | vulkan-1.dll | fa22e94a98d19959c82580dc1cafcfc6ec762ed57dea9f48e3b7d0f9279a8cce |
| 【重要通知】賞与に関する新着情報があります | 解凍してご確認ください.zip | f543dcf4f178e464c7b4dc24b463272417d8ada2a7d3a832e177f37e64f10cbd |
| 【重要通知】賞与に関する新着情報があります | [String] - 20260327003703.exe | 02698279d30b2d95f571ba613c80980a84574f3b334eafe0c8d2c0839be90e89 |
| 【重要通知】賞与に関する新着情報があります | libcef.dll | 07ead27a736604b28876f4a0c940279983bd7076c2e1fed4039c4f0a81f3e0d5 |