Targeted Cyberattacks on Japanese Firms Leveraging Ivanti and Fortinet VPN Vulnerabilities

Japanese organizations experienced a significant escalation in sophisticated cyber-espionage campaigns throughout fiscal year 2024, according to the latest analysis by Macnica’s Security Research Center.

The comprehensive report, covering incidents observed from April 2024 to March 2025, reveals a sharp increase in targeted attacks orchestrated by North Korean threat groups, using advanced malware and exploiting critical vulnerabilities in VPN solutions such as Ivanti and Fortinet, with the broader objective of stealing sensitive corporate and personal data.

APT Activity Intensifies

The analysis highlights a noteworthy surge in North Korean advanced persistent threat (APT) activity targeting Japanese firms, especially those in the technology and financial sectors.

In particular, threat actors deployed malware families including BeaverTail and InvisibleFerret against software developers, leveraging their privileged access to broader organizational networks.

The campaigns were designed to exfiltrate confidential intellectual property, policy documents, and proprietary manufacturing data.

Figure: Timeline of observed attack group activity

Additionally, the report notes a continuation of attacks using the RokRAT backdoor, which facilitates the covert transfer of stolen information to legitimate cloud storage providers, making detection even more challenging.

Attacks targeting the financial sector were not limited to espionage alone. The report cites historical incidents involving the SWIFT international remittance systems at financial institutions, referencing a major operation around 2016, and highlights a recent uptick in incursions aimed at cryptocurrency-related developers.

These attacks often focus on compromising wallet infrastructure and exchange access, enabling attackers to siphon off digital assets directly and discreetly.

In addition, new waves of spear phishing and social engineering were observed as primary initial access vectors.

While attacks via phishing emails remain prominent, there is a growing trend toward using professional platforms such as LinkedIn for delivering malicious payloads and luring targets into compromise.

For the second consecutive year, Macnica identified multiple cases of malware infections spread via USB drives, often involving the PlugX malware, attributed to the TELEBOYi APT group and the Mustang Panda actor, who employ USB propagation to move laterally within air-gapped networks.

Another technical innovation identified this year was the use of WinDivert, a packet capture and injection tool, to subvert endpoint security mechanisms.

Attackers utilized WinDivert to disrupt communications between compromised endpoints and security servers, significantly delaying detection and incident response.
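The report does not describe how the WinDivert abuse was spotted, so the following is an added example written for this article, not code from Macnica or the report. It shows one defender-side correlation: a driver-load event (Sysmon Event ID 6 style) for a WinDivert-named driver or a driver loaded from outside the standard driver directory, followed by the endpoint agent going silent toward its security server. The log format, host names, paths and timestamps are constructed for the demo and are assumptions, not observed data.

```python
"""Correlate suspicious driver loads with endpoint-agent heartbeat silence.

Added example for the WinDivert tactic described above. The log formats
below are constructed for this demo (key=value lines), not a real product format.
"""
import re
from datetime import datetime, timedelta

# Constructed driver-load events, modelled loosely on Sysmon Event ID 6.
# Paths contain no spaces, so whitespace splitting is safe here (assumption).
DRIVER_EVENTS = """\
2025-02-10T09:12:01Z host=JP-WS-17 event_id=6 image=C:\\Windows\\System32\\drivers\\ndis.sys
2025-02-10T09:15:44Z host=JP-WS-17 event_id=6 image=C:\\Users\\Public\\net\\WinDivert64.sys
2025-02-10T09:20:03Z host=JP-WS-22 event_id=6 image=C:\\Windows\\System32\\drivers\\tcpip.sys
2025-02-10T09:31:10Z host=JP-WS-22 event_id=6 image=C:\\ProgramData\\tmp\\filter.sys
"""

# Constructed agent check-ins as recorded by the security server.
HEARTBEATS = """\
2025-02-10T09:10:00Z host=JP-WS-17
2025-02-10T09:15:00Z host=JP-WS-17
2025-02-10T09:10:00Z host=JP-WS-22
2025-02-10T09:15:00Z host=JP-WS-22
2025-02-10T09:20:00Z host=JP-WS-22
2025-02-10T09:25:00Z host=JP-WS-22
2025-02-10T09:30:00Z host=JP-WS-22
2025-02-10T09:35:00Z host=JP-WS-22
2025-02-10T09:40:00Z host=JP-WS-22
"""

KNOWN_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
SUSPICIOUS_NAME = re.compile(r"windivert", re.IGNORECASE)
LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def suspicious_driver_loads(events):
    """Driver loads that are WinDivert-named or come from a non-standard path."""
    hits = []
    for e in events:
        if e.get("event_id") != "6":
            continue
        image = e["image"]
        if SUSPICIOUS_NAME.search(image):
            reason = "windivert-named driver"
        elif not image.lower().startswith(KNOWN_DRIVER_DIRS):
            reason = "driver loaded from non-standard path"
        else:
            continue
        hits.append({"host": e["host"], "ts": e["ts"], "image": image, "reason": reason})
    return hits


def heartbeat_gaps(beats, now, max_silence=timedelta(minutes=10)):
    """Map host -> last check-in for hosts silent longer than max_silence at `now`."""
    last = {}
    for b in beats:
        last[b["host"]] = max(last.get(b["host"], b["ts"]), b["ts"])
    return {h: t for h, t in last.items() if now - t > max_silence}


def correlate(driver_text, beat_text, now, slack=timedelta(minutes=1)):
    """Alert on hosts whose agent stopped checking in around a suspicious driver load."""
    loads = suspicious_driver_loads(parse(driver_text))
    silent = heartbeat_gaps(parse(beat_text), now)
    alerts = []
    for hit in loads:
        last_seen = silent.get(hit["host"])
        # Silence that began at or just after the load is the interesting pattern.
        if last_seen is not None and last_seen <= hit["ts"] + slack:
            alerts.append({**hit, "last_heartbeat": last_seen})
    return alerts


if __name__ == "__main__":
    now = datetime(2025, 2, 10, 9, 45)
    for a in correlate(DRIVER_EVENTS, HEARTBEATS, now):
        print(f"{a['host']}: {a['reason']} ({a['image']}), agent last seen {a['last_heartbeat']}")
```

With the constructed data, JP-WS-17 loads a WinDivert-named driver from a user-writable directory and its agent never checks in again, so it is alerted; JP-WS-22 loads a driver from an unusual path but keeps reporting, so it appears only in the suspicious-load list, which an analyst would still review. Renamed drivers defeat the name check, which is why the path check and the heartbeat correlation carry the weight.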

In several cases, attackers were able to maintain undetected persistence during the system and network reconnaissance phase of so-called “Living off the Land” (LotL) attacks at overseas manufacturing sites, exploiting VPN device vulnerabilities primarily in Ivanti and Fortinet products to infiltrate critical environments.

Zero-Day Exploits

The vulnerability landscape continued to be a focal point of threat actor activity. In early 2025, Macnica analysts reported zero-day attacks hitting Ivanti VPN devices, echoing a similar wave from the previous year.

The fiscal year concluded with a spike in spear phishing campaigns, including the distribution of the MirrorFace malware (via ANEL), signaling sustained interest in stealthy, multi-stage intrusions.

Notably, several infections were detected where the initial intrusion vector remained unclear, underscoring the increasing complexity of modern, multifaceted attacks.

Across targeted organizations, manufacturing, technology, and financial services remained the most frequently targeted sectors, consistent with attack pattern distribution observed in prior years.

While USB-based attacks and email spear phishing dominated, the blending of old and new tactics, including novel social engineering via professional networks and the exploitation of remote access infrastructure, signals a maturing adversary ecosystem leveraging diverse and evolving attack pathways.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
