{
	"id": "71ec4e72-0f26-4feb-be47-35c0d438b6a3",
	"created_at": "2026-04-06T00:10:31.436993Z",
	"updated_at": "2026-04-10T03:37:26.65118Z",
	"deleted_at": null,
	"sha1_hash": "60cfc71512bb5626fc79ab389a6fc3ffcfe467bb",
	"title": "URLZone top malware in Japan, while Emotet and LINE Phishing round out the landscape | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1275663,
	"plain_text": "URLZone top malware in Japan, while Emotet and LINE Phishing\r\nround out the landscape | Proofpoint US\r\nBy Proofpoint Threat Insight Team, June 19, 2019\r\nPublished: 2019-06-19 · Archived: 2026-04-05 17:28:31 UTC\r\nOverview\r\nIn many ways, the threat landscape in Japan resembles global trends, with the regionalization and widespread\r\ndistribution of Emotet, and the steady increase in campaigns that utilize sophisticated social engineering\r\ntechniques. However, while Emotet dominated malicious message volumes in many regions worldwide,\r\nURLZone, which primarily appears in Japan, remains the top email threat by volume in the region.\r\nURLZone is currently loading the Ursnif banking Trojan configured with web injects for Japanese banks, making\r\nUrsnif a top payload in Japan as well. In the past, we have observed the long-running URLZone banker [1]\r\nloading Vawtrak and other banking Trojans and continue to monitor the distribution of both URLZone and Emotet\r\nas the latter further cements its dominance in the global landscape. It is worth noting that, while Emotet appears to\r\nbe in something of a hiatus since the end of May, URLZone/Ursnif campaigns have continued, paralleling Ursnif\r\nactivity in other geographies.\r\nCampaigns\r\nSince the beginning of 2019, numerous threat actors tracked by Proofpoint researchers conducted dozens of high-volume campaigns involving hundreds of thousands of messages that specifically geo-targeted Japan. These\r\ncampaigns affected thousands of Japanese organizations, delivering banking Trojans, phishing attacks, impostor\r\nattacks, and spam at scale.\r\nIn particular, these campaigns included emails delivering the URLZone banking Trojan and engaging in LINE\r\ncredential phishing. Many of these threats target Japan specifically; however, the region is also frequently\r\nincluded in global or multinational campaigns. 
These campaigns are typically sent by financially motivated\r\ncybercriminals.\r\nBelow is a brief overview of the malware payloads we frequently observe in campaigns affecting Japanese\r\norganizations.\r\nURLZone and Ursnif\r\nURLZone, also known as Bebloh or Shiotob, is a banking Trojan that first appeared in 2009. This is a well-established banker that we continue to observe regularly in Japanese geo-targeted campaigns a decade after its\r\nintroduction. However, at this point, it appears that a single, high-volume actor remains the only distributor of\r\nURLZone.\r\nhttps://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0\r\nPage 1 of 11\n\nProofpoint researchers have observed email messages containing malicious Microsoft Excel documents with\r\nmacros that, when enabled, install URLZone (Figure 1). In these campaigns, URLZone appears to be used as an\r\ninitial payload, which then installs Ursnif.\r\nFigure 1: Example Microsoft Excel spreadsheet emailed to a Japanese recipient containing macros that, once\r\nenabled, install URLZone\r\nMany of these campaigns reference invoices or payments. One recent campaign appeared to come from multiple\r\nrandom sending addresses with subjects such as:\r\n\"FW: 請求書を送信致します。\" (\"We will send you an invoice\")\r\n\"Re: 請求書の送付\" (\"Send invoice\")\r\n\"Re: 請求書送付のお願い\" (\"Request for billing\")\r\n\"契約書雛形のご送付\" (\"Sending the contract form\")\r\n\"ご案内[お支払い期限:06月18日]\" (\"Information [Payment Deadline: Jun. 18]\")\r\n\"請求書の件です。\" (\"Invoice\")\r\n\"請求書送付\" (\"Invoicing\")\r\nFigure 2 shows an example email from this campaign.\r\nFigure 2: Sample email delivering URLZone/Ursnif on June 17, 2019\r\nMost of these campaigns appear to originate with a single actor who operates primarily in Japan and Italy. 
The\r\nactor frequently employs steganography [2] - embedding malicious code in the “least significant bits” of color\r\ndata in image files - as part of their geo-targeting. The macros also use multiple layers of obfuscation and various\r\nlocale and language checks to ensure the victim machine is in Japan before downloading and decoding the initial\r\npayload. Examples of recent language and locale checks include:\r\nExcel: \"Application.International(xlCountrySetting)\" begins with \"8\" (international dialling code for\r\nJapan is 81)\r\nPowerShell error for non-existent command contains \"用語 \" (\"The term\" in Japanese)\r\nPowerShell cmdlet: 'Get-date' (needs to contain \"年\" - \"Year\" in Japanese)\r\nPowerShell cmdlet: 'Get-Culture.\"LCID\"' needs to contain \"04\" (Japanese LCID is \"1041\")\r\nOnce URLZone determines the host environment is suitable, URLZone downloads Ursnif, which begins stealing\r\ninformation and operating as a more “typical” banker. [3]\r\nProofpoint researchers have tracked Ursnif in Japan-focused campaigns since at least March 2017. While the actor\r\nwe refer to as TA544 is responsible for much of the recent Ursnif volume in Japan via initial URLZone infections,\r\nwe have observed other actors distributing Ursnif variants directly. At this point, Ursnif is the most common\r\ncommodity banker, both worldwide and in Japan.\r\nEmotet\r\nEmotet is a robust global botnet that loads third-party malware and its own modules used for spamming,\r\ncredential stealing, network spreading, and email harvesting.\r\nOn April 12, 15, and 16, an actor tracked by Proofpoint threat researchers as TA542 [4] launched high-volume\r\ncampaigns impacting Japan (among other countries) and targeting a wide range of industries. 
A large percentage\r\nof the messages in these campaigns were sent to organizations in Japan, which was noteworthy because Japan was\r\nnot one of the core geographies consistently targeted by Emotet. However, the actors behind Emotet are adept at\r\nlocalization and have been expanding their activities into new regions regularly. Since the end of May, Emotet\r\ncampaigns have largely paused; we will continue to monitor for new activity in Japan and elsewhere.\r\nFigure 3 shows a typical message with an attached malicious Microsoft Word document. These documents\r\ncontained macros that, when enabled, installed an instance of Emotet.\r\nFigure 3: Example email sent to a Japanese recipient with an attached document with macros that, once enabled,\r\ninstall Emotet\r\nTA505 and FlawedAmmyy\r\nIn February of 2019, Proofpoint researchers observed new Japan-focused campaigns from TA505 [5], a threat\r\nactor that recently has been focused on China, South Korea, Latin America, and the Middle East, distributing the\r\nFlawedAmmyy Remote Access Trojan (RAT) [6].\r\nFlawedAmmyy is based on the leaked source code for Version 3 of the Ammyy Admin remote desktop software, a\r\nshareware utility used for IT support purposes. As such, FlawedAmmyy contains the functionality of the leaked\r\nversion, including:\r\nRemote Desktop control\r\nFile system manager\r\nProxy support\r\nAudio Chat\r\nFlawedAmmyy is distributed via emails with document attachments. 
These attachments are either Microsoft Excel\r\n(.xls) or Word (.doc) attachments with macros that, if enabled, download FlawedAmmyy (Figure 4).\r\nFigure 4: FlawedAmmyy RAT being distributed using Microsoft Office attachments.\r\nWhile the volume of these campaigns was only in the thousands of messages, TA505 has been particularly\r\nfocused on Asia and the Middle East recently; it is noteworthy when this prolific actor begins targeting a new\r\nregion.\r\nHuman Centric Threats\r\nWhile a variety of emails distributing malware demonstrate examples of targeting and payloads unique to Japan,\r\ninternationally ubiquitous phishing attacks, business email compromise (BEC), and other forms of impostor\r\nattacks remain ongoing threats. In particular, we regularly observe:\r\nCredential Phishing\r\nThis is the most common type of phishing observed by Proofpoint researchers. These emails target a victim’s\r\nlogin credentials such as usernames and passwords for a range of sites and services. These campaigns are usually\r\nhigh-volume emails with linked or embedded spoofs of login pages for reputable entities including banks,\r\nuniversities, electronic signature services, and social media and file sharing platforms. Figure 5 shows an example\r\nof a phishing landing page targeting banking customers in Japan, attempting to steal a variety of personal data.\r\nFigure 5: Credential Phishing for a Japan Post Bank customer (Source:\r\nhttps://www.antiphishing.jp/news/alert/jpbank_japanpost_20190304.html)\r\nOne notable type of credential phishing we have observed targets users of the LINE service. 
LINE is one of the\r\nmost popular messaging apps in Japan, Thailand, and Taiwan, with approximately 165 million users across those\r\ncountries. LINE is similar to WhatsApp, Facebook Messenger, or WeChat in China and has roughly 78 million\r\nmonthly active users in Japan.\r\nProofpoint researchers have been observing email messages with LINE credential phishing links targeting\r\norganizations in Japan (Figure 6). For example, these messages used subjects such as \"[LINE]安全認証\" which\r\ntranslates to \"[LINE] Safety certification\".\r\nFigure 6: An example phishing lure on the LINE app in Japan. (Source: Cyamax.com)\r\nWhile this particular type of human factor compromise is fairly simple in its implementation - a standard\r\nphishing-type of attack which uses the stolen branding of a recognizable legitimate commercial entity - the\r\npervasiveness of LINE in Japan makes this type of phishing notable. Moreover, because many users repeat\r\ncredentials among services, stealing credentials from LINE can net threat actors credentials for many other apps\r\nand platforms.\r\nImpostor Threats\r\nImpostor threats include malicious emails with the intent of attempting to impersonate a person, commercial\r\nentity, or respected brand, such as a bank or an internet service provider. 
This type of impostor activity could be\r\nused for financial fraud, including business email compromise (BEC), in conjunction with other social\r\nengineering mechanisms to achieve the desired result, whether delivery of malware, credential phishing, or\r\nfurther network compromise.\r\nFigure 7: An example of a threat actor engaging in business email compromise (BEC) with a Japanese target.\r\nBEC is a known type of impostor activity relying on social engineering without any links or attachments leading to\r\nmalware or phishing kits. (Source: https://www.ipa.go.jp/security/announce/201808-bec.html)\r\nWhile BEC remains fairly rare in Japan compared with other nations, because the difficulty of the Japanese\r\nlanguage for non-native speakers makes effective lures hard to construct, this type of human factor-oriented\r\nattack is increasing in popularity worldwide.\r\nConclusion\r\nIn 2019, threats specific to Japanese organizations and business interests, whether abusing Japanese brands or geo-targeted malware and credential phishing campaigns, mean that defenders at companies within Japan must be\r\ncognizant of highly targeted attacks as well as broad-based international attacks.\r\nUrsnif and the Emotet botnet are the most prevalent malware threats affecting Japan, creating palpable risks for\r\norganizations and individuals by utilizing compelling lures and sophisticated social engineering mechanisms.\r\nWhile Japan-targeted threats are not new, URLZone in particular, with its unique application by a single prolific\r\nactor in the region, sets Japan apart from other geographies. 
The Japanese language also creates unique\r\nchallenges for non-native speakers in crafting effective social engineering approaches, but high volumes of Ursnif\r\nand Emotet suggest that financially motivated actors may have “cracked the code,” creating emerging risks for\r\ndefenders, organizations, and consumers in the region. As always, a combination of layered defenses and end user\r\neducation is critical to protecting data, intellectual property, and critical infrastructure in the face of increasing\r\nattacks targeting the region.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan\r\n[2] https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/\r\n[3] https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features\r\n[4] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service\r\n[5] https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter\r\n[6] https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat\r\nSource: https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0"
	],
	"report_names": [
		"urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434231,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60cfc71512bb5626fc79ab389a6fc3ffcfe467bb.pdf",
		"text": "https://archive.orkl.eu/60cfc71512bb5626fc79ab389a6fc3ffcfe467bb.txt",
		"img": "https://archive.orkl.eu/60cfc71512bb5626fc79ab389a6fc3ffcfe467bb.jpg"
	}
}