{
	"id": "7fab06b9-56e7-4698-b86e-68467e37bc97",
	"created_at": "2026-04-06T00:19:02.933604Z",
	"updated_at": "2026-04-10T03:30:11.97208Z",
	"deleted_at": null,
	"sha1_hash": "6a957d5d7bf952a6fc6ed9ff6b6d6370b4c85d2d",
	"title": "Emdivi and the Rise of Targeted Attacks in Japan - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 620229,
	"plain_text": "Emdivi and the Rise of Targeted Attacks in Japan - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2015-11-05 · Archived: 2026-04-05 23:12:01 UTC\r\nNovember 6, 2015\r\nReport\r\nYou may well have heard of the May cyber attack in Japan against the Japan Pension Service – a high-profile case seen in the first half of this year, in which 1.25 million cases of personal data were exposed. According to the Japan Pension Service, the leaked data included names and ID numbers, and in some cases dates of birth and home addresses.\r\nThe official reports(1) say that the massive leak was caused by attackers hacking Japan Pension Service staff computers through a malicious email attachment, which was disguised as a legitimate document but was in fact malware. According to various other sources, the malware used is said to be “Emdivi.” This classic ploy, the targeted attack, has been around for years; however, Japan has recently been experiencing a rise in this type of attack. According to the National Police Agency, the number of targeted email attacks it has recognized counts up to 492 cases in 2013, 1,723 in 2014 and 1,472 in the first half of 2015 alone.\r\nFigure 1: Number of Targeted Attacks Recognized by the National Police Agency\r\nSource: Cyberspace Threat Landscape in the first half of 2015\r\nhttps://www.npa.go.jp/kanbou/cybersecurity/H27_kami_jousei.pdf (Japanese only)\r\nNote: The title/figure have been translated by JPCERT/CC\r\nhttps://blogs.jpcert.or.jp/en/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html\r\nPage 1 of 6\r\nEmdivi is notoriously used in these targeted attacks, and what is distinct is that it specifically focuses on Japanese targets. The Japan Pension Service indeed drew nationwide attention, but Emdivi has victimized several other government and private organizations. This attack campaign, specifically targeting Japan, is also known as “CloudyOmega” (the name given by Symantec) or “Blue Termite” (the name given by Kaspersky).\r\nFollowing this trend, JPCERT/CC added a new “targeted attack” category to its Incident Handling Report (April – June 2015) to count the number of targeted attack incidents reported to JPCERT/CC.\r\nFigure 2: Category of Incidents Reported to JPCERT/CC (April – June 2015)\r\nSource: JPCERT/CC\r\nAlthough targeted attacks account for a mere 1.4% of incidents, their significance and impact have forced our Incident Response Group to devote as much as half of its resources to them, according to the Group’s Manager. During the quarter, JPCERT/CC notified 66 organizations of the possibility that they had been victimized by targeted attacks, of which 44 were related to Emdivi. Based on the reports received, JPCERT/CC investigated the malware and the attack infrastructure (C\u0026C servers, etc.), and also developed a tool for visualizing the relations between Indicators of Compromise (IOCs) for further analysis. The visualization is shown in Figure 3.\r\nFigure 3: Visualization of the Relation of IOCs\r\nSource: JPCERT/CC\r\nThis tool aims to sort out the various pieces of information relating to targeted attacks and to give an overall picture of what is going on. While various campaigns and attack groups have been observed by security-related organizations, the same campaign may have different names (as mentioned above), or different campaigns may use similar attack methods. This can cause confusion when you want to find out where a certain piece of indicator information was observed. This tool was developed to resolve that confusion. By registering the IOCs of the respective attack campaigns and incidents, together with the relations between those IOCs, it is designed to visualize the big picture of an attack.\r\nBased on these analyses, JPCERT/CC shares information with organizations that may become the next target, and notifies organizations that are presumed to have been victimized already. As Emdivi is also known for cleverly hiding itself, there is a high possibility that several organizations are still unaware of the situation even though they are already infected. JPCERT/CC will continue to make every effort to address such situations in cooperation with other relevant parties.\r\nIn the next blog posts, our Analysis Center will introduce technical knowledge on JPCERT/CC’s tools, developed to detect malware used in targeted attacks as well as to analyze Emdivi. See you again there!\r\n- Keishi Kubo and Shiori Kubo\r\nReference\r\n(1) Official Reports:\r\n“Report on Investigation Results” published by Japan Pension Service (Japanese only)\r\n“Investigation Results of the Cause related to Japan Pension Service’s Personal Data Leak Incident” published by NISC (National center of Incident readiness and Strategy for Cybersecurity) (Japanese only)\r\n“Verification Report – by the Verification Committee for Japan Pension Service’s Data Leak Incident through Unauthorized Access” published by the Ministry of Health, Labour and Welfare (Japanese only)\r\nNote: The titles of the reports have been translated by JPCERT/CC\r\nJPCERT/CC\r\nSource: https://blogs.jpcert.or.jp/en/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2015/11/emdivi-and-the-rise-of-targeted-attacks-in-japan.html"
	],
	"report_names": [
		"emdivi-and-the-rise-of-targeted-attacks-in-japan.html"
	],
	"threat_actors": [
		{
			"id": "c92de6de-9538-43e5-9190-9da092194884",
			"created_at": "2022-10-25T16:07:23.411024Z",
			"updated_at": "2026-04-10T02:00:04.587683Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Blue Termite",
				"Cloudy Omega"
			],
			"source_name": "ETDA:Blue Termite",
			"tools": [
				"Emdivi",
				"Newsripper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a957d5d7bf952a6fc6ed9ff6b6d6370b4c85d2d.pdf",
		"text": "https://archive.orkl.eu/6a957d5d7bf952a6fc6ed9ff6b6d6370b4c85d2d.txt",
		"img": "https://archive.orkl.eu/6a957d5d7bf952a6fc6ed9ff6b6d6370b4c85d2d.jpg"
	}
}