{ "id": "823f7ca6-1b85-4cd4-bf39-da5a2e190dcb", "created_at": "2026-04-06T00:06:59.552104Z", "updated_at": "2026-04-10T13:12:05.332595Z", "deleted_at": null, "sha1_hash": "97ca811c742442d300cb2be5beab022591e13210", "title": "Wiper malware targeting Japanese PCs discovered ahead of Tokyo Olympics opening", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 916538, "plain_text": "Wiper malware targeting Japanese PCs discovered ahead of Tokyo\r\nOlympics opening\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-13 · Archived: 2026-04-05 20:13:28 UTC\r\nA Japanese security firm said it discovered an Olympics-themed malware sample that contains functionality to\r\nwipe files on infected systems and appears to be targeted at Japanese PCs.\r\nThe wiper's discovery, on Wednesday, came two days ahead of the opening ceremony for the 2021 Tokyo\r\nOlympics, scheduled to take place this Friday.\r\nDiscovered and analyzed by Japanese security firm Mitsui Bussan Secure Directions (MBSD), the wiper doesn't\r\njust delete all of a computer's data, and instead searchers only for certain file types located in the user's personal\r\nWindows folder, located at \"C:/Users/\u003cusername\u003e/\".\r\nMicrosoft Office files are targeted for deletion, but also TXT, LOG, and CSV files, which can sometimes store\r\nlogs, databases, or password information.\r\nIn addition, the wiper also targets files created with the Ichitaro Japanese word processor (emboldened below),\r\nwhich has led the MBSD team to believe that the wiper was specifically created to target computers in Japan—\r\nwhere the Ichitaro app is typically installed.\r\nTargeted extensions:\r\nDOTM, DOTX, PDF, CSV, XLS, XLSX, XLSM, PPT, PPTX, PPTM, JTDC, JTTC, JTD, JTT, TXT, EXE,\r\nLOG\r\nhttps://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nPage 1 of 5\n\nOther features found in the wiper also include a raft of anti-analysis and anti-VM detection techniques to prevent\r\nthe malware from being easily analyzed and tested and the ability for the malware to delete itself once the wiping\r\noperation has finished.\r\nUsing adult traffic as a disguise\r\nHowever, the most interesting feature is that the wiper also uses the cURL app to access pages on the XVideos\r\nadult video portal while the wiping behavior is taking place.\r\nhttps://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nPage 2 of 5\n\nThe MBSD team believes this behavior was added in an attempt to trick forensic investigators that the wiping\r\nbehavior took place because the user got infected while accessing porn sites.\r\nHowever, the MBSD team said the wiper was found in a Windows EXE file that was configured to look like a\r\nPDF file named: [Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the\r\nTokyo Olympics.exe\r\n\"Since this malware is disguised using a PDF icon and only targets data under the Users folder, it is believed that\r\nthe malware is intended to infect users who do not have administrator privileges,\" MBSD researchers Takashi\r\nYoshikawa and Kei Sugawara wrote yesterday.\r\nFor now, only one copy of this malware sample was discovered, uploaded on VirusTotal on Tuesday, July 20. [A\r\nsecond sample was discovered after this article went live.]\r\nFBI warns about possible cyberattacks aimed at the Olympics\r\nThe wiper's discovery came a day after the US Federal Bureau of Investigation had sent out a private industry alert\r\n[PDF] to US companies about the possibility that threat actors might target the Tokyo Olympics this year.\r\nCyberattacks carried out by Russia's military hacking groups have taken place during the last two Olympic\r\nGames.\r\nhttps://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nPage 3 of 5\n\nAfter Russian athletes were banned from participating at the Rio 2016 Summer Olympics under the Russian flags\r\nin light of a state-sponsored doping scandal, the APT28 (Fancy Bear) group breached the World Anti-Doping\r\nAgency (WADA) in August 2016 and later leaked files online.\r\nAfter the ban was extended for the PyeongChang 2018 Winter Olympics, Russian hackers deployed the Olympic\r\nDestroyer wiper during the games' opening ceremony in an attempt to cripple the organizers' internal network.\r\nThe ban on Russian athletes competing under the Russian flag is still in place for the Tokyo Olympics.\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nPage 4 of 5\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nhttps://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/" ], "report_names": [ "wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434019, "ts_updated_at": 1775826725, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/97ca811c742442d300cb2be5beab022591e13210.pdf", "text": "https://archive.orkl.eu/97ca811c742442d300cb2be5beab022591e13210.txt", "img": "https://archive.orkl.eu/97ca811c742442d300cb2be5beab022591e13210.jpg" } }