Japan Cyber Threat Report – March 2026 Summary | Ransomware, Phishing & Data Breaches (Weeks 1–3)

Overview of Cyber Attacks in Japan (March 2026)
Ransomware incidents targeting Japanese organizations remained active but limited, with three new claims or public disclosures this week. Notable trends unique to this period were an increase of over 500% in ClickFix campaigns and, coinciding with tax season in Japan, a rise in eLTAX fraud campaigns. Thegentlemen continued its historical pattern of hitting Japanese-listed entities; no entirely new ransomware groups unique to Japan appeared. Sectors affected: services/public, publishing, and industrial components.
Dark Web Activity Targeting Japanese Companies
From March 16 to March 22, 2026, dark web forums including BreachForums and specialized Chinese-speaking markets (DeepMix) showed high activity regarding Japanese corporate data.
Top Threat Actors: ShinyHunters, Everest, and specialized IABs (Initial Access Brokers) focused on the APAC region.
• March 17: A database containing 1.2 million records of a Japanese e-commerce platform was listed for sale on DeepMix. Data includes emails, hashed passwords, and shipping addresses.
• March 19: User jrintel on a prominent forum leaked internal documents titled "Project Sakura - Logistics 2026," allegedly belonging to a major Japanese freight forwarding company.
• March 21: Sale of 800,000 sensitive records from a hospitality group (Wynn Resorts Japan) was confirmed by the group ShinyHunters, with a ransom demand of $65M reported in underground channels.
Ransomware Attacks in Japan (Latest Trends)
Ransomware incidents targeting Japanese organizations remained active but limited, with three new claims or public disclosures this week. Thegentlemen continued its historical pattern of hitting Japanese-listed entities; no entirely new ransomware groups unique to Japan appeared. Sectors affected: services/public, publishing, and industrial components. Confirmed new victims (DLS + Japanese security reporting):
Sector Focus: Manufacturing remains the #1 target (approx. 18.2% of all cases).
• March 16: Chase Asia (public company, listed under Japan victims) claimed by Thegentlemen group; no exfiltration volume disclosed.
• March 17–19: 株式会社メディカ出版 (Medica Publishing Co., Ltd., publishing sector) hit by unnamed ransomware; personal information leaked and order/shipping operations halted.
• March 18: 日本スウェージロックFST (Japan Swagelok FST, industrial/manufacturing) ransomware victim; operational disruption reported, shipping later resumed.
• March 20: Nafco (Retail/Fish Industry) was added to the Akira ransomware leak site.
IAB - Japan Corporate Initial Access Broker Sales

• March 16: Live sales of "VPN SMTP Combo" access in Japan were detected.
• March 19: "Admin Rights" for a Japanese municipal government's web portal were auctioned on an underground forum.
Data Breaches and Security Incidents in Japan
Standalone breaches and incidents reported this week (deduplicated):
• March 17: Tane General Hospital – a contractor employee lost a USB memory stick containing personal information of 379 patients.
• March 17: Medica Publishing Co., Ltd. – confirmed information leakage following a third-party ransomware attack.
• March 19: Mazda Corporation – possible leakage of 692 employee records (user IDs, names, e-mail addresses, company names, and trading partner IDs) due to unauthorized access to a Thai procurement management system.
Phishing and Email-Based Attacks Targeting Japan

• "ClickFix" Escalation: A 500% increase in attacks where emails prompt users to "fix" document rendering issues by running a malicious PowerShell script.
• The "Metamask 2FA" Lure: A sophisticated campaign targeting Japanese crypto asset holders. Emails claim an "unusual login" and pressure users to enable 2FA via a malicious S3 bucket link.
• McAfee/Norton "Subscription Expired" Scams: Persistent campaign using "scareware" tactics (simulated antivirus scans) to collect billing details. High volume noted in the March 14 – March 20 window.
• AI-Enhanced Business Email Compromise (BEC): Multiple reports of NTT Data identifying deepfake executive impersonations in email/voice-hybrid attacks, bypassing traditional "unnatural Japanese" grammar filters.
APT and State-Sponsored Threats in Japan
• Shadow Campaigns (TGR-STA-1030): Unit 42 identified a state-aligned group targeting Japanese government and critical infrastructure.
• KONNI (North Korea): Ongoing phishing campaign using AI-generated lures in Japanese to target cryptocurrency exchanges and blockchain startups.
• LapDogs (China-Nexus): Use of "Operational Relay Box" (ORB) networks involving compromised Japanese SOHO routers to mask espionage traffic.
Critical Vulnerabilities Affecting Japanese Organizations
Data from JVN (Japan Vulnerability Notes) highlights critical flaws in software commonly used within Japanese enterprises:
• JVNDB-2026-000037 (CVE-2026-2180): High (7.2) - OS Command Injection in OpenLiteSpeed/LSWS Enterprise. Published March 16.
• JVNDB-2026-000039: High (8.3) - Missing Authorization in GROWI (OpenAI thread API). Affects many Japanese tech dev teams. Published March 16.
• JVNDB-2026-000038: High (7.8) - DLL hijacking vulnerability in IBM Trusteer Rapport (widely used by Japanese banks). Published March 17.
• JVNDB-2026-007524: New vulnerability reported in Hitachi Command Suite. Published March 17.
• JVNVU#95093977: Multiple critical flaws in Xerox FreeFlow Core (impacting FUJIFILM BI users in Japan). Published March 19.
Security Recommendations for Japanese Enterprises
• Patch Management: Prioritize patching GROWI and Hitachi Command Suite due to their prevalence in Japanese corporate environments.
• IAB Defense: Monitor for unauthorized VPN/Citrix login attempts from unusual geographic locations; implement FIDO2-based MFA to negate stolen credential value.
• Phishing: Given the KONNI campaign, provide specific training on identifying AI-generated Japanese lures, which no longer contain traditional "unnatural" grammar.
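The VPN monitoring described under IAB Defense can be sketched as detection logic over gateway logs. This is an added example, not part of the original report: the log format, usernames, coordinates, the `home_countries` baseline and the 900 km/h threshold are all assumptions constructed for illustration.

```python
import math
from datetime import datetime

# Constructed sample VPN gateway log (hypothetical format):
# ISO timestamp, user, result, country, latitude, longitude of the source IP
SAMPLE_LOG = """\
2026-03-16T08:55:00 tanaka OK JP 35.68 139.69
2026-03-16T18:20:00 tanaka OK JP 34.69 135.50
2026-03-16T21:10:00 suzuki OK JP 34.69 135.50
2026-03-17T02:05:00 suzuki FAIL RO 44.43 26.10
2026-03-17T02:06:00 suzuki OK RO 44.43 26.10
2026-03-18T09:00:00 suzuki OK JP 34.69 135.50
2026-03-19T09:00:00 sato OK SG 1.35 103.82
"""

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_anomalies(log_text, home_countries=frozenset({"JP"})):
    """Flag attempts from outside the expected countries, and attempts whose
    distance from the user's last successful login implies impossible travel."""
    last_ok = {}  # user -> (time, lat, lon) of the last successful login
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, result, country, lat, lon = line.split()
        t, lat, lon = datetime.fromisoformat(ts), float(lat), float(lon)
        reasons = []
        if country not in home_countries:
            reasons.append("outside-home-country")
        prev = last_ok.get(user)
        if prev:
            hours = (t - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[1], prev[2], lat, lon)
            # Ignore short hops; GeoIP data is rarely accurate below city level
            if km > 100 and (hours <= 0 or km / hours > MAX_KMH):
                reasons.append("impossible-travel")
        if reasons:
            alerts.append((ts, user, result, tuple(reasons)))
        if result == "OK":  # failed attempts never move the baseline
            last_ok[user] = (t, lat, lon)
    return alerts
```

Failed attempts are evaluated but do not update the baseline, so a credential-stuffing failure from abroad cannot make a later successful login from the same location look normal.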
Future Outlook: Cyber Threat Trends in Japan
Expect a continued surge in "Supply Chain Ransomware," where attackers target smaller Japanese software vendors (like the GROWI or Digital Arts cases) to pivot into larger enterprise clients. Geopolitical tensions are likely to result in more "ORB" network activity utilizing domestic Japanese IoT devices for state-sponsored scanning.







