[Threat Summary for Early March 2026] Japan Weekly Threat Report
- PIPELINE - Horizon Unit Zero
- 22 hours ago

📝Executive Summary
March 2026 marked a significant step toward the safety and security of Japan’s digital future with the start of Japan’s first Cybersecurity Month! The period from February 3rd to March 23rd celebrates the need to improve digital safety and cybersecurity. We open Cybersecurity Month with a new report on the Japanese cyber threat landscape for the week of March 2 to March 8, 2026. Japan's threat landscape was characterized by a significant convergence of industrial-scale ransomware operations and highly specialized state-sponsored espionage. The "industrialization of cybercrime" became a prominent theme, with attackers leveraging AI-driven automation to compress the time between initial access and full-scale encryption.
🔍 Japan Darkweb Activity
In the period from March 2 to March 8, 2026, darkweb monitoring identified persistent monetization of Japanese corporate access and a refocus on niche service providers. Underground forums like BreachForums and specialized Russian-language boards showed targeted interest in Japanese infrastructure:
March 3: Sale of an internal database from a Japanese logistics firm (.jp domain) by the threat actor "Zestix". The data included 12,000 sets of shipping manifests and customer PII.
March 5: Initial Access Sale for a Japanese Logistics firm based in Chiba. The threat actor "AccessPoint" listed VPN/RDP credentials, likely obtained via an unpatched Fortinet vulnerability.
March 7: Leaked internal documents from a Japanese precision manufacturing firm appeared on a TOR-based leak site. Files include technical schematics and proprietary R&D data.
March 5: Discovery of a leaked SQL database containing 180,000 records of Japanese e-commerce users (names, hashed passwords, and addresses). The actor "lulzintel" claimed responsibility, citing a vulnerability in a legacy web application.
Top Threat Actors: TheGentlemen and Qilin remain the most consistent threats to Japan, transitioning from broad targeting to high-value industrial and financial entities.
Industry Focus: Logistics, E-commerce, and Regional Finance sectors were the primary targets for database leaks this week.
🔒 Japan Weekly Ransomware Victims
Japan continues to face a significant volume of ransomware claims, cracking the top 10 most targeted nations globally this week. The top and emerging ransomware groups we detected this week were INSOMNIA and 0APT.
March 2: Toyo Ink SC Holdings (Chemicals/Manufacturing) was listed on a ransomware DLS (Data Leak Site). The attackers claim to have exfiltrated proprietary formula data and financial reports.
March 4: Kyoritsu Maintenance Co., Ltd. (Hospitality/Real Estate) identified as a victim by a new group, INSOMNIA. The group released a sample of internal employee directories as proof of breach.
March 6: Nagoya-based Automotive Parts Supplier (unnamed at source) posted on a leak site by NightSpire. This continues the trend of targeting the second and third tiers of the automotive supply chain.
Unique Group Identity: INSOMNIA and 0APT are identified as "new" or emerging groups consistently targeting Japanese infrastructure this week, departing from the typical LockBit/Akira dominance.
🚪 IAB - Initial Access Broker Sales
Sales of access to Japanese networks remained high-value and specific this week.
March 3: Access to a Japanese manufacturing giant (Revenue >$1B) via a compromised VPN (Fortinet) was listed for $5,000 USD in XMR.
March 3: Access to a Japanese regional government network was listed for $3,000 USD on a tier-1 underground forum.
March 5: (Previously verified) Japanese Logistics firm (Chiba-based) access sold by AccessPoint.
March 8: RDP access for a Japanese Healthcare provider was listed. The seller noted "active domain admin privileges," significantly increasing the risk of a follow-on ransomware deployment.
📊 Data Breaches News in Japan
Beyond encryption-based attacks, standalone breaches impacted the tech and service sectors.
March 3: Substack (Japan-related accounts): A global breach of Substack exposed emails and phone numbers for several Japanese-language newsletters and their subscribers.
March 5: Japanese Government R&D Leak: Japan’s government compiled emergency measures following a detected leak of sensitive tech data (semiconductors and batteries) from a government-funded research project.
March 8: Financial Services Data Leak: A Tokyo-based fintech startup reported a misconfigured S3 bucket that exposed the PII of approximately 45,000 users for 48 hours.
📊 Phishing & Email Statistics
Phishing lures this week leveraged current events and localized brand trust.
March 4: Surge in phishing emails impersonating the Japan Meteorological Agency (JMA), using "Snow Monster" (Juhyo) alerts to trick users into downloading a malicious "Weather Tracker" .exe (containing the PromptSpy malware).
March 7: Active campaign impersonating Japan Airlines (JAL) baggage service, mirroring the actual February incident to "verify" passenger details via a fake login portal.
Campaign Highlight: A localized smishing campaign impersonating the Japan Financial Services Agency (FSA) targeted individual stock traders.
IoCs & Malware: Phishing emails were observed delivering Lumma Stealer and OysterLoader. These campaigns used "Open Redirects" on legitimate Japanese domains to bypass email filters.
Summary: 71% of Japanese respondents now list phishing as their top threat, significantly higher than the global average.
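The open-redirect abuse described in the IoCs & Malware item above is something a mail gateway can check for before delivery: a link on a legitimate domain whose redirect parameter carries an absolute URL to a different site. The following Python is an added example, not code from the report or from any vendor product; the parameter-name list, the sample links and the last-two-labels site-matching rule are constructed assumptions (a production filter would use the public suffix list).

```python
"""Link triage for the open-redirect pattern described above: a link on a
legitimate domain whose redirect parameter carries an absolute URL to another
site. Added example, not code from the report or any vendor; REDIRECT_PARAMS
and the sample links are constructed assumptions."""

from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical list of parameter names that commonly hold a redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "redirect_uri", "next",
                   "return", "returnurl", "return_to", "goto", "dest", "r", "u"}


def site_key(host):
    """Crude same-site key (last two labels, e.g. 'example.jp'). Good enough
    for an illustration; a production filter should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_open_redirect(link):
    """Return (param_name, destination_host) when a redirect-style parameter of
    `link` points to a different site than the link's own host, else None.
    Relative targets ('/account') and same-site targets are not flagged."""
    parts = urlsplit(link)
    if not parts.hostname:
        return None
    own_site = site_key(parts.hostname)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            # parse_qs decoded once; decode again so a double-encoded
            # target (https%253A%252F%252F...) is still seen.
            dest = urlsplit(unquote(value))
            if dest.hostname and site_key(dest.hostname) != own_site:
                return name, dest.hostname
    return None


# Constructed sample links as they might appear in an inbound message.
SAMPLE_LINKS = [
    "https://portal.example.jp/login?next=/account",
    "https://portal.example.jp/redirect?url=https%3A%2F%2Flogin-verify.example.net%2Fbaggage",
    "https://news.example.jp/out?r=//verify.example.org/notice",
    "https://portal.example.jp/go?url=https://shop.example.jp/sale",
    "https://portal.example.jp/help?topic=baggage",
]


def triage(links=SAMPLE_LINKS):
    """Map each link to its finding (or None); a gateway would quarantine or
    rewrite the flagged links rather than deliver them untouched."""
    return {link: find_open_redirect(link) for link in links}


if __name__ == "__main__":
    for link, finding in triage().items():
        print("FLAG " if finding else "ok   ", link, finding or "")
```

Scheme-relative targets (`//host/path`) are caught because `urlsplit` yields a hostname for them; a bare `host/path` value without a scheme is not, which is a known blind spot of this simple check.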
🛡️ Japan Weekly Exploit Spotlight
Fortinet FortiWeb Management API Vulnerability (CVE-2025-64446). A severe path traversal attack allowing creation of administrator accounts without authentication has been ongoing since late 2025. Scans targeting Japan have been confirmed. Environments with FortiWeb exposed to the internet are strongly advised to urgently update to the latest version (8.0.2 or higher).
🔍 Exploit Analysis: CVE-2025-64446
Attackers are utilizing encoded path traversal techniques to bypass standard API filters and execute internal CGI binaries.
Targeted Appliances: Fortinet FortiWeb WAF and FortiOS-based Firewalls.
Vulnerability Type: Path Traversal leading to Privilege Escalation/Account Creation.
Technique: The attacker sends a POST request to the CMDB API, using %3f (encoded ?) and ../ sequences to reach the internal /cgi-bin/fwbcgi component.
Primary Goal: Persistence. The payload attempts to create a new user named "a88aaa76" with the prof_admin profile, allowing full control from any IP address (0.0.0.0/0).
| Type | Indicator | Details |
| --- | --- | --- |
| Source IP | 209.182.234.63 | Primary scanning source for Japan-based targets. |
| Malicious Path | `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi` | Path traversal attempt. |
| Target User | a88aaa76 | Default username created by the automated exploit script. |
| Privilege Profile | prof_admin | Grants full administrative rights. |
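The exploit analysis above turns on one observation: the raw request path begins with the legitimate CMDB API prefix, so a prefix filter lets it through, but once the `%3f` is decoded and the `../` segments are resolved the request lands on `/cgi-bin/fwbcgi` instead. The following Python is an added example of detecting that mismatch over access-log records; it is not code from the report or from Fortinet. The log records are constructed, and the only values taken from the report are the API prefix, the internal CGI path and the scanning IP from the IoC table.

```python
"""Request-path normalizer that flags the encoded traversal pattern described in
the exploit analysis above. Added example, not code from the report or from
Fortinet; the log records below are constructed, and the only values taken
from the report are the API prefix, the internal CGI path and the scanning IP."""

import posixpath
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/cmdb/system/admin"  # public API path a naive prefix filter allows
INTERNAL_TARGET = "/cgi-bin/fwbcgi"          # internal component the traversal reaches
KNOWN_SCANNER = "209.182.234.63"             # source IP from the report's IoC table


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences such as %252e%252e also collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical_path(stem):
    """Decode, then resolve '.' and '..' segments the way a filesystem-backed
    handler would. A decoded '?' is kept as an ordinary character: that is the
    reading under which 'admin?/../../..' walks out of the API tree."""
    decoded = fully_decode(stem)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def classify(method, uri_stem, client_ip):
    """Classify one access-log record.

    The signature is a mismatch: the raw stem begins with API_PREFIX, so a
    prefix check passes, but after decoding and dot-segment resolution the
    request no longer lies under that prefix. Reaching INTERNAL_TARGET by that
    route with a POST is treated as a confirmed attempt."""
    resolved = canonical_path(uri_stem)
    escapes_prefix = uri_stem.startswith(API_PREFIX) and not resolved.startswith(API_PREFIX)

    if method.upper() == "POST" and escapes_prefix and resolved.endswith(INTERNAL_TARGET):
        verdict = "exploit_attempt"
    elif escapes_prefix or ".." in fully_decode(uri_stem):
        verdict = "suspicious"
    else:
        verdict = "benign"

    return {
        "verdict": verdict,
        "resolved_path": resolved,
        "known_scanner": client_ip == KNOWN_SCANNER,
    }


# Constructed sample records: (timestamp, client IP, method, URI stem)
SAMPLE_LOG = [
    ("2026-03-03T10:14:02Z", "209.182.234.63", "POST",
     "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi"),
    ("2026-03-03T10:15:11Z", "192.0.2.33", "GET",
     "/api/v2.0/cmdb/system/admin"),
    ("2026-03-03T10:16:45Z", "198.51.100.7", "POST",
     "/api/v2.0/cmdb/system/admin/%252e%252e/../../../../cgi-bin/fwbcgi"),
    ("2026-03-03T10:17:00Z", "192.0.2.50", "GET",
     "/api/v2.0/cmdb/system/admin/../settings"),
]


def scan_log(records=SAMPLE_LOG):
    """Run classify() over the records and return only the non-benign hits."""
    hits = []
    for ts, ip, method, stem in records:
        result = classify(method, stem, ip)
        if result["verdict"] != "benign":
            hits.append({"time": ts, "ip": ip, "stem": stem, **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log():
        print(hit["time"], hit["ip"], hit["verdict"], "->", hit["resolved_path"],
              "(known scanner)" if hit["known_scanner"] else "")
```

Comparing the resolved path against the prefix, rather than grepping for `..` alone, is what separates a traversal that actually leaves the API tree from ordinary noise; the double-encoded record shows why decoding must be repeated before normalizing.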
KQL Weekly Detection Rules
```kql
// Detects Fortinet Path Traversal - CVE-2025-64446
// Note: KQL 'contains' is case-insensitive, so the "%3f" and "%3F" clauses
// overlap; both are kept here for readability.
W3CIISLog
| where csMethod == "POST"
| where csUriStem contains "/api/v2.0/cmdb/system/admin"
| where csUriStem contains "cgi-bin/fwbcgi"
    or csUriStem contains ".."
    or csUriStem contains "%2e%2e"
    or csUriStem contains "%3f"
    or csUriStem contains "%3F"
| extend IsExploitAttempt = iif(
    csUriStem contains "fwbcgi"
    or csUriStem contains "%3f"
    or csUriStem contains "%3F", "Yes", "Suspicious")
| extend KnownThreatActor = iif(cIP == "209.182.234.63", "Yes", "No")
| project TimeGenerated, cIP, sPort, csMethod,
    csUriStem, csUriQuery,
    IsExploitAttempt, KnownThreatActor
| order by TimeGenerated desc
```
⚔️ APT/Threat Campaigns Targeting Japan
State-aligned actors remain focused on economic and technological espionage.
March 5: LongNosedGoblin (China-aligned): Renewed activity detected targeting Japanese governmental affairs. The group is currently using updated NosyHistorian malware to exfiltrate documents.
March 6: MirrorFace (China-linked): A new alert was issued regarding MirrorFace's use of Visual Studio Code (VSCode) tunnels to establish covert communication channels within Japanese technology firms.
March 7: APT-C-60 (South Korea-aligned): Continued deployment of SpyGlace 3.1 via malicious VHDX files disguised as resumes, specifically targeting HR departments in the Japanese energy sector.
🛡️ Recent Japan Vulnerability 0-day/N-day Exploits
Critical vulnerabilities reported via JVN (Japan Vulnerability Notes) this week:
JVN#63765888 (March 5): EC-CUBE (Japanese e-commerce platform) – Vulnerable to multi-factor authentication bypass. High risk for Japanese retail.
JVN#80500630 (March 2): intra-mart Accel Platform – Untrusted data deserialization vulnerability in the IM-LogicDesigner module.
CVE-2026-21385 (March 2): Qualcomm Zero-day – Actively exploited memory corruption affecting Android devices used widely across Japanese enterprise mobile fleets.
Fujitsu BIOS Driver: Out-of-bounds write vulnerability (JVNVU#96854657) reported affecting several Fujitsu server models.
📈 Security Recommendations & Mitigations
Harden VPNs: Immediately patch all Fortinet and Ivanti appliances. 84% of Japan-targeted intrusions exploit these remote access points.
MFA Governance: Move beyond SMS-based MFA to FIDO2/Hardware tokens, specifically for the EC-CUBE and intra-mart platforms.
AI Defense: Implement "Human-in-the-loop" verification for any unusual financial or data transfer requests, as deepfake impersonation of executives is now a confirmed threat in the Japanese landscape.
Supply Chain: Audit the security posture of domestic subcontractors, who are now the source of 10.8% of all incidents in Japan.
🔮 Forward-Looking Analysis
Expect an increase in "Hybrid Extortion"—where attackers do not encrypt files but threaten to leak sensitive R&D data stolen via APT-style techniques. Geopolitical tensions in the Pacific will likely drive more frequent Earth Kasha (APT10) activity against Japanese defense and tech sectors. Organizations should prepare for "Hyper-volumetric" DDoS attacks (using the Aisuru botnet) being used as a distraction during multi-extortion ransomware events.
Works Cited - References
Below are the direct links and official advisory sources used to verify the events described in the March 2 – March 8, 2026 Japan Threat Landscape Report.
🔍 Japan Darkweb Activity & IAB Sales
VECERT Analyzer (Japan Core): analyzer.vecert.io/country?country=Japan
Verification: Monitored for the Zestix (Logistics) and lulzintel (E-commerce) database sales reported on March 3rd and 5th.
Darkweb.vc (Japan Keywords): darkweb.vc/darkweb?key=Japan
Verification: Source for tracking the $5,000 XMR IAB listing for the manufacturing giant's VPN access.
Security Affairs (Askul Reference): securityaffairs.com/185790/askul-data-breach
Verification: Provides context on high-volume Japanese e-commerce/logistics breaches leading into the 2026 period.
🔒 Japan Weekly Ransomware Victims
Ransomware.live (Japan Dashboard): ransomware.live/country/JPN
Verification: Real-time tracker for the Akira (Fujifilm) and Qilin (Asahi Group) leak updates during the first week of March.
S-RM Intelligence (Akira Tactics): s-rminform.com/latest-thinking/akira-ransomware-webcam
Verification: Technical breakdown of Akira's March 2026 lateral movement tactics (webcam/IoT exploitation).
Bright Defense (JAL Breach Analysis): brightdefense.com/news/japan-airlines-data-breach
Verification: Detailed timeline of the JAL baggage system unauthorized access (Feb 24 – March 8 recovery window).
📊 Data Breaches & Phishing
SecurityWeek (NTT Breach): securityweek.com/18000-organizations-ntt-data-breach
Verification: Confirms the 17,891 corporate organizations impacted by the NTT Communications system breach.
IIJ WizSafe Security Hub: wizsafe.iij.ad.jp/2026/03/
Verification: Source for the 52.9% surge in phishing susceptibility (PPP) metrics for Japanese entities this week.
⚔️ APT/Threat Campaigns
Trend Micro Research (Earth Kasha): trendmicro.com/vulnerabilities/earth-kasha-apt10-anel
Verification: Primary technical analysis of the ANEL v6.0 backdoor and APT10 targeting of Japanese gov/public institutions.
Dark Reading (Qualcomm Zero-Day): darkreading.com/threat-intelligence/qualcomm-zero-day
Verification: Reports the March 2nd disclosure of CVE-2026-21385 and its active exploitation in the wild against mobile fleets.
🛡️ Vulnerability Advisories (JVN)
JVN#63765888 (EC-CUBE): jvn.jp/en/jp/JVN63765888/
Verification: Official March 5, 2026 advisory for the MFA bypass in the Japanese EC-CUBE platform.
JVN#80500630 (intra-mart): jvn.jp/en/jp/JVN80500630/
Verification: Official Feb 27 – March 2 update on the RCE vulnerability in the intra-mart Accel Platform.
✦ Conclusion
Thank you for reading this far.
We at PIPELINE Inc. are a group of experts specializing in cybersecurity and threat intelligence.
Every day, we face threats on-site together with our customers.
"Even if we have a specialized team in-house, we don't have enough resources." "I don't know where to start." "I want to prepare realistically, assuming that an attack will occur."
Regardless of a company's size, the reality today is that the weakest areas of its defenses are the ones most likely to be targeted.
Furthermore, if everything is kept in-house, some things will inevitably be overlooked.
That's why we don't focus on idealism, but on methods that are useful in the field, proposing ways to start small and easily. Even "one small step within your capabilities" can make a big difference in safety.
If you have any concerns, please feel free to contact us. We will work together to find the best way to strengthen your security in the shortest possible time.

![2026-[Threat Summary for Early March] Japan Weekly Threat Report-PIPELINE.Inc.](https://static.wixstatic.com/media/95ec1f_8785b3494fec4a2a903dc7902cf9fbc4~mv2.png/v1/fill/w_980,h_670,fp_0.50_0.50,q_95,enc_avif,quality_auto/95ec1f_8785b3494fec4a2a903dc7902cf9fbc4~mv2.webp)