[2nd Week of June 2026] From Zero-Day Attacks to State-Sponsored Attacks: 4 Latest Threats Targeting Japanese Companies


The threats identified this week make it clear that the notion that “old vulnerabilities are safe” no longer holds true.

In addition to zero-day attacks targeting systems used within Japan, we have observed phishing attacks targeting financial services, scams targeting travelers, and even state-sponsored attacks exploiting vulnerabilities that were patched several years ago.

Attackers are actively targeting not only the latest vulnerabilities but also operational gaps and missed updates. Companies are required to maintain continuous monitoring and thoroughly implement basic security measures.



[Threat 1] Zero-Day Exploitation in Japan’s Popular LMS KnowledgeDeliver

A high-severity flaw (CVE-2026-5426) in the widely used Japanese Learning Management System, KnowledgeDeliver, was actively exploited as a zero-day via hard-coded ASP.NET machine keys. Threat actors leveraged the shared secret to achieve unauthenticated remote code execution through ViewState deserialization, planting the Godzilla web shell to gain server control. The attackers then injected fake security alerts onto the compromised LMS sites, tricking visitors into downloading a tailored loader that dropped Cobalt Strike Beacon.



Recommended Action: Immediately update all Digital Knowledge KnowledgeDeliver instances to versions released after February 24, 2026, rotate the default ASP.NET machine keys, and audit web application directories for unauthorized JavaScript modifications. 
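
To support the key-rotation step, the following added example (not part of the original article and not vendor code) audits web.config files for hard-coded machineKey values and reports keys that are identical across servers, using a fingerprint so the secret itself never appears in the report. The sample configs, key material and server names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

def static_machine_keys(name, xml):
    """Return (config, attribute, fingerprint) for each hard-coded machineKey value."""
    findings = []
    for el in ET.fromstring(xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns on <configuration>
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "AutoGenerate").strip()
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # key generated per server, no literal secret in the file
            # Fingerprint the key instead of storing it, so the report holds no secret.
            fp = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
            findings.append((name, attr, fp))
    return findings

def shared_keys(findings):
    """Map (attribute, fingerprint) -> configs, for keys found in more than one config."""
    seen = {}
    for name, attr, fp in findings:
        seen.setdefault((attr, fp), set()).add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def audit_tree(root):
    """Scan every web.config under a directory, e.g. a copy of each server's webroot."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == "web.config":
            findings += static_machine_keys(str(path), path.read_bytes())
    return findings

# Constructed sample configs with dummy key material, not taken from any real product.
KEY = "0123456789ABCDEF" * 4
SAMPLES = {
    "server-a/web.config": f'<configuration><system.web><machineKey validationKey="{KEY}" '
                           f'decryptionKey="{KEY[:32]}" validation="HMACSHA256"/></system.web></configuration>',
    "server-b/web.config": '<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">'
                           f'<system.web><machineKey validationKey="{KEY.lower()}" /></system.web></configuration>',
    "server-c/web.config": '<configuration><system.web><machineKey '
                           'validationKey="AutoGenerate,IsolateApps" /></system.web></configuration>',
}

if __name__ == "__main__":
    results = [f for n, x in SAMPLES.items() for f in static_machine_keys(n, x)]
    for (attr, fp), configs in shared_keys(results).items():
        print(f"{attr} sha256:{fp} is identical in {configs}")
```

Any static key is a rotation candidate; a key whose fingerprint repeats across servers is the shared-secret condition described above and should be rotated first.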


  

[Threat 2] Fraudulent eSIM Schemes Target Tourists in Japan 

A rising phishing and fraud wave in Japan involves malicious actors posing as legitimate eSIM providers to exploit tourists and new arrivals unfamiliar with local telecom practices. These scammers lure victims using sophisticated, official-looking clone websites and unsolicited messages offering unrealistically cheap data plans, ultimately stealing financial credentials or identity details without delivering services. Tourists caught in the scam risk immediate network disruption, financial loss, and long-term identity theft through compromised personal data. 



Recommended Action: Verify eSIM vendors through official carrier lists, immediately isolate compromised devices from financial accounts if scammed, and report incidents to the National Consumer Affairs Center of Japan or local police. 

 


[Threat 3] CFD Brokers Confront Phishing Surge as IG Japan Makes 2FA Compulsory 

IG Securities is making 2FA compulsory by June to counter a severe industry-wide surge in phishing scams, locking out any users who fail to activate it. Concurrently, the broker disclosed a massive data mishandling issue where unauthorized internal employees had access to personal data and "My Number" IDs of 162,879 clients. Furthermore, a contractor oversight exposed an additional 29,734 customer records on an unapproved external server, while the firm abruptly halted retail vanilla options trading. 



Recommended Action: Enforce mandatory 2FA across all trading platforms immediately, audit third-party server permissions, and implement strict role-based access controls to restrict internal visibility of sensitive customer data like "My Number" details. 

 

 

[Threat 4] Kimsuky Exploits BlueKeep Vulnerability in South Korea and Japan 

The North Korean state-backed threat group Kimsuky is actively exploiting the severe, wormable "BlueKeep" RDP vulnerability (CVE-2019-0708) to compromise infrastructure across Japan and South Korea. Despite the patch being available since 2019, legacy unpatched systems allowed the actors to achieve unauthenticated remote code execution and gain initial network entry. Once inside, the group utilized advanced lateral movement and privilege escalation techniques to maintain persistence and exfiltrate sensitive institutional data. 



Recommended Action: Immediately audit all external-facing assets for exposed RDP ports, apply the Microsoft security updates for CVE-2019-0708 to any legacy Windows systems, and enforce network segmentation alongside multi-factor authentication for remote access. 


Finally


AI environments are often presented as "tools," but the moment they are made public, they become assets that carry the exact same risks as servers.


The recent GHOST campaign is a classic example of an attack that exploits this perception gap.

First, start by checking how your company's AI environment looks from the outside.


Thank you for reading this far.

We at PIPELINE Corporation are a group of experts specializing in cybersecurity and threat intelligence.

We face threats together with our customers on-site every day.

"Even if we have a specialized team within the company, we lack the resources," "We don't know where to start," and "We want to prepare realistically, assuming we will be attacked."

We receive many inquiries like this. Regardless of the size of the company, the current situation is that weak points in defenses are easily targeted.

Furthermore, trying to handle everything internally inevitably makes it easier for things to be overlooked.

That's why we focus on practical methods that are useful in the field, rather than idealistic theories, and propose a small-scale, easy-to-implement approach. Even "a small step within your capabilities" can make a big difference in safety.

If you have any concerns at all, please feel free to contact us. Let's work together to find the quickest way to strengthen your security.


