Macnica releases the results of its 2024 investigation into targeted attacks that hit Japanese organizations: Attacks targeting crypto assets are on the rise, and zero-day attacks on externally public assets continue
Macnica (headquarters: Yokohama, Kanagawa Prefecture; Representative Director and President: Kazumasa Hara; hereinafter "Macnica") has compiled a research report on targeted attacks that hit Japan in 2024, "The Reality of Targeted Attacks and Countermeasure Approaches, 9th Edition," and is releasing it today.
Targeted attacks that steal confidential information such as personal data, policy-related information, and manufacturing data from Japanese organizations rarely come to light, so Japanese organizations lose competitiveness without realizing it. Because of geopolitical factors and other conditions, the targeted attacks that hit Japanese organizations tend to differ from those seen in other countries, so understanding these trends and taking measures against them is essential. Macnica has been conducting its own research on targeted attacks against Japanese organizations, mainly through its Security Research Center, and observed the following trends during this research period (April 2024 to March 2025).
■ Attack intrusion patterns
・Compromise of public assets: Exploiting a zero-day vulnerability in VPN devices
Many intrusions were observed in which attackers found a vulnerability before security researchers or the vendor had discovered it and released a patch, and exploited it in a zero-day attack. Zero-day exploitation was especially common against internet-facing edge devices, above all network appliances such as VPN devices and firewalls.
・Physical intrusion: Malware infection and intrusion via USB
Cases increased in which malicious files placed on USB devices were executed by employees without their noticing. In some cases the devices were infected through physical proximity to people believed to be connected with the attacker. USB device control is a long-established, basic countermeasure, but these cases make it increasingly important.
・Detection evasion: EDR evasion and LotL attacks are becoming more active
Over this observation period we saw increased use of techniques to evade endpoint security controls such as EDR, and of Living Off The Land attacks (LotL attacks), which abuse legitimate tools already used in business rather than deploying malware. The report explains a hunting approach for dealing with these attacks.
・Social engineering: The popularity of methods that exploit weaknesses in human psychology
In fiscal 2024, we observed and detected more attacks in which cryptocurrency-related developers are contacted on social media such as LinkedIn and invited to take an employment test or join a well-paid development project. Under the pretext of assessing their skills, the attackers trick the target into downloading and executing a malicious file, then steal data stored in the browser. Web3 and cryptocurrency-related companies and developers are particularly targeted.
■Characteristics of attack groups and industries in which attacks were observed
In fiscal year 2024, the Famous Chollima group was observed actively targeting cryptocurrency-related software developers and infecting them with BeaverTail and InvisibleFerret. Attacks by the APT-37 group using the RokRAT backdoor, which uploads stolen data to legitimate cloud storage, were also observed.
Attacks using PlugX by the TELEBOYi group, observed since the previous year, continued, and Mustang Panda was observed using a PlugX variant that spreads via USB. Attacks that used WinDivert to evade detection by disrupting communication between endpoint security agents and their servers were also observed. In early 2025, as in the same period of the previous year, zero-day attacks on Ivanti VPN devices were actively observed, and in March spear phishing by MirrorFace aimed at infecting targets with ANEL. In addition, multiple attacks were observed, mainly against overseas manufacturing sites, in which the intruders entered through VPN device vulnerabilities and were detected during LotL-style system and network reconnaissance.
[Figure: Attack surface ratio (2024)]
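The WinDivert and LotL reconnaissance behaviours described above are the kind of thing a hunting approach looks for. As an added example that is not Macnica's code and is not taken from the report, the following Python script applies two simple heuristics to a small set of constructed, Sysmon-like events (event ID 6 = driver loaded, event ID 1 = process created). All hostnames, paths, timestamps and command lines are invented, and the event layout is an assumption made for the example.

```python
"""Two hunting heuristics for behaviours named in the report (example code,
not Macnica's): a WinDivert packet-diverting driver being loaded, and a burst
of built-in reconnaissance tools on one host (a Living Off The Land pattern).
The event schema is a simplified, constructed Sysmon-like layout."""
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance binaries that ship with Windows. Any one of them is normal;
# several distinct ones from one host within a few minutes is worth a look.
RECON_BINARIES = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
    "systeminfo.exe", "tasklist.exe", "quser.exe", "arp.exe", "netstat.exe",
    "nslookup.exe", "dsquery.exe",
}

# Constructed sample telemetry (hypothetical hosts, paths and times).
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:00:01", "host": "FAC-PC-07", "event_id": 6,
     "image_loaded": r"C:\Windows\Temp\WinDivert64.sys"},
    {"ts": "2025-03-10T09:00:05", "host": "FAC-PC-07", "event_id": 1,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2025-03-10T09:00:40", "host": "FAC-PC-07", "event_id": 1,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2025-03-10T09:01:20", "host": "FAC-PC-07", "event_id": 1,
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2025-03-10T09:02:03", "host": "FAC-PC-07", "event_id": 1,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-03-10T09:03:00", "host": "HQ-PC-12", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"ts": "2025-03-10T09:10:00", "host": "HQ-PC-12", "event_id": 1,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2025-03-10T14:30:00", "host": "HQ-PC-12", "event_id": 1,
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_windivert_loads(events):
    """Return (host, driver path) for every driver-load event whose image
    name contains 'windivert'. A packet-diverting driver appearing outside a
    known software install is a strong lead for the tactic of cutting the
    endpoint agent off from its server."""
    return [(e["host"], e["image_loaded"]) for e in events
            if e["event_id"] == 6 and "windivert" in _basename(e["image_loaded"])]


def find_recon_bursts(events, window_minutes=5, threshold=3):
    """Return {host: [cmdline, ...]} for hosts that ran at least `threshold`
    distinct built-in recon tools inside any `window_minutes` window. Only the
    first qualifying window per host is reported."""
    runs = defaultdict(list)
    for e in events:
        if e["event_id"] == 1 and _basename(e["image"]) in RECON_BINARIES:
            runs[e["host"]].append(
                (datetime.fromisoformat(e["ts"]), _basename(e["image"]), e["cmdline"]))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for host, items in runs.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans <= window_minutes.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            if len({binary for _, binary, _ in in_window}) >= threshold:
                bursts[host] = [cmd for _, _, cmd in in_window]
                break
    return bursts


if __name__ == "__main__":
    for host, driver in find_windivert_loads(SAMPLE_EVENTS):
        print(f"[windivert] {host}: {driver}")
    for host, cmds in find_recon_bursts(SAMPLE_EVENTS).items():
        print(f"[lotl-recon] {host}: " + " | ".join(cmds))
```

The thresholds are deliberately loose: the point is to surface hosts for an analyst to look at, not to alert. The single `ipconfig /all` and later `whoami` on the second host are spaced hours apart and are not flagged, while the first host is flagged both for the driver load and for three distinct recon tools inside two minutes.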
Macnica will continue to analyze and raise awareness of targeted attacks, which are gradually eroding the industrial competitiveness of Japanese companies, and will work to reduce the damage these attacks cause to Japanese companies as far as possible.
[The report's public URL is here]
https://www.macnica.co.jp/business/security/security-reports/147750/index.html
*Company names and product names mentioned in this text are trademarks or registered trademarks of Macnica and each company.
*The information published in the news release (including product price, specifications, etc.) is current as of the date of announcement. Please note that the information may be subject to change without prior notice.
About Macnica
Macnica is a Service & Solution Company that handles the latest technologies in a comprehensive manner, with semiconductors and cyber security at its core. With operations in 91 locations in 28 countries and regions around the world, the company leverages the technical capabilities and global network it has cultivated over its 50-year history to discover, propose, and implement cutting-edge technologies such as AI, IoT, and autonomous driving.
About Macnica: www.macnica.co.jp
Inquiries from the press regarding this matter
Macnica https://www.macnica.co.jp
Public Relations Office Miyahara, Isozaki E-mail: macpr@macnica.co.jp
Macnica Building 1, 1-6-3 Shin-Yokohama, Kohoku-ku, Yokohama 222-8561