{ "type": "Domain", "indicator": "escaperoomhub.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/escaperoomhub.com", "alexa": "http://www.alexa.com/siteinfo/escaperoomhub.com", "indicator": "escaperoomhub.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4282470188, "indicator": "escaperoomhub.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69c7fe028b39a27c589226aa", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into opening malicious links or attachments. The campaign capitalizes on the high volume of legitimate financial and HR communications during this period, increasing the risk of compromise. Silver Fox has expanded its targets from Chinese-speaking entities to Southeast Asia, Japan, and potentially North America. The group uses ValleyRAT, a remote access trojan, to gain control of compromised machines and steal sensitive information. To protect against this threat, organizations should increase vigilance, reinforce awareness about phishing attempts, and verify the authenticity of tax- and HR-themed requests.", "modified": "2026-04-27T16:10:38.865000", "created": "2026-03-28T16:12:50.911000", "tags": [ "targeted attacks", "valleyrat", "financial lures", "hr lures", "tax season", "spearphishing", "remote access trojan", "japan" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 47, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386474, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cdce444302cdd20d8033a0", "name": "IOC - A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Japan has entered its annual tax filing and organizational change season, a period when companies generate a high volume of legitimate financial and HR\u2011related communications. A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.", "modified": "2026-05-02T02:08:50.595000", "created": "2026-04-02T02:02:44.414000", "tags": [ "silver foxowned", "valleyrat c", "c server", "rainbow network", "limited", "alibaba cloud", "na tencent", "building", "na alibaba", "cloud" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "URL": 7, "domain": 9 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c964ac4189796968e74228", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Silver Fox is a cyber threat actor that has resumed its targeted spearphishing campaign in Japan, capitalizing on the annual tax filing and organizational change season when employees are more likely to open communications related to financial matters without scrutiny. The campaign involves sending deceptive emails that appear legitimate and are related to tax compliance, salary adjustments, job changes, and employee stock ownership plans. Given the heightened volume of legitimate communications during this period, employees may overlook signs of fraudulent emails, increasing the risk of compromise.", "modified": "2026-04-28T17:01:55.604000", "created": "2026-03-29T17:43:08.155000", "tags": [ "zip archive", "rar archive", "silver foxowned", "valleyrat c", "c server", "global pte", "cloud", "silver fox", "compromise", "welivesecurity", "first" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Silver_fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "Finance", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "domain": 9 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb4c964f8129cc49ac039e", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "", "modified": "2026-04-27T16:10:38.865000", "created": "2026-03-31T04:24:54.828000", "tags": [ "targeted attacks", "valleyrat", "financial lures", "hr lures", "tax season", "spearphishing", "remote access trojan", "japan" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": "69c7fe028b39a27c589226aa", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 47, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c65717c91585ca938eaf23", "name": "52352523525", "description": "A security researcher has identified a \"cunningpredator\" that targets companies in Japan and is targeting their tax-season tax season, as well as their employees' salaries, in the form of Silver Fox.", "modified": "2026-04-26T10:13:56.593000", "created": "2026-03-27T10:08:23.308000", "tags": [ "zip archive", "rar archive", "silver foxowned", "valleyrat c", "c server", "global pte", "cloud", "silver fox", "compromise", "welivesecurity", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "domain": 9 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/", "IOCs.2026.pdf" ], "related": { "alienvault": { "adversary": [ "Void Arachne" ], "malware_families": [ "Valleyrat" ], "industries": [ "Manufacturing" ] }, "other": { "adversary": [ "Silver_fox", "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "Void Arachne" ], "malware_families": [ "Valleyrat" ], "industries": [ "Finance", "Government", "Manufacturing", "Healthcare", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69c7fe028b39a27c589226aa", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Silver Fox, a threat actor, is exploiting Japan's tax filing and organizational change season with a targeted spearphishing campaign against Japanese businesses. The group sends convincing phishing emails related to tax compliance, salary adjustments, and HR matters, tricking recipients into opening malicious links or attachments. The campaign capitalizes on the high volume of legitimate financial and HR communications during this period, increasing the risk of compromise. Silver Fox has expanded its targets from Chinese-speaking entities to Southeast Asia, Japan, and potentially North America. The group uses ValleyRAT, a remote access trojan, to gain control of compromised machines and steal sensitive information. To protect against this threat, organizations should increase vigilance, reinforce awareness about phishing attempts, and verify the authenticity of tax- and HR-themed requests.", "modified": "2026-04-27T16:10:38.865000", "created": "2026-03-28T16:12:50.911000", "tags": [ "targeted attacks", "valleyrat", "financial lures", "hr lures", "tax season", "spearphishing", "remote access trojan", "japan" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 47, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386474, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cdce444302cdd20d8033a0", "name": "IOC - A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Japan has entered its annual tax filing and organizational change season, a period when companies generate a high volume of legitimate financial and HR\u2011related communications. A threat actor known as Silver Fox is actively exploiting this busy period by conducting a targeted spearphishing campaign against Japanese manufacturers and other businesses.", "modified": "2026-05-02T02:08:50.595000", "created": "2026-04-02T02:02:44.414000", "tags": [ "silver foxowned", "valleyrat c", "c server", "rainbow network", "limited", "alibaba cloud", "na tencent", "building", "na alibaba", "cloud" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "URL": 7, "domain": 9 }, "indicator_count": 157, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c964ac4189796968e74228", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "Silver Fox is a cyber threat actor that has resumed its targeted spearphishing campaign in Japan, capitalizing on the annual tax filing and organizational change season when employees are more likely to open communications related to financial matters without scrutiny. The campaign involves sending deceptive emails that appear legitimate and are related to tax compliance, salary adjustments, job changes, and employee stock ownership plans. Given the heightened volume of legitimate communications during this period, employees may overlook signs of fraudulent emails, increasing the risk of compromise.", "modified": "2026-04-28T17:01:55.604000", "created": "2026-03-29T17:43:08.155000", "tags": [ "zip archive", "rar archive", "silver foxowned", "valleyrat c", "c server", "global pte", "cloud", "silver fox", "compromise", "welivesecurity", "first" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Silver_fox", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" } ], "industries": [ "Finance", "Healthcare", "Government", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "domain": 9 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cb4c964f8129cc49ac039e", "name": "A cunning predator: How Silver Fox preys on Japanese firms this tax season", "description": "", "modified": "2026-04-27T16:10:38.865000", "created": "2026-03-31T04:24:54.828000", "tags": [ "targeted attacks", "valleyrat", "financial lures", "hr lures", "tax season", "spearphishing", "remote access trojan", "japan" ], "references": [ "https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/" ], "public": 1, "adversary": "Void Arachne", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null } ], "attack_ids": [ { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": "69c7fe028b39a27c589226aa", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 47, "FileHash-SHA256": 9, "domain": 9 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c65717c91585ca938eaf23", "name": "52352523525", "description": "A security researcher has identified a \"cunningpredator\" that targets companies in Japan and is targeting their tax-season tax season, as well as their employees' salaries, in the form of Silver Fox.", "modified": "2026-04-26T10:13:56.593000", "created": "2026-03-27T10:08:23.308000", "tags": [ "zip archive", "rar archive", "silver foxowned", "valleyrat c", "c server", "global pte", "cloud", "silver fox", "compromise", "welivesecurity", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jellybean123", "id": "359279", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 47, "FileHash-SHA1": 47, "FileHash-SHA256": 47, "domain": 9 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "34 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "escaperoomhub.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "escaperoomhub.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780197442.9404252 }