Phishing Campaign Targeting Japanese Speakers

    Date: 09/22/2025

    Severity: High

    Summary

    Since April 2025, we've observed a surge in email phishing targeting Japanese speakers. These campaigns impersonate companies like Amazon, Apple, and Japan Airlines. Emails often appear as fake purchase notices or safety alerts with convincing phishing links. Early attacks included fake Amazon CAPTCHA pages to steal user credentials. The goal is to harvest sensitive data through deceptive, company-branded messages.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    jp.tsity.com/token?token=3DZcfA7BJe=

    piy.wjzmzp.com/token?token=3DW0bVUzYu4T4Q64E=

    telogin.jjh521.com/token?token=3Dv4jl4FxperZa=

    jump.activeeve.com/IHdPmS?amazon.co.jp/amazon_update&amp

    jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin

    https://www.amazon.co.jp.gearheinz.com/ap/signin/

    aqielaxi.cn/ap/signin/openid/net2F

    cfsrvbu.cn/ap/signin/openid/net2F

    moqcxu.cn/ap/signin/openid/net2F

    orqiwiaa.cn/ap/signin/openid/net2F

    nmfoq.cn/ap/signin/openid/net2F

    pspmdeeo.cn/ap/signin/openid/net2F

    rnctj.cn/ap/signin/openid/net2F

    rxupja.cn/ap/signin/openid/net2F

    snrmfxko.cn/ap/signin/openid/net2F

    uxfjl.cn/ap/signin/openid/net2F

    vlupe.cn/ap/signin/openid/net2F

    secure.oamzon.co.jp.icatlar.net

    secure.oamzon.co.jp.ideeco.net

    secure.oamzon.co.jp.ispol.net

    secure.oamzon.co.jp.itbdqn.net

    secure.oamzon.co.jp.jiahongdiban.com

    secure.oamzon.co.jp.kamicop.net

    secure.oamzon.co.jp.largessemedia.com

    secure.oamzon.co.jp.leaderga.com

    secure.oamzon.co.jp.linefilm.net

    secure.oamzon.co.jp.lmsconsult.net

    78jn0dq.cn/puvxrokt

    a8wcinm.cn/puvxrokt

    drsxsz.cn/puvxrokt

    ksh3c3n.cn/signIn/account/ssi=

    mqccf.cn/puvxrokt

    fhrkn.cn/koljin/tep/direct/loging/shink=A4MzY

    e-t-c-meisai3.an4yu.cyou/wfuucigy

    jump.smxxns.com/jloxWv?https://www.ana.co.jp/ja/jp/

    track.darack.com/zX440m?www.jal.com//up

    IP Addresses:

    43.165.185.55

    47.79.145.68

    47.79.150.163

    Email Addresses:

    Amazon.ai_iii@vftvhnw.com

    Amazon.asa.e@futagawa-foods.co.jp

    Amazon.cetoru@gyutan.jp

    Amazon.embutsu@nypf.com

    Amazon.kainanatai@news.wowma.jp

    Amazon.kiyoantx10@f65eqr.kyxbe.cn

    Amazon.ktakeru@azsia.net

    Amazon.nimdras@ld-lab.co.jp

    Amazon.syatem@kucek.net

    Amazon.tetsu-i@elkns.com

    Amazon.tolui@api.youvit.co.id

    Amazon.yumoka3@rflt.com

    Apple.bonkin@jgau.com

    Apple.kiraku@fzIm.com

    Apple.jv0159nh@dutts.net

    Apple.sankyu@zoLK.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "jp.tsity.com/token?token=3DZcfA7BJe=" or url like "jp.tsity.com/token?token=3DZcfA7BJe=" or siteurl like "jp.tsity.com/token?token=3DZcfA7BJe=" or
    domainname like "piy.wjzmzp.com/token?token=3DW0bVUzYu4T4Q64E=" or url like "piy.wjzmzp.com/token?token=3DW0bVUzYu4T4Q64E=" or siteurl like "piy.wjzmzp.com/token?token=3DW0bVUzYu4T4Q64E=" or
    domainname like "telogin.jjh521.com/token?token=3Dv4jl4FxperZa=" or url like "telogin.jjh521.com/token?token=3Dv4jl4FxperZa=" or siteurl like "telogin.jjh521.com/token?token=3Dv4jl4FxperZa=" or
    domainname like "jump.activeeve.com/IHdPmS?amazon.co.jp/amazon_update&amp" or url like "jump.activeeve.com/IHdPmS?amazon.co.jp/amazon_update&amp" or siteurl like "jump.activeeve.com/IHdPmS?amazon.co.jp/amazon_update&amp" or
    domainname like "jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin" or url like "jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin" or siteurl like "jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin" or
    domainname like "https://www.amazon.co.jp.gearheinz.com/ap/signin/" or url like "https://www.amazon.co.jp.gearheinz.com/ap/signin/" or siteurl like "https://www.amazon.co.jp.gearheinz.com/ap/signin/" or
    domainname like "aqielaxi.cn/ap/signin/openid/net2F" or url like "aqielaxi.cn/ap/signin/openid/net2F" or siteurl like "aqielaxi.cn/ap/signin/openid/net2F" or
    domainname like "cfsrvbu.cn/ap/signin/openid/net2F" or url like "cfsrvbu.cn/ap/signin/openid/net2F" or siteurl like "cfsrvbu.cn/ap/signin/openid/net2F" or
    domainname like "moqcxu.cn/ap/signin/openid/net2F" or url like "moqcxu.cn/ap/signin/openid/net2F" or siteurl like "moqcxu.cn/ap/signin/openid/net2F" or
    domainname like "orqiwiaa.cn/ap/signin/openid/net2F" or url like "orqiwiaa.cn/ap/signin/openid/net2F" or siteurl like "orqiwiaa.cn/ap/signin/openid/net2F" or
    domainname like "nmfoq.cn/ap/signin/openid/net2F" or url like "nmfoq.cn/ap/signin/openid/net2F" or siteurl like "nmfoq.cn/ap/signin/openid/net2F" or
    domainname like "pspmdeeo.cn/ap/signin/openid/net2F" or url like "pspmdeeo.cn/ap/signin/openid/net2F" or siteurl like "pspmdeeo.cn/ap/signin/openid/net2F" or
    domainname like "rnctj.cn/ap/signin/openid/net2F" or url like "rnctj.cn/ap/signin/openid/net2F" or siteurl like "rnctj.cn/ap/signin/openid/net2F" or
    domainname like "rxupja.cn/ap/signin/openid/net2F" or url like "rxupja.cn/ap/signin/openid/net2F" or siteurl like "rxupja.cn/ap/signin/openid/net2F" or
    domainname like "snrmfxko.cn/ap/signin/openid/net2F" or url like "snrmfxko.cn/ap/signin/openid/net2F" or siteurl like "snrmfxko.cn/ap/signin/openid/net2F" or
    domainname like "uxfjl.cn/ap/signin/openid/net2F" or url like "uxfjl.cn/ap/signin/openid/net2F" or siteurl like "uxfjl.cn/ap/signin/openid/net2F" or
    domainname like "vlupe.cn/ap/signin/openid/net2F" or url like "vlupe.cn/ap/signin/openid/net2F" or siteurl like "vlupe.cn/ap/signin/openid/net2F" or
    domainname like "secure.oamzon.co.jp.icatlar.net" or url like "secure.oamzon.co.jp.icatlar.net" or siteurl like "secure.oamzon.co.jp.icatlar.net" or
    domainname like "secure.oamzon.co.jp.ideeco.net" or url like "secure.oamzon.co.jp.ideeco.net" or siteurl like "secure.oamzon.co.jp.ideeco.net" or
    domainname like "secure.oamzon.co.jp.ispol.net" or url like "secure.oamzon.co.jp.ispol.net" or siteurl like "secure.oamzon.co.jp.ispol.net" or
    domainname like "secure.oamzon.co.jp.itbdqn.net" or url like "secure.oamzon.co.jp.itbdqn.net" or siteurl like "secure.oamzon.co.jp.itbdqn.net" or
    domainname like "secure.oamzon.co.jp.jiahongdiban.com" or url like "secure.oamzon.co.jp.jiahongdiban.com" or siteurl like "secure.oamzon.co.jp.jiahongdiban.com" or
    domainname like "secure.oamzon.co.jp.kamicop.net" or url like "secure.oamzon.co.jp.kamicop.net" or siteurl like "secure.oamzon.co.jp.kamicop.net" or
    domainname like "secure.oamzon.co.jp.largessemedia.com" or url like "secure.oamzon.co.jp.largessemedia.com" or siteurl like "secure.oamzon.co.jp.largessemedia.com" or
    domainname like "secure.oamzon.co.jp.leaderga.com" or url like "secure.oamzon.co.jp.leaderga.com" or siteurl like "secure.oamzon.co.jp.leaderga.com" or
    domainname like "secure.oamzon.co.jp.linefilm.net" or url like "secure.oamzon.co.jp.linefilm.net" or siteurl like "secure.oamzon.co.jp.linefilm.net" or
    domainname like "secure.oamzon.co.jp.lmsconsult.net" or url like "secure.oamzon.co.jp.lmsconsult.net" or siteurl like "secure.oamzon.co.jp.lmsconsult.net" or
    domainname like "78jn0dq.cn/puvxrokt" or url like "78jn0dq.cn/puvxrokt" or siteurl like "78jn0dq.cn/puvxrokt" or
    domainname like "a8wcinm.cn/puvxrokt" or url like "a8wcinm.cn/puvxrokt" or siteurl like "a8wcinm.cn/puvxrokt" or
    domainname like "drsxsz.cn/puvxrokt" or url like "drsxsz.cn/puvxrokt" or siteurl like "drsxsz.cn/puvxrokt" or
    domainname like "ksh3c3n.cn/signIn/account/ssi=" or url like "ksh3c3n.cn/signIn/account/ssi=" or siteurl like "ksh3c3n.cn/signIn/account/ssi=" or
    domainname like "mqccf.cn/puvxrokt" or url like "mqccf.cn/puvxrokt" or siteurl like "mqccf.cn/puvxrokt" or
    domainname like "fhrkn.cn/koljin/tep/direct/loging/shink=A4MzY" or url like "fhrkn.cn/koljin/tep/direct/loging/shink=A4MzY" or siteurl like "fhrkn.cn/koljin/tep/direct/loging/shink=A4MzY" or
    domainname like "e-t-c-meisai3.an4yu.cyou/wfuucigy" or url like "e-t-c-meisai3.an4yu.cyou/wfuucigy" or siteurl like "e-t-c-meisai3.an4yu.cyou/wfuucigy" or
    domainname like "jump.smxxns.com/jloxWv?https://www.ana.co.jp/ja/jp/" or url like "jump.smxxns.com/jloxWv?https://www.ana.co.jp/ja/jp/" or siteurl like "jump.smxxns.com/jloxWv?https://www.ana.co.jp/ja/jp/" or
    domainname like "track.darack.com/zX440m?www.jal.com//up" or url like "track.darack.com/zX440m?www.jal.com//up" or siteurl like "track.darack.com/zX440m?www.jal.com//up"

    Detection Query 2:

    dstipaddress IN ("43.165.185.55","47.79.145.68","47.79.150.163") or srcipaddress IN ("43.165.185.55","47.79.145.68","47.79.150.163")

    Detection Query 3:

    sender IN ("Amazon.ai_iii@vftvhnw.com","Amazon.asa.e@futagawa-foods.co.jp","Amazon.cetoru@gyutan.jp","Amazon.embutsu@nypf.com","Amazon.kainanatai@news.wowma.jp","Amazon.kiyoantx10@f65eqr.kyxbe.cn","Amazon.ktakeru@azsia.net","Amazon.nimdras@ld-lab.co.jp","Amazon.syatem@kucek.net","Amazon.tetsu-i@elkns.com","Amazon.tolui@api.youvit.co.id","Amazon.yumoka3@rflt.com","Apple.bonkin@jgau.com","Apple.kiraku@fzIm.com","Apple.jv0159nh@dutts.net","Apple.sankyu@zoLK.com")
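    The three queries above match the IOC strings as written. The list mixes bare hosts, hosts with a path, full URLs and redirector links that carry the lure URL in the query string, and every listed sender shares one shape (a brand name followed by a dot in the local part of an unrelated domain). The script below is an added example, not code from this advisory, from Gurucul or from Unit 42: it normalizes a subset of the IOCs above into host and path, matches constructed proxy and mail events against them, and then flags the structural patterns the IOCs share (brand domain used as a subdomain prefix, brand domain in a redirector's path or query, a look-alike label such as oamzon, brand-prefixed sender local part) so that hosts and senders not yet on the list are caught too. The event field names, the known-good allowlist, the similarity threshold and the sample events are all assumptions.

```python
import difflib
from urllib.parse import urlsplit

# Subset of the advisory's domain/URL IOCs, kept in the mixed forms the list uses:
# bare host, host plus path, full URL, and redirectors carrying the lure in the query.
IOC_URLS = [
    "secure.oamzon.co.jp.kamicop.net",
    "https://www.amazon.co.jp.gearheinz.com/ap/signin/",
    "cfsrvbu.cn/ap/signin/openid/net2F",
    "jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin",
    "track.darack.com/zX440m?www.jal.com//up",
]
IOC_IPS = {"43.165.185.55", "47.79.145.68", "47.79.150.163"}
IOC_SENDERS = {"amazon.syatem@kucek.net", "apple.sankyu@zolk.com"}  # stored case-folded

# Brands named in the advisory, plus known-good domains that must never trip the
# look-alike check (amazon.com / amazonaws.com are an assumption; extend for your estate).
BRAND_DOMAINS = ("amazon.co.jp", "apple.com", "jal.com", "ana.co.jp")
ALLOWED_DOMAINS = BRAND_DOMAINS + ("amazon.com", "amazonaws.com")
BRAND_LABELS = ("amazon", "apple")   # short labels like "jal"/"ana" give too many near-misses
TYPOSQUAT_RATIO = 0.8                # difflib similarity threshold; an assumption to tune


def split_url(url):
    """Return (host, path+query) for an IOC or logged URL written with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    u = urlsplit(url)
    rest = (u.path or "/") + ("?" + u.query if u.query else "")
    return (u.hostname or "").lower(), rest


IOC_HOSTS = {split_url(i)[0] for i in IOC_URLS}


def is_allowlisted(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def url_findings(url):
    """Exact IOC host hit, then the structural tells shared by the listed URLs."""
    host, rest = split_url(url)
    found = []
    if host in IOC_HOSTS:
        found.append("ioc-host:" + host)
    if is_allowlisted(host):
        return found                 # genuine brand/infra hosts get no pattern checks
    for b in BRAND_DOMAINS:
        if host.startswith(b + ".") or ("." + b + ".") in host:
            found.append("brand-as-subdomain:" + b)   # www.amazon.co.jp.<attacker>.com
        elif b in rest:
            found.append("brand-in-path:" + b)        # jump.<x>.com/ID?www.amazon.co.jp/...
    for label in host.split("."):
        for bl in BRAND_LABELS:
            if label != bl and difflib.SequenceMatcher(None, label, bl).ratio() >= TYPOSQUAT_RATIO:
                found.append("lookalike-label:%s~%s" % (label, bl))   # oamzon ~ amazon
    return found


def ip_findings(ip):
    return ["ioc-ip:" + ip] if ip in IOC_IPS else []


def sender_findings(sender):
    """Exact IOC hit, then the brand-prefixed local part every listed sender shares."""
    s = sender.strip().lower()
    found = []
    if s in IOC_SENDERS:
        found.append("ioc-sender:" + s)
    local, _, domain = s.rpartition("@")
    for bl in BRAND_LABELS:
        if local.startswith(bl + ".") and not is_allowlisted(domain):
            found.append("brand-prefixed-localpart:" + bl)   # Amazon.xxx@<unrelated domain>
    return found


def evaluate(event):
    """Findings for one event; the field names url/dst_ip/sender are an assumed schema."""
    found = []
    if "url" in event:
        found += url_findings(event["url"])
    if "dst_ip" in event:
        found += ip_findings(event["dst_ip"])
    if "sender" in event:
        found += sender_findings(event["sender"])
    return found


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://secure.oamzon.co.jp.kamicop.net/", "dst_ip": "47.79.145.68"},
    {"id": 2, "url": "https://www.amazon.co.jp.not-listed.net/ap/signin"},
    {"id": 3, "url": "jump.gdblmcp.com/RAIMyn?www.amazon.co.jp/ap/signin",
     "sender": "Amazon.info@not-listed.net"},
    {"id": 4, "url": "https://www.amazon.co.jp/ap/signin", "dst_ip": "203.0.113.10"},
    {"id": 5, "url": "https://s3.amazonaws.com/bucket/object"},
]


def run(events=SAMPLE_EVENTS):
    return {e["id"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for eid, findings in run().items():
        print(eid, findings or "clean")
```

    Two points carry over to the SIEM queries. First, an IOC that includes a path or query string can only match a field that stores the full URL, so when the `domainname` field holds a bare hostname only the `url`/`siteurl` clauses will fire for those entries; normalizing to host before comparison, as above, avoids silent misses. Second, the exact-match sender query will not catch the next `Amazon.xxx@` address from a domain not on the list, whereas the local-part pattern check will; treat the pattern hits as leads to triage rather than blocks, since the look-alike ratio is a heuristic and needs the allowlist tuned to your own legitimate traffic.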

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-19-phishing-activity-targeting-Japanese-speakers.txt


    Tags: Malware, Phishing, Japanese speakers, Amazon, Apple, Japan Airlines, Japan
