Blue Termite APT Targets Japanese Organizations

Kaspersky Lab has analyzed the activities of Blue Termite, an advanced persistent threat (APT) group focusing its efforts on Japanese organizations.

According to the security firm, Blue Termite has been active since at least November 2013. Not only does the campaign focus on Japan; most of the command and control (C&C) servers it uses are also located in the country.

Experts say hundreds of organizations have been targeted in this operation over the past two years, including government agencies, universities, public interest groups, financial services firms, banks, news companies, and various organizations from sectors such as automotive, chemical, healthcare, electrical, real estate, food, construction, insurance, transportation, robotics, semiconductors, and information services.

The group is also believed to be responsible for the recently disclosed breach suffered by the Japan Pension Service. The personal details of 1.25 million people were compromised in this attack.

Blue Termite is still active and the number of computers infected by the APT has increased considerably since July, when it started leveraging a Flash Player exploit leaked following the Hacking Team breach. Before the Flash Player exploit (CVE-2015-5119) was published, the cybergang leveraged spear-phishing emails to infect victims.

In July, Blue Termite planted the Hacking Team exploit on several compromised Japanese websites and started delivering its malware via drive-by-download attacks. This change in tactics led to a significant spike in infection rates.

In some cases, the attackers took steps to ensure that only the computers of certain users would get infected with their malware. One of the hacked sites used in the watering hole attacks belonged to a prominent member of the Japanese government. In another case, the group used a script to ensure that only users who visited the compromised website from the IP addresses of a certain Japanese organization would be served the malware.

Blue Termite has been leveraging customized malware of the Emdivi family to steal valuable data from victims. Trend Micro has also analyzed attacks involving Emdivi malware and the Hacking Team Flash Player exploit aimed at organizations in Japan (report from Trend Micro Japan).

“One of the most interesting things about the malware used by the Blue Termite actor is that each victim is supplied with a unique malware sample that is made in a way that it could only be launched on a specific PC, targeted by the Blue Termite actor,” Kaspersky said.

As far as attribution is concerned, Kaspersky Lab has determined that the attackers are likely Chinese speakers.

Symantec has also been monitoring this threat group’s activities. In November 2014, the security firm published a report detailing a campaign dubbed “CloudyOmega.” At the time, the attackers had been leveraging a zero-day vulnerability in Ichitaro, a Japanese word processor made by JustSystems, to deliver Emdivi backdoors and other pieces of malware such as PlugX (also known as Korplug and Sogu) and Zxshell.

Symantec reported that the group behind the CloudyOmega attacks had communication channels with the Hidden Lynx gang and the actor behind the 2013 attacks dubbed “LadyBoyle.”

It’s unclear if they are related, but last month FireEye also observed attacks launched by a Chinese APT actor against Japanese organizations. The attackers used a different Hacking Team Flash Player exploit to infect users with a version of the PlugX RAT.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
