JSAC2026 -Day 2-

Continuing from the previous report, this second installment introduces the presentations delivered during the Day 2 Main Track.

Following the Trace: Reconstructing Attacks from Ext4 and XFS Journals

Speaker: Minoru Kobayashi, Internet Initiative Japan Inc.

Presentation Materials (English)

Minoru Kobayashi presented an approach for inferring file operations and reconstructing them as a timeline based on the journal structures and analysis methods of the ext4 and XFS file systems. Through a demonstration of the journal analysis tool “FJTA (Forensic Journal Timeline Analyzer),” developed for this purpose, the presentation highlighted the effectiveness of journal analysis in complementing conventional timeline analysis, even in situations where timestamps cannot be considered reliable.

At the outset, the limitations of traditional timeline analysis in digital forensics were discussed. Specifically, MACB timestamps represent only a snapshot at the time of disk acquisition and, by design, cannot reflect multiple historical operations or manipulations such as timestomping. As a new approach to address this challenge, the motivation for focusing on the journal mechanisms of ext4 and XFS, which are widely used in Linux environments, was explained.

The presentation then provided an overview of the structures and analysis methods of ext4 and XFS journals, demonstrating how metadata modification records stored on a per-transaction basis can be used to infer operations such as file creation and deletion, and to reconstruct them chronologically. Although the specifications of these file systems are publicly available, no open-source tools currently exist that can practically analyze both file systems and visualize the results in timeline form. It was also noted as a challenge that existing tools such as The Sleuth Kit only provide data enumeration.

Through a demonstration of FJTA, it was shown that file activities can be detected from journal data, enabling the visualization of attack traces that would not be visible through conventional timeline analysis. The presentation also addressed practical application examples in real attack scenarios, as well as the limitations of anti-forensic techniques.

In conclusion, it was emphasized that file system journals constitute highly reliable forensic artifacts that are difficult to tamper with. For incident response, it was recommended that journal data should be collected as a priority after acquiring a memory image. The speaker emphasized the importance of prioritizing journal acquisition over block device analysis and standard file collection.
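To make the idea behind journal-based timeline reconstruction concrete, the following is an added example written for this article; it is not FJTA's code and does not parse the on-disk jbd2 or XFS log formats. It assumes that a journal has already been decoded into per-transaction inode records (name, size, mtime, ctime) together with the commit timestamp of each transaction, and it replays those transactions in commit order, diffing each inode against its last known state to infer create, write, rename and delete operations. Because the journal's commit clock is independent of the timestamps stored inside the inode, an mtime that moves backwards between two transactions is flagged as a probable timestomp, which a single MACB snapshot could never reveal. All records below are constructed.

```python
"""Added example: infer file operations from per-transaction inode records
and lay them out as a timeline.  Journal formats (ext4 jbd2, XFS log) are
abstracted away; every record here is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

CLOCK_SKEW = 300  # seconds of tolerance before an mtime counts as "in the future"


@dataclass(frozen=True)
class InodeRecord:
    """Post-commit state of one inode as captured by a journal transaction."""
    inode: int
    name: Optional[str]  # None once the inode has been unlinked/freed
    size: int
    mtime: int           # content-modification time stored in the inode (epoch s)
    ctime: int           # inode-change time stored in the inode (epoch s)


@dataclass(frozen=True)
class Transaction:
    tid: int
    commit_time: int     # commit timestamp taken from the journal itself
    records: tuple       # InodeRecord entries touched by this transaction


def infer_operations(transactions):
    """Replay transactions in commit order, diff each inode against its last
    known state and emit (commit_time, tid, inode, event, detail) tuples."""
    last = {}       # inode number -> last InodeRecord seen
    timeline = []
    for tx in sorted(transactions, key=lambda t: t.tid):
        for rec in tx.records:
            prev = last.get(rec.inode)
            ev = lambda kind, detail: (tx.commit_time, tx.tid, rec.inode, kind, detail)
            if prev is None:
                if rec.name is not None:
                    timeline.append(ev("CREATE", rec.name))
            elif rec.name is None:
                if prev.name is not None:
                    timeline.append(ev("DELETE", prev.name))
            else:
                if rec.name != prev.name:
                    timeline.append(ev("RENAME", f"{prev.name} -> {rec.name}"))
                if rec.size != prev.size:
                    timeline.append(ev("CONTENT_CHANGE", f"size {prev.size} -> {rec.size}"))
                # Timestomp heuristic: the commit clock is independent of the
                # inode's own timestamps, so an mtime that moves backwards or
                # lands in the future relative to the commit is suspicious.
                if rec.mtime < prev.mtime or rec.mtime > tx.commit_time + CLOCK_SKEW:
                    timeline.append(ev("TIMESTOMP",
                                       f"mtime {prev.mtime} -> {rec.mtime} at commit {tx.commit_time}"))
            last[rec.inode] = rec
    return timeline


def sample_timeline():
    """Constructed journal contents for one inode: create, write, backdate the
    mtime, rename to a hidden name, then unlink."""
    txs = [
        Transaction(1, 1000, (InodeRecord(12, "/tmp/stage.sh", 0, 1000, 1000),)),
        Transaction(2, 1060, (InodeRecord(12, "/tmp/stage.sh", 512, 1060, 1060),)),
        Transaction(3, 1120, (InodeRecord(12, "/tmp/stage.sh", 512, 900, 1120),)),
        Transaction(4, 1180, (InodeRecord(12, "/tmp/.stage", 512, 900, 1180),)),
        Transaction(5, 1240, (InodeRecord(12, None, 0, 900, 1240),)),
    ]
    return infer_operations(txs)


if __name__ == "__main__":
    for commit, tid, ino, event, detail in sample_timeline():
        print(f"{commit}\ttid={tid}\tinode={ino}\t{event}\t{detail}")
```

The final MACB view of this inode would show nothing at all (it was deleted), and even before deletion it would show only the backdated mtime; the journal replay recovers the whole sequence and the commit time at which each step actually happened.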

Unmasking the CoGUI Phishing Kit, the Major Chinese Phishing-as-a-Service Targeting Japan

Speaker: Shadow Liu, Lime Chen, Albert Song, TeamDonut

Presentation Materials (English)

Shadow Liu, Lime Chen, and Albert Song presented an analysis of the phishing campaign “CoGUI,” which targets numerous Japanese brands in the financial, transportation, and government service sectors, as well as of the China-based Phishing-as-a-Service (PhaaS) platform “FishingMaster (垂钓大师)” behind its operations.

The session began with an overview of the current state of large-scale phishing attacks targeting Japan and demonstrated that CoGUI is operated through FishingMaster. Because the platform has promoted and distributed its services through closed channels, its operations had long remained largely unknown. By comparing its evolution from the first-generation platform to its successor systems, and through web scanner data analysis, monitoring of underground communities, and technical investigation, the speakers systematically uncovered the infrastructure configuration and operational ecosystem supporting CoGUI.

It was further explained that, following media coverage in 2025, the operators temporarily suspended their activities but later resumed operations under rebranded names such as NX and FA. In doing so, they enhanced operational security by further concealing infrastructure, encrypting communications, and strengthening detection evasion capabilities.

The presentation also shared findings related to attribution and behavioral patterns observed in underground markets, examining the group’s business model and risk management strategies.

In conclusion, it was noted that the operators tend to scale down activities rapidly in response to legal pressure or law enforcement actions, suggesting that psychological pressure could be a point of weakness. For defenders, the importance of identifying characteristic URL and API patterns, tracking related infrastructure, and conducting proactive threat hunting was emphasized.

The Mechanism for Building a Phishing Admin Panel

Speaker: Masaomi Masumoto, NTT DOCOMO BUSINESS, Inc.

Presentation Materials (English)

Masaomi Masumoto presented the methods for building phishing admin panels and their functionalities, against the backdrop of the growing prevalence of Phishing-as-a-Service (PhaaS).

The session began by explaining how the widespread adoption of PhaaS has lowered the technical barriers to conducting phishing attacks and improved the efficiency of phishing operations, leading to the emergence of phishing admin panels. In recent implementations, these panels allow operators to create and configure phishing sites, manage stolen information, configure cloaking settings, manage domains, and even bypass one-time passwords.

The presentation then outlined the construction methods and technical mechanisms of phishing admin panels, highlighting that they are designed for rapid deployment and removal through the use of Docker and automated installation scripts. A notable characteristic of such attack infrastructure is that immediacy and efficiency are prioritized over persistence. It was also explained that analyzing the deployment tools can provide insight into the underlying infrastructure used by the operators.

Furthermore, through case studies such as “CoGUI” and “Oriental Gudgeon,” the presentation analyzed the dependent domains and URL structures, demonstrating that PhaaS infrastructure relies heavily on a limited set of specific URLs or domains. Given this high level of dependency, it was pointed out that blocking those particular URLs or domains could potentially disrupt the operation of the service as a whole.

In conclusion, it was emphasized that effective phishing countermeasures require addressing not only individual phishing sites but also identifying and taking down the admin panels themselves. As a first step toward this objective, the speaker emphasized the need to understand the mechanisms and construction methods of phishing admin panels.

Combatting residential proxy services in Japan: Part II

Speaker: Yuji Ino, Recruit Co., Ltd.; Paul Ziegler, Reflare, Ltd.
In his presentation at JSAC2022 “The Struggle Against Domestic Malicious Proxy Services”, Yuji Ino collected and analyzed the exit IP addresses used by 911, which was the largest provider at the time, over a one-year period. The session explained the detection of residential IP proxies that leveraged consumer Internet connections, as well as the challenges of IP address–based reputation assessment.

In this presentation, together with Paul Ziegler, the speakers provided an update on three years of research conducted since JSAC2022. Based on continuous monitoring of domestic IP addresses, they discussed the latest trends in residential proxy services, their patterns of abuse, and related detection techniques. As the presentation contained a significant amount of information classified as TLP:RED, specific details are not disclosed.

A deep-dive into RapperBot C2 operation and DDoS attacks

Speaker: Hideyuki Furukawa, National Institute of Information and Communications Technology

Presentation Materials (English)

Hideyuki Furukawa provided an in-depth analysis of the IoT-focused DDoS botnet “RapperBot,” presenting findings on its C2 operations and DDoS attack activities, which had not previously been reported in detail.

The session began with an overview of RapperBot, explaining that it primarily targets DVRs and network cameras and propagates through multiple scanners. An ongoing investigation since 2022, including darknet monitoring and data collected through honeypots, confirmed a large number of infections in regions such as Taiwan, the United States, and Japan, and revealed the large-scale operation of its C2 servers.

The presentation then examined specific cases, including the correlation between RapperBot’s DDoS attack timing and intermittent service disruptions affecting X (formerly Twitter) in March 2025, as well as concentrated attacks against online game–related servers in China. In addition, analysis of the malware architecture, C2 protocol specifications, server rotation practices, and operational aspects of the user interface suggested that the C2 control panel may have been operated through macro-based automation or via a console interface. It also revealed instances of operational mistakes and inefficient configurations.

Furthermore, based on approximately five months of data collected prior to the operator’s arrest, the presentation organized details of the C2 operations, attack commands, and targeting trends. It was reported that the implementation of a blacklist function prevented repeat attacks, ultimately leading to the cessation of communications and the arrest of the operator.

In conclusion, the speaker emphasized the importance of understanding the operational realities of large-scale IoT botnets in order to accurately assess the threat landscape, and highlighted the need to reduce the number of vulnerable IoT devices as a fundamental measure.

Unraveling the WSUS Exploit Chain: Incident Analysis and Actor Insights

Speaker: Shohei Iwata, Teruki Yoshikawa, NTT Security Japan KK

Presentation Materials (English)

Shohei Iwata and Teruki Yoshikawa presented an in-depth analysis of an attack exploiting the WSUS RCE vulnerability (CVE-2025-59287). They shared how the investigation progressed toward identifying the initial point of compromise, describing a hypothesis-driven analysis informed by insights gained through daily intelligence collection, as well as attribution analysis based on TTP evidence, including the abuse of Velociraptor. The session provided a practical reference case for incident response and offered recommendations for reviewing defensive measures in light of evolving threat trends.

The presentation began with an overview of an attack targeting a Japanese company that was observed by a SOC in October 2025. In this incident, the intrusion began with the exploitation of the WSUS RCE vulnerability, and Velociraptor, a legitimate forensic/DFIR tool, was abused as an RMM tool. At the outset, there was no clear information regarding the infection vector, and the true initial point of compromise could not be readily determined based solely on EDR telemetry. However, by correlating multiple detected alerts with process tree analysis and network IoCs, the analysis reconstructed the deployment flow of Velociraptor via an MSI installer and concluded that this vulnerability was very likely used for initial access.
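As an added illustration of the correlation step described above (example code written for this article, not the speakers' tooling and not any EDR vendor's schema), the following reconstructs the process ancestry of an MSI installation from EDR-style process-creation events and joins it with network connections to known IoC domains. The event fields, process names (including the stand-in service process `server-app.exe`), host and domain names are all constructed placeholders; in real telemetry, processes should be keyed on pid plus start time because pids are reused.

```python
"""Added example: walk process ancestry from an alerting msiexec event and
correlate the chain with network IoCs.  All events and names are constructed."""

# Processes whose presence at the top of every chain carries no signal.
SYSTEM_SCAFFOLD = {"System", "smss.exe", "wininit.exe", "services.exe"}

# Constructed process-creation telemetry (pid reuse ignored for brevity).
PROCESS_EVENTS = [
    {"ts": 100, "pid": 4,    "ppid": 0,    "image": "System"},
    {"ts": 110, "pid": 800,  "ppid": 4,    "image": "services.exe"},
    {"ts": 120, "pid": 1200, "ppid": 800,  "image": "server-app.exe"},  # hypothetical exposed service
    {"ts": 130, "pid": 1300, "ppid": 800,  "image": "svchost.exe"},
    {"ts": 500, "pid": 2100, "ppid": 1200, "image": "cmd.exe"},
    {"ts": 505, "pid": 2150, "ppid": 2100, "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Windows\\Temp\\agent.msi /qn"},
    {"ts": 520, "pid": 2200, "ppid": 2150, "image": "Velociraptor.exe"},
]

# Constructed network telemetry; destinations are placeholder names.
NETWORK_EVENTS = [
    {"ts": 300, "pid": 1300, "dest": "updates.legit.example"},   # benign noise
    {"ts": 502, "pid": 2100, "dest": "msi-host.example"},
    {"ts": 515, "pid": 2200, "dest": "c2-frontend.example"},
]

# Constructed IoC list standing in for domains shared across incidents.
IOC_DOMAINS = {"msi-host.example", "c2-frontend.example"}


def build_index(process_events):
    """Map pid -> process-creation event."""
    return {e["pid"]: e for e in process_events}


def ancestry(pid, by_pid):
    """Return the chain of events from the root ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)           # guard against malformed/cyclic ppid data
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def find_msi_installs(process_events):
    """Select msiexec invocations that install an .msi package."""
    return [e for e in process_events
            if e["image"].lower() == "msiexec.exe"
            and ".msi" in e.get("cmdline", "").lower()]


def entry_candidate(chain):
    """First ancestor below the OS scaffolding: the likely point of entry."""
    for e in chain:
        if e["image"] not in SYSTEM_SCAFFOLD:
            return e["image"]
    return None


def correlate(process_events, network_events, ioc_domains):
    """For each MSI install, reconstruct its ancestry and the child it spawned,
    then report network IoC hits made by any process in that lineage."""
    by_pid = build_index(process_events)
    findings = []
    for inst in find_msi_installs(process_events):
        chain = ancestry(inst["pid"], by_pid)
        lineage = {e["pid"] for e in chain}
        lineage |= {e["pid"] for e in process_events if e["ppid"] == inst["pid"]}
        hits = {(n["pid"], n["dest"]) for n in network_events
                if n["pid"] in lineage and n["dest"] in ioc_domains}
        findings.append({
            "msi_pid": inst["pid"],
            "chain": [e["image"] for e in chain],
            "entry_candidate": entry_candidate(chain),
            "ioc_hits": sorted(hits),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, NETWORK_EVENTS, IOC_DOMAINS):
        print(" -> ".join(f["chain"]))
        print("entry candidate:", f["entry_candidate"], "| IoC hits:", f["ioc_hits"])
```

The point of the join is that neither signal alone is conclusive: an msiexec alert by itself says nothing about how the operator got in, and a connection to a hosting domain by itself could be noise, but a lineage that both descends from an exposed service process and talks to infrastructure shared across incidents supports the initial-access hypothesis the speakers described.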

The presentation then detailed the attack flow and the tools employed. By identifying commonalities across Velociraptor configuration files, PKI structures, hosting server domains, MSI file names, and AWS account names, the speakers determined that the multiple incidents were linked to the same actor.

In conclusion, the speakers emphasized the importance of strengthening detection capabilities and reviewing configurations based on the lessons learned from this case, and shared practical insights applicable to incident analysis.

Continuous Intrusion/Continuous Distribution: Tracking Fox’s Iterative Malspam Campaign

Speaker: Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.

Presentation Materials (English)

Satoshi Kamekawa presented an analysis of a phishing campaign targeting Japanese organizations that was attributed to “Silver Fox” and observed between September and October 2025. Based on attack patterns classified into five distinct phases, the session examined the characteristics of the suspicious emails, findings from the analysis of the attack infrastructure, and technical findings from the observed malware samples.

The presentation began with an overview of the investigation into a large volume of phishing emails impersonating specific organizations and containing embedded URLs within the message body. When recipients clicked the malicious URLs, they were redirected through intermediary sites, leading to the download of a loader, which subsequently retrieved additional payloads in a multi-stage infection chain.

The session then detailed the infection flow and highlighted inconsistencies in the malware’s implementation, such as logic designed to detect Japanese language environments while failing to execute outside Chinese language environments, suggesting potential development or configuration contradictions.

Furthermore, it was explained that the threat actors continuously updated their tactics, including compiling malware and deploying it to C2 servers shortly before distributing phishing emails. The malware used in the campaign included ValleyRAT and VShell. While ValleyRAT had previously been reported primarily in attacks targeting organizations in China and Taiwan, cases involving Japanese organizations had been limited. In this campaign, however, Japan was also included among the targets, suggesting that the threat actors may be expanding the scope of their operations.

In conclusion, based on similarities in the malware used and overlaps with previously observed activities, the speaker stated that the campaign was likely linked to “Silver Fox.” The presentation emphasized the importance of strengthening monitoring of Japanese-language phishing emails, improving detection and blocking of anomalous communications, and conducting continuous threat analysis.

From Access to Encryption: Uncovering Qilin’s Attack Lifecycle

Speaker: Takahiro Takeda, Cisco Talos

Presentation Materials (English)

Takahiro Takeda presented an overview of ransomware trends in Japan, with a particular focus on the Qilin group. The session outlined the full attack lifecycle and the current state of initial access based on analysis of multiple incidents.

The presentation began by noting that the number of ransomware incidents in Japan increased in 2025, with small and medium-sized enterprises accounting for more than half of affected organizations. Among these cases, Qilin accounted for a notable share, underscoring its significant presence in Japan.

It was further explained that Qilin has expanded its activities globally, including in the United States, Canada, China, and South Korea, and remains highly active, continuously publishing victim organizations on its leak site.

The session then examined the realities of Qilin’s initial access methods. Primary intrusion vectors included the abuse of leaked credentials obtained through encrypted messaging applications such as Telegram and Signal, marketplace forums, and initial access brokers. Once inside a network, the attack typically progressed through reconnaissance, lateral movement, credential theft, abuse of RMM tools, and ultimately data exfiltration and encryption.

Characteristic TTPs were also highlighted, including selective data exfiltration using a combination of legitimate and custom tools, encryption of entire virtual environments through automated scripts, clearly defined role separation within the group, and EDR evasion techniques.

In conclusion, given the short time between initial access and encryption, the importance of early detection before ransomware execution was emphasized. Recommended measures included comprehensive log collection, strict enforcement of MFA, implementation of offline backups, proactive configuration of security products, and strengthened detection through the use of Sigma and YARA rules. The speaker also cautioned that attacks are likely to continue and become increasingly automated.

Conclusion

This article introduced the presentations delivered on the second day of JSAC2026. In the next installment of JPCERT/CC Eyes, coverage will continue with highlights from the workshop, lightning talk session, and panel discussion.

Nanae Sasaki (This article was machine-translated and manually reviewed.)
