The DragonOK advanced persistent threat (APT) group has been deploying Sysget, TidePool, and IsSpace malware against Japanese users in recent months. The malware is distributed through phishing emails containing malicious attachments, and through Rich Text Format (RTF) documents that exploit a Microsoft Word vulnerability to drop malicious payloads. When a victim clicks on one of the malicious documents, a decoy document that masquerades as a legitimate one is opened to minimise suspicion.
The most targeted industries in Japan include manufacturing, higher education, energy, and technology. DragonOK is also likely seeking victims in Taiwan, Tibet, and Russia.