
Mule Flood in Japan

Money mule recruitment emails are nothing new; for years they have been spammed out all over the globe. What is new is the recent wave aimed at “English-speaking Japanese residents”. It started at the end of July, and we have received hundreds of such themed spam emails since then.

The content typically promises an easy job requiring only a few hours per week and very few other qualifications.


This spam wave has probably not been very successful. One explanation is that many Japanese people I know will simply trash English emails if they do not commonly work with them. Also, as in our case, most of these emails are already filtered and placed in the trashcan by security software. Another reason may be that Japanese who do speak English are also smart enough to smell something phishy here.

And speaking of phishy … phishing and money mules are in fact closely related. The phishers’ part ends with stealing the login credentials for online banking accounts. The gathered information is then sold to the next team of criminals, the money mule recruiters, whose job is to “cash out” the stolen accounts.

What happened near the end of August was what may be the first ever appearance of money mule recruitment emails in the Japanese language. In the email, a person named “Martin” briefly explains this new job opening, with rewards of ~600,000 Yen. All the emails of this kind came from addresses like “Blah.Blah@outlook.com”.


We took the opportunity to reply to some of them (“Please tell me more …”) in order to observe what would happen.

It didn’t take long until we got replies – again an email from a “Martin”, but from a totally different email address belonging to a “consulting” company supposedly based in Sweden. From the email headers we concluded that the two servers used to send the emails are located in Russia. One of the domains is registered to (what looks like) a person in Italy, the other one in the US.
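The header analysis mentioned above, as an added example that is not part of the original post: the script walks the Received chain of a message from the earliest hop to the latest, skips hops from internal address ranges, and reports the first external relay plus any mismatch between the From and Reply-To domains (a common sign that the “company” address is just a front). The sample message, its hostnames, IP addresses and mail addresses are all constructed for this example (the 192.0.2.0/24 and 203.0.113.0/24 ranges are reserved for documentation); mapping the resulting IP to a country still requires an external WHOIS or GeoIP lookup, which the script deliberately does not perform.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample reply (not one of the real emails from the post).
# Received headers are listed newest-first, as every MTA prepends its own.
SAMPLE_EMAIL = b"""\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
\tby inbox.example-receiver.test with ESMTP id abc123
\tfor <victim@example-receiver.test>; Tue, 1 Sep 2009 10:00:00 +0900
Received: from mail.consulting-company.test (mail.consulting-company.test [203.0.113.45])
\tby mx.example-receiver.test with ESMTP id xyz789; Tue, 1 Sep 2009 09:59:58 +0900
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby mail.consulting-company.test with ESMTPA; Tue, 1 Sep 2009 09:59:50 +0900
From: "Martin" <martin@consulting-company.test>
Reply-To: martin.jobs@example-freemail.test
To: victim@example-receiver.test
Subject: Re: Please tell me more
Message-ID: <1@consulting-company.test>

Thank you for your interest. Please find the contract attached.
"""

# Address ranges that never identify an internet-facing relay. Checked
# explicitly because ipaddress.is_global would also reject the documentation
# ranges used in the constructed sample above.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]
FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(msg) -> list:
    """Return the Received hops in chronological order (earliest first)."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = str(value)
        host = FROM_HOST.match(text)
        ip = IPV4_IN_BRACKETS.search(text)
        hops.append({
            "host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def first_external_hop(hops: list):
    """The earliest hop with a public IP: the relay that handed the mail
    to the internet, which is what a WHOIS/GeoIP lookup should be run on."""
    for hop in hops:
        if hop["ip"] and not is_internal(hop["ip"]):
            return hop
    return None


def domain_of(header_value) -> str:
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    """Summarise where a message came from and whether replies are diverted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    origin = first_external_hop(hops)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg.get("Reply-To") or msg["From"])
    return {
        "hops": hops,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["host"] if origin else None,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": from_domain != reply_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The earliest hop in the sample (10.0.0.5) is the recruiter’s own workstation behind the relay and is skipped; the next hop is the first address worth looking up. Only the topmost Received lines, added by your own servers, are trustworthy; everything below them can be forged by the sender, so treat the result as a lead, not as proof.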


Now the content was even bilingual, and the attached files contained a “Contrakt” (sic) and some other papers explaining how this whole project is supposed to work. Next we came up with some nonsense questions for a reply, which led to some email ping-pong and allowed us to collect more details about the sender(s). This “employer” advised us to open a new bank account (“Preferences: Resonabank, Sevenbank, Shinseibank …”) and included another attachment for filling in our bank details.

And this is as far as we could go, because the next step would have been to receive (stolen) money into that account, with the final purpose of forwarding about 90% of it via wire transfer and keeping the remaining sum as our fee.

We can only advise everyone to ignore approaches of this kind: being a money mule is not fun, it is a very serious crime and a quick ticket to the police station.
