The Snifula trojan is targeting more than 30 financial groups in Japan, including 12 regional banks, according to security firm Symantec.
Hackers are now using the malware to conduct man in the browser attacks to steal financial data from smaller companies' customers, in a broadening of the virus' range.
Symantec said: "As of July 2014, our telemetry shows that Japan is still ranked third and makes up almost 20% in terms of Trojan.Snifula activities.
"Considering our research, it seems that attackers are not about to quit targeting Japanese online banking customers."
A configuration file found by Symantec revealed 20 credit card sites and 17 online banking sites in Japan being targeted.
More than half of the targeted banks were said to be in the bottom half of the list comparing total deposit balances from customers.
"This clearly shows that the targeted banks are picked regardless of the institution's size," Symantec said.
The UK still accounts for a quarter of Snifula activity, with Germany responsible for a fifth while the US handles 15%.