Infection flow after execution of the LNK file | Image: JPCERT/CC
At a glance
| Actor / group | APT-C-60 (threat group) |
| Activity | Spear-phishing, LNK loader, SpyGlace backdoor |
| Targets / victims | Organizations in Japan |
| Scale | Ongoing campaign; victim count not disclosed |
| Status | Public advisory; no arrests; no named individuals |
| Source | JPCERT/CC |
TL;DR
JPCERT/CC has detailed fresh APT-C-60 attacks against organizations in Japan. The group now abuses Proton Drive, LNK files, and several developer platforms. Its goal stays the same: deploy the SpyGlace backdoor.
What happened
The attack starts with a spear-phishing email. In one case, the email carried a Proton Drive link that led to a RAR archive. Inside sat a booby-trapped LNK file, next to decoy images and audio that made it look real. Once the victim opened the LNK, the infection began. JPCERT also saw the malicious file attached straight to an email.
The LNK file runs JavaScript through mshta.exe, a trusted Windows tool. That script pulls more files from a public CDN. It then decodes them and runs a legitimate git.exe to launch the next stage. This living-off-the-land style helps the attack blend into normal activity.
Who is behind it
JPCERT/CC attributes the activity to APT-C-60. The group has hit Japanese targets since at least 2024. This latest wave reuses its known git.exe and persistence tricks. SpyGlace has also been tied to APT-C-60 in earlier public reporting. JPCERT names the group, not any individual. Broader nation-state links remain an assessment by outside researchers.
Impact and scale
These APT-C-60 attacks aim to plant SpyGlace on victim machines. JPCERT observed SpyGlace versions v3.1.15 through v3.1.18. The core features matched earlier builds. SpyGlace acts as a backdoor, so operators can run commands and steal data. The bigger shift is the infrastructure. In 2026, the group added GitLab, jsDelivr, and Codeberg to its usual GitHub use.
That choice matters. JPCERT warns the attacks “abuse legitimate services and standard Windows functionality.” Because firms often allow developer platforms and CDNs, the traffic looks normal. As a result, blocking by destination alone rarely works.
How to stay protected
Treat cloud-storage links in unexpected emails with care. JPCERT advises users to “avoid opening cloud storage links in suspicious emails or LNK files.” Also flag LNK files that arrive inside RAR archives. Watch for mshta.exe and git.exe running from user folders. Correlate the full chain rather than single events. For the full technical detail and indicators, read JPCERT/CC’s report.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.