The JPCERT/CC Incident Response Group, led by malware analyst Yuma, has published a detailed report on a renewed wave of APT-C-60 cyber-espionage activity targeting Japanese organizations between June and August 2025. The campaign, which continues the threat actor’s long-standing abuse of legitimate cloud services, introduces new downloader variants and an evolved version of the SpyGlace malware.
According to the JPCERT/CC report, “The attacks confirmed by JPCERT/CC were targeted spear-phishing emails sent to recruitment staff, in which the attackers impersonated job seekers.” This latest campaign mirrors the group’s previous operations from 2024, though with significant technical upgrades in payload delivery and communication channels.
Attackers continue to rely on spear-phishing emails designed to deceive HR or recruitment departments. The messages impersonate legitimate job seekers and contain a malicious VHDX disk image.
“In the previous attacks, victims were directed to download a VHDX file from Google Drive. However, in the latest attacks, the malicious VHDX file was directly attached to the email.”
Once opened, the VHDX file contains a Windows shortcut (LNK) that triggers the execution of Git’s legitimate binary (gcmd.exe), which in turn runs an obfuscated script called glog.txt.

“The script executed by Git is responsible for displaying a decoy document, creating files, and executing those files.”
This multi-layered approach—using legitimate binaries—helps the attackers evade traditional endpoint detection.
JPCERT/CC’s telemetry shows that the attackers have refined their downloader stage malware (Downloader1 and Downloader2) to enhance victim tracking and persistence.
“Downloader1 periodically communicates with a legitimate statistics service called statcounter… identifying compromised machines by their volume serial number and computer name.”
The malware constructs a unique URL pattern to fetch additional payloads from GitHub:
“The attackers check the referrer value sent to StatCounter and then upload a file named ‘[VolumeSerialNumber + ComputerName].txt’ corresponding to the infected device to GitHub.”
These .txt files act as tasking instructions, directing infected machines to download further payloads or adjust operational parameters, including communication frequency.
For instance, command “1*” increases the beaconing interval from 1 hour to 6 hours, indicating a deliberate strategy to reduce detection by behaving less suspiciously.
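As an added illustration (not code from the JPCERT/CC report), the following Python sketch shows how a defender could look in web-proxy logs for the two behaviours described above: evenly spaced check-ins to StatCounter (the 1-hour or 6-hour beacon) and GitHub downloads whose file name is an 8-hex-digit volume serial followed by a computer name. The log format, the host names and the Referer layout are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not from the JPCERT/CC report). Fields:
# timestamp, source host, URL, Referer. The "<VolumeSerial>-<ComputerName>"
# Referer on the StatCounter hit is an assumption about the format.
SAMPLE_LOG = """\
2025-07-01T08:00:00 PC-A https://c.statcounter.com/t.php?sc_project=1 https://x.example/1A2B3C4D-PC-A
2025-07-01T09:00:00 PC-A https://c.statcounter.com/t.php?sc_project=1 https://x.example/1A2B3C4D-PC-A
2025-07-01T09:00:05 PC-A https://raw.githubusercontent.com/u/r/main/1A2B3C4DPC-A.txt -
2025-07-01T10:00:00 PC-A https://c.statcounter.com/t.php?sc_project=1 https://x.example/1A2B3C4D-PC-A
2025-07-01T08:00:00 PC-B https://c.statcounter.com/t.php?sc_project=1 https://x.example/DEADBEEF-PC-B
2025-07-01T14:00:00 PC-B https://c.statcounter.com/t.php?sc_project=1 https://x.example/DEADBEEF-PC-B
2025-07-01T20:00:00 PC-B https://c.statcounter.com/t.php?sc_project=1 https://x.example/DEADBEEF-PC-B
2025-07-01T08:13:00 PC-C https://c.statcounter.com/t.php?sc_project=9 https://news.example/a
2025-07-01T08:47:00 PC-C https://c.statcounter.com/t.php?sc_project=9 https://news.example/b
2025-07-01T12:02:00 PC-C https://c.statcounter.com/t.php?sc_project=9 https://news.example/c
"""
# GitHub fetch of "<8 hex digits of volume serial><computer name>.txt"
TASK_FILE_RE = re.compile(r"/[0-9A-Fa-f]{8}[A-Za-z0-9_-]+\.txt$")

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, host, url, referer = line.split()
        rows.append((datetime.fromisoformat(ts), host, url, referer))
    return rows

def periodic_beacons(rows, tolerance=0.1, min_hits=3):
    """{host: interval_seconds} for hosts whose StatCounter hits are evenly
    spaced (every gap within `tolerance` of the median gap). Ordinary
    browsing (PC-C) hits the service at irregular times and is not reported."""
    by_host = {}
    for ts, host, url, _ in rows:
        if "statcounter.com" in url:
            by_host.setdefault(host, []).append(ts)
    result = {}
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            result[host] = med
    return result

def tasking_fetches(rows):
    """[(host, url)] for GitHub downloads that look like per-victim task files."""
    return [(host, url) for _, host, url, _ in rows
            if "github" in url and TASK_FILE_RE.search(url)]
```

On the sample, `periodic_beacons(parse(SAMPLE_LOG))` reports PC-A at 3600 s and PC-B at 21600 s, and `tasking_fetches` returns PC-A's GitHub fetch.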
The SpyGlace malware, long associated with APT-C-60, has received multiple updates since its previous version (3.1.6). JPCERT/CC has now identified three new versions—3.1.12, 3.1.13, and 3.1.14—with notable changes in functionality and persistence methods.
“Compared with Version 3.1.6, the previously implemented commands ‘prockill’ and ‘proclist’ have been modified to perform no action. JPCERT/CC also confirmed a new command, ‘uld,’ has been added.”
The new uld command allows the malware to execute a specific function from a module and unload it after two seconds, possibly to minimize forensic footprints.
SpyGlace also now employs new persistence paths:
“From version 3.1.14, the automatic execution path has also changed from %public%\AccountPictures\Default\ to %appdata%\Microsoft\SystemCertificates\My\CPLs.”
JPCERT/CC’s analysis also revealed that the screenshot capture module has been refactored to use a hidden file named Clouds.db under %LocalAppData%\Microsoft\Windows\Clouds\, with an export function mssc1 — likely a new anti-analysis measure.
SpyGlace exhibits increasingly sophisticated encryption techniques in both its payload encoding and command-and-control (C2) traffic.
“SpyGlace’s characteristic encoding scheme combines a single-byte XOR with a SUB instruction. This is heavily used for strings the malware employs and for resolving dynamic APIs.”
When downloading secondary payloads, the malware uses AES-128-CBC encryption with hardcoded keys:
- KEY: B0747C82C23359D1342B47A669796989
- IV: 21A44712685A8BA42985783B67883999
For network communications, SpyGlace uses BASE64 and a custom RC4 variant.
“SpyGlace communicates with its C2 servers using BASE64 and RC4. The modified RC4 increases the number of KSA cycles and performs additions to the value that is to be XORed.”
The C2 payloads include the string “GOLDBAR”, which JPCERT/CC believes may indicate the campaign’s targeted region (Japan or East Asia).
“The ‘a001’ value contains the userid ‘GOLDBAR,’ the same string reported by Positive Technologies and observed in previous attacks against Japan.”
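The report gives the shape of the RC4 modification but not its parameters, so the following added Python example (not code from JPCERT/CC) reimplements RC4 with both knobs exposed: the number of KSA passes and a constant added to each keystream byte before the XOR. With `ksa_cycles=1` and `add_const=0` it is standard RC4, which the well-known "Key"/"Plaintext" test vector confirms; the placement of the addition, whether `j` carries across KSA passes, and the constructed `a001=GOLDBAR` sample are assumptions an analyst would adjust to the real sample.

```python
import base64

def rc4_variant_keystream(key, length, ksa_cycles=1, add_const=0):
    """RC4 keystream with two knobs for the deviations JPCERT/CC describes:
    `ksa_cycles` repeats the key-scheduling loop (j is carried across passes,
    an assumption) and `add_const` is added mod 256 to each keystream byte
    before it is XORed with the data. ksa_cycles=1, add_const=0 is plain RC4."""
    S = list(range(256))
    j = 0
    for _ in range(ksa_cycles):
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append((S[(S[i] + S[j]) & 0xFF] + add_const) & 0xFF)
    return bytes(out)

def rc4_variant(key, data, ksa_cycles=1, add_const=0):
    """Encrypt or decrypt (the operation is symmetric)."""
    ks = rc4_variant_keystream(key, len(data), ksa_cycles, add_const)
    return bytes(a ^ b for a, b in zip(data, ks))

def encode_c2_blob(plaintext, key, ksa_cycles, add_const):
    """Apply the described wrapping: variant RC4 inside, BASE64 outside."""
    return base64.b64encode(rc4_variant(key, plaintext, ksa_cycles, add_const)).decode()

def decode_c2_blob(blob_b64, key, ksa_cycles, add_const):
    """Reverse it: BASE64-decode, then run the variant RC4 with the recovered knobs."""
    return rc4_variant(key, base64.b64decode(blob_b64), ksa_cycles, add_const)
```

When the analyst's parameter guess is wrong, the decoded bytes come out as noise rather than a readable `a001=...` record, so the known-plaintext check on the user id is a convenient way to confirm the recovered variant.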
The lure content used in these campaigns remains highly contextual and regionally tailored. Interestingly, the Gmail address used in the phishing emails partially matched the fake researcher’s name—a common hallmark of APT-C-60’s attention to social authenticity.
One of the most concerning elements of this campaign is the use of GitHub as a delivery and command channel. Since GitHub repositories are publicly accessible, many of the payloads remain retrievable even after initial campaigns end.
Analysis of the commit logs revealed timestamps, email addresses, and unique device identifiers from compromised hosts — evidence of the attackers’ systematic and traceable development workflow.