JPCERT/CC has reported renewed attack activity by the APT-C-60 threat group between June and August 2025, targeting Japanese organizations through sophisticated spear-phishing emails.
As in the 2024 campaign, the attackers posed as job seekers and sent messages to recruitment staff. Unlike the earlier incidents, in which victims downloaded the malicious VHDX file from Google Drive, the latest campaign attaches the file directly to the email, so no external download is needed to reach the victim.
Mounting the VHDX presents the victim with shortcut (LNK) files and decoy resumes. When a shortcut is opened, the LNK runs a legitimate Git binary (gcmd.exe) to execute a malicious script named glog.txt. The script drops and runs the next-stage payloads while opening the decoy resume so that the victim sees nothing unusual.
The primary downloader, WebClassUser.dat (Downloader1), persists through COM hijacking: it is registered under the CLSID {566296fe-e0e8-475f-ba9c-a31ad31620b1}, so the DLL is loaded whenever that COM object is instantiated.
Updated Downloaders Using StatCounter and GitHub
Downloader1 gathers basic system data and checks in with the legitimate analytics service StatCounter, embedding the infected system's volume serial number and computer name in the HTTP Referer field.
Because that value is unique per host, the attackers can upload per-victim instructions to GitHub under filenames that mirror the compromised system's identifier. Downloader1 then retrieves the matching file, downloads Downloader2, and executes it.

The GitHub repository path used follows the structure: https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt
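The following is an added example for defenders, not JPCERT/CC's code and not the malware itself. It turns the Downloader1 chain described above (the COM hijack under the quoted CLSID, the StatCounter check-in, and the per-victim GitHub fetch) into two hunting checks run over constructed inputs: a .reg-style export of the CLSID key and a few proxy log lines. Two details the report does not state are assumed here: that the identifier is the volume serial number as eight uppercase hex digits followed by the computer name, and that the hijack lives under HKCU, the usual user-writable location for this technique.

```python
"""Hunting helpers for the Downloader1 chain. Added example; the identifier
layout and the HKCU location of the hijack are assumptions, not report facts."""
import re
from typing import Dict, List, Set, Tuple

# Values quoted in the report.
HIJACKED_CLSID = "{566296fe-e0e8-475f-ba9c-a31ad31620b1}"
REPO_PREFIX = "/carolab989/class2025/refs/heads/main/"


def expected_identifier(volume_serial: int, computer_name: str) -> str:
    """Assumed layout: 8 uppercase hex digits of the serial, then the host name."""
    return f"{volume_serial:08X}{computer_name.upper()}"


def expected_payload_url(volume_serial: int, computer_name: str) -> str:
    """URL Downloader1 would fetch for this host, following the report's path."""
    ident = expected_identifier(volume_serial, computer_name)
    return f"https://raw.githubusercontent.com{REPO_PREFIX}{ident}.txt"


# --- COM hijack check over a .reg export -----------------------------------
_SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"$')


def find_com_hijack(reg_export: str) -> List[str]:
    """Return in-process server paths registered for the hijacked CLSID under HKCU.
    HKCU\\Software\\Classes is consulted before HKLM, so a user-writable key
    silently shadows the legitimate server."""
    hits, in_target = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            in_target = (key.startswith("hkey_current_user\\software\\classes\\clsid\\")
                         and HIJACKED_CLSID in key
                         and key.endswith("\\inprocserver32"))
            continue
        m = _DEFAULT_RE.match(line)
        if in_target and m:
            # .reg files write one backslash as "\\"; fold it back.
            hits.append(m.group("value").replace("\\\\", "\\"))
    return hits


# Constructed export (not a real system's): a user-level key shadowing the server.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\WebClassUser.dat"
"ThreadingModel"="Apartment"
"""

# --- Beacon correlation over proxy logs -------------------------------------
# Constructed log lines: client host method path referer ("-" when absent).
SAMPLE_PROXY_LOG = [
    "10.0.0.5 c.statcounter.com GET /t.php?sc_project=1 http://1A2B3C4DDESKTOP-7H3K9Q/",
    "10.0.0.5 raw.githubusercontent.com GET /carolab989/class2025/refs/heads/main/1A2B3C4DDESKTOP-7H3K9Q.txt -",
    "10.0.0.6 www.example.com GET /index.html https://www.example.com/",
]
_PATH_RE = re.compile(re.escape(REPO_PREFIX) + r"(?P<ident>[^/]+)\.txt$")


def find_beacons(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag StatCounter check-ins and fetches of the per-victim instruction file.
    Each hit is (client, stage, identifier)."""
    hits = []
    for line in log_lines:
        client, host, _method, path, referer = line.split(maxsplit=4)
        host = host.lower()
        if host.endswith("statcounter.com") and referer != "-":
            # The identifier rides in the Referer; strip scheme and slashes.
            ident = re.sub(r"^[a-z]+://", "", referer, flags=re.I).strip("/")
            hits.append((client, "statcounter-checkin", ident))
        elif host == "raw.githubusercontent.com":
            m = _PATH_RE.search(path)
            if m:
                hits.append((client, "github-instruction-fetch", m.group("ident")))
    return hits


def correlate(hits: List[Tuple[str, str, str]]) -> Set[str]:
    """Identifiers seen in both stages: a check-in and the matching fetch."""
    by_stage: Dict[str, Set[str]] = {}
    for _client, stage, ident in hits:
        by_stage.setdefault(stage, set()).add(ident)
    return by_stage.get("statcounter-checkin", set()) & by_stage.get("github-instruction-fetch", set())


if __name__ == "__main__":
    print("COM hijack servers:", find_com_hijack(SAMPLE_REG_EXPORT))
    print("Beacon hits:", find_beacons(SAMPLE_PROXY_LOG))
    print("Confirmed victims:", correlate(find_beacons(SAMPLE_PROXY_LOG)))
    print("Expected URL:", expected_payload_url(0x1A2B3C4D, "DESKTOP-7H3K9Q"))
```

Two hunting notes: the registry check deliberately ignores HKLM entries for the same CLSID, because a legitimate server there is expected and the hijack is the per-user shadow; and on real proxy logs the StatCounter hits alone are noisy, so the correlation with a raw.githubusercontent.com fetch of the same identifier is what turns a hit into a confirmed victim.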
Both Downloader1 and Downloader2 employ XOR-based decoding with keys such as sgznqhtgnghvmzxponum and AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE.
The downloaders can change their communication interval or fetch new DLL payloads through command strings such as “1*” (change interval) and “http*” (download DLL). This modular design lets the operators reconfigure the implant remotely and keep it quiet between tasks.
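The following added example (not the downloaders' own code) shows repeating-key XOR decoding with the two keys quoted above, plus a dispatcher for the “1*” (change interval) and “http*” (download DLL) command shapes. The report does not settle the encoding details, so these are assumptions: the key repeats across the buffer, the decoded text is UTF-8 with one command per line, and the “*” stands for the rest of the line (an interval in seconds after “1”, a URL after “http”). The sample instruction file is constructed.

```python
"""Repeating-key XOR decoding and command dispatch for the two downloaders.
Added example; key repetition, UTF-8 line-based commands and the meaning of
"*" are assumptions, not facts from the report."""
import re
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List, Optional

# Keys quoted in the report.
XOR_KEYS: Dict[str, bytes] = {
    "downloader1": b"sgznqhtgnghvmzxponum",
    "downloader2": b"AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE",
}


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric, so one function both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


@dataclass
class Command:
    kind: str      # "set_interval", "download_dll" or "unknown"
    value: object  # seconds (int), URL (str), or the raw line


def parse_commands(text: str) -> List[Command]:
    """Map decoded lines onto the two command shapes named in the report."""
    cmds: List[Command] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("1"):
            digits = re.sub(r"\D", "", line[1:])   # tolerate "1:600", "1=600", ...
            cmds.append(Command("set_interval", int(digits) if digits else None))
        elif line.lower().startswith("http"):     # "http*" also covers https://
            cmds.append(Command("download_dll", line))
        else:
            cmds.append(Command("unknown", line))
    return cmds


def _looks_like_text(s: str) -> bool:
    """Reject decodings full of control characters (the wrong key's output)."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def identify_key(blob: bytes) -> Optional[str]:
    """Try each known key; accept the first that yields clean text in which
    every line is a recognised command. Handy when triaging a captured blob."""
    for name, key in XOR_KEYS.items():
        try:
            text = xor_with_key(blob, key).decode("utf-8")
        except UnicodeDecodeError:
            continue
        cmds = parse_commands(text)
        if _looks_like_text(text) and cmds and all(c.kind != "unknown" for c in cmds):
            return name
    return None


@dataclass
class ImplantState:
    """What the commands change: the beacon interval and the DLLs the implant
    would fetch next (nothing is downloaded here)."""
    interval_seconds: int = 60
    pending_downloads: List[str] = field(default_factory=list)

    def apply(self, cmds: List[Command]) -> "ImplantState":
        for c in cmds:
            if c.kind == "set_interval" and c.value:
                self.interval_seconds = c.value
            elif c.kind == "download_dll":
                self.pending_downloads.append(c.value)
        return self


# Constructed instruction file, then XOR-encoded with the Downloader2 key the
# way a captured blob would arrive.
SAMPLE_PLAINTEXT = "13600\nhttps://example.invalid/update.dll\n"
SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT.encode(), XOR_KEYS["downloader2"])


if __name__ == "__main__":
    key_name = identify_key(SAMPLE_BLOB)
    text = xor_with_key(SAMPLE_BLOB, XOR_KEYS[key_name]).decode()
    print(key_name, ImplantState().apply(parse_commands(text)))
```

Because repeating-key XOR is symmetric and the keys are fixed strings in the binaries, anyone holding the sample can decode captured instruction files; the printable-text check in identify_key is what lets an analyst tell which of the two keys a blob was encoded with without guessing.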
SpyGlace Variants and Encryption Enhancements
SpyGlace, the secondary payload, has advanced to versions 3.1.12 through 3.1.14, with notable changes since version 3.1.6: the prockill and proclist commands are now disabled, and a new uld command dynamically executes and unloads specific modules.
The screenshot feature was also changed: it now references %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db and calls the export function mssc1.
SpyGlace encrypts stored files with AES-128-CBC (key: B0747C82C23359D1342B47A669796989; IV: 21A44712685A8BA42985783B67883999) and talks to its C2 using a modified RC4, with the ciphertext Base64-encoded on the wire.
The RC4 variant adds extra key-scheduling loops and XOR manipulations, so off-the-shelf RC4 decoders will not recover the traffic; analysts have to reimplement the modified routine from the binary before the C2 exchange can be read.
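As an added example (not SpyGlace's code), the block below implements standard RC4, with key scheduling (KSA) and keystream generation (PRGA) as separate functions, and the Base64 framing the report describes for the C2 channel. The report says SpyGlace's variant adds key-scheduling loops and XOR manipulations but does not spell them out, so this is the textbook baseline that a reverse engineer would modify once the recovered routine is known; self_check() pins the baseline to a public RC4 known-answer vector so any modification can be confirmed to diverge from it. The session key and message are constructed, not values from the report.

```python
"""Standard RC4 with Base64 framing, the textbook form of the C2 encoding
described in the report. Added example; SpyGlace's actual modifications are
not known from the page and are not implemented here."""
import base64
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute the 256-byte state S under the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: List[int], length: int) -> bytes:
    """Pseudo-random generation: emit `length` keystream bytes from state S."""
    S = S[:]                      # work on a copy; the caller's S stays reusable
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation for a stream cipher)."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def encode_c2(key: bytes, plaintext: bytes) -> str:
    """Outbound framing: RC4, then Base64 text."""
    return base64.b64encode(rc4_crypt(key, plaintext)).decode("ascii")


def decode_c2(key: bytes, wire: str) -> bytes:
    """Inbound framing: strict Base64 decode, then RC4. Raises on bad Base64."""
    return rc4_crypt(key, base64.b64decode(wire, validate=True))


def self_check() -> bool:
    """Known-answer test (public RC4 vector: key "Key", plaintext "Plaintext").
    A modified KSA or PRGA will fail this, which is the point."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Constructed session key and message; not values from the report.
SAMPLE_KEY = b"constructed-session-key"
SAMPLE_MESSAGE = b'{"cmd":"uld","module":"Clouds.db"}'

if __name__ == "__main__":
    assert self_check()
    wire = encode_c2(SAMPLE_KEY, SAMPLE_MESSAGE)
    print(wire)
    print(decode_c2(SAMPLE_KEY, wire))
```

RC4 carries no integrity check, so decoding with the wrong key returns garbage rather than an error; when reproducing the SpyGlace variant, validate the result against the structure of a known message rather than trusting a clean decode.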
The mutex values, file paths, and GitHub upload timestamps point to an organized campaign infrastructure: repository commit logs from June and July 2025 show consistent updates during the attack window.
Although the hosting has shifted from Bitbucket to GitHub, the core TTPs remain steady: abuse of legitimate cloud platforms, COM-hijacking persistence, and continuous refinement of the SpyGlace components.
JPCERT/CC warns that these attacks remain heavily focused on Japan and East Asia, and urges closer monitoring of recruitment-related emails and of outbound activity to cloud code repositories.