APT-C-60 Escalates SpyGlace Campaigns Targeting Japan with Evolved Malware, Advanced Evasion TTPs

APT-C-60 intensified operations against Japanese organizations in Q3 2025, deploying SpyGlace backdoor versions 3.1.12–3.1.14 with refined delivery (direct VHDX attachments), enhanced evasion, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy payload distribution. #APT-C-60 #SpyGlace #GitHub #StatCounter

Keypoints

  • APT-C-60 targeted Japanese HR personnel using job-application lures with VHDX attachments that mount and execute LNK shortcuts to launch Git and a malicious script, initiating infection.
  • Three SpyGlace versions (3.1.12, 3.1.13, 3.1.14) were deployed between June and July 2025, each with minor functional and persistence changes (distinct mutexes and autorun paths).
  • Downloader components use COM hijacking for persistence via specific HKCU CLSID registry keys and leverage legitimate tools (gcmd.exe/Git) to evade application control.
  • Victim tracking is implemented through StatCounter Referer headers containing unique identifiers (VolumeSerialNumber + ComputerName) and selective payload delivery via GitHub raw URLs named per victim.
  • SpyGlace and its downloaders use custom obfuscation and encryption: XOR keys, AES-128-CBC with hardcoded KEY/IV, and a modified RC4 variant (triple KSA cycles and altered PRGA) for C2 communications and payloads.
  • New SpyGlace features include an “uld” (unload) command for modular components and a modified “screenupload” behaviour that loads a module from %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db, suggesting screenshot exfiltration.
  • Defense recommendations emphasize sandboxing or blocking mountable disk attachments (VHDX), monitoring LNK→Git execution chains, watching the COM hijack registry keys and StatCounter Referer anomalies, and threat-hunting GitHub raw access for victim-specific filenames.
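The last two recommendations can be combined into a single hunt: pull the victim identifier out of the StatCounter Referer pattern listed under Indicators of Compromise, match raw.githubusercontent.com fetches from the attacker repository, and correlate the two on that identifier. The following is an added example written for this summary (not Cyble's or the attacker's code); the pipe-delimited proxy log lines, client IPs and victim identifiers are constructed, and the serial+hostname concatenation format is assumed from the report's description.

```python
import re

# Constructed proxy log excerpt (not from the report): client|host|path|referer
SAMPLE_LOG = [
    "10.0.0.5|c.statcounter.com|/t.php?sc_project=1|ONLINE=>12,7 >> C:\\Users\\hr-user / A1B2C3D4HR-PC01",
    "10.0.0.5|raw.githubusercontent.com|/carolab989/class2025/refs/heads/main/A1B2C3D4HR-PC01.txt|-",
    "10.0.0.9|c.statcounter.com|/t.php?sc_project=2|https://example.org/blog/post",
    "10.0.0.9|raw.githubusercontent.com|/someorg/repo/refs/heads/main/README.md|-",
    "10.0.0.7|raw.githubusercontent.com|/carolab989/class2025/refs/heads/main/FFEE0011FIN-LT2.txt|-",
]

# Referer shape from the report:
#   ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
REFERER_RE = re.compile(r"^ONLINE=>(\d+),(\d+) >> (.+?) / (\S+)$")
# Victim-specific payload path on the attacker repository named in the report
GITHUB_RE = re.compile(r"^/carolab989/class2025/refs/heads/main/([^/]+)\.txt$")


def parse_line(line):
    """Split one constructed log line into (client, host, path, referer)."""
    client, host, path, referer = line.split("|", 3)
    return client, host, path, referer


def hunt(lines):
    """Return alerts as (client, alert_type, victim_id) tuples."""
    alerts = []
    tracked = {}  # victim_id -> client that beaconed it to StatCounter
    fetched = {}  # victim_id -> client that fetched [victim_id].txt from GitHub
    for line in lines:
        client, host, path, referer = parse_line(line)
        if host.endswith("statcounter.com"):
            m = REFERER_RE.match(referer)
            if m:  # fourth group is the VolumeSerialNumber + ComputerName token
                tracked[m.group(4)] = client
                alerts.append((client, "statcounter_beacon", m.group(4)))
        elif host == "raw.githubusercontent.com":
            m = GITHUB_RE.match(path)
            if m:
                fetched[m.group(1)] = client
                alerts.append((client, "github_victim_payload", m.group(1)))
    # The same identifier on both channels is the strongest signal
    for victim_id in tracked.keys() & fetched.keys():
        alerts.append((tracked[victim_id], "correlated_spyglace_downloader", victim_id))
    return alerts


def victim_ids(alerts):
    """Distinct victim identifiers seen across all alerts."""
    return sorted({a[2] for a in alerts})


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Legitimate StatCounter traffic (a normal page URL in the Referer) and unrelated GitHub raw fetches produce no alert, so the hunt can run over full proxy logs without flooding the queue.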

MITRE Techniques

  • [T1204] User Execution – PHISHING LURES: HR personnel open VHDX attachments and click embedded LNK shortcuts to execute malicious scripts via Git (“…job application emails containing VHDX virtual hard disk files… click the embedded LNK shortcut, the legitimate Git command-line tool (gcmd.exe) executes a malicious script (glog.txt)…”).
  • [T1218] Signed Binary Proxy Execution – LIVING-OFF-THE-LAND (Git used for execution) – attackers leveraged the legitimate Git command-line tool (gcmd.exe) to run malicious scripts and bypass application control (“…leveraging Git—a widely trusted developer tool—the malware achieves execution without triggering application control policies…”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – COM Hijacking Persistence – the initial downloader registers under HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32 to persist across reboots (“…achieves persistence through COM hijacking by registering itself under the Windows Registry key HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32…”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of StatCounter for command-and-control and victim tracking via crafted HTTP Referer headers (“…periodically contacts StatCounter, a legitimate web analytics service, with specially crafted HTTP Referer headers containing victim identification data…”).
  • [T1105] Ingress Tool Transfer – GitHub Raw Payload Distribution – attacker-hosted GitHub raw URLs deliver victim-specific payloads and commands (“…they upload victim-specific payloads to GitHub repositories… https://raw.githubusercontent.com/carolab989/class2025/… [VolumeSerialNumber + ComputerName].txt”).
  • [T1041] Exfiltration Over C2 Channel – Encrypted C2 Traffic using custom RC4 and BASE64 – SpyGlace beacons include BASE64-wrapped CustomRC4 payload fields containing system information (“…a004=[BASE64(CustomRC4([ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]))]…”).
  • [T1027] Obfuscated Files or Information – Custom Encoding and API Obfuscation – modified API name hashing (add 0x04 then XOR 0x05), single-byte XOR/SUB string obfuscation, and custom RC4/KSA changes impede analysis (“…modified API obfuscation techniques… adds 0x04 to API name hashes before XORing with 0x05… custom encoding combining single-byte XOR with SUB instructions…”).
  • [T1056] Input Capture – Screen Capture – the modified screenupload command loads a module from %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db and executes the export “mssc1”, suggesting screenshot capture (“…screenupload command… loading a module from %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db and executing an export function named ‘mssc1’…”).

Indicators of Compromise

  • [File Name] initial downloader and artifacts – WebClassUser.dat, Downloader1/WebClassUser.dat; %temp%\wcts66889.tmp for decrypted downloads.
  • [Registry Keys] COM hijack persistence – HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32; {64B8F404-A4AE-11D1-B7B6-00C04FB926AF} used by SpyGlace.
  • [Mutex] version-specific mutexes – K31610KIO9834PG79A90B (3.1.12), K31610KIO9834PG79AD7B (3.1.13), K31610KIO9834PG79A44A (3.1.14).
  • [Domains/URLs] GitHub raw payload locations – https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt (used for victim-specific commands and payload delivery).
  • [Referer Pattern] StatCounter tracking headers – Referer containing “ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]” used to identify infected hosts.
  • [Crypto Keys] AES-128-CBC hardcoded keys for payloads – KEY: B0747C82C23359D1342B47A669796989, IV: 21A44712685A8BA42985783B67883999.
  • [Sample Paths] persistence and module paths – %LocalAppData%\Microsoft\Windows\WebClassUser.dat, %LocalAppData%\Microsoft\Windows\WebCache\WebCacheR.tmp.dat, %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db.

Read more: https://cyble.com/blog/apt-c-60-escalates-spyglace-campaigns-targeting-japan-with-evolved-malware-advanced-evasion-ttps/