Update on Attacks by Threat Group APT-C-60 in 2026 – JPCERT/CC Eyes

Update on Attacks by Threat Group APT-C-60 in 2026 – JPCERT/CC Eyes
APT-C-60 continued targeting organizations in Japan in 2026, using spear-phishing with Proton Drive, RAR archives containing LNK files, and mshta.exe to launch JavaScript that led to SpyGlace deployment. The campaign abused GitHub, GitLab, jsDelivr, and Codeberg as infrastructure, and the report lists C2 servers, URLs, file hashes, and sender addresses tied to the activity. #APT-C-60 #SpyGlace #ProtonDrive #GitHub #GitLab #jsDelivr #Codeberg

Keypoints

  • APT-C-60 activity against organizations in Japan continued into 2026, with JPCERT/CC observing similar attacks.
  • Initial access used spear-phishing emails that lured victims to download a RAR file from Proton Drive, or attached the malicious file directly.
  • The RAR archive contained an LNK file; opening it triggered the infection chain.
  • The LNK file used mshta.exe to run embedded JavaScript, which downloaded and decoded additional content and then executed scripts with git.exe.
  • The downloader abused legitimate services including GitHub, GitLab, jsDelivr, and Codeberg as attack infrastructure.
  • The final payload delivered was SpyGlace, with observed versions v3.1.15, v3.1.17, and v3.1.18.
  • The appendix includes C2 IPs, service URLs, SHA-256 file hashes, phishing sender addresses, repositories, and victim system identifiers.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Victims were enticed through phishing emails containing a Proton Drive link to retrieve the malicious archive (‘the spear-phishing email contained a Proton Drive link’).
  • [T1566.001] Spearphishing Attachment – A similar case used a malicious file attached directly to the email (‘the malicious file was attached directly to the email’).
  • [T1204.002] Malicious File – LNK execution – The victim had to open an LNK file from the extracted archive to start the infection (‘Once the victim opens the LNK file, the subsequent infection process is executed’).
  • [T1059.007] JavaScript – The LNK file launched embedded JavaScript to continue the attack (‘uses mshta.exe to execute JavaScript embedded within the LNK file’).
  • [T1218.005] Mshta – The attackers used a signed Windows utility to execute the embedded script (‘uses mshta.exe to execute JavaScript’).
  • [T1105] Ingress Tool Transfer – The script downloaded payload-related files from jsDelivr and other legitimate services (‘Downloads the file contributing[1].txt from jsDelivr’).
  • [T1027] Obfuscated Files or Information – The embedded JavaScript was obfuscated to hinder analysis (‘Although the JavaScript code embedded in the LNK file is obfuscated’).
  • [T1059.003] Windows Command Shell – Script execution through legitimate tooling and downloaded scripts was used to carry out the next stage (‘uses the legitimate git.exe … to execute a script in the same folder’).
  • [T1106] Native API / Windows Command and Scripting Interpreter Execution – Legitimate Windows functionality was used to execute follow-on payloads (‘use a legitimate Windows program while carrying out processes’).
  • [T1588.002] Tool – The threat actor leveraged legitimate developer services and CDN platforms as infrastructure (‘GitHub, GitLab, jsDelivr, and Codeberg… abused as attack infrastructure’).

Indicators of Compromise

  • [IP addresses] SpyGlace C2 infrastructure – 31.58.136[.]207, 154.18.239[.]209, and other 5 items
  • [URLs] Legitimate services abused for download/distribution – https[:]//c.statcounter[.]com/13178005/0/7f3c2735/1/, https[:]//cdn.jsdelivr[.]net/gh/mei1990789/class125/
  • [File hashes – SHA256] IoC files for downloader, loader, JS, LNK, and SpyGlace components – 48bb091e0cab562fe094e0ef6a77b434dba97380c09a707220cbd9ca37999484, 5e97848bebf521766910d9c8378e98bf7aa1ce4b06aeb6c3f86c31ababbe9663, and other many hashes
  • [File names] Malicious and related components – RAR File具体的内容.rar, desk.lnk, iconcache.dat, call1.js, and other N items
  • [Email addresses] Spear-phishing senders and commit accounts – [email protected], [email protected], and other N items
  • [Domains / repositories] Attacker management repositories and service locations – github[.]com/mei1990789/class125, gitlab[.]com/sapphire689/dnaluakxit, and codeberg[.]org/ochi_ma992/3tv9239irfn83
  • [Host identifiers] Victimized devices identified from repositories – DESKTOP-CJU6TU7, 2024NOTEBOOK, and other 22 items


Read more: https://blogs.jpcert.or.jp/en/2026/07/apt-c-60_2026.html