APT-C-60 Returns: New SpyGlace Malware Hides in Fake Resume VHDX Attachments
The APT-C-60 group, previously linked to targeted attacks against Japanese organizations, continues to employ its signature methods—blending proven tactics with updated technical refinements. In recent months, experts from JPCERT have recorded a new wave of intrusions aimed specifically at human resources personnel. The attackers have once again turned to fake resumes, though this time the malicious attachments are delivered directly via email, bypassing third-party storage services altogether.
The phishing campaign is conducted under the guise of job applications. Each email contains an attached VHDX file, within which lies a concealed LNK shortcut. Once executed, it triggers a script leveraging the legitimate gcmd.exe binary from the Git toolkit. The script simultaneously displays a decoy document while deploying and executing an additional component, WebClassUser.dat—a first-stage loader stored in the system registry and launched via COM class hijacking.
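As a defensive check added here (this is not code from the article or from JPCERT), the following PowerShell hunt enumerates per-user CLSID InprocServer32 registrations and flags the shapes a hijacked loader like the one described above would take. It assumes the hijack is registered under HKCU (the article names neither the CLSID nor the hive); WebClassUser.dat is the only page-specific value it uses.

```powershell
# Added hunting example, not part of the report or the article.
# Assumption: the hijacked CLSID lives under HKCU:\Software\Classes\CLSID, which
# takes precedence over the HKLM copy of the same CLSID when COM resolves it.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE,
                  "$env:SystemDrive\Users\Public")
$suspicious = @()

Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $srvKey = "Registry::$($_.Name)\InprocServer32"
    if (-not (Test-Path $srvKey)) { return }

    # The (default) value of InprocServer32 is the module COM will load in-process
    $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($server)) { return }
    $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
    $reasons = @()

    # A server that is not a .dll (e.g. a .dat file) is unusual for a legitimate class
    $ext = [IO.Path]::GetExtension($path)
    if ($ext -ne '.dll') { $reasons += "non-DLL server ($ext)" }

    # Legitimate in-proc servers rarely live in user-writable directories
    foreach ($dir in $userWritable) {
        if ($dir -and $path.StartsWith($dir, 'OrdinalIgnoreCase')) {
            $reasons += "user-writable path ($dir)"; break
        }
    }

    # Direct match on the loader filename reported for this campaign
    if ([IO.Path]::GetFileName($path) -ieq 'WebClassUser.dat') {
        $reasons += 'filename matches WebClassUser.dat'
    }

    # A per-user CLSID that shadows a machine-wide one is the classic hijack shape
    if (Test-Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32") {
        $reasons += 'shadows an HKLM CLSID'
    }

    if ($reasons.Count -gt 0) {
        $suspicious += [pscustomobject]@{ CLSID = $clsid; Server = $path; Reasons = ($reasons -join '; ') }
    }
}

$suspicious | Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per-user; any hit should be confirmed against the file on disk and the process that registered the key rather than treated as a verdict on its own.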
The updated Downloader1 connects to the StatCounter website to transmit details about the infected host, including the volume serial number and computer name. These same identifiers are used as filenames for payloads retrieved from GitHub. The downloaded file contains configuration data and links for obtaining the next-stage component, Downloader2, which not only delivers payloads but can also execute remote commands—such as adjusting communication frequency or fetching DLL modules.
Downloader2 subsequently installs the SpyGlace spyware and its loader. All transmitted data is encrypted with XOR, and SpyGlace adds another layer of AES encryption with fixed keys and initialization vectors. The malware employs dynamic API resolution, utilizing a method based on arithmetic and bitwise operations. Researchers have identified three new versions—3.1.12, 3.1.13, and 3.1.14. The latest build introduces a new command, uld, which unloads the module after execution, as well as an altered autostart path.
Data exfiltration from infected systems occurs through a hybrid scheme combining BASE64 encoding and a modified RC4 algorithm. Each request embeds an MD5 hash of the string “GOLDBAR,” along with system metadata and an encrypted block containing unique device information—a signature previously observed in APT-C-60 attacks targeting Japan.
The lure document is a forged résumé listing scientific publications, though the listed authors’ names do not match the email sender. The résumé itself bears a name partially matching the Gmail address, suggesting that the account was created specifically for this operation.
GitHub’s role in the APT-C-60 infrastructure has grown increasingly prominent: the platform now hosts all malware variants and command files. Analysts were able to trace upload dates for the new SpyGlace versions and extract email addresses and infected host details from commit histories.
Despite migrating its operations from Bitbucket to GitHub and introducing incremental improvements to its malware components, APT-C-60’s overall modus operandi remains unchanged—a persistent focus on East Asian targets, the abuse of legitimate cloud services for delivery and control, and meticulous obfuscation. Experts advise maintaining heightened vigilance toward such campaigns, especially when handling email attachments and job application submissions.