APT-C-60 intensified operations against Japanese organizations during Q3 2025, deploying three updated SpyGlace backdoor versions with refined tracking mechanisms, modified encryption, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy malware distribution.

The South Korea-aligned cyber espionage group APT-C-60 continued its aggressive targeting of Japanese organizations throughout Q3 2025, deploying three updated versions of its SpyGlace backdoor with enhanced capabilities and improved evasion techniques. 

JPCERT/CC’s latest analysis reveals that attacks between June and August employed refined delivery mechanisms, more sophisticated victim tracking methods, and modified encryption schemes designed to complicate detection and analysis. 

Unlike previous campaigns that relied on Google Drive links, recent APT-C-60 operations delivered malicious VHDX files directly as email attachments, streamlining the infection process while maintaining the group’s characteristic job application lures targeting HR departments. The evolution of the SpyGlace malware demonstrates APT-C-60’s commitment to continuous operational refinement and adaptation to defensive countermeasures. 

JPCERT/CC’s comprehensive technical analysis documents significant changes across the attack chain, from initial delivery through command-and-control infrastructure. The report identifies three distinct SpyGlace versions—3.1.12, 3.1.13, and 3.1.14—each incorporating incremental improvements to functionality, persistence mechanisms, and obfuscation techniques. The group’s exploitation of legitimate services, including GitHub, StatCounter, and Git for malware distribution, continues to pose significant detection challenges for traditional security controls. 

Japan has emerged as a priority target for APT-C-60, with the group’s operations specifically crafted to compromise organizations through social engineering attacks against recruitment personnel. The deliberate focus on Japanese entities, combined with the technical sophistication evident in recent campaigns, positions APT-C-60 as one of the most persistent advanced persistent threat actors currently operating in the Asia-Pacific region. 

From Cloud Links to Direct Attachments 

APT-C-60’s Q3 2025 campaigns maintained the group’s established tradecraft of impersonating job seekers while introducing tactical modifications designed to accelerate infection timelines. Previous operations from August 2024 directed targets to download VHDX files from Google Drive, creating an additional step that provided potential detection opportunities. The shift to directly attaching malicious VHDX files to emails eliminated this intermediary stage, reducing the attack chain complexity and the likelihood of user abandonment before infection. 

The attack sequence begins when HR personnel receive seemingly legitimate job application emails containing VHDX virtual hard disk files. When recipients mount these files and click the embedded LNK shortcut, the legitimate Git command-line tool (gcmd.exe) executes a malicious script (glog.txt) that simultaneously displays a decoy resume while installing the initial downloader component. 

The technical execution demonstrates careful operational security planning. By leveraging Git—a widely trusted developer tool—the malware achieves execution without triggering application control policies that might block unknown executables. The initial payload (WebClassUser.dat, referred to as Downloader1) achieves persistence through COM hijacking by registering itself under the Windows Registry key HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32, ensuring the malware survives system reboots. 

Enhanced Victim Tracking Through Legitimate Services 

Downloader1’s communication strategy exemplifies APT-C-60’s sophisticated abuse of trusted infrastructure. The malware periodically contacts StatCounter, a legitimate web analytics service, with specially crafted HTTP Referer headers containing victim identification data. The updated tracking format combines volume serial numbers and computer names to uniquely identify compromised systems: 

Referer: ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName] 

This approach provides APT-C-60 operators with real-time victim telemetry while appearing as ordinary web analytics traffic to network monitoring tools. Once operators confirm a valuable target through StatCounter logs, they upload victim-specific payloads to GitHub repositories following a predictable naming convention: 

https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber + ComputerName].txt 

The system allows selective payload delivery, with Downloader1 regularly checking GitHub for files matching the infected system’s unique identifier. This manual review process before delivering second-stage payloads suggests APT-C-60 prioritizes operational security over rapid mass compromise, carefully vetting targets before deploying their most sophisticated tools. 
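As an added example (not code from the JPCERT/CC report or this article), a small Python detection that parses the StatCounter Referer format described above out of proxy-log lines and derives the victim-specific GitHub file name to watch for. The log layout, the 1A2B3C4D serial number and the inventory check are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Referer layout Downloader1 sends to StatCounter (from the analysis above):
#   ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
# Number1/Number2 are treated as opaque tokens; only their presence matters here.
REFERER_RE = re.compile(
    r"ONLINE=>(?P<n1>[^,\s]+),(?P<n2>\S+)\s*>>\s*(?P<profile>.+?)\s*/\s*(?P<victim_id>\S+)\s*$"
)

# Assumed proxy-log layout (constructed for this example, not a real product format):
#   <client_ip> <method> <host> <path> referer="<Referer header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) referer="(?P<ref>.*)"$'
)


@dataclass
class Beacon:
    client_ip: str
    user_profile: str
    victim_id: str          # VolumeSerialNumber + ComputerName, as the operator sees it
    github_watch_name: str  # victim-specific file name to watch for in GitHub traffic
    known_asset: bool       # victim_id ends with one of our inventoried computer names


def parse_referer(referer: str) -> Optional[dict]:
    """Return the fields of a Downloader1 tracking Referer, or None for ordinary traffic."""
    m = REFERER_RE.search(referer)
    return m.groupdict() if m else None


def scan_proxy_log(lines: Iterable[str], hostnames: Iterable[str]) -> List[Beacon]:
    """Flag StatCounter requests whose Referer carries victim telemetry."""
    known = {h.upper() for h in hostnames}
    hits: List[Beacon] = []
    for line in lines:
        lm = LOG_RE.match(line.strip())
        if not lm or "statcounter.com" not in lm["host"].lower():
            continue
        fields = parse_referer(lm["ref"])
        if not fields:
            continue
        vid = fields["victim_id"]
        # The serial number is prepended to the computer name, so match on the suffix.
        owned = any(vid.upper().endswith(h) for h in known)
        hits.append(Beacon(lm["ip"], fields["profile"], vid, vid + ".txt", owned))
    return hits


# Constructed sample: one ordinary analytics hit, one Downloader1 beacon.
# The serial number 1A2B3C4D is made up; DESKTOP-BN9A2SA is a name cited above.
SAMPLE_LOG = [
    '10.1.2.3 GET c.statcounter.com /t.php referer="https://intranet.example/news"',
    '10.1.2.44 GET c.statcounter.com /t.php referer="ONLINE=>3,1 >> C:\\Users\\hr-user / 1A2B3C4DDESKTOP-BN9A2SA"',
]

if __name__ == "__main__":
    for b in scan_proxy_log(SAMPLE_LOG, ["DESKTOP-BN9A2SA"]):
        print(f"{b.client_ip}: SpyGlace tracking beacon for {b.victim_id}; "
              f"watch GitHub requests for {b.github_watch_name} (inventoried: {b.known_asset})")
```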

Notably, the victim-specific GitHub files don’t merely contain payload URLs—they function as remote control mechanisms supporting multiple commands. Operators can adjust StatCounter polling intervals from the default one hour to six hours using the “1*” command, presumably to reduce detection likelihood for high-value targets requiring more cautious handling. The “0” and “40” commands reset intervals to defaults, while strings beginning with “http” trigger DLL downloads and execution. 

Downloaded payloads undergo XOR decryption using the key “sgznqhtgnghvmzxponum” before execution, maintaining consistency with previous APT-C-60 operations documented in 2024. 

Downloader Architecture and API Obfuscation 

Downloader2, retrieved and executed by the initial payload, serves as the delivery mechanism for SpyGlace itself and associated loader components. The updated version implements modified API obfuscation techniques, changing from previous encoding schemes to a new approach that adds 0x04 to API name hashes before XORing with 0x05. While seemingly minor, this modification breaks signatures and analysis tools tuned to previous versions, forcing defenders to update their detection logic. 

The SpyGlace loader employs identical obfuscation techniques, creating consistency across the attack chain while complicating analysis. Downloader2 retrieves encrypted payloads from attacker-controlled infrastructure, decrypts them using the XOR key “AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE”, and establishes persistence through COM hijacking—mirroring the initial infection mechanism. 

This layered approach creates multiple opportunities for defenders to intervene, yet the abuse of legitimate Windows features like COM objects and trusted tools like Git significantly reduces detection rates compared to traditional malware execution patterns. 

SpyGlace 3.1.12-3.1.14: Refined Capabilities 

JPCERT/CC identified three SpyGlace versions deployed during Q3 2025: 3.1.12, 3.1.13, and 3.1.14. Compared to version 3.1.6 documented in 2024, the updated variants disable the “prockkill” and “proclist” commands—likely removing functionality that proved unreliable or introduced detection risks—while adding a new “uld” (unload) command that loads a specified module, executes a designated function, waits two seconds, then unloads the module. 

This unload capability suggests APT-C-60 is deploying modular components requiring specific initialization or cleanup routines, potentially including credential stealers or additional surveillance tools that must properly finalize operations before removal to avoid leaving forensic artifacts. 

The “screenupload” command underwent significant modification, now loading a module from %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db and executing an export function named “mssc1”. While JPCERT/CC hasn’t recovered this module, the file path and command context strongly suggest screenshot capture functionality, consistent with SpyGlace’s espionage mission. 

Version differences remain minimal across 3.1.12, 3.1.13, and 3.1.14, with each using distinct mutex values to prevent multiple infections: K31610KIO9834PG79A90B (3.1.12), K31610KIO9834PG79AD7B (3.1.13), and K31610KIO9834PG79A44A (3.1.14). More significantly, version 3.1.14 changed the autorun path from %public%\AccountPictures\Default\ to %appdata%\Microsoft\SystemCertificates\My\CPLs, potentially improving stealth by placing persistence files in locations less frequently examined by security tools. 

A September 2025 report documented version 3.1.14 deployment in campaigns outside Japan, using different GitHub repositories and infrastructure. This indicates APT-C-60 is running parallel operations across multiple geographic regions with distinct targeting but shared tooling. 

Custom Encryption and C2 Communication 

SpyGlace’s obfuscation relies heavily on custom encoding combining single-byte XOR with SUB instructions, applied throughout the malware for string protection and dynamic API resolution. The approach effectively defeats simple string-based detection while remaining computationally inexpensive for the malware. 

The “Download” command, which retrieves additional payloads or modules from C2 infrastructure, employs AES-128-CBC encryption with hardcoded keys: 

KEY: B0747C82C23359D1342B47A669796989 

IV: 21A44712685A8BA42985783B67883999 

Downloaded files are decrypted and written to %temp%\wcts66889.tmp before execution, providing operators with flexible capability deployment without embedding all functionality in the initial implant. 

C2 communication employs layered encoding: BASE64 wrapping custom RC4 encryption. Initial beacon requests use the format: 

a001=[md5(“GOLDBAR”)]&a002=[md5(systeminfo)]&a003=[“uid” or “info”]&a004=[BASE64(CustomRC4([ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]))] 

The “GOLDBAR” user identifier matches values documented in previous research and JPCERT/CC’s 2024 analysis of Japanese-targeted campaigns, suggesting this string serves as a campaign or target region designator rather than a victim identifier. 
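As an added example (not from the JPCERT/CC report or this article), a Python classifier for the initial beacon layout quoted above: it checks the a001 field against md5("GOLDBAR"), the a003 mode against "uid"/"info" and the shape of the other fields, without attempting the custom RC4 layer. The sample body and its a004 blob are constructed.

```python
import base64
import binascii
import hashlib

# Constant the analysis reports in a001 of every initial beacon: md5("GOLDBAR").
GOLDBAR_MD5 = hashlib.md5(b"GOLDBAR").hexdigest()
BEACON_FIELDS = ("a001", "a002", "a003", "a004")


def _is_hex(s: str, length: int) -> bool:
    return len(s) == length and all(c in "0123456789abcdefABCDEF" for c in s)


def _is_base64(s: str) -> bool:
    if not s or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify_beacon(body: str) -> dict:
    """Score an HTTP request body against the SpyGlace initial-beacon layout.

    The body is split on '&' and the first '=' only, so base64 padding in a004
    survives. a004 is only shape-checked: underneath it is custom RC4, which
    this example does not decrypt.
    """
    params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    checks = {
        "has_all_fields": all(f in params for f in BEACON_FIELDS),
        "a001_is_goldbar": params.get("a001", "").lower() == GOLDBAR_MD5,
        "a002_is_md5": _is_hex(params.get("a002", ""), 32),
        "a003_is_mode": params.get("a003") in ("uid", "info"),
        "a004_is_base64": _is_base64(params.get("a004", "")),
    }
    if all(checks.values()):
        verdict = "spyglace"
    elif checks["a001_is_goldbar"]:
        verdict = "suspicious"   # the GOLDBAR constant alone is a strong indicator
    else:
        verdict = "benign"
    return {"params": params, "checks": checks, "verdict": verdict}


def build_sample_beacon(mode: str = "uid") -> str:
    """Constructed beacon body with the documented layout and an opaque a004 blob."""
    a004 = base64.b64encode(b"\x8f\x12\x33constructed-ciphertext").decode()
    a002 = hashlib.md5(b"constructed systeminfo").hexdigest()
    return f"a001={GOLDBAR_MD5}&a002={a002}&a003={mode}&a004={a004}"


if __name__ == "__main__":
    for body in (build_sample_beacon(), "user=alice&token=abc"):
        print(classify_beacon(body)["verdict"], body[:60])
```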

SpyGlace’s RC4 implementation incorporates multiple modifications from standard RC4. The Key Scheduling Algorithm (KSA) runs three full cycles instead of one, significantly altering the initial permutation state. During Pseudo-Random Generation Algorithm (PRGA) execution, keystream bytes are generated using modified formulas that incorporate bit shifts, XOR operations with constant 0xAA, and multiple S-box lookups, then combined through XOR with both original and modified keystream values. 

JPCERT/CC provided a Python implementation demonstrating the decryption process, enabling defenders to decode captured C2 traffic and analyze payload functionality. The custom RC4 variant requires substantial reverse engineering effort to identify, making it unlikely that organizations would successfully decrypt SpyGlace communications without access to detailed analysis like JPCERT/CC’s report. 

Fake Resumes and Researcher Personas 

The decoy documents used in Q3 2025 attacks demonstrate APT-C-60’s commitment to believable social engineering. Fake resumes presented attackers as researchers with academic credentials and publication histories, listing multiple legitimate research papers—none of which actually included the purported applicant as an author. 

This level of detail suggests APT-C-60 conducts reconnaissance on targeted organizations, crafting resumes that align with relevant research areas or industry sectors to increase credibility. The email sender names partially matched Gmail account names in the fake resumes, indicating attackers create purpose-built accounts for each campaign rather than reusing infrastructure across operations. 

By impersonating job seekers with research backgrounds, APT-C-60 exploits the natural openness of HR personnel who routinely open attachments from unknown senders as part of their job function. This targeting represents a calculated assessment of organizational weak points—recruiting staff may have less security awareness than technical personnel while possessing network access sufficient for initial compromise. 

GitHub Repository Analysis Reveals Operational Timeline 

APT-C-60’s reliance on GitHub for payload distribution creates a valuable intelligence source. Unless repositories are deleted, defenders can access complete upload histories showing exactly when different malware versions were deployed. JPCERT/CC’s analysis of the carolab989/class2025 repository revealed: 

Version 3.1.12: Uploaded June 27, 2025, at 14:33:28 JST 

Version 3.1.13: Uploaded July 3, 2025, at 18:25:18 JST 

Version 3.1.14: Uploaded July 16, 2025, at 15:03:52 JST 

These timestamps indicate active development and rapid deployment cycles, with new versions released approximately weekly during the peak campaign period. The repository also contained multiple victim-specific configuration files following the [VolumeSerialNumber + ComputerName].txt naming convention, documenting at least 12 successful compromises across Japanese organizations. 

Victim identifiers revealed in the repository include system names like “DESKTOP-BN9A2SA”, “DESKTOP-NKVAKV1”, and “DESKTOP-6LO36DE”, along with several entries JPCERT/CC redacted because they potentially contained personal names. The presence of these files confirms that APT-C-60 successfully deployed second-stage payloads to multiple victims during the Q3 campaign. 

Email addresses associated with Git commits include a mix of providers and naming patterns, which suggests operational security practices designed to compartmentalize infrastructure and complicate attribution, though the documented connection to APT-C-60 renders this moot for defenders prioritizing threat detection over attribution. 

APT-C-60 Operations in Broader Context 

APT-C-60 has operated continuously since at least 2021, with SpyGlace malware first detected in June 2022. The group primarily targets organizations across East Asia, with documented campaigns against victims in China, Japan, South Korea, and Taiwan. Previous operations have exploited zero-day vulnerabilities, including CVE-2024-7262 in WPS Office, demonstrating access to advanced exploitation capabilities beyond the social engineering tactics used in recent Japanese campaigns. 

Earlier research suggests APT-C-60 may operate as a sub-group within the DarkHotel threat cluster, sharing infrastructure, tools, and targeting with related groups, including APT-Q-12 (Pseudo Hunter). The use of VHDX virtual disk files to bypass Windows security controls represents a technique increasingly adopted by Asia-focused APT groups seeking to evade Mark of the Web protections introduced in recent Windows versions. 

The group’s continuous evolution of SpyGlace through incremental version updates, combined with persistent targeting of similar victim profiles across multiple years, indicates a well-resourced operation with clear intelligence collection objectives. The focus on recruitment-related social engineering suggests interest in organizations’ personnel, research activities, or business operations rather than purely technical intelligence. 

Implications for Japanese Organizations 

APT-C-60’s sustained campaign against Japanese targets throughout 2024 and 2025 demonstrates that the threat shows no signs of diminishing. Organizations must recognize that HR departments represent high-value attack vectors requiring security controls equivalent to technical staff, despite traditionally receiving less security awareness training. 

The abuse of legitimate services, including Git, GitHub, and StatCounter, complicates detection, as security teams cannot simply block these platforms without impacting legitimate business operations. Organizations need behavioral analytics and anomaly detection capable of identifying unusual patterns in otherwise trusted traffic, such as Git executing from uncommon locations or StatCounter requests containing abnormal Referer headers. 

The multi-stage infection process provides several potential interdiction points. Email security controls should flag or sandbox VHDX attachments, particularly from external senders claiming job applicant status. Endpoint detection should alert on LNK files spawning Git processes, especially when followed by Registry modifications associated with COM hijacking. Network monitoring should track GitHub access patterns to detect systematic queries for victim-specific filenames matching internal systems. 

Defense Strategies Against APT-C-60 Tactics 

Defending against APT-C-60 requires layered controls addressing each attack phase. Email security should implement strict filtering of executable file types, including VHDX, VHD, ISO, and other mountable disk formats that Windows automatically opens without Mark of the Web protections. Organizations can safely block these file types in inbound email without impacting legitimate operations. 

Application control policies should prevent LNK files from executing system utilities like Git unless explicitly authorized, while endpoint detection rules should alert when COM hijacking Registry modifications occur outside software installation contexts. The specific Registry paths used for SpyGlace persistence—{566296fe-e0e8-475f-ba9c-a31ad31620b1} and {64B8F404-A4AE-11D1-B7B6-00C04FB926AF}—should be monitored continuously. 

Network security teams should baseline GitHub access patterns and investigate systematic queries for text files matching potential victim identifier formats. StatCounter communications containing system information in Referer headers represent clear indicators of compromise requiring immediate investigation. Organizations should consider implementing network segmentation that prevents HR systems from directly accessing development tools and repositories absent legitimate business need. 

HR departments require specialized security awareness training addressing job applicant social engineering. Training should emphasize that legitimate job seekers don’t send disk image files, that resume documents shouldn’t require mounting virtual drives, and that any technical complexity in opening an applicant’s materials warrants consultation with IT security before proceeding. 

Regular threat hunting exercises specifically searching for APT-C-60 indicators can identify compromises missed by automated controls. Hunt teams should look for the characteristic file paths SpyGlace uses (%LocalAppData%\Microsoft\Windows\WebClassUser.dat, %LocalAppData%\Microsoft\Windows\WebCache\WebCacheR.tmp.dat), mutex values associated with different versions, and the custom RC4 encryption patterns in network traffic. 
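As an added example (not from the JPCERT/CC report or this article), a Python hunting pass over endpoint telemetry for the host artifacts listed in this section and earlier: the two COM-hijack CLSIDs, the SpyGlace file paths, and Git's gcmd.exe running glog.txt. The event schema is a constructed simplification of Sysmon-style fields, and the sample events are made up.

```python
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the analysis above, lower-cased for case-insensitive matching.
COM_HIJACK_CLSIDS = (
    "{566296fe-e0e8-475f-ba9c-a31ad31620b1}",
    "{64b8f404-a4ae-11d1-b7b6-00c04fb926af}",
)
FILE_INDICATORS = (
    r"\microsoft\windows\webclassuser.dat",
    r"\microsoft\windows\webcache\webcacher.tmp.dat",
    r"\microsoft\windows\clouds\clouds.db",
    r"\microsoft\systemcertificates\my\cpls",
    r"\wcts66889.tmp",
)

# Assumed event schema (constructed, modelled loosely on Sysmon field names):
#   {"type": "registry"|"file"|"process", "host": ..., "target": <key or path>,
#    "image": <process image>, "cmdline": <command line>}
Event = Dict[str, str]


def match_event(ev: Event) -> List[str]:
    """Return the names of every hunting rule the event triggers."""
    rules: List[str] = []
    kind = ev.get("type")
    target = ev.get("target", "").lower()
    if kind == "registry":
        # COM hijack: InProcServer32 written under a CLSID SpyGlace is known to use.
        if "\\inprocserver32" in target and any(c in target for c in COM_HIJACK_CLSIDS):
            rules.append("com_hijack_known_clsid")
    elif kind == "file":
        if any(f in target for f in FILE_INDICATORS):
            rules.append("spyglace_file_path")
    elif kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # Git's gcmd.exe used to run the glog.txt script from the mounted VHDX.
        if image.endswith("\\gcmd.exe") and "glog.txt" in cmd:
            rules.append("git_gcmd_runs_glog")
    return rules


def hunt(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """(host, rule, evidence) for every hit, so analysts can group findings per host."""
    return [(ev.get("host", "?"), rule, ev.get("target") or ev.get("cmdline", ""))
            for ev in events for rule in match_event(ev)]


SAMPLE_EVENTS: List[Event] = [  # constructed telemetry; drive letter and paths are made up
    {"type": "registry", "host": "HR-PC01",
     "target": r"HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32"},
    {"type": "registry", "host": "HR-PC01",
     "target": r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32"},
    {"type": "file", "host": "HR-PC01",
     "target": r"C:\Users\hr\AppData\Local\Microsoft\Windows\WebClassUser.dat"},
    {"type": "process", "host": "HR-PC01", "image": r"E:\gcmd.exe", "cmdline": r"E:\gcmd.exe glog.txt"},
    {"type": "process", "host": "DEV-PC07", "image": r"C:\Program Files\Git\cmd\git.exe", "cmdline": "git.exe pull"},
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {evidence}")
```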

Conclusion 

APT-C-60’s continuous refinement of SpyGlace throughout 2025 demonstrates the persistent nature of state-aligned cyber espionage operations targeting strategic intelligence in the Asia-Pacific region. The group’s willingness to invest in incremental capability improvements, combined with their systematic targeting of Japanese organizations through social engineering, positions them as a long-term threat requiring sustained defensive investment. 

The technical sophistication evident in custom encryption implementations, multi-stage infection chains, and abuse of trusted infrastructure places APT-C-60 among the more capable APT groups currently operating in the region. Organizations must recognize that the combination of social engineering against non-technical staff and living-off-the-land techniques using legitimate tools creates detection challenges that traditional security controls may not adequately address. 

Japanese organizations, particularly those with valuable intellectual property, strategic business information, or government connections, should consider themselves priority targets and implement defense-in-depth strategies specifically designed to counter APT-C-60 tactics. The availability of detailed technical analysis from JPCERT/CC provides actionable intelligence that organizations should immediately translate into updated detection rules, hunt procedures, and security awareness training. 

Cyble’s threat intelligence platform provides real-time visibility into APT campaigns, including APT-C-60, with indicators of compromise, YARA rules, and behavioral detections updated as threats evolve.  

Our attack surface management solutions identify exposures that APT groups exploit for initial access, while dark web monitoring detects stolen credentials and data leaks that often precede targeted attacks. 

Organizations concerned about APT-C-60 or similar state-aligned threats can request a free external threat profile to understand their current risk posture and identify priority security improvements. For comprehensive intelligence on APT campaigns targeting your industry and region, contact Cyble’s threat intelligence team for a customized briefing. 
