APT-C-60 Spear-Phishing Campaign Deploying SpyGlace Spyware (v3.1.12-3.1.14) via VHDX/LNK and Git (gcmd.exe) LOLBin Abuse — Threadlinqs Intelligence
Threat ID: TL-2026-0777 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: APT-C-60 · South Korea · ESPIONAGE
APT-C-60, a South Korea-aligned espionage actor in the DarkHotel cluster, ran a June-August 2025 spear-phishing campaign against Japanese recruitment staff using job-seeker-themed emails with VHDX
JPCERT/CC (Yuma Masubuchi, published 2025-11-05) documents the continuation and evolution of APT-C-60 espionage activity against Japan observed between June and August 2025, targeting recruitment/HR staff with job-application lures. The intrusion chain begins with a spear-phishing email impersonating a job seeker that carries a malicious virtual hard disk image, "CV & Professional Experience.vhdx", directly as an attachment. A VHDX mounts natively in Windows Explorer, receives its own drive letter, and the files inside it do not inherit the Mark-of-the-Web that the downloaded attachment itself carries. When the victim mounts the image and clicks the embedded shortcut "Resume.rtf.lnk" (the double extension reads as a document when extensions are hidden), the shortcut runs 'cd .\LICENSES.LOG\mingw64\bin && type glog.txt | gcmd.exe'. The && and | operators are cmd.exe syntax, so the command line passes through the command interpreter before it reaches gcmd.exe, the legitimate, signed Git command binary shipped inside the image at P:\LICENSES.LOG\mingw64\bin\gcmd.exe; the dropper script glog.txt is fed to it on standard input. This Living-Off-the-Land use of a developer utility proxies script execution through a trusted, signed binary, so application-control and signature-based checks that judge only the executable see nothing but Git.
The dropper displays a decoy document, writes follow-on artifacts, and launches WebClassUser.dat (Downloader1), which achieves persistence through Component Object Model (COM) hijacking: it writes the InProcServer32 value under HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}, and because the per-user hive is consulted before HKLM when that CLSID is instantiated, the downloader is loaded in place of the legitimate server without touching machine-wide keys or needing administrative rights. Downloader1 retrieves Downloader2 (WebCacheR.tmp.dat), which in turn pulls a loader (datapages.txt) and the SpyGlace payload (datautils.txt) staged on actor-controlled GitHub repositories. Stage payloads are protected with layered obfuscation: XOR (downloader keys 'sgznqhtgnghvmzxponum' and 'AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE'), a modified RC4 routine, Base64 encoding, and AES-128-CBC (KEY B0747C82C23359D1342B47A669796989 / IV 21A44712685A8BA42985783B67883999) for SpyGlace strings and C2 traffic.
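Endpoint-side detection for the first two stages described above, as an added example that is not code from the JPCERT report or from Threadlinqs. Two rules run over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). Rule 1 flags a command line that pipes a file into an executable, as the shortcut does with 'type glog.txt | gcmd.exe', when the target is a Git binary or when the shell was started by Explorer from a volume other than the system drive (a mounted VHDX receives its own drive letter). Rule 2 flags any InProcServer32 write under the per-user CLSID hive and raises severity when the CLSID is the one named in the report or the server path is not a .dll. The system drive letter, the Git binary names beyond gcmd.exe, the process names and every sample event are assumptions constructed for the example.

```python
"""Added detection example (not code from the JPCERT report or from Threadlinqs).

Rule 1: a shell that pipes a file into an executable ('type X | Y.exe'), the way
        Resume.rtf.lnk feeds glog.txt into gcmd.exe.
Rule 2: InProcServer32 written under a per-user CLSID key (COM hijacking), the way
        Downloader1 (WebClassUser.dat) persists.
Field names follow Sysmon (EventID 1 / 13); the sample events are constructed.
"""
import re

SYSTEM_DRIVE = "C:"                       # assumption for the sample environment
GIT_BINARIES = {"gcmd.exe", "git.exe"}    # gcmd.exe is the binary abused in the campaign
KNOWN_CLSIDS = {"{566296fe-e0e8-475f-ba9c-a31ad31620b1}"}   # CLSID from the report

# 'type <file> | <something>.exe' anywhere in the command line
PIPE_TO_EXE = re.compile(r"\btype\s+(?P<script>\S+)\s*\|\s*(?P<target>\S+?\.exe)\b", re.I)
# HKU\<SID>\Software\Classes\CLSID\{GUID}\InProcServer32[\(Default)]  (Sysmon TargetObject form)
COM_INPROC = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"\\InProcServer32(?:\\\(Default\))?$", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict):
    """Rule 1. Fires when a file is piped into a Git binary, or into any .exe while the
    shell was started by Explorer (LNK double-click) from a non-system volume."""
    if ev.get("EventID") != 1:
        return None
    m = PIPE_TO_EXE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    target = basename(m.group("target"))
    cwd = ev.get("CurrentDirectory", "")
    off_system_drive = bool(cwd) and not cwd.upper().startswith(SYSTEM_DRIVE)
    from_explorer = basename(ev.get("ParentImage", "")) == "explorer.exe"
    if target in GIT_BINARIES or (off_system_drive and from_explorer):
        return f"{m.group('script')} piped into {target} (cwd={cwd or '?'})"
    return None


def check_registry(ev: dict):
    """Rule 2. Fires on any per-user InProcServer32 write; severity is 'high' when the
    CLSID is a known one or the server path is not a .dll (e.g. WebClassUser.dat)."""
    if ev.get("EventID") != 13:
        return None
    m = COM_INPROC.match(ev.get("TargetObject", ""))
    if not m:
        return None
    clsid = m.group("clsid").lower()
    server = ev.get("Details", "")
    severity = "high" if clsid in KNOWN_CLSIDS or not server.lower().endswith(".dll") else "medium"
    return f"{severity}: {clsid} -> {server} by {basename(ev.get('Image', ''))}"


def run(events):
    """Apply both rules to an event list; returns one alert dict per hit."""
    alerts = []
    for i, ev in enumerate(events):
        for rule, fn in (("lnk_pipe_to_exe", check_process), ("com_hijack_hkcu", check_registry)):
            detail = fn(ev)
            if detail:
                alerts.append({"rule": rule, "index": i, "detail": detail})
    return alerts


# Constructed sample telemetry: two true positives and two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "P:\\",
     "CommandLine": r"cmd.exe /c cd .\LICENSES.LOG\mingw64\bin && type glog.txt | gcmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CurrentDirectory": r"C:\src\app",
     "CommandLine": r"cmd.exe /c type build.log | findstr.exe error"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",   # writer process is an assumption
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
                     r"\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32\(Default)",
     "Details": r"C:\Users\hr01\AppData\Roaming\WebClassUser.dat"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}"
                     r"\InProcServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 at "medium" will also fire on legitimate per-user COM registrations (per-user installers, some Office add-ins), so baseline those before alerting on them; the "high" path, an HKCU InProcServer32 that points at a non-.dll file or at a CLSID tied to this campaign, is the one worth paging on.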
SpyGlace is a long-running APT-C-60 backdoor first surfaced by ThreatBook in 2022; the 2025 variants are versioned 3.1.12 (built 2025-06-27), 3.1.13 (2025-07-03) and 3.1.14 (2025-07-16). The 3.1.14 build moved its execution path from %public%\AccountPictures\Default\ to %appdata%\Microsoft\SystemCertificates\My\CPLs. SpyGlace exposes roughly 18 operator commands (cd, ddir, ddel, ld, uld, attach, detach, procspawn, diskinfo, download, downfree, cancel, screenupload, screenauto, upload; prockill and proclist are present but disabled in these builds, and uld was added to unload modules), covering file and directory enumeration, file collection, process spawning, disk reconnaissance, screen capture and exfiltration over C2. The actor fingerprints each victim with the disk Volume Serial Number plus the Computer Name and embeds that identifier in the GitHub payload filenames and in HTTP Referer headers, which gives per-device tracking; by enumerating those identifiers JPCERT counted roughly 12 compromised devices.
Command-and-control uses an actor IP at 185.181.230.71 under path /wkdo9/ with rotating ASP endpoints (4b3ru.asp, t1802.asp, n3tb4.asp, 2qpmk.asp). Statcounter (c.statcounter.com/13139439/0/1ba1a548/1/) is abused as a legitimate-web-service dead-drop resolver, and the legacy Bitbucket location (bitbucket.org/clouds999/glo29839/downloads/) is retained from earlier campaigns. Attribution to APT-C-60 rests on the embedded 'GOLDBAR' userid marker (sent as an MD5 in C2 traffic) consistent with prior operations, TTP overlap with the August 2024 attacks (which exploited CVE-2024-7262 in WPS Office to deliver SpyGlace), and the broader assessment by Chuangyu 404 Lab and Positive Technologies that APT-C-60 and APT-Q-12 are sub-clusters of DarkHotel. This campaign exploits no CVE; initial access is purely social engineering plus VHDX/LNK packaging and Git LOLBin abuse.
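Network-side matching for the infrastructure listed above, as an added example that is not code from the JPCERT report or from Threadlinqs. It classifies proxy-log requests against the C2 IP and /wkdo9/ endpoint pattern, the Statcounter dead-drop path and the legacy Bitbucket path, and it goes one step beyond the specific endpoints: any contact with the C2 IP is reported at medium confidence even when the path is new, and a GitHub fetch carrying a Referer from a non-GitHub host is reported at low confidence as a heuristic for the fingerprinted downloads described above. The log format, the sample lines, the GitHub host list and the Referer heuristic are assumptions constructed for the example.

```python
"""Added network-IOC example (not code from the JPCERT report or from Threadlinqs).

Matches requests against the campaign's C2 and dead-drop infrastructure.
Log format and sample lines are constructed:  <ts> <client> <method> <url> <status> <referer>
"""
import re
from urllib.parse import urlsplit

C2_IP = "185.181.230.71"
# /wkdo9/ plus a five-character alphanumeric ASP name: 4b3ru.asp, t1802.asp, n3tb4.asp, 2qpmk.asp
C2_PATH = re.compile(r"^/wkdo9/[0-9a-z]{5}\.asp$", re.I)
STATCOUNTER_DROP = "c.statcounter.com/13139439/0/1ba1a548/1/"
BITBUCKET_DROP = "bitbucket.org/clouds999/glo29839/downloads/"
# Hosts a GitHub-staged payload is fetched from (assumption: list is not from the report)
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com", "codeload.github.com"}


def _is_github_referer(referer: str) -> bool:
    host = urlsplit(referer).hostname or ""
    return host == "github.com" or host.endswith(".github.com") or host.endswith(".githubusercontent.com")


def classify(url: str, referer: str = "-"):
    """Return a list of (ioc, confidence) hits for one request; empty when clean."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    hits = []
    if host == C2_IP:
        hits.append(("spyglace_c2", "high" if C2_PATH.match(path) else "medium"))
    if (host + path).startswith(STATCOUNTER_DROP):
        hits.append(("statcounter_deaddrop", "high"))
    if (host + path).startswith(BITBUCKET_DROP):
        hits.append(("bitbucket_legacy_staging", "high"))
    # Heuristic: SpyGlace stages embed a device fingerprint in the Referer; a browser
    # fetching from GitHub normally carries a GitHub Referer or none at all.
    if host in GITHUB_HOSTS and referer not in ("", "-") and not _is_github_referer(referer):
        hits.append(("github_fetch_foreign_referer", "low"))
    return hits


def parse_line(line: str) -> dict:
    ts, client, method, url, status, referer = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": referer}


def hunt(lines):
    """Run classify() over log lines; one record per (request, IOC) hit."""
    out = []
    for line in lines:
        rec = parse_line(line)
        for ioc, confidence in classify(rec["url"], rec["referer"]):
            out.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                        "ioc": ioc, "confidence": confidence})
    return out


def affected_clients(hits, min_confidence="high"):
    """Distinct client IPs with at least one hit at the given confidence."""
    return sorted({h["client"] for h in hits if h["confidence"] == min_confidence})


# Constructed sample log: one infected host (10.0.5.23) and one clean host (10.0.5.40).
SAMPLE_LOG = [
    "2025-07-16T09:12:03Z 10.0.5.23 POST http://185.181.230.71/wkdo9/4b3ru.asp 200 -",
    "2025-07-16T09:12:09Z 10.0.5.23 GET http://185.181.230.71/ 404 -",
    "2025-07-16T09:15:41Z 10.0.5.23 GET https://c.statcounter.com/13139439/0/1ba1a548/1/ 200 -",
    "2025-07-16T09:16:02Z 10.0.5.40 GET https://c.statcounter.com/t.php?sc_project=1234 200 https://example.com/",
    "2025-07-16T09:17:55Z 10.0.5.23 GET https://raw.githubusercontent.com/exampleuser/examplerepo/main/datautils.txt 200 http://intranet.example/",
    "2025-07-16T09:18:30Z 10.0.5.23 GET https://bitbucket.org/clouds999/glo29839/downloads/payload.bin 200 -",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
    print("hosts to isolate:", affected_clients(hunt(SAMPLE_LOG)))
```

Only the high-confidence hits identify a host; the medium and low signals are for scoping once one host is confirmed, since Statcounter and GitHub are used legitimately across any enterprise.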
Target sectors: recruitment, human-resources, staffing, government, technology
Target regions: Japan, East Asia
Detections & IOCs
This threat has 9 detection rules across Splunk SPL, Microsoft KQL and Sigma, and 40 indicators of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity
MITRE ATT&CK: T1566, T1204, T1059, T1218, T1202, T1546, T1574, T1036, T1027, T1140