Update on Attacks by Threat Group APT-C-60

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

APT-C-60 continues to target Japan and East Asia with spear-phishing attacks impersonating job seekers. The attack flow has evolved, now directly attaching malicious VHDX files to emails. The malware, including Downloader1, Downloader2, and SpyGlace, has been updated with new features and communication methods. SpyGlace versions 3.1.12, 3.1.13, and 3.1.14 were observed, with changes in Mutex values and execution paths. The attackers use GitHub for payload distribution and employ sophisticated encoding and encryption techniques. The campaign abuses legitimate services and maintains consistent behavioral patterns despite infrastructure changes.

OPENCTI LABELS:

recruitment,github,rc4,com hijacking,spyglace,spear-phishing,east asia,vhdx,downloader1,downloader2


AI COMMENTARY:

1. In recent months, security researchers have observed a marked uptick in spear-phishing campaigns orchestrated by the Threat Group APT-C-60, prompting this comprehensive update on their evolving tactics and targets. The group’s focus remains squarely on organizations across Japan and East Asia, where it masquerades as job seekers to exploit recruitment-themed social engineering. By impersonating candidates seeking employment, APT-C-60 lures unsuspecting victims into opening malicious attachments and visiting compromised domains. This latest briefing synthesizes the changes in the attack flow, malware enhancements, and infrastructure shifts that define the current iteration of their operations.

2. The spear-phishing methodology has advanced beyond merely embedding macros in Office documents. APT-C-60 now directly attaches virtual hard disk files (VHDX) to emails, sidestepping traditional filters that flag macro content. Once the VHDX is mounted, it drops a multi-stage payload that initiates reconnaissance and sets the stage for secondary downloaders. This streamlined delivery mechanism minimizes user interaction and reduces the window for defenders to detect suspicious activity. Observers note that the shift to VHDX attachments underscores the group’s commitment to refining its entry vector.

3. Central to APT-C-60’s toolkit are Downloader1 and Downloader2, both of which have received notable upgrades. Downloader1 now features enhanced RC4-based decryption routines to unpack its components in memory, while Downloader2 leverages COM hijacking techniques to achieve code execution under the guise of legitimate libraries. The group’s spyware framework, SpyGlace, has also seen rapid iteration. Versions 3.1.12 through 3.1.14 introduce new Mutex values, altered execution paths, and improved persistence mechanisms, allowing the malware to survive system reboots and evade common endpoint protections.

4. Infrastructure adaptation is a hallmark of this campaign. APT-C-60 has begun distributing payloads through repositories on GitHub, exploiting the platform’s trusted reputation and global content delivery network. Their use of legitimate services complicates takedown efforts and provides an opaque channel for payload updates. The malicious code employs sophisticated encoding and encryption layers, ensuring that network traffic blends in with normal corporate activity. Analysts also report instances of domain shadowing and COM hijacking to maintain a stable command-and-control backbone despite constant remediation by defenders.

5. Geographically, the campaign remains concentrated in East Asia, with a primary emphasis on Japan’s critical infrastructure, technology firms, and government agencies. Attackers tailor lures to align with local recruitment practices and corporate cultures, increasing the likelihood of user engagement. Post-exploitation activity includes data exfiltration, credential harvesting, and the deployment of long-term espionage implants. The consistency of behavioral patterns across regional targets allows threat hunters to map indicators of compromise and anticipate future strikes.

6. As APT-C-60 continues to refine its recruitment-themed spear-phishing tactics, security teams must bolster email defenses and user awareness programs. Deploying robust sandboxing solutions capable of handling VHDX attachments, monitoring for anomalous RC4 decryption routines, and scrutinizing GitHub traffic are essential countermeasures. By understanding the group’s evolving malware variants—Downloader1, Downloader2, and SpyGlace—and their preferred abuse of legitimate services, organizations can harden their defenses against this persistent threat. Vigilance and timely threat intelligence sharing will be critical in mitigating the impact of APT-C-60’s next wave of operations.
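The VHDX attachment vector described in paragraph 2 and the sandboxing countermeasure in paragraph 6 come together in the following added example, which is not part of the original report: a mail-gateway triage check that flags disk-image attachments both by extension and by the VHDX file-type identifier ("vhdxfile" at offset 0), so a renamed image still gets routed to a sandbox. The message, sender and attachment bytes are constructed for the example and are not real samples.

```python
import email
from email import policy
from email.message import EmailMessage

# VHDX images begin with the ASCII file-type identifier "vhdxfile" at offset 0.
VHDX_SIGNATURE = b"vhdxfile"
# Disk-image extensions worth routing to a sandbox that can mount them.
DISK_IMAGE_EXTS = {".vhdx", ".vhd", ".iso", ".img"}


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that looks like a disk image by name or by magic bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        by_ext = ext in DISK_IMAGE_EXTS
        by_magic = payload.startswith(VHDX_SIGNATURE)
        if by_ext or by_magic:
            findings.append({
                "filename": name,
                "extension_flag": by_ext,
                "vhdx_magic": by_magic,
                # A VHDX header under a non-VHDX name is the renamed-attachment case.
                "mismatch": by_magic and ext != ".vhdx",
            })
    return findings


def build_sample_eml() -> bytes:
    """Constructed recruitment-themed message (not a real sample) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.invalid"   # constructed address
    msg["To"] = "hr@example.invalid"            # constructed address
    msg["Subject"] = "Application for the open position"
    msg.set_content("Please find my CV attached.")
    fake_image = VHDX_SIGNATURE + b"\x00" * 8    # constructed header bytes only, not a mountable image
    msg.add_attachment(fake_image, maintype="application", subtype="octet-stream", filename="cv.vhdx")
    msg.add_attachment(fake_image, maintype="application", subtype="octet-stream", filename="resume.pdf")
    msg.add_attachment("Dear hiring team,", filename="cover_letter.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_eml()):
        print(finding)
```

The benign text attachment produces no finding; the two image-like parts are flagged, and the one disguised as a PDF is additionally marked as an extension/content mismatch.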



