SpyGlace Campaign Abuses Trusted Developer Services to Evade Detection
APT-C-60's latest SpyGlace campaign leverages legitimate developer platforms like GitHub and GitLab, combined with a chain of trusted Windows tools, to deliver malware and evade network defenses.

The advanced persistent threat group APT-C-60 has resurfaced with a new iteration of its SpyGlace malware campaign, employing sophisticated techniques to bypass network detection mechanisms. This latest operation, observed by researchers at JPCERT/CC, focuses on abusing trusted developer services and legitimate system tools to mask malicious activities. Spear-phishing emails serve as the initial vector, directing victims to archives containing malicious LNK (shortcut) files. These files, when opened, initiate a complex chain of execution involving common Windows utilities and popular development platforms.
The infection chain begins with a user opening a booby-trapped archive, often delivered via a link to cloud storage services like Proton Drive or as a direct email attachment. Inside, a malicious LNK file is present. Upon execution, this shortcut copies itself and launches mshta.exe, a legitimate Windows HTML Application host, to run embedded JavaScript code. This initial script is responsible for downloading and decoding a file disguised as contributing1.txt, which in turn contains further malicious instructions.
The downloaded script then leverages a legitimate copy of git.exe, a widely used version control system tool, to execute another script. This script is crucial for reconstructing a downloader from fragmented .db files. The reconstructed downloader is then used to fetch additional downloader and loader components before finally deploying the SpyGlace malware. This multi-stage process allows the attackers to modify components without altering the initial lure, providing flexibility and resilience.
A key characteristic of this campaign is the abuse of trusted online services for command-and-control (C2) and malware distribution. APT-C-60 has expanded its infrastructure to include GitHub, GitLab, jsDelivr, and Codeberg, in addition to previously used platforms like GitHub and Bitbucket. These services are commonly used by developers for code hosting and collaboration, meaning their traffic often blends seamlessly with legitimate business operations, making it difficult for security systems to distinguish malicious activity from normal network behavior.
JPCERT/CC observed SpyGlace versions 3.1.15, 3.1.17, and 3.1.18, noting that these versions did not introduce significant functional changes compared to earlier samples. The primary evolution lies in the delivery method and the infrastructure used, highlighting the attackers' adaptability. The campaign underscores the importance of behavioral analysis over simple signature-based detection. Security teams must correlate user actions, such as opening unexpected archives, with subsequent suspicious process executions like mshta.exe and unusual git.exe activity, especially when originating from temporary or extracted directories.
Defenders are urged to adopt a defense-in-depth strategy that combines user awareness training with robust endpoint, network, and email security controls. Phishing defenses remain paramount, as the initial email is the gateway. Organizations should flag unexpected archives and shortcut files, and endpoint monitoring should alert on suspicious process chains. Network monitoring should scrutinize traffic to code-hosting and content-delivery services, contextualizing it with the originating device and process. This behavior-centric approach is vital for detecting such stealthy campaigns.
The campaign's reliance on legitimate tools and services demonstrates a trend where threat actors are refining existing techniques rather than relying on novel exploits. This approach makes attribution and detection more challenging. While Indicators of Compromise (IoCs) such as IP addresses, URLs, and repository details are provided, defenders should not solely rely on them, as attackers can quickly rotate infrastructure. A proactive, behavior-based security posture is essential to counter evolving threats like SpyGlace.