SpyGlace
SpyGlace is a backdoor malware family used in cyber-espionage campaigns attributed in public reporting to APT-C-60, with sustained activity against Japanese organizations observed from June through August 2025. It was delivered through spear-phishing emails impersonating job applicants and targeting recruitment or HR staff.

In the documented infection chain, victims received a malicious VHDX attachment containing an LNK file; opening the shortcut executed a legitimate Git component (gcmd.exe) to run a malicious script, display a decoy document, and install staged downloader components. Downloader1 (including WebClassUser.dat) established persistence via COM hijacking at HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32, a per-user class registration that takes precedence over the machine-wide one, so the payload loads whenever a process instantiates that class. It beaconed to StatCounter using victim identifiers derived from the volume serial number and computer name, and retrieved victim-specific tasking from GitHub raw URLs such as raw.githubusercontent.com/carolab989/class2025/... . Downloader2 then fetched and executed SpyGlace and its loader, again using COM hijacking, with the retrieved payload XOR-decoded before execution.
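The persistence mechanism above is the cheapest place to hunt, because a per-user InProcServer32 entry that points at a non-DLL file in a user-writable directory is rare in a clean profile. The following is an added example, not code from the JPCERT/CC report or from the malware: it takes (key, value) pairs as exported from HKCU Software/Classes/CLSID and flags entries worth triage. The sample entries are constructed for the demo; only the first CLSID and the file names come from the reporting.

```python
"""Hunt for per-user COM hijacking of the kind Downloader1 uses for persistence.

Added example (not code from the JPCERT/CC report or from the malware). Feed it
(key, value) pairs from a reg export or a hive parser; it returns the reasons
an HKCU InProcServer32 registration deserves a look.
"""
import ntpath
import re

# Persistence key named in the reporting.
KNOWN_BAD_CLSIDS = {"{566296fe-e0e8-475f-ba9c-a31ad31620b1}"}

# Payload file names named in the reporting (compared case-insensitively).
KNOWN_BAD_NAMES = {"sp.dat", "webclassuser.dat", "securebootuefi.dat", "service.dat", "cn.dat"}

# Directories a standard user can write to; a COM server here can be swapped
# out without admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

CLSID_KEY_RE = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InProcServer32$", re.IGNORECASE
)


def assess(key: str, server: str) -> list[str]:
    """Return the reasons an HKCU InProcServer32 entry is suspicious (empty = nothing)."""
    m = CLSID_KEY_RE.match(key)
    if not m:
        return []  # not a per-user in-process server registration
    clsid = m.group(1).lower()
    path = server.strip().strip('"').lower()
    name = ntpath.basename(path)
    reasons = []
    if clsid in KNOWN_BAD_CLSIDS:
        reasons.append("clsid matches the Downloader1 persistence key")
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"server file name {name} matches a reported payload")
    if not name.endswith((".dll", ".ocx")):
        reasons.append("in-process server is not a .dll/.ocx")
    if any(tok in path for tok in USER_WRITABLE):
        reasons.append("server lives in a user-writable directory")
    return reasons


def hunt(entries):
    """entries: iterable of (registry key, InProcServer32 default value)."""
    findings = []
    for key, server in entries:
        reasons = assess(key, server)
        if reasons:
            findings.append((key, server, reasons))
    return findings


# Constructed sample data for the demo (the zero GUIDs are placeholders).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32",
     r"C:\Users\alice\AppData\Roaming\Microsoft\WebClassUser.dat"),
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32",
     r"C:\Program Files\Vendor\vendor.dll"),
    (r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InProcServer32",
     r"C:\Users\alice\AppData\Local\SomeApp\shellext.dll"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InProcServer32",
     r"C:\Windows\System32\shell32.dll"),
]

if __name__ == "__main__":
    for key, server, reasons in hunt(SAMPLE_ENTRIES):
        print(key, "->", server)
        for reason in reasons:
            print("   ", reason)
```

The third sample entry shows the expected noise: per-user installs of legitimate software also register servers under AppData, so treat the "user-writable" reason as a weight rather than a verdict, and escalate on the known CLSID, the known file names, or a non-DLL extension.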
JPCERT/CC observed SpyGlace versions 3.1.12, 3.1.13, and 3.1.14. Reported changes versus the earlier 3.1.6 samples included the prockill and proclist commands being turned into no-ops, a new uld command that calls a function in a loaded module and unloads the module two seconds later, and a screenupload-related module path reference to %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db with the export name mssc1. The versions also differ in their mutex names, and 3.1.14 moved its autorun path to %appdata%\Microsoft\SystemCertificates\My\CPLs. SpyGlace obfuscates strings and API names with single-byte XOR and SUB operations, which is weak enough that each string can be recovered by trying all 255 keys and keeping the printable result. Its Download command decrypts retrieved files with AES-128-CBC using the static key B0747C82C23359D1342B47A669796989 and IV 21A44712685A8BA42985783B67883999, writing the output to %temp%\wcts66889.tmp; because both values are fixed in the sample, a captured payload can be decrypted offline without running the malware.
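The XOR/SUB obfuscation described above is the kind an analyst strips first, because it hides the API names and module paths that give the sample away. The block below is an added example, not SpyGlace's own decoding routine, and the keys and plaintexts are chosen for the demo (the reporting does not publish the samples' keys). It brute-forces both operations over every key, keeps printable decodings, and ranks them, with a bonus for strings that look like Windows API or module names.

```python
"""Brute-force single-byte XOR / SUB string obfuscation of the kind SpyGlace uses.

Added example; not SpyGlace's own code. Keys and plaintexts below are picked for
the demo, since the reporting gives only the operation types, not the keys.
"""
import string

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Names a loader is likely to hide; extend from your own notes on the sample.
KNOWN_NAMES = {b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"CreateThread",
               b"kernel32.dll", b"ntdll.dll", b"advapi32.dll"}


def decode(blob: bytes, key: int, op: str) -> bytes:
    """Undo a single-byte XOR (byte ^ key) or SUB (byte - key) obfuscation."""
    if op == "xor":
        return bytes(b ^ key for b in blob)
    if op == "sub":
        return bytes((b - key) & 0xFF for b in blob)
    raise ValueError(op)


def encode(plain: bytes, key: int, op: str) -> bytes:
    """Forward transform, used here only to construct the demo blobs."""
    if op == "xor":
        return bytes(b ^ key for b in plain)
    if op == "sub":  # decoded by SUB, so it was encoded by ADD
        return bytes((b + key) & 0xFF for b in plain)
    raise ValueError(op)


def score(text: bytes) -> int:
    """Rank candidates: exact API/module names win, then alphanumeric density."""
    if text in KNOWN_NAMES:
        return 1000 + len(text)
    return sum(1 for c in text if chr(c).isalnum() or c in b"._\\:")


def recover(blob: bytes, min_len: int = 4):
    """Return (op, key, plaintext) candidates for a carved blob, best first."""
    cands = []
    for key in range(1, 256):
        for op in ("xor", "sub"):
            text = decode(blob, key, op).split(b"\x00", 1)[0]  # first NUL ends the string
            if len(text) >= min_len and all(c in PRINTABLE for c in text):
                cands.append((score(text), op, key, text))
    cands.sort(key=lambda t: t[0], reverse=True)
    return [(op, key, text) for _, op, key, text in cands]


# Constructed samples: plaintexts a loader would hide, keys chosen for the demo.
SAMPLES = {
    "xor": encode(b"LoadLibraryA", 0x5A, "xor"),
    "sub": encode(b"kernel32.dll", 0x13, "sub"),
    "xor_nul": encode(b"GetProcAddress\x00", 0x7C, "xor"),  # NUL-terminated as in a binary
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        op, key, text = recover(blob)[0]
        print(f"{label}: {blob.hex()} -> {op} 0x{key:02x} {text!r}")
```

Short blobs decode to printable text under many keys (any XOR key below 0x20 keeps ASCII letters in the printable range), so the ranking matters more than the filter; once one string yields its key, apply that key to the sample's whole string table rather than re-running the brute force per string.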
For command-and-control, SpyGlace communications were reported to use Base64 and a modified RC4 scheme. Initial request headers carried values such as md5("GOLDBAR"), md5(system information), and encoded host data including computer name, user name, CPU info, OS version, and SpyGlace version. The string "GOLDBAR" was noted as a recurring marker in prior related reporting. The malware and associated campaigns abused legitimate services, StatCounter for victim tracking and GitHub for per-host tasking and payload staging, and earlier related reporting also referenced Bitbucket; traffic to these services blends in with normal browsing, so detection has to key on the request shape rather than the destination. High-confidence indicators in the source reporting include the filenames sp.dat, WebClassUser.dat, SecureBootUEFI.dat, Service.dat, and cn.dat, and the C2 example IP 103.187.26.176.
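The network side described above gives a handful of shape-based signals: a StatCounter beacon carrying a Referer that begins with "ONLINE=>", a GitHub raw fetch of a per-victim .txt named from the volume serial and computer name, a request header whose value equals md5("GOLDBAR"), and the example C2 address. The following is an added example, not from the JPCERT/CC report, that runs those rules over constructed JSON-lines proxy records with the fields host, path, referer, headers and dst_ip; the repository, hostname, serial and header name in the sample lines are made up, and the tasking-file regex assumes the serial is rendered as 8 hex digits, which the reporting does not state.

```python
"""Flag the Downloader1 / SpyGlace network pattern in proxy logs.

Added example; not from the JPCERT/CC report. Input is JSON-lines proxy
records with host, path, referer, headers and dst_ip; map your own proxy
schema onto those names. Sample lines are constructed.
"""
import hashlib
import json
import re

# Value the reporting names among SpyGlace's initial request headers.
GOLDBAR_MD5 = hashlib.md5(b"GOLDBAR").hexdigest()

# C2 address given as an example in the reporting.
KNOWN_C2_IPS = {"103.187.26.176"}

# Assumption: the per-victim tasking file is "<VolumeSerialNumber><ComputerName>.txt"
# with the serial rendered as 8 hex digits. The reporting gives only the
# "[VolumeSerialNumber + ComputerName].txt" shape, so tune this to what you see.
TASKING_FILE_RE = re.compile(r"/[0-9A-Fa-f]{8}[A-Za-z0-9_-]{1,63}\.txt$")


def classify(rec: dict) -> list[str]:
    """Return the rule names a single proxy record matches."""
    hits = []
    host = (rec.get("host") or "").lower()
    path = rec.get("path") or ""
    referer = rec.get("referer") or ""
    header_values = {str(v) for v in (rec.get("headers") or {}).values()}

    # Assumption: the "Referer: ONLINE=>..." format the reporting quotes belongs
    # to the Downloader1 StatCounter beacon; only the prefix is published.
    if host.endswith("statcounter.com") and referer.startswith("ONLINE=>"):
        hits.append("downloader1-statcounter-beacon")
    # Per-host tasking fetched from GitHub raw content.
    if host == "raw.githubusercontent.com" and TASKING_FILE_RE.search(path):
        hits.append("github-raw-victim-tasking")
    # SpyGlace's initial request carries md5("GOLDBAR") as a header value.
    if GOLDBAR_MD5 in header_values:
        hits.append("spyglace-goldbar-header")
    if rec.get("dst_ip") in KNOWN_C2_IPS:
        hits.append("known-c2-ip")
    return hits


def scan(lines):
    """Return (line number, rule) for every hit; unparseable lines are skipped."""
    out = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        out.extend((n, rule) for rule in classify(rec))
    return out


# Constructed sample log: owner/repo, hostname, serial, header name and the
# non-C2 addresses are made up for the demo.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"host": "c.statcounter.com", "path": "/t.php", "referer": "ONLINE=>1A2B3C4D",
     "headers": {}, "dst_ip": "198.51.100.10"},
    {"host": "raw.githubusercontent.com", "path": "/example-owner/example-repo/main/1A2B3C4DDESKTOP-01.txt",
     "referer": "", "headers": {}, "dst_ip": "198.51.100.11"},
    {"host": "raw.githubusercontent.com", "path": "/example-owner/example-repo/main/notes.txt",
     "referer": "", "headers": {}, "dst_ip": "198.51.100.11"},
    {"host": "203.0.113.7", "path": "/", "referer": "",
     "headers": {"hdr1": GOLDBAR_MD5}, "dst_ip": "103.187.26.176"},
    {"host": "c.statcounter.com", "path": "/t.php", "referer": "https://www.example.com/",
     "headers": {}, "dst_ip": "198.51.100.10"},
)]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE_LOG):
        print(f"line {n}: {rule}")
```

Lines 3 and 5 are the controls: an ordinary GitHub raw .txt and a browser's StatCounter hit produce nothing, which is the point of matching on request shape, since blocking or alerting on the destinations themselves would drown the signal in legitimate traffic.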
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
Public reporting indicates the group exploited a remote code execution vulnerability in the Windows version of a productivity suite (CVE-2024-7262) to drop SpyGlace.
APT-C-60 ... orchestrating multi-stage campaigns to deploy the SpyGlace back-door... ultimately loading SpyGlace... executing sp.dat (SpyGlace) as the back-door.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"APT-C-60 Targets Japan: New SpyGlace Malware Uses VHDX LNK and GitHub Tasking for Persistent Espionage"
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
"Targeted attack emails impersonating job applicants and addressed to the organization's recruitment staff... In this attack the malicious VHDX file was sent directly as an attachment."
Execution
2 techniques
Stealth
1 technique
"The retrieved file is... executed after XOR decoding" / "SpyGlace... BASE64 and RC4... a modified RC4" / "decrypted with AES128-CBC"
Discovery
1 technique
"a002=[md5(systeminfo)]" / "[ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]"
Lateral Movement
1 technique
Collection
1 technique
"screenupload Upload screenshot" / "screenauto Upload screenshot automatically"
Command and Control
3 techniques
"communicates with statcounter... at fixed intervals" / "request header... Referer: ONLINE=>..." / "uses BASE64 and RC4 for communication with the C2 server... request header format..."
"The attacker uses GitHub to distribute payloads..." / "Downloader1 communicates at fixed intervals with statcounter, a legitimate statistics service"
"https://raw.githubusercontent.com/.../[VolumeSerialNumber + ComputerName].txt... the next stage, Downloader2, is downloaded and executed from the URL written in the retrieved file"
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
SpyGlace is spyware delivered via spear-phishing, used to exfiltrate sensitive information from targeted systems.
SpyGlace is spyware delivered via spear-phishing emails, used by APT-C-60 to target Japanese organizations. It is downloaded through malicious scripts executed from VHDX files.
SpyGlace is described as a new espionage-focused malware used for persistent spying, leveraging VHDX and LNK-based techniques and GitHub for tasking (command-and-control/task distribution).
Multi-stage espionage backdoor delivered via VHDX/LNK chain; establishes persistence via COM hijacking and communicates with C2 to receive commands, load plugins, exfiltrate files, and execute commands.