Downloader1
Downloader1 is an initial-stage downloader identified by JPCERT/CC in APT-C-60 campaigns observed in Japan from June through August 2025. It is the file WebClassUser.dat, which is created after a spearphishing infection chain in which attackers impersonate job applicants and send recruitment staff a malicious VHDX attachment. Opening an embedded LNK executes a legitimate Git component (gcmd.exe) to run a script that displays a decoy document, drops additional files, and installs Downloader1.
Downloader1 establishes persistence and execution through COM hijacking by registering an InProcServer32 value under HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32. It periodically communicates with the legitimate analytics service StatCounter, sending request headers that include a Referer value derived from the victim's volume serial number and computer name, which lets the operators identify compromised hosts. It then constructs victim-specific raw GitHub URLs (reported examples point at raw.githubusercontent.com repositories such as carolab989/class2025) to retrieve a tasking file named [VolumeSerialNumber+ComputerName].txt.
That GitHub-hosted tasking file enables per-host control after the attacker observes the StatCounter beacon. Reported commands include changing or resetting the StatCounter beacon interval, instructing a DLL download, and directing retrieval of a second-stage downloader. Downloader1 XOR-decodes retrieved content using the key string "sgznqhtgnghvmzxponum" before execution. It is associated with staged delivery of Downloader2, which in turn downloads and executes SpyGlace and its loader.
High-confidence associated infrastructure and behaviors include abuse of legitimate services (StatCounter and GitHub), victim identification based on volume serial number plus computer name, and use in APT-C-60 operations targeting organizations in Japan via recruitment-themed spearphishing. A directly reported persistence IOC is the registry path HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32, and a directly reported file artifact is WebClassUser.dat.
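As an added analyst example (not code from JPCERT/CC, Mallory or this page), the two host-identification behaviours above turned into defensive helpers: a decoder for content XOR-encoded with the reported key, and a hunt over constructed proxy-log lines for raw GitHub fetches of a per-host tasking file. The host inventory, the log layout and the rendering of the volume serial inside the file name are assumptions.

```python
"""Analyst helpers for the Downloader1 behaviours described above.
Added example with constructed sample data; not JPCERT/CC or Mallory code."""
import re
from itertools import cycle

# Repeating-key XOR with the key reported for Downloader1.
XOR_KEY = b"sgznqhtgnghvmzxponum"


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR-decode content retrieved by Downloader1 (the routine is symmetric)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Proxy log lines (constructed for this example) in a "client url" layout.
SAMPLE_LOG = """\
10.0.0.5 https://raw.githubusercontent.com/carolab989/class2025/main/1A2B3C4DWS-ACCT07.txt
10.0.0.9 https://raw.githubusercontent.com/someorg/tool/main/README.md
10.0.0.7 https://raw.githubusercontent.com/carolab989/class2025/main/FFEE0011HR-PC12.txt
10.0.0.7 https://www.statcounter.com/
"""

# Assumed inventory: computer name -> volume serial number. The page only says
# "[VolumeSerialNumber+ComputerName].txt"; rendering the serial as 8 hex
# digits is an assumption for this example.
INVENTORY = {"WS-ACCT07": "1A2B3C4D", "HR-PC12": "FFEE0011"}

RAW_GH = re.compile(r"https://raw\.githubusercontent\.com/\S+/([^/\s]+)\.txt$")


def hunt_tasking_fetches(log: str, inventory: dict) -> list:
    """Return (client, host, url) for raw GitHub .txt fetches whose file name
    equals an inventoried host's volume serial followed by its computer name."""
    hits = []
    for line in log.splitlines():
        client, _, url = line.partition(" ")
        m = RAW_GH.search(url)
        if not m:
            continue
        name = m.group(1)
        for host, serial in inventory.items():
            if name == serial + host:
                hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for client, host, url in hunt_tasking_fetches(SAMPLE_LOG, INVENTORY):
        print(f"possible Downloader1 tasking fetch: {client} ({host}) -> {url}")
```

Decoding a captured tasking file with xor_decode() yields the URL list the text describes; the hunt only flags hosts present in your own inventory.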
Groups observed using it
1 distinct threat actor attributed by public researchers.
“The created WebClassUser.dat (hereafter referred to as “Downloader1”)… gets persisted and executed through COM hijacking.”
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
“Targeted attack emails impersonating job applicants and addressed to the organization's recruiting staff … In this attack, a malicious VHDX file was sent directly as the attachment.”
Execution (3 techniques)
Persistence (2 techniques)
Privilege Escalation (1 technique)
Stealth (2 techniques)
Defense Impairment (1 technique)
Discovery (1 technique)
“a002=[md5(systeminfo)]” “[ComputerName;UserName;CpuInfo;OS Version;SpyGlace Version]”
Command and Control (3 techniques)
“communicates with statcounter … at regular intervals” “request header … Referer: ONLINE=>…” “uses BASE64 and RC4 for communication with the C2 server … format of the request header …”
“The attackers used GitHub to distribute the payloads …” “Downloader1 communicates at regular intervals with a legitimate statistics service called statcounter”
“https://raw.githubusercontent.com/.../[VolumeSerialNumber + ComputerName].txt … based on the URL written in the retrieved file, it downloads and executes the next stage, Downloader2”
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
First-stage downloader/persistence component. Uses COM hijacking for persistence, periodically beacons to Statcounter with a referrer encoding victim identifiers (volume serial number + computer name), then pulls a per-victim tasking file from GitHub to retrieve and execute Downloader2 and accept simple command/tasking (e.g., change beacon interval, download DLL).
Initial-stage downloader. It beacons periodically to statcounter (a legitimate service), uses the victim host identifier (volume serial number + computer name) to fetch the corresponding text file on GitHub, and downloads and executes the next stage (Downloader2 and the like) from the URL listed there. Persistence is achieved through COM hijacking. Retrieved data is XOR-decoded before execution.