APT-C-60 has conducted a targeted espionage campaign against organizations in Japan, utilizing spear-phishing emails that impersonate job seekers to deliver malicious payloads. The attackers attach a VHDX file containing an LNK shortcut, which, when executed, leverages legitimate tools such as Git to run malicious scripts. These scripts deploy the SpyGlace malware, which establishes persistence through COM hijacking and communicates with external services for device identification and command-and-control. The campaign demonstrates a shift from using cloud storage links to directly attaching malicious files, and incorporates updates to the downloader and SpyGlace components, including new encoding and communication methods.
Analysis by JPCERT/CC and other sources highlights the use of GitHub for tasking, the evolution of the malware's infection flow, and the use of decoy documents to mask malicious activity. The attackers have refined their techniques to evade detection and maintain long-term access, with the malware periodically contacting legitimate statistics services as part of its operation. The campaign underscores the persistent threat posed by APT-C-60 and the sophistication of their tooling and delivery methods targeting Japanese entities.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
On November 5, 2025, JPCERT/CC published an updated report on APT-C-60 attacks in Japan, detailing the VHDX/LNK infection chain, Downloader1 and Downloader2 behavior, COM hijacking persistence, GitHub-based tasking, and extensive file and network indicators. The report also analyzed attacker GitHub repositories and highlighted consistent use of the 'GOLDBAR' userid marker in communications.
JPCERT/CC documented SpyGlace versions 3.1.12, 3.1.13, and 3.1.14 during the June-August 2025 activity. The updates included command changes such as no-op behavior for prockill/proclist, a new uld command, and changes to mutexes and auto-execution paths in version 3.1.14.
During the 2025 campaign, JPCERT/CC found the attackers had moved their tasking and staging workflow from Bitbucket to GitHub while keeping broadly consistent tradecraft. Downloader components derived victim-specific filenames from the volume serial number and computer name, then retrieved tasking from attacker-controlled GitHub repositories.
JPCERT/CC observed continued APT-C-60 activity in Japan from June through August 2025 targeting recruitment staff with spear-phishing emails impersonating job seekers. The campaign delivered VHDX attachments containing an LNK that launched a legitimate Git binary to run embedded scripts and begin a multi-stage infection chain.
Public reporting cited in the references describes an APT-C-60 espionage incident in Japan around August 2024 using a job-application lure. The attack delivered a cloud-hosted VHDX with a decoy and malicious LNK, abused services including Google Drive, StatCounter, and Bitbucket, and established persistence via COM hijacking before deploying SpyGlace.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourceforesiet.com
Open sourceblogs.jpcert.or.jp
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.