JPCERT/CC reported that APT-C-60 continued targeting organizations in Japan with spear-phishing campaigns that shifted initial access tactics while retaining heavy abuse of legitimate online services. In observed intrusions, phishing emails either linked victims to Proton Drive or carried malicious archive attachments, including RAR files containing .lnk shortcuts. When opened, the LNK files launched mshta.exe to execute embedded JavaScript, beginning a multi-stage infection chain designed to blend into normal enterprise traffic.
The JavaScript retrieved and decoded additional components from services including jsDelivr, then used a legitimate git.exe binary to run scripts and assemble downloaders from .db files before fetching more payloads from GitHub, GitLab, Codeberg, and other trusted platforms. JPCERT/CC said the final malware delivered was SpyGlace, with versions v3.1.15, v3.1.17, and v3.1.18 observed, and published related indicators including C2 infrastructure, malicious file hashes, phishing sender addresses, and attacker repository details. The agency noted that combining standard Windows tools with trusted cloud, developer, and CDN services makes the activity harder to detect.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
In the July 13, 2026 update, JPCERT/CC disclosed technical details from the 2026 campaign, including observed SpyGlace versions v3.1.15, v3.1.17, and v3.1.18, along with C2 infrastructure, malicious file hashes, phishing sender addresses, and attacker repository indicators.
On July 13, 2026, JPCERT/CC reported ongoing APT-C-60 attacks against organizations in Japan during 2026. The update described changes in initial access and infrastructure, including spear-phishing via Proton Drive links or malicious archives with LNK files that ultimately deployed SpyGlace.
On December 11, 2024, JPCERT/CC published a report on attacks by APT-C-60 that exploited legitimate services, establishing the earlier campaign later used as a comparison point for 2026 activity.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcemalware.news
Open sourceblogs.jpcert.or.jp
Open sourceblogs.jpcert.or.jp
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.