SpyGlace, associated with the APT-C-60 group, has resurfaced in a campaign that cleverly conceals malicious activities within trusted online services. This operation employs spear-phishing emails to deliver compromised archives, initiating a multi-stage infection process that leverages legitimate tools and platforms to evade detection.
The attack begins when a target receives an email containing a link to a Proton Drive-hosted RAR archive or a direct malicious attachment. Within this archive lies a Windows shortcut (LNK) file. When executed, this shortcut initiates a sequence of actions: it copies itself and uses mshta.exe, a legitimate Windows utility, to run embedded JavaScript code. This script downloads and decodes a file named contributing1.txt, extracting its contents to further the infection process.
Subsequently, the script utilizes a legitimate instance of git.exe to execute another script. This script reconstructs a downloader from several .db fragments, which then retrieves additional downloaders and loaders, ultimately deploying the SpyGlace malware. This staged approach allows attackers to modify components without altering the initial lure, complicating detection efforts.
APT-C-60 strategically routes these downloads through reputable developer platforms such as GitHub, GitLab, jsDelivr, and Codeberg. By exploiting these trusted services, the malicious traffic blends seamlessly into normal network activity, making it challenging for security systems to identify the threat. This tactic represents an evolution from the group’s previous use of platforms like GitHub and Bitbucket, expanding the range of services that defenders must monitor.
Security analysts at JPCERT/CC have observed versions 3.1.15, 3.1.17, and 3.1.18 of SpyGlace in this campaign, noting no significant functional differences from earlier iterations. The primary concern lies in the delivery mechanism, which employs standard Windows programs and familiar development platforms, rendering basic blocking rules less effective. Organizations are thus compelled to focus on detecting suspicious behaviors rather than solely relying on identifying malicious destinations.
This campaign underscores the critical importance of robust phishing defenses, even within organizations that tightly control software usage. The initial email serves as the entry point for the entire attack chain, transforming a routine cloud-storage link into a potential compromise vector. Users should exercise caution when encountering unexpected archives or links, especially those hosted on trusted platforms, and organizations must enhance their monitoring capabilities to detect anomalous activities associated with such multi-stage attacks.
In light of this development, it’s evident that threat actors are continually refining their methods to exploit trusted services, thereby complicating detection and mitigation efforts. Organizations must adopt a multi-layered security approach, combining user education, behavioral analysis, and advanced threat detection technologies to effectively counter these sophisticated attacks.