APT-C-60 Cyber Espionage Uses Weaponized VHDX Files to Target Recruiters and Steal Data

APT-C-60’s Sophisticated Cyber Espionage Targets Job Seekers

A sophisticated cyber espionage campaign has been identified, targeting recruitment professionals through the use of weaponized VHDX files. The threat group, known as APT-C-60, impersonates job seekers in spear-phishing emails to infiltrate organizations and steal sensitive data.

Evolution of Attack Methods

Initially, APT-C-60 directed victims to download malicious VHDX files from Google Drive links embedded in emails. However, recent tactics have evolved to include the direct attachment of these weaponized VHDX files to emails, increasing the likelihood of successful infection.

Infection Chain and Payload Deployment

Upon opening the malicious VHDX file and executing the embedded LNK file, a multi-stage infection process is initiated:

1. Execution via Legitimate Applications: The LNK file triggers `gcmd.exe`, a legitimate Git component, to run a script named `glog.txt` stored within the VHDX file.

2. Decoy and Malware Deployment: The script displays a fabricated resume as a decoy while simultaneously creating `WebClassUser.dat` (Downloader1) and registering it in the system registry at `HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32`.

3. Establishing Persistence: Persistence is achieved through COM hijacking, ensuring the malware executes automatically during system operations.

4. Command-and-Control Communication: Downloader1 communicates with StatCounter using specially crafted referrer headers in the format `ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]`.

5. Payload Retrieval: The threat actors monitor these referrer values and upload corresponding files to GitHub repositories. Downloader1 retrieves files from URLs like `https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt`, which contain instructions for downloading Downloader2.

6. Deployment of SpyGlace Malware: Downloader2 downloads and deploys SpyGlace malware, utilizing dynamic API resolution with an encoding scheme combining ADD and XOR operations.
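Steps 4 and 5 give a defender two observable artifacts of the Downloader1 stage: the referrer-header beacon and the per-victim instruction fetch from raw.githubusercontent.com. The Python below is an added example (not code from the original report or from any APT-C-60 sample) that scans constructed proxy-log lines for both and correlates them by victim identifier; the log layout, the `counter.example` stand-in for the StatCounter endpoint and the victim id `A1B2C3D4HR-PC01` are assumptions.

```python
import re
from dataclasses import dataclass

# Beacon referrer from the article:
# ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
BEACON_RE = re.compile(
    r"ONLINE=>(?P<n1>\d+),(?P<n2>\d+)\s*>>\s*(?P<profile>[^/]+?)\s*/\s*(?P<victim_id>[^\s\"]+)"
)
# Per-victim instruction file fetched from the repository path named in the article;
# the file name is the same VolumeSerialNumber + ComputerName string used in the beacon.
GITHUB_RE = re.compile(
    r"https://raw\.githubusercontent\.com/carolab989/class2025/refs/heads/main/"
    r"(?P<victim_id>[^/\s]+)\.txt"
)

# Constructed proxy-log lines (client, method, URL, quoted Referer); not real captures.
SAMPLE_LOG = [
    r'10.0.0.15 GET https://counter.example/track "ONLINE=>1,0 >> C:\Users\hr.user / A1B2C3D4HR-PC01"',
    r'10.0.0.15 GET https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/A1B2C3D4HR-PC01.txt "-"',
    r'10.0.0.22 GET https://www.example.com/ "https://www.google.com/"',
]

@dataclass
class Hit:
    line_no: int
    kind: str        # "beacon" or "stage2_fetch"
    victim_id: str
    detail: str

def scan_proxy_log(lines):
    """Return one Hit per log line that matches either Downloader1 artifact."""
    hits = []
    for i, line in enumerate(lines, 1):
        m = BEACON_RE.search(line)
        if m:
            detail = f"profile={m['profile']} counters={m['n1']},{m['n2']}"
            hits.append(Hit(i, "beacon", m["victim_id"], detail))
            continue
        m = GITHUB_RE.search(line)
        if m:
            hits.append(Hit(i, "stage2_fetch", m["victim_id"], "per-victim instruction file"))
    return hits

def correlate(hits):
    """Map each victim id to the ordered list of artifact kinds seen for it."""
    seq = {}
    for h in hits:
        seq.setdefault(h.victim_id, []).append(h.kind)
    return seq

def full_chain_victims(hits):
    """Victim ids that both beaconed and then fetched stage-2 instructions."""
    return sorted(v for v, kinds in correlate(hits).items()
                  if "beacon" in kinds and "stage2_fetch" in kinds)
```

A single beacon is already worth an alert; a beacon followed by a GitHub fetch for the same identifier indicates Downloader1 completed its tasking loop on that host.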

Technical Sophistication and Obfuscation Techniques

APT-C-60 demonstrates advanced operational security by leveraging legitimate services like GitHub and StatCounter to maintain command-and-control infrastructure. The attacks showcase technical sophistication through multi-layered obfuscation techniques, including XOR encoding with the key “sgznqhtgnghvmzxponum” for initial payloads and AES-128-CBC encryption for secondary stage downloads.

Targeted Regions and Operational Timeline

Analysts identified this campaign targeting East Asian regions, particularly Japan, between June and August 2025. The malware identifies compromised machines using volume serial numbers and computer names, enabling precise victim tracking.

Implications and Recommendations

The use of legitimate services and sophisticated obfuscation techniques by APT-C-60 underscores the evolving nature of cyber threats. Organizations, especially those in recruitment and human resources, should exercise heightened vigilance when handling unsolicited job applications or unexpected attachments. Implementing advanced threat detection mechanisms capable of identifying suspicious activities, even when they originate from legitimate services, is crucial.