APT-C-60 Evolves Again: SpyGlace Malware Campaign Hides Behind Trusted Services to Outsmart Security Defenses + Video

Listen to this Post

Featured Image

Introduction – A New Generation of Cyberespionage

Cybercriminals are continuously refining their techniques, but advanced persistent threat (APT) groups have elevated cyberespionage to an entirely different level. Rather than relying on obviously malicious infrastructure, modern attackers increasingly disguise their operations by abusing trusted cloud platforms and legitimate software already present inside enterprise environments.

A newly documented campaign by the threat group APT-C-60 demonstrates this evolution. Security researchers observed the group deploying the SpyGlace malware through a sophisticated infection chain that combines Proton Drive, malicious Windows Shortcut (LNK) files, native Windows utilities, content delivery networks, and well-known developer platforms including GitHub, GitLab, Codeberg, and jsDelivr. The campaign primarily targets organizations in Japan, but its techniques can easily be adapted for victims worldwide, making it a significant concern for enterprises, government agencies, and cybersecurity professionals.

APT-C-60 Refreshes Its SpyGlace Delivery Chain

The latest investigation revealed that APT-C-60 has significantly upgraded its malware delivery process. Instead of distributing malware directly, the attackers now begin with carefully crafted spear-phishing emails that appear legitimate.

Victims receive emails containing a Proton Drive link directing them to download a compressed RAR archive. In some observed attacks, the archive was attached directly to the email itself. Once extracted, the archive contains a malicious Windows Shortcut (LNK) file designed to appear harmless.

Opening this shortcut silently launches the attack while presenting little or no indication that malware execution has begun.

Living-Off-the-Land: Turning Windows Into an Attack Platform

One of the

After execution, the malicious LNK file copies itself before launching mshta.exe, a legitimate Microsoft utility capable of executing HTML Applications and embedded JavaScript.

Instead of dropping obvious malware immediately, the attackers leverage trusted operating system tools to continue the infection process. This “Living-off-the-Land” technique allows malicious actions to blend into everyday Windows activity, making detection substantially more difficult.

Many traditional security products focus primarily on identifying unknown executables. Since mshta.exe is a trusted Windows component, its execution often appears perfectly normal unless behavioral monitoring is enabled.

Obfuscated JavaScript Continues the Infection

Once mshta.exe is launched, embedded obfuscated JavaScript takes control.

The script downloads a seemingly harmless text file named contributing[1].txt from the widely trusted jsDelivr Content Delivery Network.

Although the downloaded file appears innocent, it actually contains encoded payload data.

The script searches the file, decodes the hidden content, extracts additional components, and prepares the next stage of the infection without raising immediate suspicion.

Trusted Developer Platforms Become Malware Infrastructure

APT-C-60 expanded its infrastructure strategy throughout 2026 by abusing services that millions of developers use every day.

The attackers were observed leveraging:

GitHub

GitLab

Codeberg

jsDelivr

Proton Drive

These services are commonly allowed through enterprise firewalls because software developers depend on them daily.

This creates a difficult challenge for defenders.

Security products cannot simply block GitHub or public CDNs without disrupting normal business operations. Instead, defenders must distinguish between legitimate developer activity and malicious abuse occurring through the same trusted platforms.

Git.exe Plays an Unexpected Role

One particularly clever technique involves the use of a legitimate git.exe executable.

Rather than executing malware directly, the decoded payload launches an authentic Git binary extracted during the attack.

Git then executes the next-stage malicious script.

Because Git is a trusted development tool frequently installed across enterprise environments, its execution rarely triggers immediate security alerts.

This demonstrates how attackers increasingly exploit trusted software rather than creating entirely new malware loaders.

Why Proton Drive Helps Evade Email Security

Cloud storage services have become valuable delivery mechanisms for threat actors.

By placing the malicious archive on Proton Drive instead of attaching it directly to emails, attackers reduce the likelihood that email security gateways will scan the malicious content.

Employees often trust cloud-sharing links because they resemble legitimate collaboration workflows.

APT-C-60 takes advantage of that trust to bypass traditional email filtering technologies.

Security Teams Face a More Difficult Detection Problem

Blocking malicious domains alone is no longer sufficient.

Because GitHub, GitLab, jsDelivr, and Proton Drive are legitimate services, defenders must focus on behavioral analysis rather than domain reputation.

Security teams should investigate:

Unexpected mshta.exe execution

LNK files spawning scripting engines

Git.exe running from temporary directories

Downloads immediately followed by script execution

Unusual access to developer repositories

Suspicious PowerShell or JavaScript activity

Endpoint process chains involving trusted Windows binaries

These behavioral indicators often provide stronger evidence of compromise than network destinations alone.

Recommended Defensive Measures

Organizations should immediately strengthen monitoring around trusted administrative tools.

Recommended defensive actions include:

Monitor suspicious LNK file execution.

Alert on mshta.exe launched from shortcut files.

Track Git executions outside developer workflows.

Inspect downloads originating from public repositories.

Review JavaScript execution initiated by Windows utilities.

Deploy Endpoint Detection and Response (EDR) solutions with behavioral analytics.

Train employees to avoid unexpected cloud-storage links.

Treat password-protected archives as potentially malicious.

Block known SpyGlace command-and-control infrastructure.

Continuously update threat intelligence feeds.

Organizations should also monitor communications involving the following known SpyGlace infrastructure:

31.58.136[.]207

154.18.239[.]209

173.234.11[.]141

These indicators should be handled within controlled threat intelligence environments to prevent accidental communication with malicious infrastructure.

Deep Analysis

Command 1 — Abuse of Trust

APT-C-60 no longer relies on suspicious infrastructure. Instead, it weaponizes services organizations already trust, forcing defenders to inspect behavior instead of domains.

Command 2 — Native Windows Tools

The campaign demonstrates the continued success of Living-off-the-Land techniques, proving that legitimate Windows utilities remain powerful offensive tools.

Command 3 — Multi-Stage Execution

Every stage performs only a small task, reducing visibility and making detection significantly harder for endpoint security products.

Command 4 — Cloud Storage Evolution

Cloud services have become modern malware distribution channels because organizations rarely restrict employee access to them.

Command 5 — Developer Ecosystem Abuse

GitHub, GitLab, Codeberg, and jsDelivr provide attackers with resilient hosting infrastructure that blends naturally with enterprise traffic.

Command 6 — Defense Strategy

Behavior-based detection, process correlation, and endpoint telemetry are now more valuable than traditional blacklist-based protection.

Command 7 — Threat Hunting

SOC analysts should build hunting rules around suspicious execution chains involving LNK → mshta.exe → JavaScript → git.exe rather than searching only for malware hashes.

Command 8 — Enterprise Risk

Organizations with software development teams are particularly vulnerable because Git and public repositories are essential business tools that cannot simply be blocked.

What Undercode Say:

APT-C-60 is demonstrating what modern cyberespionage has become: a battle of deception rather than brute force.

Years ago, defenders focused heavily on identifying malicious executables. Today, attackers increasingly avoid dropping recognizable malware until the final stages of an attack.

Instead, they chain together trusted services that already exist inside corporate environments.

This campaign illustrates that almost every component is legitimate.

Proton Drive is legitimate.

GitHub is legitimate.

GitLab is legitimate.

Codeberg is legitimate.

jsDelivr is legitimate.

Git.exe is legitimate.

mshta.exe is legitimate.

Windows Shortcut files are legitimate.

Individually, none of these components appear suspicious.

Collectively, they create an advanced malware delivery pipeline.

This represents one of the biggest shifts in enterprise cybersecurity.

Organizations can no longer depend solely on blocking malicious domains because attackers increasingly borrow infrastructure maintained by reputable companies.

Behavior becomes the new indicator of compromise.

Endpoint Detection and Response platforms must correlate events rather than inspect isolated actions.

Threat hunting teams should focus on process ancestry, command-line arguments, script execution, and unusual application relationships.

Another concerning aspect is the abuse of developer ecosystems.

As software development becomes increasingly cloud-native, organizations are forced to allow access to platforms attackers now exploit.

This creates an unavoidable security dilemma.

Blocking GitHub or jsDelivr may break business operations.

Allowing unrestricted access increases attack surface.

The answer lies in visibility, behavioral analytics, and intelligent monitoring.

APT groups are clearly investing significant effort into stealth rather than destructive payloads.

That indicates cyberespionage remains their primary objective.

SpyGlace appears designed to remain hidden for as long as possible.

Its delivery chain minimizes obvious forensic artifacts while maximizing operational flexibility.

Future campaigns will likely expand toward additional trusted cloud providers and collaborative platforms.

Security teams should prepare now rather than waiting for detection signatures to catch up.

Organizations that continue relying primarily on signature-based antivirus protection will increasingly struggle against campaigns like this.

✅ Confirmed: The reported attack chain involving Proton Drive, malicious LNK files, mshta.exe, jsDelivr, and trusted developer platforms aligns with publicly documented technical analysis from security researchers.

✅ Confirmed: The abuse of legitimate Windows utilities and developer services reflects well-established Living-off-the-Land techniques that are widely observed in modern APT operations.

❌ Not Confirmed: While the campaign has been documented targeting organizations in Japan, there is currently no public evidence that every industry or region has been broadly affected. Global expansion remains a realistic possibility rather than a confirmed fact.

Prediction

(+1) Security vendors will continue improving behavioral detection engines capable of correlating complex process chains involving legitimate Windows tools, significantly increasing the detection rate of campaigns similar to SpyGlace.

(-1) Threat actors are likely to expand beyond GitHub and Proton Drive by abusing additional trusted cloud collaboration platforms, making phishing campaigns increasingly difficult to distinguish from legitimate business activity and forcing organizations to adopt more advanced threat hunting capabilities.

▶️ Related Video (80% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube