SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection
Key Takeaways The SpyGlace malware campaign, attributed to APT-C-60, is actively leveraging trusted developer services and legitimate Windows tools to bypass network detection. Initial access is...
Key Takeaways
- The SpyGlace malware campaign, attributed to APT-C-60, is actively leveraging trusted developer services and legitimate Windows tools to bypass network detection.
- Initial access is gained through spear-phishing emails containing malicious RAR archives with LNK shortcut files or direct malicious attachments.
- The attack chain utilizes common platforms like Proton Drive, GitHub, GitLab, jsDelivr, and Codeberg for delivering various stages of the malware, making traditional blocking methods less effective.
- JPCERT/CC has observed SpyGlace versions 3.1.15, 3.1.17, and 3.1.18, noting a refinement of existing techniques rather than new exploits.
- Organizations must implement robust behavioral monitoring across email, endpoint, and network layers to detect anomalous activity patterns.
SpyGlace Attacks Abuse Trusted Developer Services
A renewed SpyGlace campaign is actively exploiting commonplace online developer services to mask its malicious activities, presenting a significant challenge to conventional network security measures. This operation, linked to the advanced persistent threat group APT-C-60, initiates its attack through spear-phishing emails. These emails either direct victims to a booby-trapped RAR archive hosted on platforms like Proton Drive or deliver a malicious attachment directly. The subsequent infection chain leverages a series of standard, legitimate software tools, enabling the malware to blend in with normal business traffic.
Table Of Content
The latest intelligence highlights a sophisticated approach where attackers transform everyday network flows into covert channels for compromise. Upon opening the deceptive archive or attachment, a Windows shortcut (LNK file) triggers the infection process.
Researchers at JPCERT/CC uncovered this campaign while monitoring ongoing APT-C-60 operations targeting organizations in Japan. Their analysis revealed that the group has refined its initial access vectors and online infrastructure. Despite these changes, the fundamental techniques observed in their 2024 and 2025 campaigns remain consistent. A primary concern for security professionals is not just the SpyGlace payload itself, but the stealthy nature of its delivery, which is designed to evade detection by mimicking legitimate activity.
The attack methodology hinges on the abuse of standard Windows applications and widely-used development platforms. This reliance makes basic network blocking rules considerably less effective. Consequently, organizations are compelled to shift their focus from merely identifying suspicious destinations to meticulously scrutinizing suspicious behavioral patterns within their networks.
Infection Chain Details
The infection sequence begins once a user activates the embedded LNK file. This shortcut initiates a self-copying process before launching mshta.exe, a legitimate Windows component, to execute concealed JavaScript code contained within the LNK file. This JavaScript then proceeds to download and decode a file named contributing1.txt, extracting its malicious contents.
Following this, the script employs a legitimate copy of git.exe, extracted from the initial payload, to execute another script. This secondary script reconstructs a downloader from multiple .db fragments. This reconstructed downloader then fetches additional downloaders and loaders, culminating in the deployment of the SpyGlace malware.
This multi-stage infection process offers the attackers considerable flexibility. It allows them to modify subsequent components of the malware without altering the initial lure, making it harder for defenders to track and block the entire chain based on static indicators.
APT-C-60 has broadened its command-and-control (C2) infrastructure, routing later-stage downloads through popular developer platforms such as GitHub, GitLab, jsDelivr, and Codeberg. These services are routinely accessed by developers and deliver vast amounts of legitimate content daily, making their traffic inherently difficult to flag as malicious within enterprise networks. While the group previously utilized GitHub and Bitbucket, the expanded array of services in their 2026 operations significantly increases the investigative burden on security teams.
The use of trusted services does not legitimize the malicious activity; rather, it renders security decisions based solely on website domain names largely ineffective. Security teams must correlate user actions, such as the opening of an unexpected archive, with subsequent events like the execution of mshta.exe, unusual git.exe activity, script creation, and downloads originating from developer platforms.
What You Should Do
- Strengthen Email Security: Implement advanced email filtering to detect and quarantine spear-phishing attempts. Configure mail controls to flag emails containing unexpected RAR archives or LNK files, especially those prompting users to download content from cloud drives.
- Enhance Endpoint Detection and Response (EDR): Configure EDR solutions to alert on anomalous process execution, such as
mshta.exebeing launched by a shortcut, orgit.exeinitiating from unusual temporary directories or extracted locations. - Implement Network Traffic Analysis: Employ network monitoring tools to scrutinize traffic to and from code-hosting and content-delivery services (GitHub, GitLab, jsDelivr, Codeberg). Differentiate between legitimate developer activity and suspicious automated downloads or script execution. Focus on behavioral anomalies rather than solely on destination whitelisting.
- Educate Users: Conduct regular security awareness training emphasizing the dangers of opening suspicious attachments or links, particularly those in unsolicited emails, even if they appear to originate from trusted services. Advise caution regarding LNK files within archives.
- Maintain Up-to-Date Threat Intelligence: Continuously update threat intelligence platforms with observed Indicators of Compromise (IoCs) including C2 server IPs, phishing sender emails, and repository URLs. While dynamic, these indicators can aid in initial detection.
- Review and Audit Logs: Regularly review logs from email gateways, endpoints, and network devices for patterns indicative of the SpyGlace infection chain.
- Isolate and Investigate: Any detected activity matching the SpyGlace attack chain should trigger immediate isolation of affected systems and a thorough forensic investigation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.