APT-C-60 Abuses GitHub, Proton Drive to Deliver SpyGlace

APT-C-60 Targets Japan with 'SpyGlace' Malware, Abusing Trusted Cloud Services

HIGH
July 13, 2026
5m read
Threat ActorMalwareCyberattack

Related Entities

Threat Actors

APT-C-60

Organizations

Products & Tech

Proton DrivejsDelivrCodebergmshta.exe

Other

SpyGlace

Full Report

Executive Summary

The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a report on an ongoing cyber-espionage campaign by the threat group APT-C-60. The campaign targets unspecified organizations in Japan with the SpyGlace malware. A key feature of the group's updated tactics is the extensive abuse of legitimate, trusted online services for command and control (C2) and payload delivery. The attackers leverage Proton Drive, jsDelivr, GitHub, GitLab, and Codeberg to host malicious files and blend their C2 traffic, making detection significantly more challenging for network defenders.


Threat Overview

APT-C-60 is a persistent threat actor focused on espionage against Japanese entities. This campaign demonstrates the group's evolution, adopting techniques to bypass network security controls by 'living off the trusted service.'

  • Threat Actor: APT-C-60.
  • Target: Organizations in Japan.
  • Malware: SpyGlace (versions v3.1.15, v3.1.17, v3.1.18 identified).
  • Primary Tactic: Abusing legitimate cloud and developer platforms for payload staging and C2, a technique often called Domain Fronting or using legitimate services as a content delivery network.

Technical Analysis

The attack follows a multi-stage infection chain designed for stealth:

  1. Initial Access: The campaign begins with a spear-phishing email. The email either contains a link to a malicious file hosted on Proton Drive or has a malicious RAR archive attached.
  2. Execution: Inside the archive is a .LNK shortcut file. When the user clicks the LNK file, it executes mshta.exe to run embedded JavaScript code.
  3. Staging: The mshta.exe script fetches the next stage from jsDelivr, a popular content delivery network for open-source projects. This makes the download appear as legitimate web traffic.
  4. Payload Assembly: The malware then uses a legitimate git.exe binary, likely bundled with the malware, to connect to repositories on GitHub, GitLab, or Codeberg. It pulls down various components and assembles the final downloader and payload on the victim's machine.
  5. Final Payload: The ultimate goal is to execute the SpyGlace malware, a backdoor used for espionage and data theft.

This chain of using trusted services (Proton Drive -> jsDelivr -> GitHub) makes each step of the infection process difficult to block without impacting legitimate business operations.

MITRE ATT&CK Mapping

Impact Assessment

A successful compromise with SpyGlace malware can lead to long-term espionage. The attackers can gain persistent access to the victim's network, allowing them to:

  • Exfiltrate sensitive corporate data, intellectual property, and government documents.
  • Monitor internal communications.
  • Pivot to other systems within the network.
  • Deploy additional malicious tools.

The abuse of trusted services makes attribution and remediation more complex, as blocking the domains involved (e.g., github.com) is often not feasible for organizations that rely on them for development.

IOCs — Directly from Articles

JPCERT/CC has published IOCs, but they were not detailed in the source articles. These would include C2 domains, file hashes, and attacker-controlled repository URLs.

Cyber Observables — Hunting Hints

Detecting this activity requires looking for unusual uses of legitimate tools and services:

Type
process_name
Value
mshta.exe
Description
Monitor for mshta.exe making network connections, especially when launched by an Office application or from an LNK file.
Context
EDR, Process creation logs
Type
process_name
Value
git.exe
Description
Look for git.exe running outside of expected developer directories or being executed by non-developer user accounts.
Context
EDR, Process creation logs
Type
network_traffic_pattern
Value
jsdelivr.net, proton.me, codeberg.org
Description
While these are legitimate domains, traffic to them from unexpected processes or user accounts should be investigated.
Context
Proxy logs, DNS logs, SIEM
Type
command_line_pattern
Value
git clone
Description
Monitor for git clone commands that point to suspicious or newly created repositories.
Context
EDR, Command-line logging

Detection & Response

  • Endpoint Detection and Response (EDR): EDR is critical for detecting this attack chain. It can identify the suspicious process execution flow (e.g., LNK -> mshta.exe -> git.exe) and alert on the abuse of legitimate binaries.
  • TLS/SSL Inspection: To detect malicious payloads being downloaded from trusted services, organizations need the ability to inspect encrypted traffic. This allows security tools to see the actual files being transferred from sites like GitHub and Proton Drive.
  • DNS and Proxy Log Analysis: Correlate DNS queries and web proxy logs. A user's machine making a request to proton.me followed by jsdelivr.net and then github.com, when initiated by mshta.exe, is a high-confidence indicator of this campaign.

Mitigation

  • Block LNK Attachments: Configure email gateways to block or quarantine .LNK files within archives, as they are a common vector for malware delivery.
  • Attack Surface Reduction (ASR): Use ASR rules to block mshta.exe from executing untrusted code and to prevent Office applications from creating child processes.
  • Restrict git.exe Execution: Use application control policies (like AppLocker) to restrict where git.exe can be executed from and by which users. It should generally not be run from a user's Downloads folder.
  • Educate Users: Train users to be suspicious of emails prompting them to download files from cloud storage services, even if the service itself is legitimate.

Timeline of Events

1
July 13, 2026
This article was published

MITRE ATT&CK Mitigations

Implement TLS/SSL inspection to allow for analysis of traffic to trusted services like GitHub and jsDelivr.

Use application control policies to block or restrict the execution of mshta.exe and git.exe outside of approved contexts.

Train users to be wary of links in emails, even if they point to legitimate-looking cloud services.

Configure email gateways to block or sandbox malicious file types like LNK files, even when they are inside archives.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

APTAPT-C-60SpyGlaceJapanJPCERT/CCEspionageGitHub

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.