The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a report on an ongoing cyber-espionage campaign by the threat group APT-C-60. The campaign targets unspecified organizations in Japan with the SpyGlace malware. A key feature of the group's updated tactics is the extensive abuse of legitimate, trusted online services for command and control (C2) and payload delivery. The attackers leverage Proton Drive, jsDelivr, GitHub, GitLab, and Codeberg to host malicious files and blend their C2 traffic, making detection significantly more challenging for network defenders.
APT-C-60 is a persistent threat actor focused on espionage against Japanese entities. This campaign demonstrates the group's evolution, adopting techniques to bypass network security controls by 'living off the trusted service.'
The attack follows a multi-stage infection chain designed for stealth:
.LNK shortcut file. When the user clicks the LNK file, it executes mshta.exe to run embedded JavaScript code.mshta.exe script fetches the next stage from jsDelivr, a popular content delivery network for open-source projects. This makes the download appear as legitimate web traffic.git.exe binary, likely bundled with the malware, to connect to repositories on GitHub, GitLab, or Codeberg. It pulls down various components and assembles the final downloader and payload on the victim's machine.This chain of using trusted services (Proton Drive -> jsDelivr -> GitHub) makes each step of the infection process difficult to block without impacting legitimate business operations.
T1566.002 - Phishing: Spearphishing Link: Using links to malicious files on Proton Drive.T1204.002 - User Execution: Malicious File: Relies on the user clicking the malicious LNK file.T1218.005 - Signed Binary Proxy Execution: Mshta: Abusing mshta.exe to run malicious scripts.T1105 - Ingress Tool Transfer: Downloading payloads from Proton Drive, jsDelivr, and GitHub.T1071.001 - Application Layer Protocol: Web Protocols: Using standard HTTPS traffic to trusted domains to mask C2 and payload delivery.A successful compromise with SpyGlace malware can lead to long-term espionage. The attackers can gain persistent access to the victim's network, allowing them to:
The abuse of trusted services makes attribution and remediation more complex, as blocking the domains involved (e.g., github.com) is often not feasible for organizations that rely on them for development.
JPCERT/CC has published IOCs, but they were not detailed in the source articles. These would include C2 domains, file hashes, and attacker-controlled repository URLs.
Detecting this activity requires looking for unusual uses of legitimate tools and services:
mshta.exemshta.exe making network connections, especially when launched by an Office application or from an LNK file.git.exegit.exe running outside of expected developer directories or being executed by non-developer user accounts.jsdelivr.net, proton.me, codeberg.orggit clonegit clone commands that point to suspicious or newly created repositories.mshta.exe -> git.exe) and alert on the abuse of legitimate binaries.proton.me followed by jsdelivr.net and then github.com, when initiated by mshta.exe, is a high-confidence indicator of this campaign..LNK files within archives, as they are a common vector for malware delivery.mshta.exe from executing untrusted code and to prevent Office applications from creating child processes.git.exe Execution: Use application control policies (like AppLocker) to restrict where git.exe can be executed from and by which users. It should generally not be run from a user's Downloads folder.Implement TLS/SSL inspection to allow for analysis of traffic to trusted services like GitHub and jsDelivr.
Use application control policies to block or restrict the execution of mshta.exe and git.exe outside of approved contexts.
Train users to be wary of links in emails, even if they point to legitimate-looking cloud services.
Configure email gateways to block or sandbox malicious file types like LNK files, even when they are inside archives.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.