The SpyGlace campaign uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools. The operation hides malicious activity behind online services many companies trust, including trusted developer services such as GitHub, GitLab, jsDelivr, and Codeberg. The attack starts when a recipient opens the a malicious shortcut file, which copies itself and launches a built-in system utility to run hidden JavaScript stored inside the file.
This script downloads a file named contributing1.txt, decodes it, and extracts its contents, then uses a legitimate copy of a malicious executable from the extracted files to run another script that rebuilds a downloader from several.db fragments and collects more downloaders and loaders before launching SpyGlace. The staged process gives operators several chances to change material without changing the original lure.[/subscribe_to_unlock_form]
The SpyGlace campaign uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools. The operation hides malicious activity behind online services many companies trust, including trusted developer services such as GitHub, GitLab, jsDelivr, and Codeberg. The attack starts when a recipient opens the a malicious shortcut file, which copies itself and launches a built-in system utility to run hidden JavaScript stored inside the file.
This script downloads a file named contributing1.txt, decodes it, and extracts its contents, then uses a legitimate copy of a malicious executable from the extracted files to run another script that rebuilds a downloader from several.db fragments and collects more downloaders and loaders before launching SpyGlace. The staged process gives operators several chances to change material without changing the original lure.[emaillocker id="1283"]
The campaign demonstrates why phishing defenses remain essential even when an organization tightly manages software, and organizations should review access to code-hosting and content-delivery services in the context of the device and process generating it, as well as keep a record of observed infrastructure and file hashes.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Execution | E1204 | User Execution |
| Command & Control | E1105 | Ingress Tool Transfer |
| Execution | B0023 | Install Additional Program |
| Command & Control | B0030 | C2 Communication |
| Discovery | E1082 | System Information Discovery |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
The following reports contain further technical details:
[/emaillocker]