Threat Advisory

SpyGlace Campaign Uses Spear Phishing and Malicious Archives to Gain Access

Threat: Malware
Threat Actor Name: APT-C-60
Targeted Region: Japan
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The SpyGlace campaign uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools. The operation hides malicious activity behind online services many companies trust, including trusted developer services such as GitHub, GitLab, jsDelivr, and Codeberg. The attack starts when a recipient opens the a malicious shortcut file, which copies itself and launches a built-in system utility to run hidden JavaScript stored inside the file.

This script downloads a file named contributing1.txt, decodes it, and extracts its contents, then uses a legitimate copy of a malicious executable from the extracted files to run another script that rebuilds a downloader from several.db fragments and collects more downloaders and loaders before launching SpyGlace. The staged process gives operators several chances to change material without changing the original lure.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

The SpyGlace campaign uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools. The operation hides malicious activity behind online services many companies trust, including trusted developer services such as GitHub, GitLab, jsDelivr, and Codeberg. The attack starts when a recipient opens the a malicious shortcut file, which copies itself and launches a built-in system utility to run hidden JavaScript stored inside the file.

This script downloads a file named contributing1.txt, decodes it, and extracts its contents, then uses a legitimate copy of a malicious executable from the extracted files to run another script that rebuilds a downloader from several.db fragments and collects more downloaders and loaders before launching SpyGlace. The staged process gives operators several chances to change material without changing the original lure.[emaillocker id="1283"]

The campaign demonstrates why phishing defenses remain essential even when an organization tightly manages software, and organizations should review access to code-hosting and content-delivery services in the context of the device and process generating it, as well as keep a record of observed infrastructure and file hashes.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.001 Phishing Spearphishing Attachment
Initial access T1566.002 Phishing Spearphishing Link
Execution T1059.006 Command and Scripting Interpreter Python
Execution T1059.007 Command and Scripting Interpreter JavaScript
Persistence T1543.003 Create or Modify System Process Windows Service
Defence Evasion T1036.005 Masquerading Match Legitimate Resource Name or Location
Command and control T1071.001 Application Layer Protocol Web Protocols

MBC MAPPING:

Objective Behavior ID Behavior
Execution E1204 User Execution
Command & Control E1105 Ingress Tool Transfer
Execution B0023 Install Additional Program
Command & Control B0030 C2 Communication
Discovery E1082 System Information Discovery
Anti-Static Analysis B0032 Executable Code Obfuscation

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu