Update on Attacks by Threat Group APT-C-60 in 2026
Essential information
- Published
- 13/07/2026 14:54
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- apt-c-60 japan legitimate services abuse living-off-the-land lnk files multi-stage infection spear-phishing spyglace
- Related entities
- 102 indicators, 4 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware
Description
APT-C-60 continues targeting organizations in Japan with evolved tactics observed throughout 2026. The threat group employs spear-phishing emails containing Proton Drive links or direct attachments with RAR archives. Victims extract LNK files that execute JavaScript via mshta.exe, leading to multi-stage payload delivery. The attackers abuse legitimate services including GitHub, GitLab, jsDelivr, and Codeberg as infrastructure for hosting malicious components. Git.exe is leveraged to execute scripts that deploy downloaders and loaders, ultimately delivering SpyGlace malware versions 3.1.15 through 3.1.18. The attack chain involves multiple obfuscated JavaScript files and persistence mechanisms similar to previous campaigns. By utilizing developer-oriented services and CDNs commonly allowed in corporate environments, the threat actor attempts to evade detection and blend malicious traffic with legitimate communications.