216.73.216.197

Update on Attacks by Threat Group APT-C-60 in 2026

· Published 13/07/2026 14:54

Export JSON

Essential information

Published
13/07/2026 14:54
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
apt-c-60 japan legitimate services abuse living-off-the-land lnk files multi-stage infection spear-phishing spyglace
Related entities
102 indicators, 4 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware

Description

APT-C-60 continues targeting organizations in with evolved tactics observed throughout 2026. The threat group employs emails containing Proton Drive links or direct attachments with RAR archives. Victims extract that execute JavaScript via mshta.exe, leading to multi-stage payload delivery. The attackers abuse legitimate services including GitHub, GitLab, jsDelivr, and Codeberg as infrastructure for hosting malicious components. Git.exe is leveraged to execute scripts that deploy downloaders and loaders, ultimately delivering malware versions 3.1.15 through 3.1.18. The attack chain involves multiple obfuscated JavaScript files and persistence mechanisms similar to previous campaigns. By utilizing developer-oriented services and CDNs commonly allowed in corporate environments, the threat actor attempts to evade detection and blend malicious traffic with legitimate communications.

External references