SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection

SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection










SpyGlace has returned in a campaign that hides malicious activity behind online services many companies trust.

The operation, linked to APT-C-60, uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools.

The latest activity shows how attackers can turn normal business traffic into cover. A victim may receive a Proton Drive link leading to a RAR archive, or a malicious attachment directly in the email.

Inside the archive is a Windows shortcut, or LNK file, whose opening begins the infection.

Analysts at JPCERT/CC identified the campaign while tracking continued APT-C-60 activity against organizations in Japan.

They found that the group had changed parts of its entry method and online infrastructure while retaining techniques seen in its 2024 and 2025 operations. The concern is not only the SpyGlace payload, but the way the delivery chain blends in.

Initial access flow (Source - JPCert)
Initial access flow (Source – JPCert)

It relies on standard Windows programs and familiar development platforms, making basic blocking rules less reliable and leaving organizations to spot suspicious behavior rather than simply suspicious destinations.

JPCERT/CC said in a report shared with Cyber Security News (CSN) that it observed SpyGlace versions 3.1.15, 3.1.17, and 3.1.18, with no major functional differences from earlier samples.

SpyGlace Attacks Abuse Trusted Developer Services

The attack starts when a recipient opens the LNK file. The shortcut copies itself and launches mshta.exe, a legitimate Windows component, to run hidden JavaScript stored inside the file.

That code downloads a file named contributing1.txt, decodes it, and extracts its contents.

Next, the script uses a legitimate copy of git.exe from the extracted files to run another script. The script rebuilds a downloader from several .db fragments, then uses it to collect more downloaders and loaders before launching SpyGlace.

Infection flow after execution of the LNK file (Source - JPCert)
Infection flow after execution of the LNK file (Source – JPCert)

This staged process gives the operators several chances to change material without changing the original lure.

APT-C-60 routed those later downloads through GitHub, GitLab, jsDelivr, and Codeberg. These sites serve developers and content every day, so their traffic can appear harmless in corporate networks.

The group had previously used GitHub and Bitbucket, but the broader 2026 mix expands the number of places defenders must investigate.

Using trusted services does not make the activity legitimate. It makes decisions based only on a website name far less useful.

Security teams need to connect a user action, such as opening an unexpected archive, with follow-on events including mshta.exe execution, unusual git.exe activity, script creation, and downloads from developer platforms.

Phishing Chain Raises Detection Pressure

The campaign demonstrates why phishing defenses remain essential even when an organization tightly manages software.

The initial email is the point where a routine cloud-storage link becomes a compromise path. Users should avoid opening cloud-storage links in suspicious emails and should treat LNK files inside RAR archives as a serious warning sign.

Mail controls should flag unexpected archives and shortcut files, especially when the message asks a recipient to retrieve content from a cloud drive.

Endpoint monitoring should also alert on a shortcut that starts mshta.exe or on git.exe being launched from an unusual temporary or extracted location.

Network teams should review access to code-hosting and content-delivery services in the context of the device and process generating it. An employee browsing a project page is different from an LNK-launched script pulling encoded files.

This behavior-focused approach can preserve normal work while exposing the sequence used to deliver SpyGlace.

The findings also underline the value of keeping a record of observed infrastructure and file hashes.

Blocking or hunting for the indicators below can help identify related activity, but defenders should not rely on them alone because the operators can create new accounts, repositories, files, and delivery links quickly.

JPCERT/CC’s account of the 2026 activity shows an attacker refining familiar methods rather than needing a new exploit.

For organizations, the practical response is to pair user caution with email, endpoint, and network monitoring that can recognize a malicious chain even when each individual service looks trustworthy.

Indicators of compromise (IoCs):-

Type Indicator Description
C2 server 31.58.136.207 SpyGlace command-and-control infrastructure
C2 server 154.18.239.209 SpyGlace command-and-control infrastructure
C2 server 173.234.11.141 SpyGlace command-and-control infrastructure
C2 server 185.18.222.241 SpyGlace command-and-control infrastructure
C2 server 213.111.158.200 SpyGlace command-and-control infrastructure
C2 server 213.111.158.201 SpyGlace command-and-control infrastructure
C2 server 213.111.158.216 SpyGlace command-and-control infrastructure
URL https://c.statcounter.com/1317800507/f3c27351 Legitimate service URL abused by the attacker
URL https://cdn.jsdelivr.net/gh/mei1990789/class125 Legitimate service URL abused by the attacker
Phishing sender [email protected] Observed spear-phishing sender
Phishing sender [email protected] Observed spear-phishing sender
Repository https://github.com/mei1990789/class125 Attacker management repository
Repository https://github.com/sapphire679/tblsesarol Attacker management repository
Repository https://github.com/sapphire689/dnaluakxith Attacker management repository
Repository https://github.com/wanib11399/zjeqopmfith Attacker management repository
Repository https://github.com/cafes39636/ngwtaepesf Attacker management repository
Repository https://github.com/rapefo2905/rncprjmauw Attacker management repository
Repository https://github.com/hexif45133/yedkatinrch Attacker management repository
Repository https://github.com/jewexo9791/archibkyof Attacker management repository
Repository https://github.com/lowege1212/izrtysherg Attacker management repository
Repository https://github.com/gixop88415/glfhvhtzih Attacker management repository
Repository https://github.com/kapap40675/fpqtzyofdl Attacker management repository
Repository https://github.com/cefobe3574/kojyyvtkqo Attacker management repository
Repository https://github.com/vogenoc114/qlofnsayvl Attacker management repository
Repository https://github.com/bohihef411/tuikfwoveb Attacker management repository
Repository https://github.com/waxiyes819/dymcdbqqen Attacker management repository
Repository https://github.com/fehijow850/uywcrcvlnb Attacker management repository
Repository https://github.com/yefixi3890/krbgqbmlho Attacker management repository
Repository https://github.com/williams250666/bluenote554 Attacker management repository
Repository https://gitlab.com/sapphire689/dnaluakxith Attacker management repository
Repository https://gitlab.com/cafes39636/ngwtaepesf Attacker management repository
Repository https://gitlab.com/rapefo2905/yedkatinrch Attacker management repository
Repository https://gitlab.com/lowege1212/eboralfotj Attacker management repository
Repository https://gitlab.com/kapap40675/fpqtzyofdl Attacker management repository
Repository https://gitlab.com/vogenoc114/qlofnsayvl Attacker management repository
Repository https://gitlab.com/waxiyes819/dymcdbqqen Attacker management repository
Repository https://gitlab.com/yefixi3890/krbgqbmlho Attacker management repository
Repository https://codeberg.org/ochima9923/tv9239irfn83 Attacker management repository
Repository https://codeberg.org/meca922199/ertlokefgpokjper2359 Attacker management repository
Repository https://codeberg.org/Hamilton385673/eff88e889w33456 Attacker management repository
Commit email [email protected] Email address used for commits
Commit email [email protected] Email address used for commits
Commit email [email protected] Email address used for commits
Commit email [email protected] Email address used for commits
Commit email [email protected] Email address used for commits
Commit email [email protected] Email address used for commits
File hash iconcache.dat: 48bb091e0cab562fe094e0ef6a77b434dba97380c09a707220cbd9ca Downloader 1
File hash iconcache.dat: 5e97848bebf521766910d9c8378e98bf7aa1ce4b06aeb6c3f86c31ab Downloader 1
File hash iconcache.dat: 60972abf5425c191c81bae117f1dedaea13d39bc52f367d5dff9ad1aa Downloader 1
File hash iconcache.dat: 71819a1b856b49e7f194ce60468ed8e5ea925c75d01484f4d28ffcf69 Downloader 1
File hash iconcache.dat: 83a22d4f61b054bda53a2ea4f506e97d818c7c961d8cd3975c1f2a51 Downloader 1
File hash iconcache.dat: 866564bb455bb3c9f3e15cbbc1dcaf75c533a224eb96c4b6d6739e11 Downloader 1
File hash iconcache.dat: cc2a6a3b4b771aba341293d2321e5f7b70cf517403fe44a58635b043 Downloader 1
File hash iconcache.dat: fa53663bfb80e197483e1a1bf123b94fa869e2d7f42b5fdfbff2869589b Downloader 1
File hash Cached2014.tmp: 6b84eab2aac7754b99d04365a83ec374e3cea99cc3223118a5f8fd541 Downloader 2
File hash EncodedFile.tmp: 0bda4beded9c2923fe16f20b7cbd7baf1a5b7078be5cde715592529a Downloader 2
File hash EncodedFile.tmp, inst.tmp: a7981dfccd8e4bdc00133dc15b22472c1677d6270826863caa36e7d5 Downloader 2
File hash a101.dat: 1b25c3d56fdb195b427a9c3bfc1f0e98e77a15322e8d3fc53a18edcc4 Downloader 2
File hash iconcache.dat: 119ad3dce05b5ef3db5a76655ac050eac51e318f1f31351ac103693a0 Downloader 2
File hash item.tmp: 0420fd9e5f9961458604909391fb0f1a353c17c986b55fc5722c1b68e Downloader 2
File hash item.tmp: 2952d72ad1d44f3d424600b8fa4076794e2e072ab46936012a5fb872 Downloader 2
File hash job.tmp, akdjfiwnkd.tmp: 3f2f69a8403e6b4e02ebe65448caf6abb8e2fbd1f7636ec71599f2d2d5 Downloader 2
File hash newjob.tmp: a9fd615fce38756ba6de8994f200e4b846397648138a9a0e6ef3b5952 Downloader 2
File hash reaconinst.tmp: a4c8a56070fe6f613e79a14554d0a1dba2f70ce2b93319e72972943c Downloader 2
File hash wincfg.db, Cached.tmp: c4768d99445128c670a6f848bc69371872e4d6a2160dbe0073e62ffd Downloader 2
File hash msdic.log: 7aa76237a7686583cc526b9d1a8486a52bd44a448d75ced51e1df4b Install script
File hash msdic.log: d567af55c97b7a595fcde5082e37a752718044230c16704e24efb430 Install script
File hash basecode.dat: 14d799f7897d25f7cfb4d1c86f43c791b6d778d2efd92b5fac4f65fc472 JavaScript file
File hash basecode.dat: 16bdde15cbf9190883c146bab495c8be73daff4fff5ffbf86b4ee468471 JavaScript file
File hash call1.js: 8114e3f213713dbbbacafcd0f62884a7826139b434bb3c77eae8dce65 JavaScript file
File hash call2.js: ab5aba292c983db324987e9fde2e01fe24a979d1587888fcc7460c94 JavaScript file
File hash call3.js: b5458541732f91793ef89cc58ec5e46d04bf43985ab4e6dc5ad10b6d JavaScript file
File hash call4.js: e6a414a53206e25d061a11e63c7d381ab0eb80cd3d174bd13551e2c JavaScript file
File hash call41.js: 1ae423e91f6cd679f9ea5be879b07379633b05cd850c37a8a65cdeaf JavaScript file
File hash close.js: 7900c2772680523cadc9fe4e07300d45500191ba64ff5b91573531b1 JavaScript file
File hash close.js: 94072d60170fc72a528f68b2b3826638dbb7283c8906e8051f53fe16e JavaScript file
File hash close.js: ad1c890f458b94683464c4d6d6d41fe63551c2c06ba2a1b8f71d8acb JavaScript file
File hash close.js: ffe5853d19be1acfe12bd681c7390d8fa88534a471020e6866a9e7c371 JavaScript file
File hash help.dat: 62a879b0d1c1649cc72b2b6f61a8f6bd888625ce6e8a7aefe0a0461e JavaScript file
File hash help.js: 0bf85d9065feb20ee946acf77c985cc7ec78de048ee41d8c5931e0e88 JavaScript file
File hash help.js: 21ddfbf726caa6d0f32a6bbce8e619f75c81f884bca48564c7a0e5a84 JavaScript file
File hash help.js: 2c98781e39a091b370ebd748b495c45752b2c54cdf2c36814358c8c6 JavaScript file
File hash help.js: 5272917261d7091a59e00f9d09cd7eb1d3e111115a5b367f79a66d0d JavaScript file
File hash help.js: 78c108be692f1c45ed1da1988e3c5ac792c832a78d0b6e8e6550763 JavaScript file
File hash help.js: 9706ee93f9b4b8214293e2ca4a68525eccaacfea58b135dcb2ea661a JavaScript file
File hash help.js: a1f0e6a30dc9753c5cbc80fd9df50eb44aee5a2349223b915b758af74 JavaScript file
File hash helpv3.js: 3b7a80fc62eb8b248fd0be0d94c78f1efe2f510499c68865a6d0c4ead JavaScript file
File hash helpv4.js: a9287e3452ab09144120ecdd20ed7365de589d5dcad28dcd8e19174 JavaScript file
File hash helpv5.js: 5ab41cf20315d2ea1385967d588159873a65ef5581a0b78de06c0d86 JavaScript file
File hash index.js: 131d8f72fde45c5ca1f662c510c3da16fbcd8ff6ef9b9fd893c25a9c8e8 JavaScript file
File hash test.dat: 7d09891e26d56a8bec44c3fe9a5791f3a93e8fa31539951ae6e2c40a JavaScript file
File hash desk.lnk: 2d8def39b76ca17b419e5084832105c0167a171fdcc14eebd0c872cc LNK file
File hash desk.lnk: fd0c7713520bd19c3e2566e93696532aa7da39a0c5ce1a797b67ce77 LNK file
File hash idx2.lnk: 899ce01e7313f4c1cfcf07cb2456282ded1d6b6c57286762f2914a9d6 LNK file
File hash information.lnk: fa98deb16bd72f2f77349c8c24de674a007a3d1ec8e88dd590791a57 LNK file
File hash ipo6.lnk: 44a4ac119349f525d877728b53fe38453a516881d577679caf08ab69 LNK file
File hash .lnk: 5c3d820e032592f47ffb4850ae0183749199b3e0dca3413cd0c3cb63 LNK file
File hash ndsdll.dat: 5115277eabf2d22d49dcef1e155874387d8e783853bd86debf7ff5858 Loader
File hash EncodedFile.tmp: 2b650e2e2c46a52378aee70fbaff1ce5e832c759c5f937532047f5250 Loader
File hash EncodedFile.tmp: 8a8cabe5f94e7f4c0ccca97f0c361618ec944df03d8b3bfcfdd76a25dd Loader
File hash EncodedFile.tmp, sta.tmp: f0af281623b422c1d45e7006d78678762341288c05abcb62648ce55c Loader
File hash EncodedFile2.tmp: 8ba3997afa07ac60312edf5f2d16357d1532a140081d638a9e465376 Loader
File hash jj.dll: 86ab5161f761822d16637d4d34b84ca6e1f66cea905aa27510620c9c Loader DLL
File hash dll.tmp: 843c4dc402e96ed72d7716d980c99e5dfa222a2a322250b7c3755a0 Loader
File hash dll.tmp: 9a19598ea286d5f6fa0b7ff981ba21aff503fb217757f4dfbd496ead018 Loader
File hash dll.tmp: e8514a2372172b4975f77bf69d5e8b7708cfa60157b064fcab13d7a62 Loader
File hash dll2.tmp: 248ded4723e9f5da793e5e42d1ba7c2293dd704718f149b84b3b9b81 Loader
File hash dll3.tmp: 3c509ec732979d8c91009d2c9f898bea81f3fc4064c3c56576257f61f9 Loader
File hash dll3.tmp: 55640ad319208915593db8ad43724dddf6e6e17fc6b0014affa69c90f Loader
File hash dll3.tmp: c1faaff24d58af798c77d34405379df0a9e883e5bd1100a86d4c3e001 Loader
File hash dll3.tmp: f50a01ae446adfcaaddffe215abd94b5643211e83d52acf5de540abf9f Loader
File hash test1.txt: 6cdc895eda4847f700d6f82fa2e3a8c72c10da1e16455985df8553721 Loader
File hash TMI003.db: d14214e95c9d1ea850e508dfe27928494f2155a7597e4ea0bad9f706 Part of downloader
File hash TMI100.db: 131c27c3dce040979044ac1d363050c5d226af76aef1454bbf87c7193 Part of downloader
File hash TMI100.db: 1aaf59f05bb724d501cc9bcd6642ab8fd7347cf274d46c24719c9dced Part of downloader
File hash TMI100.db: 22de84e8f29cba932cf65cf4dc1d333cb8b2e468204f97030712bee32 Part of downloader
File hash TMI100.db: 3e2bc0bd2eb84282086cc5946673b22414a16e982402f1f05ea57059 Part of downloader
File hash TMI100.db: 43d597783af656a35184021f5e20686896463a1712f9216e0217a2ca1 Part of downloader
File hash TMI100.db: 50ebf107d522326c9a9db8821fe3263aa5136964faaf5dd183657bbb5 Part of downloader
File hash TMI100.db: afca3bb9fb8d7a4ab4ceb9707f6d9a17352ccfb8ece83c68b01fbb4198 Part of downloader
File hash TMI100.db: deba513e2dc52a2931e61f5ac6d550a7938c1f7f63f661867c09d6141 Part of downloader
File hash TMI210.db: 18683bba19695d325372d195634afd2f76b14896ba68225ba51ea5a0 Part of downloader
File hash TMI210.db: 45b2ba7c7a39817e1421f2abe2f869fa16af9651a6c863ac59683268f Part of downloader
File hash TMI320.db: 555360fb918b959176d669ef0ed40ec0b5ee57005fc625109891a16d Part of downloader
File hash TMI320.db: 771a47120b935e218322046e838347d722d265b91f1afdef91194a5b Part of downloader
File hash TMI400.db: 002e1207b96361fc4d53b10621225d61700003241fa38caacb411384 Part of downloader
File hash TMI400.db: 0120a6396952aec3f05ec0b0efe25e2a1b73545d55d74a3ac0bcd359 Part of downloader
File hash TMI400.db: 23b37d2ebe683cec3b145b6f2234ee728b99228cf3774399fcfad9502 Part of downloader
File hash TMI400.db: 7b297f18ece81e87608e158288cc9c06cb9f4a8f1b2d2256aecf7bba8 Part of downloader
File hash TMI400.db: 8f08ead23767e1e4389927c40af167122b477ad17a98d388c863342d Part of downloader
File hash TMI400.db: 9789d80077998010c47a6a02ef1241eab11b69d667de8751b1e93fed Part of downloader
File hash TMI400.db: a18b5a78143f004f33aafad998b518ad9ee4dbdec44817a6e9b570e7 Part of downloader
File hash TMI400.db: a8bee6c4a5860b0ae08a984d2a6d62c13d3e91d9514262998924d2e Part of downloader
File hash .rar: 151b2dc70d141c12a33d8e45a80659fc53a71734e27233326bff150a RAR archive
File hash EncodedFile.tmp: e5f2c7068ade7b87d24c3b94bc749c351d53609f5fcaa48dce06234be SpyGlace v3.1.15
File hash sdll.tmp: 9394627e9c44cf2226ddf50012e5cf47ccf7d3bd8afa2395c635a9363 SpyGlace v3.1.15
File hash sdll.tmp: add013bf7ffc8a89789a7fd0ae0ff799c620af9b2755b214880b6a5676 SpyGlace v3.1.15
File hash sdll.tmp: c86f319f64d25f23ac29d9b53c9764f06a150634ee8e2d836424d460e SpyGlace v3.1.15
File hash test2.txt: 669002654c264191d4660fbf757860d930175649735f81370b9f1af36 SpyGlace v3.1.17
File hash test2.txt: 3f67b777660241a1afc39f2ec388cac933a9eb31b3a34bddd12e39e6 SpyGlace v3.1.18
File hash test2.txt: 7c3d0bebd263d3529132f2299de55a7801bf3ff40c833b13838be7a98 SpyGlace v3.1.18
File hash test2.txt: 86c49174a032ebbba6aeb1541e2aa84da0933b2eac3976f8705451c SpyGlace v3.1.18
File hash test2.txt: b3f0d48506ff868ba145c9dcad7622bc37b723155648053ce2e2e73d SpyGlace v3.1.18
File hash test2.txt: c9295c923da64738b93ff1827a39a5cb8f6c71eab060de416c8175a4a SpyGlace v3.1.18

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection appeared first on Cyber Security News.






Tushar Subhra Dutta





Go to cyber-security-news





Posted

in

, ,

by