SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection
SpyGlace has returned in a campaign that hides malicious activity behind online services many companies trust.
The operation, linked to APT-C-60, uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools.
The latest activity shows how attackers can turn normal business traffic into cover. A victim may receive a Proton Drive link leading to a RAR archive, or a malicious attachment directly in the email.
Inside the archive is a Windows shortcut, or LNK file, whose opening begins the infection.
Analysts at JPCERT/CC identified the campaign while tracking continued APT-C-60 activity against organizations in Japan.
They found that the group had changed parts of its entry method and online infrastructure while retaining techniques seen in its 2024 and 2025 operations. The concern is not only the SpyGlace payload, but the way the delivery chain blends in.

It relies on standard Windows programs and familiar development platforms, making basic blocking rules less reliable and leaving organizations to spot suspicious behavior rather than simply suspicious destinations.
JPCERT/CC said in a report shared with Cyber Security News (CSN) that it observed SpyGlace versions 3.1.15, 3.1.17, and 3.1.18, with no major functional differences from earlier samples.
SpyGlace Attacks Abuse Trusted Developer Services
The attack starts when a recipient opens the LNK file. The shortcut copies itself and launches mshta.exe, a legitimate Windows component, to run hidden JavaScript stored inside the file.
That code downloads a file named contributing1.txt, decodes it, and extracts its contents.
Next, the script uses a legitimate copy of git.exe from the extracted files to run another script. The script rebuilds a downloader from several .db fragments, then uses it to collect more downloaders and loaders before launching SpyGlace.

This staged process gives the operators several chances to change material without changing the original lure.
APT-C-60 routed those later downloads through GitHub, GitLab, jsDelivr, and Codeberg. These sites serve developers and content every day, so their traffic can appear harmless in corporate networks.
The group had previously used GitHub and Bitbucket, but the broader 2026 mix expands the number of places defenders must investigate.
Using trusted services does not make the activity legitimate. It makes decisions based only on a website name far less useful.
Security teams need to connect a user action, such as opening an unexpected archive, with follow-on events including mshta.exe execution, unusual git.exe activity, script creation, and downloads from developer platforms.
Phishing Chain Raises Detection Pressure
The campaign demonstrates why phishing defenses remain essential even when an organization tightly manages software.
The initial email is the point where a routine cloud-storage link becomes a compromise path. Users should avoid opening cloud-storage links in suspicious emails and should treat LNK files inside RAR archives as a serious warning sign.
Mail controls should flag unexpected archives and shortcut files, especially when the message asks a recipient to retrieve content from a cloud drive.
Endpoint monitoring should also alert on a shortcut that starts mshta.exe or on git.exe being launched from an unusual temporary or extracted location.
Network teams should review access to code-hosting and content-delivery services in the context of the device and process generating it. An employee browsing a project page is different from an LNK-launched script pulling encoded files.
This behavior-focused approach can preserve normal work while exposing the sequence used to deliver SpyGlace.
The findings also underline the value of keeping a record of observed infrastructure and file hashes.
Blocking or hunting for the indicators below can help identify related activity, but defenders should not rely on them alone because the operators can create new accounts, repositories, files, and delivery links quickly.
JPCERT/CC’s account of the 2026 activity shows an attacker refining familiar methods rather than needing a new exploit.
For organizations, the practical response is to pair user caution with email, endpoint, and network monitoring that can recognize a malicious chain even when each individual service looks trustworthy.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| C2 server | 31.58.136.207 |
SpyGlace command-and-control infrastructure |
| C2 server | 154.18.239.209 |
SpyGlace command-and-control infrastructure |
| C2 server | 173.234.11.141 |
SpyGlace command-and-control infrastructure |
| C2 server | 185.18.222.241 |
SpyGlace command-and-control infrastructure |
| C2 server | 213.111.158.200 |
SpyGlace command-and-control infrastructure |
| C2 server | 213.111.158.201 |
SpyGlace command-and-control infrastructure |
| C2 server | 213.111.158.216 |
SpyGlace command-and-control infrastructure |
| URL | https://c.statcounter.com/1317800507/f3c27351 |
Legitimate service URL abused by the attacker |
| URL | https://cdn.jsdelivr.net/gh/mei1990789/class125 |
Legitimate service URL abused by the attacker |
| Phishing sender | [email protected] |
Observed spear-phishing sender |
| Phishing sender | [email protected] |
Observed spear-phishing sender |
| Repository | https://github.com/mei1990789/class125 |
Attacker management repository |
| Repository | https://github.com/sapphire679/tblsesarol |
Attacker management repository |
| Repository | https://github.com/sapphire689/dnaluakxith |
Attacker management repository |
| Repository | https://github.com/wanib11399/zjeqopmfith |
Attacker management repository |
| Repository | https://github.com/cafes39636/ngwtaepesf |
Attacker management repository |
| Repository | https://github.com/rapefo2905/rncprjmauw |
Attacker management repository |
| Repository | https://github.com/hexif45133/yedkatinrch |
Attacker management repository |
| Repository | https://github.com/jewexo9791/archibkyof |
Attacker management repository |
| Repository | https://github.com/lowege1212/izrtysherg |
Attacker management repository |
| Repository | https://github.com/gixop88415/glfhvhtzih |
Attacker management repository |
| Repository | https://github.com/kapap40675/fpqtzyofdl |
Attacker management repository |
| Repository | https://github.com/cefobe3574/kojyyvtkqo |
Attacker management repository |
| Repository | https://github.com/vogenoc114/qlofnsayvl |
Attacker management repository |
| Repository | https://github.com/bohihef411/tuikfwoveb |
Attacker management repository |
| Repository | https://github.com/waxiyes819/dymcdbqqen |
Attacker management repository |
| Repository | https://github.com/fehijow850/uywcrcvlnb |
Attacker management repository |
| Repository | https://github.com/yefixi3890/krbgqbmlho |
Attacker management repository |
| Repository | https://github.com/williams250666/bluenote554 |
Attacker management repository |
| Repository | https://gitlab.com/sapphire689/dnaluakxith |
Attacker management repository |
| Repository | https://gitlab.com/cafes39636/ngwtaepesf |
Attacker management repository |
| Repository | https://gitlab.com/rapefo2905/yedkatinrch |
Attacker management repository |
| Repository | https://gitlab.com/lowege1212/eboralfotj |
Attacker management repository |
| Repository | https://gitlab.com/kapap40675/fpqtzyofdl |
Attacker management repository |
| Repository | https://gitlab.com/vogenoc114/qlofnsayvl |
Attacker management repository |
| Repository | https://gitlab.com/waxiyes819/dymcdbqqen |
Attacker management repository |
| Repository | https://gitlab.com/yefixi3890/krbgqbmlho |
Attacker management repository |
| Repository | https://codeberg.org/ochima9923/tv9239irfn83 |
Attacker management repository |
| Repository | https://codeberg.org/meca922199/ertlokefgpokjper2359 |
Attacker management repository |
| Repository | https://codeberg.org/Hamilton385673/eff88e889w33456 |
Attacker management repository |
| Commit email | [email protected] |
Email address used for commits |
| Commit email | [email protected] |
Email address used for commits |
| Commit email | [email protected] |
Email address used for commits |
| Commit email | [email protected] |
Email address used for commits |
| Commit email | [email protected] |
Email address used for commits |
| Commit email | [email protected] |
Email address used for commits |
| File hash | iconcache.dat: 48bb091e0cab562fe094e0ef6a77b434dba97380c09a707220cbd9ca |
Downloader 1 |
| File hash | iconcache.dat: 5e97848bebf521766910d9c8378e98bf7aa1ce4b06aeb6c3f86c31ab |
Downloader 1 |
| File hash | iconcache.dat: 60972abf5425c191c81bae117f1dedaea13d39bc52f367d5dff9ad1aa |
Downloader 1 |
| File hash | iconcache.dat: 71819a1b856b49e7f194ce60468ed8e5ea925c75d01484f4d28ffcf69 |
Downloader 1 |
| File hash | iconcache.dat: 83a22d4f61b054bda53a2ea4f506e97d818c7c961d8cd3975c1f2a51 |
Downloader 1 |
| File hash | iconcache.dat: 866564bb455bb3c9f3e15cbbc1dcaf75c533a224eb96c4b6d6739e11 |
Downloader 1 |
| File hash | iconcache.dat: cc2a6a3b4b771aba341293d2321e5f7b70cf517403fe44a58635b043 |
Downloader 1 |
| File hash | iconcache.dat: fa53663bfb80e197483e1a1bf123b94fa869e2d7f42b5fdfbff2869589b |
Downloader 1 |
| File hash | Cached2014.tmp: 6b84eab2aac7754b99d04365a83ec374e3cea99cc3223118a5f8fd541 |
Downloader 2 |
| File hash | EncodedFile.tmp: 0bda4beded9c2923fe16f20b7cbd7baf1a5b7078be5cde715592529a |
Downloader 2 |
| File hash | EncodedFile.tmp, inst.tmp: a7981dfccd8e4bdc00133dc15b22472c1677d6270826863caa36e7d5 |
Downloader 2 |
| File hash | a101.dat: 1b25c3d56fdb195b427a9c3bfc1f0e98e77a15322e8d3fc53a18edcc4 |
Downloader 2 |
| File hash | iconcache.dat: 119ad3dce05b5ef3db5a76655ac050eac51e318f1f31351ac103693a0 |
Downloader 2 |
| File hash | item.tmp: 0420fd9e5f9961458604909391fb0f1a353c17c986b55fc5722c1b68e |
Downloader 2 |
| File hash | item.tmp: 2952d72ad1d44f3d424600b8fa4076794e2e072ab46936012a5fb872 |
Downloader 2 |
| File hash | job.tmp, akdjfiwnkd.tmp: 3f2f69a8403e6b4e02ebe65448caf6abb8e2fbd1f7636ec71599f2d2d5 |
Downloader 2 |
| File hash | newjob.tmp: a9fd615fce38756ba6de8994f200e4b846397648138a9a0e6ef3b5952 |
Downloader 2 |
| File hash | reaconinst.tmp: a4c8a56070fe6f613e79a14554d0a1dba2f70ce2b93319e72972943c |
Downloader 2 |
| File hash | wincfg.db, Cached.tmp: c4768d99445128c670a6f848bc69371872e4d6a2160dbe0073e62ffd |
Downloader 2 |
| File hash | msdic.log: 7aa76237a7686583cc526b9d1a8486a52bd44a448d75ced51e1df4b |
Install script |
| File hash | msdic.log: d567af55c97b7a595fcde5082e37a752718044230c16704e24efb430 |
Install script |
| File hash | basecode.dat: 14d799f7897d25f7cfb4d1c86f43c791b6d778d2efd92b5fac4f65fc472 |
JavaScript file |
| File hash | basecode.dat: 16bdde15cbf9190883c146bab495c8be73daff4fff5ffbf86b4ee468471 |
JavaScript file |
| File hash | call1.js: 8114e3f213713dbbbacafcd0f62884a7826139b434bb3c77eae8dce65 |
JavaScript file |
| File hash | call2.js: ab5aba292c983db324987e9fde2e01fe24a979d1587888fcc7460c94 |
JavaScript file |
| File hash | call3.js: b5458541732f91793ef89cc58ec5e46d04bf43985ab4e6dc5ad10b6d |
JavaScript file |
| File hash | call4.js: e6a414a53206e25d061a11e63c7d381ab0eb80cd3d174bd13551e2c |
JavaScript file |
| File hash | call41.js: 1ae423e91f6cd679f9ea5be879b07379633b05cd850c37a8a65cdeaf |
JavaScript file |
| File hash | close.js: 7900c2772680523cadc9fe4e07300d45500191ba64ff5b91573531b1 |
JavaScript file |
| File hash | close.js: 94072d60170fc72a528f68b2b3826638dbb7283c8906e8051f53fe16e |
JavaScript file |
| File hash | close.js: ad1c890f458b94683464c4d6d6d41fe63551c2c06ba2a1b8f71d8acb |
JavaScript file |
| File hash | close.js: ffe5853d19be1acfe12bd681c7390d8fa88534a471020e6866a9e7c371 |
JavaScript file |
| File hash | help.dat: 62a879b0d1c1649cc72b2b6f61a8f6bd888625ce6e8a7aefe0a0461e |
JavaScript file |
| File hash | help.js: 0bf85d9065feb20ee946acf77c985cc7ec78de048ee41d8c5931e0e88 |
JavaScript file |
| File hash | help.js: 21ddfbf726caa6d0f32a6bbce8e619f75c81f884bca48564c7a0e5a84 |
JavaScript file |
| File hash | help.js: 2c98781e39a091b370ebd748b495c45752b2c54cdf2c36814358c8c6 |
JavaScript file |
| File hash | help.js: 5272917261d7091a59e00f9d09cd7eb1d3e111115a5b367f79a66d0d |
JavaScript file |
| File hash | help.js: 78c108be692f1c45ed1da1988e3c5ac792c832a78d0b6e8e6550763 |
JavaScript file |
| File hash | help.js: 9706ee93f9b4b8214293e2ca4a68525eccaacfea58b135dcb2ea661a |
JavaScript file |
| File hash | help.js: a1f0e6a30dc9753c5cbc80fd9df50eb44aee5a2349223b915b758af74 |
JavaScript file |
| File hash | helpv3.js: 3b7a80fc62eb8b248fd0be0d94c78f1efe2f510499c68865a6d0c4ead |
JavaScript file |
| File hash | helpv4.js: a9287e3452ab09144120ecdd20ed7365de589d5dcad28dcd8e19174 |
JavaScript file |
| File hash | helpv5.js: 5ab41cf20315d2ea1385967d588159873a65ef5581a0b78de06c0d86 |
JavaScript file |
| File hash | index.js: 131d8f72fde45c5ca1f662c510c3da16fbcd8ff6ef9b9fd893c25a9c8e8 |
JavaScript file |
| File hash | test.dat: 7d09891e26d56a8bec44c3fe9a5791f3a93e8fa31539951ae6e2c40a |
JavaScript file |
| File hash | desk.lnk: 2d8def39b76ca17b419e5084832105c0167a171fdcc14eebd0c872cc |
LNK file |
| File hash | desk.lnk: fd0c7713520bd19c3e2566e93696532aa7da39a0c5ce1a797b67ce77 |
LNK file |
| File hash | idx2.lnk: 899ce01e7313f4c1cfcf07cb2456282ded1d6b6c57286762f2914a9d6 |
LNK file |
| File hash | information.lnk: fa98deb16bd72f2f77349c8c24de674a007a3d1ec8e88dd590791a57 |
LNK file |
| File hash | ipo6.lnk: 44a4ac119349f525d877728b53fe38453a516881d577679caf08ab69 |
LNK file |
| File hash | .lnk: 5c3d820e032592f47ffb4850ae0183749199b3e0dca3413cd0c3cb63 |
LNK file |
| File hash | ndsdll.dat: 5115277eabf2d22d49dcef1e155874387d8e783853bd86debf7ff5858 |
Loader |
| File hash | EncodedFile.tmp: 2b650e2e2c46a52378aee70fbaff1ce5e832c759c5f937532047f5250 |
Loader |
| File hash | EncodedFile.tmp: 8a8cabe5f94e7f4c0ccca97f0c361618ec944df03d8b3bfcfdd76a25dd |
Loader |
| File hash | EncodedFile.tmp, sta.tmp: f0af281623b422c1d45e7006d78678762341288c05abcb62648ce55c |
Loader |
| File hash | EncodedFile2.tmp: 8ba3997afa07ac60312edf5f2d16357d1532a140081d638a9e465376 |
Loader |
| File hash | jj.dll: 86ab5161f761822d16637d4d34b84ca6e1f66cea905aa27510620c9c |
Loader DLL |
| File hash | dll.tmp: 843c4dc402e96ed72d7716d980c99e5dfa222a2a322250b7c3755a0 |
Loader |
| File hash | dll.tmp: 9a19598ea286d5f6fa0b7ff981ba21aff503fb217757f4dfbd496ead018 |
Loader |
| File hash | dll.tmp: e8514a2372172b4975f77bf69d5e8b7708cfa60157b064fcab13d7a62 |
Loader |
| File hash | dll2.tmp: 248ded4723e9f5da793e5e42d1ba7c2293dd704718f149b84b3b9b81 |
Loader |
| File hash | dll3.tmp: 3c509ec732979d8c91009d2c9f898bea81f3fc4064c3c56576257f61f9 |
Loader |
| File hash | dll3.tmp: 55640ad319208915593db8ad43724dddf6e6e17fc6b0014affa69c90f |
Loader |
| File hash | dll3.tmp: c1faaff24d58af798c77d34405379df0a9e883e5bd1100a86d4c3e001 |
Loader |
| File hash | dll3.tmp: f50a01ae446adfcaaddffe215abd94b5643211e83d52acf5de540abf9f |
Loader |
| File hash | test1.txt: 6cdc895eda4847f700d6f82fa2e3a8c72c10da1e16455985df8553721 |
Loader |
| File hash | TMI003.db: d14214e95c9d1ea850e508dfe27928494f2155a7597e4ea0bad9f706 |
Part of downloader |
| File hash | TMI100.db: 131c27c3dce040979044ac1d363050c5d226af76aef1454bbf87c7193 |
Part of downloader |
| File hash | TMI100.db: 1aaf59f05bb724d501cc9bcd6642ab8fd7347cf274d46c24719c9dced |
Part of downloader |
| File hash | TMI100.db: 22de84e8f29cba932cf65cf4dc1d333cb8b2e468204f97030712bee32 |
Part of downloader |
| File hash | TMI100.db: 3e2bc0bd2eb84282086cc5946673b22414a16e982402f1f05ea57059 |
Part of downloader |
| File hash | TMI100.db: 43d597783af656a35184021f5e20686896463a1712f9216e0217a2ca1 |
Part of downloader |
| File hash | TMI100.db: 50ebf107d522326c9a9db8821fe3263aa5136964faaf5dd183657bbb5 |
Part of downloader |
| File hash | TMI100.db: afca3bb9fb8d7a4ab4ceb9707f6d9a17352ccfb8ece83c68b01fbb4198 |
Part of downloader |
| File hash | TMI100.db: deba513e2dc52a2931e61f5ac6d550a7938c1f7f63f661867c09d6141 |
Part of downloader |
| File hash | TMI210.db: 18683bba19695d325372d195634afd2f76b14896ba68225ba51ea5a0 |
Part of downloader |
| File hash | TMI210.db: 45b2ba7c7a39817e1421f2abe2f869fa16af9651a6c863ac59683268f |
Part of downloader |
| File hash | TMI320.db: 555360fb918b959176d669ef0ed40ec0b5ee57005fc625109891a16d |
Part of downloader |
| File hash | TMI320.db: 771a47120b935e218322046e838347d722d265b91f1afdef91194a5b |
Part of downloader |
| File hash | TMI400.db: 002e1207b96361fc4d53b10621225d61700003241fa38caacb411384 |
Part of downloader |
| File hash | TMI400.db: 0120a6396952aec3f05ec0b0efe25e2a1b73545d55d74a3ac0bcd359 |
Part of downloader |
| File hash | TMI400.db: 23b37d2ebe683cec3b145b6f2234ee728b99228cf3774399fcfad9502 |
Part of downloader |
| File hash | TMI400.db: 7b297f18ece81e87608e158288cc9c06cb9f4a8f1b2d2256aecf7bba8 |
Part of downloader |
| File hash | TMI400.db: 8f08ead23767e1e4389927c40af167122b477ad17a98d388c863342d |
Part of downloader |
| File hash | TMI400.db: 9789d80077998010c47a6a02ef1241eab11b69d667de8751b1e93fed |
Part of downloader |
| File hash | TMI400.db: a18b5a78143f004f33aafad998b518ad9ee4dbdec44817a6e9b570e7 |
Part of downloader |
| File hash | TMI400.db: a8bee6c4a5860b0ae08a984d2a6d62c13d3e91d9514262998924d2e |
Part of downloader |
| File hash | .rar: 151b2dc70d141c12a33d8e45a80659fc53a71734e27233326bff150a |
RAR archive |
| File hash | EncodedFile.tmp: e5f2c7068ade7b87d24c3b94bc749c351d53609f5fcaa48dce06234be |
SpyGlace v3.1.15 |
| File hash | sdll.tmp: 9394627e9c44cf2226ddf50012e5cf47ccf7d3bd8afa2395c635a9363 |
SpyGlace v3.1.15 |
| File hash | sdll.tmp: add013bf7ffc8a89789a7fd0ae0ff799c620af9b2755b214880b6a5676 |
SpyGlace v3.1.15 |
| File hash | sdll.tmp: c86f319f64d25f23ac29d9b53c9764f06a150634ee8e2d836424d460e |
SpyGlace v3.1.15 |
| File hash | test2.txt: 669002654c264191d4660fbf757860d930175649735f81370b9f1af36 |
SpyGlace v3.1.17 |
| File hash | test2.txt: 3f67b777660241a1afc39f2ec388cac933a9eb31b3a34bddd12e39e6 |
SpyGlace v3.1.18 |
| File hash | test2.txt: 7c3d0bebd263d3529132f2299de55a7801bf3ff40c833b13838be7a98 |
SpyGlace v3.1.18 |
| File hash | test2.txt: 86c49174a032ebbba6aeb1541e2aa84da0933b2eac3976f8705451c |
SpyGlace v3.1.18 |
| File hash | test2.txt: b3f0d48506ff868ba145c9dcad7622bc37b723155648053ce2e2e73d |
SpyGlace v3.1.18 |
| File hash | test2.txt: c9295c923da64738b93ff1827a39a5cb8f6c71eab060de416c8175a4a |
SpyGlace v3.1.18 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection appeared first on Cyber Security News.
Tushar Subhra Dutta
Go to cyber-security-news