{"id":14254,"date":"2026-07-13T10:03:39","date_gmt":"2026-07-13T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/spyglace-attacks-abuse-trusted-developer-services-to-evade-network-detection\/"},"modified":"2026-07-13T10:03:39","modified_gmt":"2026-07-13T10:03:39","slug":"spyglace-attacks-abuse-trusted-developer-services-to-evade-network-detection","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/13\/spyglace-attacks-abuse-trusted-developer-services-to-evade-network-detection\/","title":{"rendered":"SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection"},"content":{"rendered":"<p>    SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">SpyGlace has returned in a campaign that hides malicious activity behind online services many companies trust. <\/p>\n<p class=\"wp-block-paragraph\">The operation, linked to APT-C-60, uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The latest activity shows how attackers can turn normal business traffic into cover. A victim may receive a <a href=\"https:\/\/cybersecuritynews.com\/proton-launched-end-to-end-encrypted\/\" data-type=\"post\" data-id=\"69587\" target=\"_blank\" rel=\"noreferrer noopener\">Proton Drive link leading to a RAR archive<\/a>, or a malicious attachment directly in the email. <\/p>\n<p class=\"wp-block-paragraph\">Inside the archive is a Windows shortcut, or LNK file, whose opening begins the infection.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Analysts at JPCERT\/CC identified the campaign while tracking continued APT-C-60 activity against organizations in Japan. <\/p>\n<p class=\"wp-block-paragraph\">They found that the group had changed parts of its entry method and online infrastructure while retaining techniques seen in its 2024 and 2025 operations. <a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a>The concern is not only the SpyGlace payload, but the way the delivery chain blends in. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgXByUY8v540sskKbeaLgEEQmA-jQ-NDquL1X-oRqeoGwNBn619zn8BiIHVgjtEXZYgbt_YtRqSf6p_80akCQmllNzWiIwvTNzVFEQWKb8Fe5toESx9KNya8aQfCKpMHwXmw1hqsv__wWHqZR0f7bacG88PtKBxdxrEqbRN_qvT7NISqrSPSCo0kaOYQdA\/s1600\/Initial%2520access%2520flow%2520%28Source%2520-%2520JPCert%29.webp?ssl=1\" alt=\"Initial access flow (Source - JPCert)\"><figcaption class=\"wp-element-caption\">Initial access flow (Source \u2013 JPCert)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">It relies on standard Windows programs and familiar development platforms, making basic blocking rules less reliable and leaving organizations to spot suspicious behavior rather than simply suspicious destinations.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/blogs.jpcert.or.jp\/en\/2026\/07\/apt-c-60-2026.html\" data-type=\"link\" data-id=\"https:\/\/blogs.jpcert.or.jp\/en\/2026\/07\/apt-c-60-2026.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">JPCERT\/CC\u00a0said in a report<\/a> shared with Cyber Security News (CSN) that it observed SpyGlace versions 3.1.15, 3.1.17, and 3.1.18, with no major functional differences from earlier samples.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-spyglace-attacks-abuse-trusted-developer-services\" class=\"wp-block-heading\"><strong>SpyGlace Attacks Abuse Trusted Developer Services<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The attack starts when a recipient opens the LNK file. The shortcut copies itself and launches mshta.exe, a legitimate Windows component, to run hidden JavaScript stored inside the file. <\/p>\n<p class=\"wp-block-paragraph\">That code downloads a file named contributing1.txt, decodes it, and extracts its contents.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Next, the script uses a legitimate copy of git.exe from the extracted files to run another script. The script rebuilds a downloader from several .db fragments, then uses it to collect more downloaders and loaders before launching SpyGlace. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvyi4CTuW4oMeX4_e72lD9_STI2EI4fW6WjRtj2jgAI1FUe16lnT-VLXY7BMsdqdAusdTW9BiiSjLmxRP6vBLC0GlAtAzUMxkWBa0Y-NPZbjRqCNgww10q1K95keBEphah1GmOO-qK9WMHvHSk9tBC1mnJru1PESiM2AqG70ewobi1pFXV3L7qp5MiOAM\/s1600\/Infection%2520flow%2520after%2520execution%2520of%2520the%2520LNK%2520file%2520%28Source%2520-%2520JPCert%29.webp?ssl=1\" alt=\"Infection flow after execution of the LNK file (Source - JPCert)\"><figcaption class=\"wp-element-caption\">Infection flow after execution of the LNK file (Source \u2013 JPCert)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">This staged process gives the operators several chances to change material without changing the original lure.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">APT-C-60 routed those later downloads through GitHub, GitLab, jsDelivr, and Codeberg. These sites serve developers and content every day, so their traffic can appear harmless in corporate networks. <\/p>\n<p class=\"wp-block-paragraph\">The group had previously used GitHub and Bitbucket, but the broader 2026 mix expands the number of places defenders must investigate.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Using trusted services does not make the activity legitimate. It makes decisions based only on a website name far less useful. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/aligning-it-and-security-teams\/\" data-type=\"post\" data-id=\"108197\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams need to connect a user action<\/a>, such as opening an unexpected archive, with follow-on events including mshta.exe execution, unusual git.exe activity, script creation, and downloads from developer platforms.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-phishing-chain-raises-detection-pressure\" class=\"wp-block-heading\"><strong>Phishing Chain Raises Detection Pressure<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The campaign demonstrates why phishing defenses remain essential even when an organization tightly manages software. <\/p>\n<p class=\"wp-block-paragraph\">The initial email is the point where a routine cloud-storage link becomes a compromise path. Users should avoid opening cloud-storage links in suspicious emails and should treat LNK files inside RAR archives as a serious warning sign.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Mail controls should flag unexpected archives and shortcut files, especially when the message asks a recipient to retrieve content from a cloud drive. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/real-time-endpoint-threat-detection\/\" data-type=\"post\" data-id=\"107414\" target=\"_blank\" rel=\"noreferrer noopener\">Endpoint monitoring should also alert<\/a> on a shortcut that starts mshta.exe or on git.exe being launched from an unusual temporary or extracted location.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Network teams should review access to code-hosting and content-delivery services in the context of the device and process generating it. An employee browsing a project page is different from an LNK-launched script pulling encoded files. <\/p>\n<p class=\"wp-block-paragraph\">This behavior-focused approach can preserve normal work while exposing the sequence used to deliver SpyGlace.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The findings also underline the value of keeping a record of observed infrastructure and file hashes. <\/p>\n<p class=\"wp-block-paragraph\">Blocking or hunting for the indicators below can help identify related activity, but defenders should not rely on them alone because the operators can create new accounts, repositories, files, and delivery links quickly.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">JPCERT\/CC\u2019s account of the 2026 activity shows an attacker refining familiar methods rather than needing a new exploit. <\/p>\n<p class=\"wp-block-paragraph\">For organizations, the practical response is to pair user caution with email, endpoint, and network monitoring that can recognize a malicious chain even when each individual service looks trustworthy.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of compromise (IoCs):-<\/strong><a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/844e0907-150a-46a2-8b9a-8be7a6dbf06b\/SpyGlace-Attacks-Abuse-Trusted-Developer-Services-to-Evade-Network-Detection.pdf?AWSAccessKeyId=ASIA2F3EMEYETHECD52K&amp;Signature=OfXDSh0K28b%2Bs9C9Td0K%2FG7UZPQ%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEDAaCXVzLWVhc3QtMSJHMEUCIBQOcdVB8gBWQG8VWeI1n0Pv8QNgSnI9Ry0Hq1pAsw9iAiEAkHTnM4OG1pncMRifl%2BkDrt1gOPNSAGAa89GEPxCGobEq%2FAQI%2Bf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDEGmUQ5ZZ1el7N%2FPRCrQBIPw6KFKGQ%2BzN6qovxpGo0XSHkmYhWci%2BVutDzPi1JR9K%2BLbHuRs%2BU0SOyrJDqMtLJFrM%2Froz1Qs9PdrveQ3TjAJK0dBsjSGp1ntI6A8OI571hjVMoMkM8QRrrcr5Q9uYnoRCrX%2B3oqC7dPvR3pYflSEsQgKs%2FUvsZ%2B3f5mt4WvoBCBSvezsq60tN2YoJqKVq8nuCROqA190iXrH%2Br9b%2BlLvBAKeQEOL%2F6YSaBJuSI7KQxhBVmcVQrL89xhsvJJKCWEY3bm0f2rVSKv%2BEoar2ws6VM0waKWSHqLAIVqhVV2oLEY5Uw1eqySKzx3%2FkhLeSlK3%2BDJSTNNFnaebDNWI%2BbI7S8IQ2uyLGS%2B57j3i5HbYsqg3nB9aQKE5AXJWPiNeGi%2BNcnmjQG%2B6HWFZKsF43fRAYgb79du1Zc9TFhcfGd%2FvUxGRsNLJDTuz1%2FPwZIhDHyv30yzDFgtPMvgnMYni%2FUORD59MDPEEh9SuumtZ1xEcM1r4%2BSG6nZpjiVo%2F7so%2BaI8tGE9s%2Fj4u7ouc03fw5FwluTpIEHYL0Hxp%2BC9ZlXmc6bAUl3uEUP%2BG4nicidx4WvXHmqIBf2B0SGdEUXP7vjDiHo9hXItqffkX2NLHveRW5h9TJ8U7HXJlKrZkXwiy01OF4VO2XzQlCT9Mje6eog6NDOHGHTZkZvoCuwjzNdBDy92TmMSR%2BRvotNHkJgI5kpaCNudS%2BDkQnu42gZjynagvmo0BTK9WFMFapIAdP%2BgoIbLeosjgBhqkjLdYw0jrTUxPPC85kzXVijluP1TG3eowsrbS0gY6mAH30K%2B2Lae6XwHvWMREVru%2Frp5agdOqT4QMRHA%2FMU%2BlN9dB1XGk42gqWG68EjDVkRrkFvNmEYO5DtnIupbGkpCGd3QTl8ljN%2B81aCWwtI%2F0ydxNAdYKE2oBvOQ5%2BMOIJUB%2BY0DTrPzoujFiX%2BcGD31QEoOcjfgmPn9SdfLoThdxS%2F%2BbBbFHe%2BS8hRPBmgCZoeRcSBv5D8nRvA%3D%3D&amp;Expires=1783933189\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>C2 server<\/td>\n<td><code>31.58.136.207<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>154.18.239.209<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>173.234.11.141<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>185.18.222.241<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>213.111.158.200<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>213.111.158.201<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>C2 server<\/td>\n<td><code>213.111.158.216<\/code><\/td>\n<td>SpyGlace command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/c.statcounter.com\/1317800507\/f3c27351<\/code><\/td>\n<td>Legitimate service URL abused by the attacker<\/td>\n<\/tr>\n<tr>\n<td>URL<\/td>\n<td><code>https:\/\/cdn.jsdelivr.net\/gh\/mei1990789\/class125<\/code><\/td>\n<td>Legitimate service URL abused by the attacker<\/td>\n<\/tr>\n<tr>\n<td>Phishing sender<\/td>\n<td><code>asako.t1011@protonmail.com<\/code><\/td>\n<td>Observed spear-phishing sender<\/td>\n<\/tr>\n<tr>\n<td>Phishing sender<\/td>\n<td><code>ayuko0328@protonmail.com<\/code><\/td>\n<td>Observed spear-phishing sender<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/mei1990789\/class125<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/sapphire679\/tblsesarol<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/sapphire689\/dnaluakxith<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/wanib11399\/zjeqopmfith<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/cafes39636\/ngwtaepesf<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/rapefo2905\/rncprjmauw<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/hexif45133\/yedkatinrch<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/jewexo9791\/archibkyof<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/lowege1212\/izrtysherg<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/gixop88415\/glfhvhtzih<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/kapap40675\/fpqtzyofdl<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/cefobe3574\/kojyyvtkqo<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/vogenoc114\/qlofnsayvl<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/bohihef411\/tuikfwoveb<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/waxiyes819\/dymcdbqqen<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/fehijow850\/uywcrcvlnb<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/yefixi3890\/krbgqbmlho<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/github.com\/williams250666\/bluenote554<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/sapphire689\/dnaluakxith<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/cafes39636\/ngwtaepesf<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/rapefo2905\/yedkatinrch<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/lowege1212\/eboralfotj<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/kapap40675\/fpqtzyofdl<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/vogenoc114\/qlofnsayvl<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/waxiyes819\/dymcdbqqen<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/gitlab.com\/yefixi3890\/krbgqbmlho<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/codeberg.org\/ochima9923\/tv9239irfn83<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/codeberg.org\/meca922199\/ertlokefgpokjper2359<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Repository<\/td>\n<td><code>https:\/\/codeberg.org\/Hamilton385673\/eff88e889w33456<\/code><\/td>\n<td>Attacker management repository<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>sapphire679@proton.me<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>sapphire689@proton.me<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>meimei91@protonmail.com<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>rapefo2905@outlook.com<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>jewexo9791@outlook.com<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>Commit email<\/td>\n<td><code>legDevMachine@protonmail.com<\/code><\/td>\n<td>Email address used for commits<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 48bb091e0cab562fe094e0ef6a77b434dba97380c09a707220cbd9ca<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 5e97848bebf521766910d9c8378e98bf7aa1ce4b06aeb6c3f86c31ab<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 60972abf5425c191c81bae117f1dedaea13d39bc52f367d5dff9ad1aa<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 71819a1b856b49e7f194ce60468ed8e5ea925c75d01484f4d28ffcf69<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 83a22d4f61b054bda53a2ea4f506e97d818c7c961d8cd3975c1f2a51<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 866564bb455bb3c9f3e15cbbc1dcaf75c533a224eb96c4b6d6739e11<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: cc2a6a3b4b771aba341293d2321e5f7b70cf517403fe44a58635b043<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: fa53663bfb80e197483e1a1bf123b94fa869e2d7f42b5fdfbff2869589b<\/code><\/td>\n<td>Downloader 1<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>Cached2014.tmp: 6b84eab2aac7754b99d04365a83ec374e3cea99cc3223118a5f8fd541<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp: 0bda4beded9c2923fe16f20b7cbd7baf1a5b7078be5cde715592529a<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp, inst.tmp: a7981dfccd8e4bdc00133dc15b22472c1677d6270826863caa36e7d5<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>a101.dat: 1b25c3d56fdb195b427a9c3bfc1f0e98e77a15322e8d3fc53a18edcc4<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>iconcache.dat: 119ad3dce05b5ef3db5a76655ac050eac51e318f1f31351ac103693a0<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>item.tmp: 0420fd9e5f9961458604909391fb0f1a353c17c986b55fc5722c1b68e<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>item.tmp: 2952d72ad1d44f3d424600b8fa4076794e2e072ab46936012a5fb872<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>job.tmp, akdjfiwnkd.tmp: 3f2f69a8403e6b4e02ebe65448caf6abb8e2fbd1f7636ec71599f2d2d5<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>newjob.tmp: a9fd615fce38756ba6de8994f200e4b846397648138a9a0e6ef3b5952<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>reaconinst.tmp: a4c8a56070fe6f613e79a14554d0a1dba2f70ce2b93319e72972943c<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>wincfg.db, Cached.tmp: c4768d99445128c670a6f848bc69371872e4d6a2160dbe0073e62ffd<\/code><\/td>\n<td>Downloader 2<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>msdic.log: 7aa76237a7686583cc526b9d1a8486a52bd44a448d75ced51e1df4b<\/code><\/td>\n<td>Install script<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>msdic.log: d567af55c97b7a595fcde5082e37a752718044230c16704e24efb430<\/code><\/td>\n<td>Install script<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>basecode.dat: 14d799f7897d25f7cfb4d1c86f43c791b6d778d2efd92b5fac4f65fc472<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>basecode.dat: 16bdde15cbf9190883c146bab495c8be73daff4fff5ffbf86b4ee468471<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>call1.js: 8114e3f213713dbbbacafcd0f62884a7826139b434bb3c77eae8dce65<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>call2.js: ab5aba292c983db324987e9fde2e01fe24a979d1587888fcc7460c94<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>call3.js: b5458541732f91793ef89cc58ec5e46d04bf43985ab4e6dc5ad10b6d<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>call4.js: e6a414a53206e25d061a11e63c7d381ab0eb80cd3d174bd13551e2c<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>call41.js: 1ae423e91f6cd679f9ea5be879b07379633b05cd850c37a8a65cdeaf<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>close.js: 7900c2772680523cadc9fe4e07300d45500191ba64ff5b91573531b1<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>close.js: 94072d60170fc72a528f68b2b3826638dbb7283c8906e8051f53fe16e<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>close.js: ad1c890f458b94683464c4d6d6d41fe63551c2c06ba2a1b8f71d8acb<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>close.js: ffe5853d19be1acfe12bd681c7390d8fa88534a471020e6866a9e7c371<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.dat: 62a879b0d1c1649cc72b2b6f61a8f6bd888625ce6e8a7aefe0a0461e<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 0bf85d9065feb20ee946acf77c985cc7ec78de048ee41d8c5931e0e88<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 21ddfbf726caa6d0f32a6bbce8e619f75c81f884bca48564c7a0e5a84<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 2c98781e39a091b370ebd748b495c45752b2c54cdf2c36814358c8c6<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 5272917261d7091a59e00f9d09cd7eb1d3e111115a5b367f79a66d0d<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 78c108be692f1c45ed1da1988e3c5ac792c832a78d0b6e8e6550763<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: 9706ee93f9b4b8214293e2ca4a68525eccaacfea58b135dcb2ea661a<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>help.js: a1f0e6a30dc9753c5cbc80fd9df50eb44aee5a2349223b915b758af74<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>helpv3.js: 3b7a80fc62eb8b248fd0be0d94c78f1efe2f510499c68865a6d0c4ead<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>helpv4.js: a9287e3452ab09144120ecdd20ed7365de589d5dcad28dcd8e19174<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>helpv5.js: 5ab41cf20315d2ea1385967d588159873a65ef5581a0b78de06c0d86<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>index.js: 131d8f72fde45c5ca1f662c510c3da16fbcd8ff6ef9b9fd893c25a9c8e8<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test.dat: 7d09891e26d56a8bec44c3fe9a5791f3a93e8fa31539951ae6e2c40a<\/code><\/td>\n<td>JavaScript file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>desk.lnk: 2d8def39b76ca17b419e5084832105c0167a171fdcc14eebd0c872cc<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>desk.lnk: fd0c7713520bd19c3e2566e93696532aa7da39a0c5ce1a797b67ce77<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>idx2.lnk: 899ce01e7313f4c1cfcf07cb2456282ded1d6b6c57286762f2914a9d6<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>information.lnk: fa98deb16bd72f2f77349c8c24de674a007a3d1ec8e88dd590791a57<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>ipo6.lnk: 44a4ac119349f525d877728b53fe38453a516881d577679caf08ab69<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>.lnk: 5c3d820e032592f47ffb4850ae0183749199b3e0dca3413cd0c3cb63<\/code><\/td>\n<td>LNK file<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>ndsdll.dat: 5115277eabf2d22d49dcef1e155874387d8e783853bd86debf7ff5858<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp: 2b650e2e2c46a52378aee70fbaff1ce5e832c759c5f937532047f5250<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp: 8a8cabe5f94e7f4c0ccca97f0c361618ec944df03d8b3bfcfdd76a25dd<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp, sta.tmp: f0af281623b422c1d45e7006d78678762341288c05abcb62648ce55c<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile2.tmp: 8ba3997afa07ac60312edf5f2d16357d1532a140081d638a9e465376<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>jj.dll: 86ab5161f761822d16637d4d34b84ca6e1f66cea905aa27510620c9c<\/code><\/td>\n<td>Loader DLL<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll.tmp: 843c4dc402e96ed72d7716d980c99e5dfa222a2a322250b7c3755a0<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll.tmp: 9a19598ea286d5f6fa0b7ff981ba21aff503fb217757f4dfbd496ead018<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll.tmp: e8514a2372172b4975f77bf69d5e8b7708cfa60157b064fcab13d7a62<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll2.tmp: 248ded4723e9f5da793e5e42d1ba7c2293dd704718f149b84b3b9b81<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll3.tmp: 3c509ec732979d8c91009d2c9f898bea81f3fc4064c3c56576257f61f9<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll3.tmp: 55640ad319208915593db8ad43724dddf6e6e17fc6b0014affa69c90f<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll3.tmp: c1faaff24d58af798c77d34405379df0a9e883e5bd1100a86d4c3e001<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>dll3.tmp: f50a01ae446adfcaaddffe215abd94b5643211e83d52acf5de540abf9f<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test1.txt: 6cdc895eda4847f700d6f82fa2e3a8c72c10da1e16455985df8553721<\/code><\/td>\n<td>Loader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI003.db: d14214e95c9d1ea850e508dfe27928494f2155a7597e4ea0bad9f706<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 131c27c3dce040979044ac1d363050c5d226af76aef1454bbf87c7193<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 1aaf59f05bb724d501cc9bcd6642ab8fd7347cf274d46c24719c9dced<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 22de84e8f29cba932cf65cf4dc1d333cb8b2e468204f97030712bee32<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 3e2bc0bd2eb84282086cc5946673b22414a16e982402f1f05ea57059<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 43d597783af656a35184021f5e20686896463a1712f9216e0217a2ca1<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: 50ebf107d522326c9a9db8821fe3263aa5136964faaf5dd183657bbb5<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: afca3bb9fb8d7a4ab4ceb9707f6d9a17352ccfb8ece83c68b01fbb4198<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI100.db: deba513e2dc52a2931e61f5ac6d550a7938c1f7f63f661867c09d6141<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI210.db: 18683bba19695d325372d195634afd2f76b14896ba68225ba51ea5a0<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI210.db: 45b2ba7c7a39817e1421f2abe2f869fa16af9651a6c863ac59683268f<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI320.db: 555360fb918b959176d669ef0ed40ec0b5ee57005fc625109891a16d<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI320.db: 771a47120b935e218322046e838347d722d265b91f1afdef91194a5b<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 002e1207b96361fc4d53b10621225d61700003241fa38caacb411384<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 0120a6396952aec3f05ec0b0efe25e2a1b73545d55d74a3ac0bcd359<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 23b37d2ebe683cec3b145b6f2234ee728b99228cf3774399fcfad9502<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 7b297f18ece81e87608e158288cc9c06cb9f4a8f1b2d2256aecf7bba8<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 8f08ead23767e1e4389927c40af167122b477ad17a98d388c863342d<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: 9789d80077998010c47a6a02ef1241eab11b69d667de8751b1e93fed<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: a18b5a78143f004f33aafad998b518ad9ee4dbdec44817a6e9b570e7<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>TMI400.db: a8bee6c4a5860b0ae08a984d2a6d62c13d3e91d9514262998924d2e<\/code><\/td>\n<td>Part of downloader<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>.rar: 151b2dc70d141c12a33d8e45a80659fc53a71734e27233326bff150a<\/code><\/td>\n<td>RAR archive<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>EncodedFile.tmp: e5f2c7068ade7b87d24c3b94bc749c351d53609f5fcaa48dce06234be<\/code><\/td>\n<td>SpyGlace v3.1.15<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>sdll.tmp: 9394627e9c44cf2226ddf50012e5cf47ccf7d3bd8afa2395c635a9363<\/code><\/td>\n<td>SpyGlace v3.1.15<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>sdll.tmp: add013bf7ffc8a89789a7fd0ae0ff799c620af9b2755b214880b6a5676<\/code><\/td>\n<td>SpyGlace v3.1.15<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>sdll.tmp: c86f319f64d25f23ac29d9b53c9764f06a150634ee8e2d836424d460e<\/code><\/td>\n<td>SpyGlace v3.1.15<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: 669002654c264191d4660fbf757860d930175649735f81370b9f1af36<\/code><\/td>\n<td>SpyGlace v3.1.17<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: 3f67b777660241a1afc39f2ec388cac933a9eb31b3a34bddd12e39e6<\/code><\/td>\n<td>SpyGlace v3.1.18<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: 7c3d0bebd263d3529132f2299de55a7801bf3ff40c833b13838be7a98<\/code><\/td>\n<td>SpyGlace v3.1.18<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: 86c49174a032ebbba6aeb1541e2aa84da0933b2eac3976f8705451c<\/code><\/td>\n<td>SpyGlace v3.1.18<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: b3f0d48506ff868ba145c9dcad7622bc37b723155648053ce2e2e73d<\/code><\/td>\n<td>SpyGlace v3.1.18<\/td>\n<\/tr>\n<tr>\n<td>File hash<\/td>\n<td><code>test2.txt: c9295c923da64738b93ff1827a39a5cb8f6c71eab060de416c8175a4a<\/code><\/td>\n<td>SpyGlace v3.1.18<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong>Prevent critical incidents and financial loss with stronger proactive defense.\u00a0<\/strong><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=feeds+landing&amp;utm_content=ti+feeds+sales&amp;utm_term=070726#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate a live threat feed from 15K SOC Teams<\/a><\/strong>.<\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/spyglace-attacks-abuse-trusted-developer-services\/\">SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/spyglace-attacks-abuse-trusted-developer-services\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SpyGlace Attacks Abuse Trusted Developer Services to Evade Network Detection SpyGlace has returned in a campaign that hides malicious activity behind online services many companies trust. The operation, linked to APT-C-60, uses spear-phishing emails to steer victims toward a booby-trapped archive and then installs malware through a chain of ordinary tools. The latest activity shows [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14254","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14254"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14254"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14254\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}