Japan's national CERT is warning that the espionage crew it tracks as APT-C-60 is still breaking into Japanese organisations, and has quietly retooled its attacks to hide inside the same developer platforms that IT teams trust every day.
In a new analysis, JPCERT/CC researcher Yuma Masubuchi reports that the group is delivering its signature SpyGlace backdoor through spear-phishing emails, but has moved much of its infrastructure onto legitimate services including GitHub, GitLab, jsDelivr and Codeberg, plus Proton Drive for the initial lure.
How the attack works
The intrusion starts with a targeted email carrying a Proton Drive link, or in some cases a file attached directly, that leads the victim to a RAR archive. Inside is a Windows shortcut (LNK) file. When opened, the LNK abuses the built in mshta.exe program to run JavaScript hidden inside the shortcut itself, a technique that lets the attacker operate through trusted Windows tools rather than obvious malware. That script pulls down a disguised text file from the jsDelivr content network, decodes it, and then uses a legitimate copy of git.exe to run the next stage, assembling a downloader from several small database files.
The downloader reaches out to attacker controlled repositories on GitHub and the other services to fetch additional loaders and, ultimately, SpyGlace. JPCERT observed SpyGlace versions 3.1.15, 3.1.17 and 3.1.18 in these attacks, with no major change in capability from earlier builds.
Why it matters
The shift is deliberate. Developer platforms and CDNs are almost always allowed through corporate firewalls, so traffic to GitHub or jsDelivr blends into normal engineering activity and is hard to block on destination alone. It is the same trusted-service abuse IntelFusions has seen in other campaigns against Japan, including malware that hid its command channel on a public blockchain and a signed-driver attack aimed at Japanese victims. Full background on the group sits on our APT-C-60 profile.
What to watch for
Defenders should treat cloud storage links in unexpected emails, and LNK files delivered inside RAR archives, as high risk. Monitoring for git.exe and mshta.exe launched from user download folders, and for outbound connections that fetch executable content from code repositories, can surface this activity even when the destination looks benign.
Indicators (defanged)
SpyGlace command and control: 31[.]58[.]136[.]207, 154[.]18[.]239[.]209, 173[.]234[.]11[.]141, 185[.]18[.]222[.]241, 213[.]111[.]158[.]200, 213[.]111[.]158[.]201 and 213[.]111[.]158[.]216. Staging URL: hxxps://cdn[.]jsdelivr[.]net/gh/mei1990789/class125/. Spear-phishing senders: asako[.]t1011[at]protonmail[.]com and ayuko0328[at]protonmail[.]com. JPCERT's report includes a full appendix of file hashes and abused repositories.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.