A sophisticated cyber-espionage campaign targeting recruitment professionals has emerged, with the APT-C-60 threat group weaponizing VHDX files to compromise organizations.
The threat actors impersonate job seekers in spear-phishing emails sent to recruitment staff, exploiting trust relationships to deliver malicious payloads.
While earlier campaigns directed victims to download VHDX files from Google Drive, recent attacks have evolved to attach the malicious VHDX file directly to the email.
Once a victim opens the weaponized VHDX file and clicks the embedded LNK file, a malicious script executes via Git, a legitimate utility, initiating a multi-stage infection process that deploys sophisticated data-stealing malware.
JPCERT analysts identified this campaign targeting East Asian regions, particularly Japan, between June and August 2025.
The threat group demonstrates advanced operational security by leveraging legitimate services such as GitHub and StatCounter to maintain its command-and-control infrastructure.
The attacks showcase technical sophistication through multi-layered obfuscation techniques, including XOR encoding with the key “sgznqhtgnghvmzxponum” for the initial payloads and AES-128-CBC encryption for second-stage downloads.
The malware identifies compromised machines using volume serial numbers and computer names, enabling precise victim tracking.
The infection chain begins when the LNK file executes gcmd.exe, a legitimate Git component, which runs the script glog.txt stored inside the VHDX file.
This script displays a fabricated resume as a decoy while simultaneously creating WebClassUser.dat (Downloader1) and registering it in the system registry at HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32.
Persistence is established through COM hijacking, ensuring the malware executes automatically during normal system operation.
Downloader1 communicates with StatCounter using specially crafted referrer headers in the format ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName].
The threat actors monitor these referrer values and upload corresponding files to GitHub repositories. Downloader1 then retrieves files from URLs such as https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt, which contain instructions for downloading Downloader2.
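The referrer format and the per-victim GitHub fetch described above give defenders two correlatable indicators in web-proxy logs. The following Go program is an added example written for this article, not code from JPCERT or from the malware: it scans a constructed proxy log (the five-column layout, the client addresses, the hostnames and the victim identifier are all invented for the example; only the repository path reuses the one reported here), extracts the victim identifier from any StatCounter referrer matching the Downloader1 pattern, and then looks for the matching `<VolumeSerialNumber+ComputerName>.txt` request to raw.githubusercontent.com.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected Downloader1 beacon recovered from a proxy log.
type Finding struct {
	LineNo   int
	Client   string
	Host     string
	Numbers  [2]string // the two numeric fields before ">>"
	Profile  string    // the %userprofile% path reported by the implant
	VictimID string    // VolumeSerialNumber + ComputerName as reported by the implant
}

// beaconRe matches the referrer layout described for Downloader1:
//   ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
var beaconRe = regexp.MustCompile(`^ONLINE=>(\d+),(\d+) >> (.+?) / (\S+)$`)

// sampleLog is a constructed proxy log in the layout
//   "<timestamp> <client_ip> <host> <path> <referrer>"  (referrer is the rest of the line, "-" if absent)
// It is not real traffic; only the repository path is the one reported for this campaign.
var sampleLog = []string{
	`2025-07-01T09:00:00Z 10.0.0.12 c.statcounter.com / ONLINE=>12,7 >> C:\Users\hr-user / 1A2B3C4DHR-PC01`,
	`2025-07-01T09:00:01Z 10.0.0.12 www.example.com /jobs -`,
	`2025-07-01T09:00:05Z 10.0.0.34 c.statcounter.com / https://intranet.example.com/`,
	`2025-07-01T09:00:30Z 10.0.0.12 raw.githubusercontent.com /carolab989/class2025/refs/heads/main/1A2B3C4DHR-PC01.txt -`,
}

// ScanProxyLog returns a Finding for every line whose referrer toward a
// statcounter host carries the beacon pattern.
func ScanProxyLog(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		f := strings.SplitN(l, " ", 5)
		if len(f) < 5 {
			continue
		}
		host := strings.ToLower(f[2])
		if !strings.HasSuffix(host, "statcounter.com") {
			continue
		}
		m := beaconRe.FindStringSubmatch(f[4])
		if m == nil {
			continue
		}
		out = append(out, Finding{
			LineNo: i + 1, Client: f[1], Host: host,
			Numbers: [2]string{m[1], m[2]}, Profile: m[3], VictimID: m[4],
		})
	}
	return out
}

// CorrelateGitHubFetch returns the line numbers of requests to
// raw.githubusercontent.com whose path ends in "<victimID>.txt", the
// per-victim instruction file Downloader1 fetches after beaconing.
func CorrelateGitHubFetch(lines []string, victimID string) []int {
	var hits []int
	for i, l := range lines {
		f := strings.SplitN(l, " ", 5)
		if len(f) < 5 {
			continue
		}
		if strings.EqualFold(f[2], "raw.githubusercontent.com") && strings.HasSuffix(f[3], "/"+victimID+".txt") {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	for _, b := range ScanProxyLog(sampleLog) {
		fmt.Printf("line %d: %s beaconed to %s as victim %q (profile %s)\n", b.LineNo, b.Client, b.Host, b.VictimID, b.Profile)
		fmt.Printf("  follow-up instruction fetches on lines %v\n", CorrelateGitHubFetch(sampleLog, b.VictimID))
	}
}
```

The point of the second function is that a StatCounter referrer alone is weak evidence (the service is legitimate and widely embedded), whereas the same client fetching a raw GitHub file named after the identifier it just reported is specific to this downloader's tasking loop.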
Infection Mechanism and Payload Deployment
The infection mechanism employs a cascading deployment strategy with multiple encoded layers.
Downloader2 downloads and deploys the SpyGlace malware, using dynamic API resolution with an encoding scheme that combines ADD and XOR operations.
Flow of malware infection (Source – JPCERT)
The current version applies XOR 0x05 after ADD 0x04, an evolution from earlier variants. Files retrieved by Downloader2 are XOR-decoded using the key “AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE” before execution via COM hijacking.
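To make the two encoding layers concrete, here is an added Go example written for this article (not JPCERT's tooling and not the malware's own code). It implements the repeating-key XOR used for the Downloader1 and Downloader2 payloads with the two keys quoted above, and the ADD 0x04 / XOR 0x05 transform used for the API-resolution strings. The input strings are constructed stand-ins, and the example assumes "ADD then XOR" describes the order in which bytes were encoded, so the decoder applies XOR then SUB; if the article's order instead describes the malware's decode routine, the two steps swap.

```go
package main

import (
	"bytes"
	"fmt"
)

// downloader1Key and downloader2Key are the XOR keys reported for the two
// stages; they are taken from the write-up, not invented here.
var (
	downloader1Key = []byte("sgznqhtgnghvmzxponum")
	downloader2Key = []byte("AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE")
)

// XORWithKey applies a repeating-key XOR. XOR is its own inverse, so the same
// call both encodes and decodes a buffer.
func XORWithKey(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// EncodeAddXor models the scheme described for the current API-resolution
// strings: ADD 0x04, then XOR 0x05 (assumed here to be the encoding order).
func EncodeAddXor(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = (b + 0x04) ^ 0x05
	}
	return out
}

// DecodeAddXor reverses EncodeAddXor: XOR 0x05 first, then SUB 0x04.
func DecodeAddXor(data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = (b ^ 0x05) - 0x04
	}
	return out
}

// RecoverSample runs each layer on constructed input and returns the recovered
// strings so the result can be checked programmatically. None of the three
// inputs is taken from a real sample.
func RecoverSample() (stage1, stage2, apiName string) {
	encStage1 := XORWithKey([]byte("constructed stage-1 payload"), downloader1Key)
	encStage2 := XORWithKey([]byte("constructed stage-2 payload"), downloader2Key)
	encAPI := EncodeAddXor([]byte("ConstructedApiName"))
	return string(XORWithKey(encStage1, downloader1Key)),
		string(XORWithKey(encStage2, downloader2Key)),
		string(DecodeAddXor(encAPI))
}

func main() {
	s1, s2, api := RecoverSample()
	fmt.Printf("stage-1 recovered: %q\nstage-2 recovered: %q\napi name recovered: %q\n", s1, s2, api)
	// Sanity check that decode really is the inverse on every byte value,
	// including the wrap-around cases above 0xFB.
	all := make([]byte, 256)
	for i := range all {
		all[i] = byte(i)
	}
	fmt.Println("ADD/XOR round trip over all byte values:", bytes.Equal(DecodeAddXor(EncodeAddXor(all)), all))
}
```

For an analyst, the useful property is that both transforms are cheap to test against a suspected blob: a repeating-key XOR decode of a PE yields the familiar "MZ" header and DOS stub immediately, and the ADD/XOR decode of a string table yields readable API names, so either can be used as a quick triage signal for samples in this family.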
SpyGlace versions 3.1.12 through 3.1.14 have been observed implementing comprehensive data-exfiltration capabilities through 17 distinct commands.
The malware communicates with command-and-control servers at the IP address 185.181.230.71 using modified RC4 encryption combined with Base64 encoding.
The modified RC4 implementation increases the number of Key Scheduling Algorithm cycles and performs additional XOR operations.
SpyGlace employs a characteristic encoding scheme combining single-byte XOR with SUB instructions for string obfuscation and API resolution.
The download command retrieves encrypted files and decrypts them using AES-128-CBC with the hardcoded key B0747C82C23359D1342B47A669796989 and IV 21A44712685A8BA42985783B67883999, writing the result to %temp%\wcts66889.tmp.
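Because the key and IV are hardcoded, anyone holding a file staged for the download command can recover its plaintext offline, which is what an analyst does when reconstructing what was delivered to a host. The following Go program is an added example for this article, not JPCERT's or the malware's code: it interprets the key and IV above as hex-encoded 16-byte values (an assumption; the article lists them as hex strings), decrypts with AES-128-CBC from the Go standard library, and strips PKCS#7 padding (also an assumption, since the padding scheme is not stated; a wrong guess shows up as an unpadding error rather than silent garbage). The plaintext used to exercise it is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key and IV as reported for the SpyGlace download command, interpreted as
// hex-encoded 16-byte values (an assumption; the write-up lists them as hex).
var (
	spyGlaceKey = mustHex("B0747C82C23359D1342B47A669796989")
	spyGlaceIV  = mustHex("21A44712685A8BA42985783B67883999")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// pkcs7Unpad strips PKCS#7 padding. The write-up does not name the padding
// scheme, so PKCS#7 is an assumption; a wrong guess surfaces as an error here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// DecryptDownload decrypts a file retrieved by the download command with the
// hardcoded key and IV, as an analyst would when recovering a staged payload.
func DecryptDownload(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(spyGlaceKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, spyGlaceIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptSample builds a ciphertext under the same key and IV so the
// decryptor can be exercised on constructed data without a real sample.
func EncryptSample(pt []byte) []byte {
	block, err := aes.NewCipher(spyGlaceKey)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, spyGlaceIV).CryptBlocks(ct, padded)
	return ct
}

func main() {
	sample := []byte("constructed second-stage payload") // not a real sample
	ct := EncryptSample(sample)
	pt, err := DecryptDownload(ct)
	fmt.Printf("decrypted %q (err=%v)\n", pt, err)
	// Truncated input must be rejected rather than produce garbage.
	_, err = DecryptDownload(ct[:len(ct)-1])
	fmt.Println("truncated ciphertext rejected:", err != nil)
}
```

A fixed key and IV also mean every file delivered through this command across victims is decryptable with the same two constants, so the pair is worth keeping alongside the network indicators when building detection content for this family.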
The malware establishes persistence by changing its automatic execution path from %public%\AccountPictures\Default in version 3.1.13 to %appdata%\Microsoft\SystemCertificates\My\CPLs in version 3.1.14.
SpyGlace implements comprehensive surveillance capabilities, including remote shell access, file manipulation, process control, disk enumeration, and automated screenshot capture via the screenupload command, which loads the Clouds.db module at %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db and calls its export function mssc1.
