{ "id": "62180cf7-dd12-42bf-9875-4e7b6b0469c4", "created_at": "2026-04-06T00:10:51.076108Z", "updated_at": "2026-04-10T03:30:11.92375Z", "deleted_at": null, "sha1_hash": "1b2c7380e682db729a055eaba91b01a4c3e71611", "title": "Attack Exploiting Legitimate Service by APT-C-60 - JPCERT/CC Eyes", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1190960, "plain_text": "Attack Exploiting Legitimate Service by APT-C-60 - JPCERT/CC\r\nEyes\r\nBy JPCERT/CC\r\nPublished: 2024-12-10 · Archived: 2026-04-02 10:41:07 UTC\r\nJPCERT/CC has confirmed an attack against an organization in Japan in August 2024, which the attack group\r\nAPT-C-60 is likely to have conducted. The attacker sent an email pretending to be a job applicant to the\r\nrecruitment contact point of the targeted organization to infect its devices with malware. This article explains the\r\nattack methods as follows:\r\nFlow of malware infection\r\nAnalysis of the downloader\r\nAnalysis of the backdoor\r\nCampaigns involving the same type of malware\r\nFlow of malware infection\r\nFigure 1 shows an overview of the initial penetration.\r\nFigure 1: Flow of the initial penetration\r\nIn this attack, a targeted email was initially sent, and the victim was led to download a file from a Google Drive\r\nlink in the email. When they access the URL, a VHDX file containing malware is downloaded. VHDX is a file\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 1 of 10\n\nformat used for virtual disks, and by mounting it, you can check the contained files. The VHDX file used in this\r\nattack contained LNK files and decoy documents, as shown in Figure 2.\r\nFigure 2: Contents of the VHDX file\r\nThe LNK file Self-Introduction.lnk executes IPML.txt using the legitimate executable file git.exe (Figure 3).\r\nFigure 3: Contents of Self-Introduction.lnk\r\nIn addition, IPML.txt opens the decoy document and creates SecureBootUEFI.dat, which is a downloader, and\r\nmakes it persistent (Figure 4). The downloader is made persistent through COM hijacking, which registers the\r\npath to SecureBootUEFI.dat in the COM interface ID F82B4EF1-93A9-4DDE-8015-F7950A1A6E31.\r\nFigure 4: Contents of IPML.txt\r\nAnalysis of the downloader\r\nFigure 5 shows an overview of the downloader’s behavior.\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 2 of 10\n\nFigure 5: Overview of the downloader’s behavior\r\nSecureBootUEFI.dat accesses the legitimate services Bitbucket and StatCounter. The latter one is accessed first,\r\nand it is used by the attacker to check the infected device. After the confirmation, the attacker uploads the\r\ndownloader to Bitbucket. The infected device records its unique information in StatCounter’s referrer, as shown in\r\nFigure 6, and thus the attacker probably recognizes each infected device based on this information. The referrer\r\ncontains the computer name, home directory, and a string that is created by combining the computer name and\r\nuser name, removing all non-alphabetic characters, and then encoding it with XOR 3. After that,\r\nSecureBootUEFI.dat accesses Bitbucket using the URL path containing the encode string included in the referrer,\r\ndownloads Service.dat, decodes it using the XOR key g73qrc4dwx8jt9qmhi4s, saves it to\r\n%Userprofile%\\AppData\\Local\\Microsoft\\Windows\\Shell\\Service.dat, and then executes it.\r\nFigure 6: Flow of SecureBootUEFI.dat’s communication\r\nNext, Service.dat downloads two samples from a different Bitbucket repository than SecureBootUEFI.dat. The\r\ndownloaded samples are cbmp.txt and icon.txt, and they are decoded and saved as cn.dat and sp.dat in\r\n%userprofile%\\appdata\\local\\Microsoft\\windows\\fonts using Base64 and the XOR key\r\nAadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE. After that, through COM hijacking using the COM\r\ninterface ID 7849596a-48ea-486e-8937-a2a3009f31a9 as shown in Figure 7, cn.dat is made persistent.\r\nFigure 7: Making Service.dat permanent\r\nFinally, cn.dat executes sp.dat.\r\nAnalysis of the backdoor\r\nThe backdoor used in this case is called SpyGraceSpyGlace by ESET[1] The configuration file included in the\r\nbackdoor contains version information, and the sample we checked shows the version as v3.1.6.\r\nSpyGraceSpyGlace v3.0 was reported by ThreatBook CTI[2], and we have confirmed that its types of commands,\r\nRC4 keys, AES keys, and other components are identical to those of the samples we confirmed this time. At the\r\nresetting phase of the backdoor, the following is executed.\r\nReset configuration\r\nCreate mutex (905QD4656:H)\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 3 of 10\n\nCheck network connectivity (api.ipfy[.]org)\r\nExecute .exe, .dat, .db, .ext files under %appdata%\\Microsoft\\Vault\\UserProfileRoaming\r\nIn addition, some of the processes in this phase were performed using the initterm function of CRT, and they had\r\nbeen performed before DllMain function was executed.\r\nFigure 8: Initial configuration using initterm function\r\nThe backdoor commands and C2 URLs are listed in Appendix A.\r\nCampaigns involving the same type of malware\r\nFrom August to September 2024, security vendors and others published reports on the same type of malware. [1]\r\n[3] All of these campaigns have common features, such as abuse of legitimate services like Bitbucket and\r\nStatCounter, and malware persistency through COM hijacking. In addition, the decoy documents found in the\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 4 of 10\n\nrecycle bin of the VHDX file used in this attack suggest that similar attacks may have been conducted in East\r\nAsian countries including Japan, South Korea, and China, which corresponds to the countries targeted in the\r\nattacks in other reports.\r\nFigure 9: Example of other decoy documents found in the trash box\r\nIn Closing\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 5 of 10\n\nThis attack needs careful attention because it exploits legitimate services such as Bitbucket and StatCounter, and\r\nalso because it targets East Asian countries including Japan. The samples and C2 servers of this attack are listed in\r\nthe Appendix.\r\nTomoya Kamei\r\n(Translated by Takumi Nakano)\r\nUpdate(Sep 1, 2025)\r\nThe backdoor named by ESET was officially called SpyGlace, not SpyGrace.\r\nReferences\r\n[1] ESET Research: Spy group exploits WPS Office zero day; analysis uncovers a second vulnerability\r\nhttps://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/\r\n[2] ThreatBook CTI: Analysis of APT-C-60 Attack on South Korea https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea\r\n[3] 404 Advanced Threat Intelligence Team: 威胁情报 | DarkHotel APT 组织 Observer 木马攻击分析\r\nhttps://mp.weixin.qq.com/s/qsgzOg-0rZfXEn4Hfj9RLw\r\nAppendix A: Backdoor commands and the URLs for C2\r\nTable 1: Command\r\nCommand Function\r\ncd Move to the specified directory\r\nddir List of the files in the directory\r\nddel Delete file and directory\r\nld Load DLL and call using GetProcAddress\r\nattach Load DLL\r\ndetach Call StopThread for the specified module\r\nproclist Get a list of processes\r\nprocspawn Start process\r\nprockill Stop process\r\ndiskinfo Get disk information\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 6 of 10\n\ndownload Download encrypted file\r\ndownfree Download unencrypted file\r\nscreenupload Upload screenshot\r\nscreenauto Send screenshot automatically\r\nupload Upload file\r\ncmd Remote shell\r\nTable2: C2 URL\r\nC2 URL\r\nPOST http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/command.asp\r\nPOST http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/update.asp\r\nPOST http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/result.asp\r\nPOST http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/server.asp\r\nGET http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/listen.asp\r\nAppendix B: C2 information\r\n103.6.244.46\r\n103.187.26.176\r\nhttps[:]//c.statcounter[.]com/12959680/0/f1596509/1/\r\nhttps[:]//c.statcounter[.]com/13025547/0/0a557459/1/\r\nhttps[:]//bitbucket[.]org/hawnbzsd/hawnbzsd/downloads\r\nhttps[:]//bitbucket[.]org/hawnbzsd/hawnbzsd31/downloads\r\nhttps[:]//bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/cbmp.txt\r\nhttps[:]//bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/icon.txt\r\nhttps[:]//bitbucket[.]org/ffg84883/3r23ruytgfdxz/raw/8ebddd79bb7ef1b9fcbc1651193b002bfef598fd/rapd.txt\r\nAppendix C: Hash value of malware\r\nfd6c16a31f96e0fd65db5360a8b5c179a32e3b8e\r\n4508d0254431df5a59692d7427537df8a424dbba\r\n7e8aeba19d804b8f2e7bffa7c6e4916cf3dbee62\r\nc198971f84a74e972142c6203761b81f8f854d2c\r\n6cf281fc9795d5e94054cfe222994209779d0ba6\r\ncc9cd337b28752b8ba1f41f773a3eac1876d8233\r\n5ed4d42d0dcc929b7f1d29484b713b3b2dee88e3\r\n8abd64e0c4515d27fae4de74841e66cfc4371575\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 7 of 10\n\n3affa67bc7789fd349f8a6c9e28fa1f0c453651f\r\nfadd8a6c816bebe3924e0b4542549f55c5283db8\r\n4589b97225ba3e4a4f382540318fa8ce724132d5\r\n1e5920a6b79a93b1fa8daca32e13d1872da208ee\r\n783cd767b496577038edbe926d008166ebe1ba8c\r\n79e41b93b540f6747d0d2c3a22fd45ab0eac09ab\r\n65300576ba66f199fca182c7002cb6701106f91c\r\nd94448afd4841981b1b49ecf63db3b63cb208853\r\nb1e0abfdaa655cf29b44d5848fab253c43d5350a\r\n33dba9c156f6ceda40aefa059dea6ef19a767ab2\r\n5d3160f01920a6b11e3a23baec1ed9c6d8d37a68\r\n0830ef2fe7813ccf6821cad71a22e4384b4d02b4\r\nJPCERT/CC\r\nPlease use the below contact form for any inquiries about the article.\r\nRelated articles\r\nMultiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 8 of 10\n\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 9 of 10\n\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nhttps://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html" ], "report_names": [ "APT-C-60.html" ], "threat_actors": [ { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805", "created_at": "2023-07-20T02:00:08.724751Z", "updated_at": "2026-04-10T02:00:03.341845Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "MISPGALAXY:APT-C-60", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854", "created_at": "2024-12-28T02:01:54.668462Z", "updated_at": "2026-04-10T02:00:04.564201Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "ETDA:APT-C-60", "tools": [ "SpyGlace" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434251, "ts_updated_at": 1775791811, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1b2c7380e682db729a055eaba91b01a4c3e71611.pdf", "text": "https://archive.orkl.eu/1b2c7380e682db729a055eaba91b01a4c3e71611.txt", "img": "https://archive.orkl.eu/1b2c7380e682db729a055eaba91b01a4c3e71611.jpg" } }