Attack Exploiting Legitimate Service by APT-C-60 - JPCERT/CC Eyes
By JPCERT/CC
Published: 2024-12-10 · Archived: 2026-04-02 10:41:07 UTC

JPCERT/CC has confirmed an attack against an organization in Japan in August 2024, which the attack group APT-C-60 is likely to have conducted. The attacker sent an email pretending to be a job applicant to the recruitment contact point of the targeted organization to infect its devices with malware. This article explains the attack methods as follows:

- Flow of malware infection
- Analysis of the downloader
- Analysis of the backdoor
- Campaigns involving the same type of malware

Flow of malware infection

Figure 1 shows an overview of the initial penetration.

Figure 1: Flow of the initial penetration

In this attack, a targeted email was initially sent, and the victim was led to download a file from a Google Drive link in the email. When they access the URL, a VHDX file containing malware is downloaded. VHDX is a file format used for virtual disks, and by mounting it, you can check the contained files. The VHDX file used in this attack contained LNK files and decoy documents, as shown in Figure 2.

https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html Page 1 of 10

Figure 2: Contents of the VHDX file

The LNK file Self-Introduction.lnk executes IPML.txt using the legitimate executable file git.exe (Figure 3).

Figure 3: Contents of Self-Introduction.lnk

In addition, IPML.txt opens the decoy document, creates SecureBootUEFI.dat, which is a downloader, and makes it persistent (Figure 4). The downloader is made persistent through COM hijacking, which registers the path to SecureBootUEFI.dat under the COM interface ID F82B4EF1-93A9-4DDE-8015-F7950A1A6E31.

Figure 4: Contents of IPML.txt

Analysis of the downloader

Figure 5 shows an overview of the downloader’s behavior.
Figure 5: Overview of the downloader’s behavior

SecureBootUEFI.dat accesses the legitimate services Bitbucket and StatCounter. StatCounter is accessed first, and it is used by the attacker to check the infected device. After the confirmation, the attacker uploads the downloader to Bitbucket. The infected device records its unique information in StatCounter’s referrer, as shown in Figure 6, and thus the attacker probably recognizes each infected device based on this information. The referrer contains the computer name, the home directory, and a string that is created by combining the computer name and user name, removing all non-alphabetic characters, and then encoding the result with XOR 3. After that, SecureBootUEFI.dat accesses Bitbucket using a URL path that contains the encoded string included in the referrer, downloads Service.dat, decodes it using the XOR key g73qrc4dwx8jt9qmhi4s, saves it to %Userprofile%\AppData\Local\Microsoft\Windows\Shell\Service.dat, and then executes it.

Figure 6: Flow of SecureBootUEFI.dat’s communication

Next, Service.dat downloads two samples from a different Bitbucket repository than the one used by SecureBootUEFI.dat. The downloaded samples are cbmp.txt and icon.txt; they are decoded using Base64 and the XOR key AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE and saved as cn.dat and sp.dat in %userprofile%\appdata\local\Microsoft\windows\fonts. After that, cn.dat is made persistent through COM hijacking using the COM interface ID 7849596a-48ea-486e-8937-a2a3009f31a9, as shown in Figure 7.

Figure 7: Making Service.dat persistent

Finally, cn.dat executes sp.dat.

Analysis of the backdoor

The backdoor used in this case is called SpyGlace by ESET [1] (originally written as SpyGrace in this article; see the update below). The configuration file included in the backdoor contains version information, and the sample we checked shows the version as v3.1.6.
SpyGlace v3.0 was reported by ThreatBook CTI [2], and we have confirmed that its types of commands, RC4 keys, AES keys, and other components are identical to those of the samples we confirmed this time. In the reset phase of the backdoor, the following is executed:

- Reset configuration
- Create mutex (905QD4656:H)
- Check network connectivity (api.ipfy[.]org)
- Execute .exe, .dat, .db, .ext files under %appdata%\Microsoft\Vault\UserProfileRoaming

In addition, some of the processing in this phase is performed from the CRT’s initterm function, and therefore runs before the DllMain function is executed.

Figure 8: Initial configuration using initterm function

The backdoor commands and C2 URLs are listed in Appendix A.

Campaigns involving the same type of malware

From August to September 2024, security vendors and others published reports on the same type of malware [1][3]. All of these campaigns have common features, such as abuse of legitimate services like Bitbucket and StatCounter, and malware persistence through COM hijacking. In addition, the decoy documents found in the recycle bin of the VHDX file used in this attack suggest that similar attacks may have been conducted in East Asian countries including Japan, South Korea, and China, which corresponds to the countries targeted in the attacks in other reports.

Figure 9: Example of other decoy documents found in the recycle bin

In Closing

This attack needs careful attention because it exploits legitimate services such as Bitbucket and StatCounter, and also because it targets East Asian countries including Japan. The samples and C2 servers of this attack are listed in the Appendix.
Tomoya Kamei
(Translated by Takumi Nakano)

Update (Sep 1, 2025): The backdoor named by ESET was officially called SpyGlace, not SpyGrace.

References

[1] ESET Research: Spy group exploits WPS Office zero day; analysis uncovers a second vulnerability
https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/
[2] ThreatBook CTI: Analysis of APT-C-60 Attack on South Korea
https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
[3] 404 Advanced Threat Intelligence Team: Threat Intelligence | Analysis of the DarkHotel APT Group's Observer Trojan Attack (original title: 威胁情报 | DarkHotel APT 组织 Observer 木马攻击分析)
https://mp.weixin.qq.com/s/qsgzOg-0rZfXEn4Hfj9RLw

Appendix A: Backdoor commands and the URLs for C2

Table 1: Commands

Command       Function
cd            Move to the specified directory
ddir          List the files in the directory
ddel          Delete file and directory
ld            Load DLL and call using GetProcAddress
attach        Load DLL
detach        Call StopThread for the specified module
proclist      Get a list of processes
procspawn     Start process
prockill      Stop process
diskinfo      Get disk information
download      Download encrypted file
downfree      Download unencrypted file
screenupload  Upload screenshot
screenauto    Send screenshot automatically
upload        Upload file
cmd           Remote shell

Table 2: C2 URLs

Method  URL
POST    http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/command.asp
POST    http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/update.asp
POST    http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/result.asp
POST    http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/server.asp
GET     http[:]//103.187.26[.]176/a78550e6101938c7f5e8bfb170db4db2/listen.asp

Appendix B: C2 information
Appendix C: Hash value of malware

Source: https://blogs.jpcert.or.jp/en/2024/12/APT-C-60.html