APT-C-60 Attack Update for 2026
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The threat group APT-C-60 is carrying out targeted operations against organizations in Japan using revised initial access tactics and updated infrastructure. The intrusion chain begins with spearphishing emails that contain Proton Drive links or weaponized RAR archives leading to execution of an LNK file. That shortcut abuses mshta.exe to launch embedded JavaScript, which eventually retrieves and runs the SpyGlace malware through a range of legitimate developer services.
Investigation
JPCERT/CC observed notable changes in APT-C-60’s initial access methods and infrastructure compared with earlier campaigns. The investigation revealed use of Proton Drive for payload distribution and abuse of trusted services such as GitLab, jsDelivr, Codeberg, and GitHub to host malicious components. Analysts reconstructed the infection chain from an LNK file invoking JavaScript through mshta.exe to a follow-on script that used git.exe to retrieve additional downloader content.
Mitigation
Users should avoid opening suspicious cloud-storage links or LNK files delivered inside compressed archives such as RAR files. Organizations should monitor misuse of legitimate developer tools and platforms, including git.exe and public code-hosting services, for unusual outbound activity. Enforcing tighter controls on mshta.exe and monitoring suspicious JavaScript execution can also help reduce exposure.
Response
If this activity is detected, responders should isolate affected hosts and perform memory forensics to identify active SpyGlace variants and command-and-control sessions. Network logs should be reviewed for communication with the identified C2 IP addresses and the legitimate services abused for payload delivery. Investigators should also trace the initial entry point, focusing on spearphishing emails and follow-on downloads from cloud storage services.
Attack Flow
Detections
Suspicious InprocServer32 Key Operations via REG.EXE Utility (via process_creation)
View
Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
View
Detection of APT-C-60 LNK File Activities in 2026 [Windows Sysmon]
View
APT-C-60 LNK File Activity Utilizing mshta.exe and git.exe [Windows Process Creation]
View
APT-C-60 Spear-Phishing with Proton Drive and LNK Execution [Windows File Event]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary aims to deploy a second-stage payload using a combination of LOLBins to evade traditional signature-based detection. The attacker uses an LNK file to trigger
mshta.exe, which executes a obfuscated JavaScript routine. To blend into a developer environment and potentially hide data exfiltration or tool retrieval, the attacker invokesgit.exewhile passing a command line that includes the keyword ‘downloader’. To satisfy the specific (and brittle) logic of this rule, the simulation will execute a single command line that incorporates all three elements. -
Regression Test Script:
# Simulation script to trigger the APT-C-60 detection rule. # This script executes mshta with JavaScript and git.exe in a way that # attempts to satisfy the rule's AND condition requirements. $cmd = "mshta.exe javascript:alert('triggering_rule'); git.exe --help downloader" # Note: In a real Sigma/SIEM environment, the 'and' condition # often expects these to be within the same event or # very closely correlated. We will launch a process that # mimics this complex command line. Start-Process "mshta.exe" -ArgumentList "javascript:alert('test'); git.exe downloader" -
Cleanup Commands:
# No persistent artifacts are created by the simulation script. # Simply ensure no stray mshta processes remain. Stop-Process -Name "mshta" -ErrorAction SilentlyContinue