APT-C-60 Attacking Job Seekers to Download Weaponized VHDX File from Google Drive to Steal Sensitive Data

A sophisticated espionage campaign targeting recruitment professionals has emerged, with the APT-C-60 threat group weaponizing VHDX files to compromise organizations.

The threat actors impersonate job seekers in spear-phishing emails sent to recruitment staff, exploiting trust relationships to deliver malicious payloads.

While earlier campaigns directed victims to download VHDX files from Google Drive, recent attacks have evolved to attach the malicious VHDX file directly to emails.

Once a victim opens the weaponized VHDX file and clicks the embedded LNK file, a malicious script executes via Git, a legitimate application, initiating a multi-stage infection process that deploys sophisticated data-stealing malware.

JPCERT analysts identified this campaign targeting East Asian regions, particularly Japan, between June and August 2025.

The threat group demonstrates advanced operational security by leveraging legitimate services like GitHub and statcounter to maintain command-and-control infrastructure.

The attacks showcase technical sophistication through multi-layered obfuscation techniques, including XOR encoding with the key “sgznqhtgnghvmzxponum” for initial payloads and AES-128-CBC encryption for secondary stage downloads.

The malware identifies compromised machines using volume serial numbers and computer names, enabling precise victim tracking.

The infection chain begins when the LNK file executes gcmd.exe, a legitimate Git component, which runs the script glog.txt stored within the VHDX file.

This script displays a fabricated resume as a decoy while simultaneously creating WebClassUser.dat (Downloader1) and registering it in the system registry at HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32.

Persistence is established through COM hijacking, ensuring the malware executes automatically during system operations.

Downloader1 communicates with statcounter using specially crafted referrer headers in the format ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName].

The threat actors monitor these referrer values and upload corresponding files to GitHub repositories. Downloader1 retrieves files from URLs like https://raw.githubusercontent.com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt, which contain instructions for downloading Downloader2.
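A detection helper for the two network indicators just described, added here as an example and not code from JPCERT or the article. It scans constructed, tab-separated proxy-log lines (timestamp, client IP, host, URL path, Referer header) for a statcounter Referer shaped like the Downloader1 beacon and for a fetch of the raw GitHub tasking path. Assumptions not stated on the page: Number1/Number2 are decimal, the %userprofile% value is a Windows path, the statcounter host name and the log layout are the constructed ones used below.

```python
import re
from typing import Dict, List, Optional

# Referer format from the write-up:
#   ONLINE=>[Number1],[Number2] >> [%userprofile%] / [VolumeSerialNumber + ComputerName]
# Assumption: decimal numbers, Windows profile path, victim id has no whitespace.
BEACON_RE = re.compile(
    r"^ONLINE=>(?P<n1>\d+),(?P<n2>\d+)\s*>>\s*"
    r"(?P<profile>[A-Za-z]:\\[^/]*?)\s*/\s*(?P<victim_id>\S+)\s*$"
)
# Tasking file path on raw.githubusercontent.com, repo and branch as quoted in the article.
GITHUB_TASK_RE = re.compile(
    r"^/carolab989/class2025/refs/heads/main/(?P<victim_id>[^/]+)\.txt$"
)


def parse_beacon(referer: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if the Referer matches the Downloader1 format, else None."""
    m = BEACON_RE.match(referer.strip())
    return m.groupdict() if m else None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag statcounter beacons and raw-GitHub tasking fetches in proxy-log lines."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the scan
        ts, client, host, path, referer = parts
        if "statcounter" in host:
            fields = parse_beacon(referer)
            if fields:
                alerts.append({"ts": ts, "client": client, "rule": "downloader1_beacon",
                               "victim_id": fields["victim_id"], "profile": fields["profile"]})
        elif host == "raw.githubusercontent.com":
            m = GITHUB_TASK_RE.match(path)
            if m:
                alerts.append({"ts": ts, "client": client, "rule": "github_tasking_fetch",
                               "victim_id": m.group("victim_id"), "profile": ""})
    return alerts


# Constructed sample log (not real traffic); host names, numbers and victim id are made up.
SAMPLE_LOG = [
    "2025-07-01T09:00:01\t10.0.0.5\tc.statcounter.com\t/counter.js\thttps://example.test/jobs",
    "2025-07-01T09:00:07\t10.0.0.5\tc.statcounter.com\t/t.php\t"
    "ONLINE=>12345678,1234567 >> C:\\Users\\hr-user / DEADBEEFHR-LAPTOP",
    "2025-07-01T09:00:09\t10.0.0.5\traw.githubusercontent.com\t"
    "/carolab989/class2025/refs/heads/main/DEADBEEFHR-LAPTOP.txt\t",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The benign statcounter hit in the sample is not flagged; only the beacon-shaped Referer and the tasking fetch produce alerts, and both carry the same victim id, which lets an analyst tie the two events to one host.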

Infection Mechanism and Payload Deployment

The infection mechanism employs a cascading deployment strategy with multiple encoded layers.

Downloader2 downloads and deploys SpyGlace malware, utilizing dynamic API resolution with an encoding scheme combining ADD and XOR operations.

Figure: Flow of malware infection (Source: JPCERT)

The current version applies XOR 0x05 after ADD 0x04, representing an evolution from earlier variants. Files retrieved by Downloader2 are XOR-decoded using the key “AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE” before execution through COM hijacking.

SpyGlace versions 3.1.12 through 3.1.14 have been observed implementing comprehensive data exfiltration capabilities through 17 distinct commands.

The malware communicates with command-and-control servers at IP address 185.181.230.71 using modified RC4 encryption combined with BASE64 encoding.

The modified RC4 implementation increases Key Scheduling Algorithm cycles and performs additional XOR operations.

SpyGlace employs a characteristic encoding scheme combining single-byte XOR with SUB instructions for string obfuscation and API resolution.

The download command retrieves encrypted files and decrypts them using AES-128-CBC with the hardcoded key B0747C82C23359D1342B47A669796989 and IV 21A44712685A8BA42985783B67883999, creating files at %temp%\wcts66889.tmp.

The malware establishes persistence by changing its automatic execution path from %public%\AccountPictures\Default\ in version 3.1.13 to %appdata%\Microsoft\SystemCertificates\My\CPLs in version 3.1.14.

SpyGlace implements comprehensive surveillance capabilities, including remote shell access, file manipulation, process control, disk enumeration, and automated screenshot capture through the screenupload command, which calls the Clouds.db module at %LocalAppData%\Microsoft\Windows\Clouds\Clouds.db with the export function mssc1.

The post APT-C-60 Attacking Job Seekers to Download Weaponized VHDX File from Google Drive to Steal Sensitive Data appeared first on Cyber Security News.

Source: cybersecuritynews.com