APT-C-60 Exploits Zero-Day Vulnerabilities: Inside the SpyGlace Loader, COM Hijacking, and C2 Infrastructure
Posted on: 06 Nov 2025 | Author: Foresiet
Introduction
The cyber espionage landscape continues to evolve in sophistication and stealth—and among the more notable actors is APT-C-60. In recent months, this adversary has significantly escalated its tactics by leveraging zero-day vulnerabilities and orchestrating multi-stage campaigns to deploy the SpyGlace back-door. The purpose of this blog is to provide a detailed narrative of APT-C-60’s modus operandi, dissect the technical chain behind SpyGlace, and offer code snippets suited for malware analysts to add to their toolkits. In parallel, we will touch on another prominent actor, UNC6384, to provide contrast and context in the global espionage arena.
APT-C-60: Background and Escalation
APT-C-60 is a cyber-espionage threat actor whose operations have been tied to East Asian targets. Public reporting indicates the group exploited a remote code execution vulnerability in the Windows version of a productivity suite (CVE-2024-7262) to drop SpyGlace.
In one documented incident in Japan around August 2024, APT-C-60 used a job-application themed phishing email to deliver a VHDX file hosted on cloud storage. That VHDX contained a decoy document plus a shortcut “.lnk” file, which triggered a downloader/dropper payload “SecureBootUEFI.dat”. That downloader used legitimate services such as StatCounter and Bitbucket to retrieve further payloads (Service.dat → cbmp.txt / icon.txt → cn.dat / sp.dat) ultimately loading SpyGlace.
This chain showcased a number of escalation markers:
· Use of zero-day exploit in a commonly deployed productivity suite.
· Use of virtual disk file (VHD/VHDX) to bypass OS protections.
· Use of legitimate cloud services for C2 or payload staging (Bitbucket, StatCounter) to blend into normal traffic.
· Multi-stage droppers employing persistence via COM hijacking and executing sp.dat (SpyGlace) as the back-door.
Given this, it is clear APT-C-60’s threat posture is maturing: faster exploitation of new flaws, clever evasion using legitimate services, and more complex delivery chains.
Technical Analysis – SpyGlace and the Attack Chain
Here we walk through the attack chain more technically, and include a sample code snippet (in Python) that analysts can adapt to track or parse artifacts associated with the SpyGlace drop chain.
Attack Chain Overview
1. Phishing email with a link to cloud storage (Google Drive) containing a VHDX file (virtual hard disk) labeled as a “self-introduction” or job application.
2. User downloads/mounts the VHDX, sees a decoy document and a LNK shortcut (“Self-Introduction.lnk”). When clicked, the LNK triggers SecureBootUEFI.dat.
3. The downloader uses StatCounter to send a uniquely derived string (from computer name/home directory/user name) as HTTP referer to precisely identify the victim.
4. The downloader then queries Bitbucket repositories using that string, retrieves Service.dat; Service.dat loads cbmp.txt and icon.txt (which become cn.dat & sp.dat) via another Bitbucket repo access.
5. Persistence is achieved via COM hijacking that loads cn.dat, which then executes sp.dat—the SpyGlace back-door.
6. SpyGlace contacts a C2 server (e.g., 103.187.26[.]176) to receive commands, load additional plugins, steal files, execute commands, etc.
Code Snippet for Analysts
Below is a simplified Python snippet that you can integrate into your tooling for parsing suspicious LNK files, extracting downloader dropper names, and correlating with known indicators (e.g., “SecureBootUEFI.dat”, “Service.dat”, “sp.dat”). You can adapt or expand it for your virtual machine analysis environment.
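The post refers to a Python snippet that does not appear on this page; the following is an added example, not the author's code, implementing the inspect_lnk() and mount_point pattern the tips below refer to. It assumes the VHDX is already mounted at a directory path; the Shell Link header constant follows the MS-SHLLINK layout, and build_sample_image() fabricates a stand-in mount point so the scan can be exercised offline.

```python
"""Scan .lnk files under a mounted VHDX for references to known SpyGlace
drop-chain artifacts (added example; the sample LNK below is constructed)."""
import hashlib
import os
import tempfile

# Dropper / payload names from the SpyGlace chain described above.
KNOWN_ARTIFACTS = ("SecureBootUEFI.dat", "Service.dat", "cn.dat", "sp.dat",
                   "cbmp.txt", "icon.txt")
# Shell Link header: HeaderSize 0x4C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")


def inspect_lnk(path):
    """Return SHA-1, header validity and matched indicator names for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = set()
    for name in KNOWN_ARTIFACTS:
        # LNK string data is stored as ANSI or UTF-16LE depending on flags.
        if name.encode("ascii") in data or name.encode("utf-16-le") in data:
            hits.add(name)
    return {
        "path": path,
        "valid_lnk_header": data.startswith(LNK_MAGIC),
        "sha1": hashlib.sha1(data).hexdigest(),
        "indicators": sorted(hits),
    }


def scan_mount_point(mount_point):
    """Walk a mounted image; return inspect_lnk() results that matched."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for fn in files:
            if fn.lower().endswith(".lnk"):
                result = inspect_lnk(os.path.join(root, fn))
                if result["indicators"]:
                    findings.append(result)
    return findings


def build_sample_image():
    """Constructed stand-in for a mount point: a temp dir with a fake
    'Self-Introduction.lnk' whose target string names the dropper."""
    d = tempfile.mkdtemp()
    fake = LNK_MAGIC + b"\x00" * 56 + "SecureBootUEFI.dat".encode("utf-16-le")
    with open(os.path.join(d, "Self-Introduction.lnk"), "wb") as fh:
        fh.write(fake)
    return d
```

Point scan_mount_point() at the real mount path in your sandbox; the header check separates genuine shortcuts from renamed files before the indicator match.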

Usage & adaptation tips:
· Mount the VHDX image in your VM sandbox (e.g., using your virtualization platform) and map it to a known path, then point mount_point accordingly.
· Extend the inspect_lnk() function to detect other known filenames such as Service.dat, cn.dat, sp.dat.
· After computing the hash of a LNK, feed it into your internal hash database to check for prior sightings or correlations.
· Use dynamic monitoring (procmon, etc.) to observe when SecureBootUEFI.dat executes, or whether Service.dat initiates COM hijacking.
· You may write extra Python code to parse the StatCounter HTTP requests (looking for referrer strings derived from hostname/user folder), e.g., from captured traffic logs.
· Correlate Bitbucket repository access (e.g., via cbmp.txt, icon.txt) with your sandbox network logs—look for calls to bitbucket.org or the specific repository path naming conventions from the reporting.
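As an added example (not from the original post) of the StatCounter/Bitbucket correlation these tips describe: it scans constructed proxy log lines for a client whose StatCounter hit carries a non-URL Referer and is followed within ten minutes by a Bitbucket "downloads/" fetch. The log format, the ten-minute window and the "Referer is not a URL" heuristic are assumptions; the URLs reuse the staging paths listed in the IOC section.

```python
"""Correlate a StatCounter beacon with a follow-on Bitbucket download per client,
the order the SpyGlace downloader uses (added example; log lines constructed)."""
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO time> <client> <method> <url> referer=<value>".
# The referer on the first line stands in for the victim-derived string.
SAMPLE_LOG = """\
2025-11-06T09:00:01 10.0.0.5 GET https://c.statcounter.com/13139439/0/1ba1a548/1/ referer=a1b2c3d4-HOST01
2025-11-06T09:00:09 10.0.0.5 GET https://bitbucket.org/clouds999/glo29839/downloads/Service.dat referer=-
2025-11-06T09:05:00 10.0.0.7 GET https://c.statcounter.com/13139439/0/1ba1a548/1/ referer=https://example.org/
2025-11-06T11:30:00 10.0.0.7 GET https://bitbucket.org/someteam/project/downloads/tool.zip referer=-
2025-11-06T09:10:00 10.0.0.9 GET https://bitbucket.org/clouds999/glo29839/downloads/Service.dat referer=-
"""
STATCOUNTER = "c.statcounter.com/"
BITBUCKET_DL = "bitbucket.org/"
WINDOW = timedelta(minutes=10)  # assumed pairing window, tune to your telemetry


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url, referer)."""
    ts, client, _method, url, ref = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, url, ref.split("=", 1)[1]


def find_staging_sequences(log_text, window=WINDOW):
    """Return {client: (statcounter_referer, bitbucket_url)} for clients whose
    StatCounter hit carrying a non-URL Referer (the victim-ID pattern, an
    assumed heuristic) is followed by a Bitbucket 'downloads/' fetch in window."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            ts, client, url, ref = parse_line(line)
            events.setdefault(client, []).append((ts, url, ref))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        for i, (ts, url, ref) in enumerate(evs):
            if STATCOUNTER not in url or ref.startswith("http"):
                continue
            for ts2, url2, _ref2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if BITBUCKET_DL in url2 and "/downloads/" in url2:
                    hits[client] = (ref, url2)
                    break
    return hits
```

Only 10.0.0.5 is reported: 10.0.0.7 sends a normal URL Referer and its Bitbucket fetch is hours later, and 10.0.0.9 never beacons to StatCounter.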
Indicators of Compromise (IOCs) & Behavior Patterns
· Use of virtual disk image (VHDX) as first stage delivery.
· Files named SecureBootUEFI.dat, Service.dat, cn.dat, sp.dat.
· Infrastructure: access to Bitbucket repositories for payload staging.
· Use of StatCounter HTTP referer string to uniquely identify victims.
· COM hijacking persistence.
· Back-door behavior: file exfiltration, plugin load, command execution.
Context: UNC6384 – A Comparative Lens
To better understand the threat space, it’s beneficial to briefly contrast with another active espionage actor: UNC6384. According to recent reporting, UNC6384 executed a campaign in March 2025 that hijacked captive portal traffic in Southeast Asia, delivered a downloader dubbed STATICPLUGIN, and ultimately deployed a variant of the PlugX back-door (also known as SOGU.SEC) in-memory, using valid code signing certificates and adversary-in-the-middle techniques.
Key learning points from UNC6384’s campaign that both mirror and diverge from APT-C-60’s approach:
· Use of compromised network appliances / captive portal hijacks to redirect targets.
· Digitally signed malicious binaries and in-memory execution to avoid disk artifacts.
· Focus on diplomatically aligned entities rather than broad industrial or consumer targets.
In comparison, APT-C-60 is leveraging more broadly available productivity software (WPS Office) and cloud services to blend in with legitimate traffic, and is exploiting a zero-day to gain initial access. The two examples illustrate that strategic espionage actors are both refining their tool-sets (in-memory execution, living-off-the-land services) and diversifying access vectors.
Recommendations for Threat Hunters & Malware Analysts
Given the sophistication of these campaigns (both APT-C-60 and UNC6384), here are actionable recommendations based on your role (dark web monitoring, threat hunting, malware analysis):
1. Monitor for zero-day exploit disclosures — The WPS Office vulnerability (CVE-2024-7262) used by APT-C-60 underscores that such CVEs may be weaponised quickly in targeted campaigns.
2. Log and alert on unusual VHD/VHDX file deliveries — Virtual disk images as bait are less common; detecting mounts or execution from such images can yield early compromise signals.
3. Track usage of legitimate cloud services for suspicious retrievals — Bitbucket, StatCounter, Google Drive: build heuristics that monitor for uncommon usage or patterns (e.g., bitbucket downloads not common for your organization).
4. Extract and correlate LNK files and dropper names — Use scripts (like above) to parse shortcut files for embedded references to known malicious payload names.
5. Network telemetry for COM hijacking persistence indicators — Observe registry changes, DLL hijack attempts, and traces of Service.dat or cn.dat execution flows.
6. Correlate dark-web chatter/underground forums — Search for mentions of “SpyGlace”, “SecureBootUEFI.dat”, or repositories hosting “cbmp.txt”/“icon.txt” to identify leaks or shared IOCs.
7. Implement memory-analysis and sandboxing — Since in-memory execution is increasingly common, rely on memory snapshots, API calls logs, and process injection telemetry, not just file hashes.
8. Prepare attribution-aware reporting — When you observe these TTPs, make sure to note convergence (zero-day in WPS Office, use of Bitbucket/StatCounter, VHDX delivery) to link to APT-C-60 style campaigns.
File hashes & names
· SHA-1: 7509B4C506C01627C1A4C396161D07277F044AC6 (MHTML exploit document)
· SHA-1: 08906644B0EF1EE6478C45A6E0DD28533A9EFC29 (Downloader component)
· Filename: SecureBootUEFI.dat (dropper)
· Filenames: Service.dat, cn.dat, sp.dat
Infrastructure / Network IOCs
C2 server IP: 103.187.26[.]176
URLs used for staging/payload retrieval:
https[:]//c.statcounter[.]com/13139439/0/1ba1a548/1/
https[:]//raw.githubusercontent[.]com/carolab989/class2025/refs/heads/main/[VolumeSerialNumber+ComputerName].txt
https[:]//185.181.230[.]71/wkdo9/4b3ru.asp, …/t1802.asp, …/n3tb4.asp, …/2qpmk.asp
https[:]//bitbucket[.]org/clouds999/glo29839/downloads/
Vulnerability exploited
· CVE-2024-7262 (remote code execution in a popular productivity suite)
· CVE-2024-7263 (related exploit chain)
Conclusion
The escalation of APT-C-60 signals a shift: greater reliance on zero-day vulnerabilities, virtual-disk based delivery, and abuse of legitimate services for command and control. When coupled with the evolving tactics of groups like UNC6384 (in-memory execution, captive-portal hijacks, signed binaries), the threat environment for espionage actors is becoming more agile and harder to detect with legacy tooling alone.