
Update on Attacks by Threat Group APT-C-60

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 08:16:16 UTC)
Source: AlienVault OTX General

Description

APT-C-60 is an advanced persistent threat group targeting Japan and East Asia with spear-phishing campaigns that impersonate job seekers. The attackers have evolved their tactics by directly attaching malicious VHDX files to emails, delivering updated malware families including Downloader1, Downloader2, and SpyGlace (versions 3.1.12 to 3.1.14). These malware variants feature new communication methods, use encoding and encryption techniques such as RC4, and leverage legitimate services like GitHub for payload distribution. The campaign abuses common Windows features and persistence mechanisms, including COM hijacking and execution via trusted binaries (T1218.011). Although primarily focused on East Asia, the use of widespread tools and techniques poses a potential risk to European organizations, especially those with ties to affected sectors or regions.

AI-Powered Analysis

Last updated: 11/05/2025, 08:56:58 UTC

Technical Analysis

APT-C-60 is a sophisticated threat actor that continues to conduct targeted spear-phishing attacks primarily against Japan and East Asia by impersonating job seekers to lure victims. The attack vector has evolved to include direct attachment of malicious VHDX (Virtual Hard Disk) files in emails, which is a novel delivery method that can bypass some traditional email security filters. The malware suite used by APT-C-60 includes Downloader1, Downloader2, and SpyGlace, with SpyGlace observed in versions 3.1.12, 3.1.13, and 3.1.14. These versions show modifications in Mutex values and execution paths, indicating ongoing development and evasion efforts. The attackers utilize GitHub as a legitimate platform to host and distribute payloads, complicating detection and takedown efforts. The malware employs advanced encoding and encryption methods, including RC4, to protect communications and payloads. The campaign abuses legitimate Windows features such as COM hijacking (T1553.005), execution through trusted binaries (T1218.011), and persistence mechanisms (T1547.001). The spear-phishing emails exploit social engineering by impersonating job seekers, increasing the likelihood of user interaction. Despite infrastructure changes, the attackers maintain consistent behavioral patterns, indicating a mature and persistent operation. No known exploits in the wild have been reported, but the threat remains active and evolving. The medium severity rating reflects the targeted nature, complexity, and potential impact of the malware if successfully deployed.

Potential Impact

For European organizations, the primary impact of this threat lies in potential espionage, data exfiltration, and network compromise, especially for entities with business or strategic interests in East Asia or Japan. The use of spear-phishing with convincing social engineering tactics increases the risk of initial compromise. The malware's ability to maintain persistence and evade detection through legitimate service abuse and encryption techniques could lead to prolonged undetected access. Organizations involved in recruitment, international trade, or technology sectors may be particularly targeted or indirectly affected. The use of VHDX attachments could bypass some traditional email defenses, increasing the risk of infection. While no widespread exploitation in Europe has been reported, the global nature of GitHub-hosted payloads and the use of common Windows features mean that European networks are potentially vulnerable if targeted. The compromise of confidentiality, integrity, and availability of systems could result in intellectual property theft, disruption of operations, and reputational damage.

Mitigation Recommendations

European organizations should implement advanced email filtering solutions capable of detecting and blocking malicious VHDX attachments and spear-phishing attempts impersonating job seekers. Deploy sandboxing technologies to analyze suspicious attachments in a controlled environment before delivery. Monitor network traffic for unusual communications, especially encrypted or encoded data flows consistent with SpyGlace and downloader malware behavior. Employ endpoint detection and response (EDR) tools to identify persistence mechanisms such as COM hijacking and execution via trusted binaries. Regularly update and patch systems to reduce the attack surface, even though no specific patches are linked to this threat. Conduct targeted user awareness training focusing on spear-phishing risks related to recruitment and job-seeking themes. Restrict or monitor the use of legitimate services like GitHub for payload hosting by implementing allowlists or anomaly detection. Implement strict application control policies to prevent execution of unauthorized VHDX files and related payloads. Finally, establish incident response plans that include procedures for detecting and mitigating advanced persistent threats with similar tactics.
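The two attachment-side controls recommended above (blocking disk-image attachments and matching them against known indicators) can be prototyped with a small screening routine. The following is an added illustrative example, not code from the OTX pulse or the JPCERT report. It identifies VHD/VHDX containers by their on-disk signatures (the `vhdxfile` identifier at offset 0 of a VHDX, and the `conectix` cookie of the VHD footer) rather than by filename alone, so a container renamed to a benign extension is still caught, and it checks the SHA-256 of the attachment against a caller-supplied indicator set (the hash list in the Technical Details section can be loaded there). Sample attachments and the `known_bad` set are constructed for the demo.

```python
"""Screen e-mail attachments for VHD/VHDX disk-image containers and known-bad hashes.

Added example for illustration; not part of the original advisory.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set

# On-disk signatures from the Microsoft VHD/VHDX formats.
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of every VHDX file
VHD_COOKIE = b"conectix"      # 8-byte cookie at the start of the 512-byte VHD footer
                              # (dynamic/differencing VHDs also carry a copy at offset 0)
DISK_IMAGE_EXTENSIONS = {".vhd", ".vhdx"}


@dataclass
class Verdict:
    filename: str
    sha256: str
    reasons: List[str] = field(default_factory=list)

    @property
    def block(self) -> bool:
        """Block when at least one screening rule fired."""
        return bool(self.reasons)


def detect_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None based purely on content, ignoring the filename."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Fixed VHDs only carry the cookie in the trailing 512-byte footer.
    if data[:8] == VHD_COOKIE or data[-512:][:8] == VHD_COOKIE:
        return "vhd"
    return None


def screen_attachment(filename: str, data: bytes, known_bad: Set[str]) -> Verdict:
    """Apply extension, signature and hash-indicator rules to one attachment."""
    digest = hashlib.sha256(data).hexdigest()
    verdict = Verdict(filename, digest)
    ext = os.path.splitext(filename)[1].lower()

    if ext in DISK_IMAGE_EXTENSIONS:
        verdict.reasons.append(f"disk-image extension {ext}")

    kind = detect_disk_image(data)
    if kind and ext not in DISK_IMAGE_EXTENSIONS:
        # The interesting edge case: a container hiding under a benign name.
        verdict.reasons.append(f"{kind} signature under non-disk extension {ext or '(none)'}")
    elif kind:
        verdict.reasons.append(f"{kind} signature confirmed")

    if digest in known_bad:
        verdict.reasons.append("sha256 matches known-bad indicator")
    return verdict


def run_demo() -> dict:
    """Screen a few constructed attachments; returns {filename: block?}."""
    vhdx_blob = VHDX_SIGNATURE + b"\x00" * 120          # constructed VHDX header stub
    fixed_vhd = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504  # constructed footer-only VHD
    pdf_blob = b"%PDF-1.7\n%constructed benign sample\n"

    # Constructed indicator set: pretend the VHDX stub's hash was published as an IoC.
    known_bad = {hashlib.sha256(vhdx_blob).hexdigest()}

    samples = [
        ("resume.vhdx", vhdx_blob),   # extension + signature + hash hit
        ("resume.pdf", vhdx_blob),    # renamed container: signature + hash hit
        ("portfolio.img", fixed_vhd), # VHD detected via footer cookie only
        ("cover_letter.pdf", pdf_blob),
    ]
    return {name: screen_attachment(name, blob, known_bad).block for name, blob in samples}


if __name__ == "__main__":
    for name, blocked in run_demo().items():
        print(f"{name}: {'BLOCK' if blocked else 'allow'}")
```

In a gateway deployment the `known_bad` set would be refreshed from the threat feed, and verdicts that fire only on the extension rule can be routed to sandbox detonation rather than hard-blocked, which matches the layered approach in the recommendations.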


Technical Details

Author: AlienVault
TLP: white
References: https://blogs.jpcert.or.jp/en/2025/11/APT-C-60_update.html
Adversary: APT-C-60
Pulse Id: 690b07d26b6f30fe642910b2
Threat Score: null

Indicators of Compromise

IP

185.181.230.71

Hashes (grouped by digest length: 32 hex characters = MD5, 40 = SHA-1, 64 = SHA-256)

MD5
1171f3fc801556a6e19f65cff4eb1314
1f5fd1ba93a55bebbb7c06bfeec4ad5e
21a44712685a8ba42985783b67883999
8fb1ae1bc6e8fa3a6d7cc335ac4d379b
90b149c69b149c4b99c04d1dc9b940b9
b0747c82c23359d1342b47a669796989

SHA-1
738554c1a41dfdbb2b23b35a38686d1e41e24f3f
9f30bfc05bc79c85997731038a1647c5cf04b7d3
b838caa938ef0b7bf54a2b8e5109cc31e402de63

SHA-256
048b69386410b8b7ddb7835721de0cba5945ee026a9134d425e0ba0662d9aee4
09fcc1dfe973a4dc91582d7a23265c0fd8fc2a011adb2528887c1e1d3a89075a
10278a46b13797269fd79a5f8f0bc14ff1cc5bc0ea87cdd1bbc8670c464a3cf1
156df8c8bea005bd7dc49eb7aca230ef85ada1c092e45bb3d69913d78c4fa1f9
1e931c8aa00b7f2b3adedc5260a3b69d1ac914fe1c022db072ed45d7b2dddf6c
25f81709d914a0981716e1afba6b8b5b3163602037d466a02bc1ec97cdc2063b
299d792c8d0d38d13af68a2467186b2f47a1834c6f2041666adafc626149edaf
45c1c79064cef01b85f0a62dac368e870e8ac3023bfbb772ec6d226993dc0f87
50b40556aa7461566661d6a8b9486e5829680951b5df5b7584e0ab58f8a7e92f
57a77d8d21ef6a3458763293dbe3130dae2615a5de75cbbdf17bc61785ee79da
5da82fa87b0073de56f2b20169fa4d6ea610ed9c079def6990f4878d020c9d95
669c268e4e1ced22113e5561a7d414a76fcd247189ed87a8f89fbbd61520966a
6d8a935f11665850c45f53dc1a3fc0b4ac9629211bd4281a4ec4343f8fa02004
7ae86f2cb0bbe344b3102d22ecfcdda889608e103e69ec92932b437674ad5d2f
8b51939700c65f3cb7ccdc5ef63dba6ca5953ab5d3c255ce3ceb657e7f5bfae8
8ea32792c1624a928e60334b715d11262ed2975fe921c5de7f4fac89f8bb2de5
94ccdaf238a42fcc3af9ed1cae1358c05c04a8fa77011331d75825c8ac16ffd8
94f6406a0f40fb8d84ceafaf831f20482700ee1a92f6bca1f769dff98896245c
96312254d33241ce276afc7d7e0c7da648ffe33f3b91b6e4a1810f0086df3dba
9e30df1844300032931e569b256f1a8a906a46c6a7efa960d95142d6bea05941
a80848cf7d42e444b7ec1161c479b1d51167893f47d202b05f590ad24bf47942
c9c6960a5e6f44afda4cc01ff192d84d59c4b31f304d2aeba0ef01ae04ca7df3
d287dc5264fd504b016ec7e424650e2b353946cbf14d3b285ca37d78a6fda6f4
d535837fe4e5302f73b781173346fc9031d60019ea65a0e1e92e20e399a2f387
e8b3b14a998ce3640a985b4559c90c31a5d7465bc5be5c6962e487172d3c9094
ea37dfa94a63689c1195566aab3d626794adaab4d040d473d4dfbd36f1e5f237
f102d490ad02b1588b9b76664cd715c315eaab33ac22b5d0812c092676242b15
f42d0fa77e5101f0f793e055cb963b45b36536b1835b9ea8864b4283b21bb68f
f495171e7a10fb0b45d28a5260782a8c1f7080bd1173af405476e8d3b11b21b6
f96557e8d714aa9bac8c3f112294bac28ebc81ea52775c4b8604352bbb8986b8

Threat ID: 690b113e97eccd907379bfd3

Added to database: 11/5/2025, 8:56:30 AM

Last enriched: 11/5/2025, 8:56:58 AM

Last updated: 11/5/2025, 1:55:08 PM

Views: 17

Community Reviews

0 reviews

