The SpyGlace backdoor established a connection with a command-and-control server (103.187.26[.]176) and awaited instructions. Its capabilities included file theft, additional plugin loading, and command execution enabling the attackers to maintain long-term control over compromised systems. This multi-stage infection process highlights APT-C-60’s technical sophistication as it relied on legitimate platforms like Bitbucket for payload delivery and VHDX files to bypass operating system defenses complicating detection by security tools.

The campaign reflects ongoing trends among Asia-based threat actors like APT-C-60, who increasingly use unconventional techniques to deliver malware. Evidence from cybersecurity firms Chuangyu 404 Lab and Positive Technologies suggests that APT-C-60 and APT-Q-12, also known as Pseudo Hunter, may be sub-groups of the larger DarkHotel cluster. These groups specialize in espionage-focused attacks targeting East Asia. Notably, the use of VHD/VHDX formats demonstrates innovative methods for bypassing system protections, underscoring the evolving threat landscape and the need for robust cybersecurity defenses.

Impact

• Cyber Espionage
• Data Exfiltration
• Gain Access

Indicators of Compromise

IP

• 103.187.26.176
• 103.6.244.46

MD5

• 78b4d05a7d81b1cd96f1844ce4b201b3
• d6a2c8d7a5546de3b5eaa1c92865d001
• 6669d4a8a2c9319e1faa80123e6f0d5a

SHA-256

• 0144be044c1d297e185be91666eeb923959bce94ff07f59e81168a023ad7ff96
• af2cd31a0d4dcfde86bac7bb9212b6ce56f1cff0e4f7421b3fe6a7fa0af10474
• f64a7450251ef0def05283e58ebd8f38a28162435891db56fe85c964d52be0da

SHA1

• 33dba9c156f6ceda40aefa059dea6ef19a767ab2
• 5d3160f01920a6b11e3a23baec1ed9c6d8d37a68
• 0830ef2fe7813ccf6821cad71a22e4384b4d02b4

URL

• http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/command.asp
• http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/update.asp
• http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/result.asp
• http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/server.asp
• http://103.187.26.176/a78550e6101938c7f5e8bfb170db4db2/listen.asp
• https://c.statcounter.com/12959680/0/f1596509/1/
• https://c.statcounter.com/13025547/0/0a557459/1/

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply security updates to fix vulnerabilities.
• Use advanced email filtering to detect phishing emails, especially those with job application lures.
• Implement sandboxing to safely analyze email attachments and links before they are opened.
• Restrict the use of cloud services like Google Drive and Bitbucket for uploading and sharing files.
• Monitor for suspicious file uploads and downloads to detect malicious files or unusual activity.
• Strengthen endpoint security to block malware like SecureBootUEFI.dat and SpyGlace.
• Monitor device behaviors for unusual activity, such as unknown files running or new programs starting without user consent.
• Set up network intrusion detection systems (IDS) to monitor for unusual outbound traffic to malicious command-and-control servers.
• Check for suspicious traffic using StatCounter or other web analytics tools to detect misuse for tracking infected systems.
• Conduct training to help employees recognize phishing emails and suspicious job offers.
• Enforce multi-factor authentication (MFA) to protect user accounts from being compromised.
• Have a clear incident response plan to quickly isolate compromised systems and investigate the breach.
• Ensure logging is enabled on all systems for forensic analysis and tracking of suspicious events.
• Encrypt important data both in transit and at rest to protect it from theft if a breach occurs.
• Implement strict access controls to ensure that only authorized personnel can access sensitive information, and monitor for unusual access patterns.