
GoDrive.vhdx: APT-C-60 Continues SpyGlace Espionage Against Japan via VHDX Containers

Published March 12, 2026


title: "GoDrive.vhdx: APT-C-60 Continues SpyGlace Espionage Campaign Against Japan Using VHDX Containers and Legitimate Service Abuse"
subtitle: "A 38MB virtual hard disk file bypasses Mark-of-the-Web, abuses Git binaries as LOLBins, beacons through StatCounter, and stages payloads on GitHub -- the latest wave from a South Korea-aligned DarkHotel cluster targeting Japanese organizations"
tags: ["APT-C-60", "SpyGlace", "VHDX", "DarkHotel", "espionage", "Japan", "MOTW-bypass", "apt", "spearphishing"]


APT-C-60 does not stop. The South Korea-aligned espionage group -- part of the DarkHotel cluster -- has been targeting Japanese organizations with weaponized VHDX files since late 2024. On March 12, 2026, a new sample surfaced on MalwareBazaar: GoDrive.vhdx, a 38MB Hyper-V Virtual Hard Disk file that delivers the SpyGlace backdoor through a kill chain that abuses Git binaries, StatCounter, GitHub, and Bitbucket as C2 infrastructure.

The filename is not subtle. "GoDrive" is a direct reference to Google Drive, the service APT-C-60 uses to deliver these containers to targets. The group impersonates job seekers, sends fabricated resumes to HR departments at Japanese companies, and the VHDX attachment bypasses Windows Mark-of-the-Web protections entirely -- files inside a mounted virtual disk do not inherit MOTW, so SmartScreen and Protected View never trigger.
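To make the MOTW point concrete, here is an added example (not code from the original report) that parses the Zone.Identifier alternate data stream Windows uses to record Mark-of-the-Web and audits a set of files for risky types that carry no Internet zone marking. The sample stream text and the file list are constructed; the helper that reads a real stream only works on NTFS/Windows and is included for completeness.

```python
"""Added example: inspect Mark-of-the-Web (Zone.Identifier) on files.

Windows stores MOTW in an NTFS alternate data stream named "Zone.Identifier"
containing a small INI file; ZoneId=3 means "Internet" and is what triggers
SmartScreen / Protected View. A downloaded GoDrive.vhdx carries the stream, but
files inside the mounted disk (Resume.rtf.lnk, gcmd.exe, glog.txt) do not.
"""
from typing import Dict, List, Optional

# Constructed sample of a Zone.Identifier stream as a browser would write it.
SAMPLE_DOWNLOADED = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://drive.google.com/\r\n"
    "HostUrl=https://drive.google.com/uc?id=EXAMPLE\r\n"
)

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# File types where a missing MOTW matters most (assumption: the list is the
# author's choice for this example, not an exhaustive Windows list).
RISKY_SUFFIXES = (".lnk", ".exe", ".dll", ".js", ".vbs", ".hta",
                  ".iso", ".vhd", ".vhdx")


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style [ZoneTransfer] section into a dict (keys lower-cased)."""
    result: Dict[str, object] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip().lower()] = value.strip()
    if "zoneid" in result:
        result["zoneid"] = int(str(result["zoneid"]))
    return result


def zone_of(ads_text: Optional[str]) -> str:
    """Map a stream's contents to a zone name; None means the stream is absent."""
    if ads_text is None:
        return "none"
    zone_id = parse_zone_identifier(ads_text).get("zoneid")
    return ZONE_NAMES.get(zone_id, "unknown")  # type: ignore[arg-type]


def audit(files: Dict[str, Optional[str]]) -> List[str]:
    """files maps path -> Zone.Identifier text (or None if no stream).

    Returns the risky-type files that are NOT marked Internet, i.e. the ones
    SmartScreen and Protected View would silently let through.
    """
    return [path for path, ads in files.items()
            if path.lower().endswith(RISKY_SUFFIXES) and zone_of(ads) != "Internet"]


def read_zone_identifier(path: str) -> Optional[str]:
    """Windows/NTFS only: alternate data streams open as 'file:Zone.Identifier'."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed scenario: the VHDX was downloaded (marked Internet), then mounted
# as E:; nothing inside the mounted volume carries the stream.
SAMPLE_FILES: Dict[str, Optional[str]] = {
    "C:\\Users\\hr\\Downloads\\GoDrive.vhdx": SAMPLE_DOWNLOADED,
    "E:\\Resume.rtf.lnk": None,
    "E:\\LICENSES.LOG\\mingw64\\bin\\gcmd.exe": None,
    "E:\\LICENSES.LOG\\mingw64\\bin\\glog.txt": None,
}

if __name__ == "__main__":
    for flagged in audit(SAMPLE_FILES):
        print("no Internet MOTW:", flagged)
```

The container itself is marked Internet and Windows still mounts it on double-click; the audit shows why that marking is useless here: the LNK and the Git binary the victim actually runs have no zone at all.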

Key Findings

  • Attribution: APT-C-60 (DarkHotel cluster), South Korea-aligned state espionage -- HIGH confidence
  • MOTW bypass: VHDX container strips Mark-of-the-Web from embedded files (T1553.005), allowing silent execution
  • Multi-layer legitimate service abuse: StatCounter for device fingerprinting, GitHub for payload hosting, Bitbucket for encrypted downloads, Google Drive for initial delivery
  • Kill chain: VHDX -> LNK double-click -> legitimate Git binary (gcmd.exe) as LOLBin -> malicious script (glog.txt) -> COM hijacking persistence -> SpyGlace backdoor
  • C2 infrastructure: Dedicated servers at 185[.]181[.]230[.]71 (INOVARE-AS, Moldova) and 103[.]187[.]26[.]176 (Pace Vision, Malaysia)
  • Campaign duration: Active since June 2025, SpyGlace versions 3.1.12 through 3.1.14 deployed across waves
  • 10+ confirmed compromised devices enumerated from APT-C-60's GitHub staging repositories

The Kill Chain

The attack starts with a spear-phishing email impersonating a job applicant. The VHDX file is either attached directly or hosted on Google Drive. When the victim double-clicks a file like "Resume.rtf.lnk" inside the mounted virtual disk, the chain fires:

  1. LNK executes Git binary: cd .\LICENSES.LOG\mingw64\bin && type glog.txt | gcmd.exe
  2. glog.txt drops Downloader1: Creates WebClassUser.dat in %localappdata%\Microsoft\Windows\
  3. COM hijacking persistence: Registers multiple CLSIDs including {566296fe-e0e8-475f-ba9c-a31ad31620b1}
  4. StatCounter beacon: Embeds volume serial + computer name in referer header to fingerprint victims
  5. GitHub command check: Queries raw.githubusercontent.com for device-specific command files
  6. Bitbucket payload download: XOR-decrypted with key AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE
  7. SpyGlace backdoor activation: Modified RC4 (key: 90b149c69b149c4b99c04d1dc9b940b9) + AES-128-CBC for C2

The "GOLDBAR" campaign identifier appears in the C2 beacon format, possibly indicating targeted region or campaign wave.

SpyGlace Capabilities

Command                      Function
screenupload / screenauto    Screenshot capture (one-shot and loop)
download / upload            Bidirectional file transfer
ddir / ddel                  Directory listing and file deletion
ld / uld                     Load/unload modules
procspawn                    Spawn processes
diskinfo                     Disk enumeration
attach / detach              Process attachment

Notable: prockill and proclist are present but disabled (no-op) in the latest versions -- the operators deliberately removed process visibility to reduce their detection footprint.

Infrastructure

C2 Servers:

IP                     Provider                        Country    Purpose
185[.]181[.]230[.]71   INOVARE-AS (Inovare-Prim SRL)   Moldova    Primary SpyGlace C2
103[.]187[.]26[.]176   Pace Vision Technology          Malaysia   Secondary SpyGlace C2

Legitimate Service Abuse:

Service        Purpose
StatCounter    Device fingerprinting via referer headers (Project IDs: 13139439, 12959680, 13025547)
GitHub         Payload hosting and victim-specific command delivery (accounts: carolab989, football2025, fenchiuwu, Ridgley22387)
Bitbucket      Encrypted payload hosting (clouds999/glo29839)
Google Drive   Initial VHDX delivery

IOCs

Primary Sample:

  • SHA256: da29eb73c6d6e822074d7da01f0b0efc4ae9cf81e0e1ee041d5287a9a954bad7 (GoDrive.vhdx, 38MB)

C2 URLs:

hxxps://185[.]181[.]230[.]71/wkdo9/4b3ru.asp
hxxps://185[.]181[.]230[.]71/wkdo9/t1802.asp
hxxps://185[.]181[.]230[.]71/wkdo9/n3tb4.asp
hxxp://103[.]187[.]26[.]176/a78550e6101938c7f5e8bfb170db4db2/*.asp
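The network side of the kill chain (steps 4 through 7) and the infrastructure listed above reduce to a handful of hosts and paths a proxy log will show in order. The following is an added example, not code from the original report, that scans web-proxy log lines for those stages and scores each client by how many distinct stages it touched. The log format and the sample lines are constructed; the indicators (C2 IPs, StatCounter project IDs, GitHub accounts, Bitbucket workspace) are the ones the report lists. The placement of the StatCounter project ID as a path segment is an assumption for this example.

```python
"""Added example: hunt proxy logs for the SpyGlace network stages.

Stages, in kill-chain order: StatCounter beacon -> GitHub command check ->
Bitbucket payload download -> SpyGlace C2 (.asp endpoints on dedicated IPs).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators from the report.
C2_IPS = {"185.181.230.71", "103.187.26.176"}
STATCOUNTER_PROJECTS = {"13139439", "12959680", "13025547"}
GITHUB_ACCOUNTS = {"carolab989", "football2025", "fenchiuwu", "ridgley22387"}
BITBUCKET_WORKSPACE = "clouds999"

# Constructed log format: <ts> <src> <method> <url> "<referer>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<referer>[^"]*)" (?P<status>\d{3})$'
)

Hit = Tuple[str, str, str]  # (source host, stage, url)


def classify(line: str) -> Optional[Hit]:
    """Return (src, stage, url) when a line matches a chain stage, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    segments = [s for s in url.path.split("/") if s]
    stage = None
    if host in C2_IPS and url.path.lower().endswith(".asp"):
        stage = "c2"
    elif host.endswith("statcounter.com") and STATCOUNTER_PROJECTS.intersection(segments):
        # Assumption: the project ID is a path segment of the counter URL.
        # The beacon's victim fingerprint rides in the Referer header, which
        # this rule keeps in the hit for the analyst but does not parse.
        stage = "statcounter_beacon"
    elif host == "raw.githubusercontent.com" and segments and segments[0].lower() in GITHUB_ACCOUNTS:
        stage = "github_command_check"
    elif host == "bitbucket.org" and segments and segments[0].lower() == BITBUCKET_WORKSPACE:
        stage = "bitbucket_payload"
    if stage is None:
        return None
    return (m["src"], stage, m["url"])


def hunt(lines: Iterable[str]) -> List[Hit]:
    return [hit for hit in (classify(line) for line in lines) if hit]


def score_hosts(hits: Iterable[Hit]) -> Dict[str, int]:
    """Number of distinct chain stages seen per source host; 3+ is a strong signal."""
    stages = defaultdict(set)
    for src, stage, _ in hits:
        stages[src].add(stage)
    return {src: len(seen) for src, seen in stages.items()}


# Constructed sample log: one infected host walking the chain, one clean host,
# and a benign StatCounter hit for an unrelated project.
SAMPLE_LOG = [
    '2026-03-12T09:14:02Z 10.0.0.21 GET https://c.statcounter.com/13139439/0/EXAMPLE/1/ "http://EXAMPLE-FINGERPRINT/" 200',
    '2026-03-12T09:14:05Z 10.0.0.21 GET https://raw.githubusercontent.com/carolab989/EXAMPLE/main/EXAMPLE.txt "" 200',
    '2026-03-12T09:14:09Z 10.0.0.21 GET https://bitbucket.org/clouds999/glo29839/downloads/EXAMPLE.bin "" 200',
    '2026-03-12T09:15:00Z 10.0.0.21 POST https://185.181.230.71/wkdo9/4b3ru.asp "" 200',
    '2026-03-12T09:15:30Z 10.0.0.22 GET https://www.example.com/index.html "" 200',
    '2026-03-12T09:16:00Z 10.0.0.22 GET https://c.statcounter.com/99999999/0/EXAMPLE/1/ "https://www.example.com/" 200',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for src, stage, url in found:
        print(src, stage, url)
    print(score_hosts(found))
```

Scoring by distinct stages rather than raw hit count matters because a single StatCounter or GitHub request is routine on any network; a host that touches three or four of these stages in sequence is not.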

Behavioral:

  • Mutexes: K31610KIO9834PG79A90B, K31610KIO9834PG79AD7B, K31610KIO9834PG79A44A
  • COM Hijacking: HKCU\Software\Classes\CLSID\{566296fe-e0e8-475f-ba9c-a31ad31620b1}\InProcServer32
  • File Paths: %localappdata%\Microsoft\Windows\WebClassUser.dat, %localappdata%\Microsoft\Windows\Clouds\Clouds.db
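Steps 1 through 3 of the kill chain and the behavioral IOCs above are all visible in endpoint telemetry. Here is an added example (not code from the original report) that hunts Sysmon-style events for them: the Git helper fed glog.txt on stdin from the VHDX directory layout, the dropped files, and the per-user CLSID InProcServer32 value. The event records are constructed to resemble Sysmon EventID 1, 11 and 13; the heuristic that gcmd.exe normally lives under a Git install path, and the generic HKCU InProcServer32-into-AppData rule, are assumptions made for this example. Mutexes are not in Sysmon telemetry and are left out.

```python
"""Added example: hunt endpoint events for GoDrive.vhdx host artifacts."""
import re
from typing import Callable, Dict, List, Tuple

KNOWN_CLSID = "{566296fe-e0e8-475f-ba9c-a31ad31620b1}"  # from the report

# Sysmon writes HKCU values as HKU\<SID>\...; match any per-user CLSID server.
HKCU_INPROC_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InProcServer32(\\\(Default\))?$",
    re.IGNORECASE,
)
DROPPED_FILES = ("\\microsoft\\windows\\webclassuser.dat",
                 "\\microsoft\\windows\\clouds\\clouds.db")
# Assumption for this example: where a legitimate Git install keeps gcmd.exe.
GIT_INSTALL_PREFIXES = ("c:\\program files\\git\\", "c:\\program files (x86)\\git\\")


def check_process(ev: Dict[str, object]) -> List[str]:
    """EventID 1: gcmd.exe used as a LOLBin (kill-chain step 1)."""
    findings = []
    image = str(ev.get("Image", "")).lower()
    cmdline = str(ev.get("CommandLine", "")).lower()
    parent_cmd = str(ev.get("ParentCommandLine", "")).lower()
    if not image.endswith("\\gcmd.exe"):
        return findings
    # The LNK pipes glog.txt into gcmd.exe, so the script name shows up on the
    # parent cmd.exe command line rather than on gcmd.exe itself.
    if "glog.txt" in cmdline or "glog.txt" in parent_cmd:
        findings.append("gcmd.exe consuming glog.txt")
    if "\\licenses.log\\mingw64\\bin\\" in image:
        findings.append("gcmd.exe run from LICENSES.LOG\\mingw64\\bin (VHDX layout)")
    elif not image.startswith(GIT_INSTALL_PREFIXES):
        findings.append("gcmd.exe outside a Git install path")
    return findings


def check_file(ev: Dict[str, object]) -> List[str]:
    """EventID 11: Downloader1 / SpyGlace drop locations (step 2)."""
    target = str(ev.get("TargetFilename", "")).lower()
    return [f"SpyGlace artifact written: {target}"] if target.endswith(DROPPED_FILES) else []


def check_registry(ev: Dict[str, object]) -> List[str]:
    """EventID 13: COM hijacking persistence (step 3, T1547.014)."""
    m = HKCU_INPROC_RE.match(str(ev.get("TargetObject", "")))
    if not m:
        return []
    clsid = m.group(1).lower()
    details = str(ev.get("Details", "")).lower()
    if clsid == KNOWN_CLSID:
        return [f"known APT-C-60 COM hijack CLSID {clsid}"]
    if "\\appdata\\local\\" in details:
        # Generic heuristic (assumption): per-user COM servers in AppData\Local
        # are rare outside hijacks and deserve a look even with a new CLSID.
        return [f"HKCU InProcServer32 for {clsid} points into AppData\\Local"]
    return []


CHECKS: Dict[int, Callable[[Dict[str, object]], List[str]]] = {
    1: check_process, 11: check_file, 13: check_registry}


def hunt(events) -> List[Tuple[str, str]]:
    """Return (computer, finding) pairs for every event that trips a check."""
    out = []
    for ev in events:
        check = CHECKS.get(int(ev.get("EventID", 0)))
        if check:
            out.extend((str(ev.get("Computer", "?")), f) for f in check(ev))
    return out


# Constructed events: an HR workstation running the chain from a mounted VHDX
# (E:), and a developer box running the same binary from a real Git install.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-HR-07",
     "Image": "E:\\LICENSES.LOG\\mingw64\\bin\\gcmd.exe", "CommandLine": "gcmd.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c cd .\\LICENSES.LOG\\mingw64\\bin && type glog.txt | gcmd.exe"},
    {"EventID": 11, "Computer": "WS-HR-07",
     "TargetFilename": "C:\\Users\\hr\\AppData\\Local\\Microsoft\\Windows\\WebClassUser.dat"},
    {"EventID": 13, "Computer": "WS-HR-07",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\"
                     "{566296fe-e0e8-475f-ba9c-a31ad31620b1}\\InProcServer32\\(Default)",
     "Details": "C:\\Users\\hr\\AppData\\Local\\Microsoft\\Windows\\WebClassUser.dat"},
    {"EventID": 1, "Computer": "WS-DEV-02",
     "Image": "C:\\Program Files\\Git\\mingw64\\bin\\gcmd.exe", "CommandLine": "gcmd.exe",
     "ParentCommandLine": "git.exe status"},
]

if __name__ == "__main__":
    for computer, finding in hunt(SAMPLE_EVENTS):
        print(computer, "-", finding)
```

Whether the exact `cmd.exe /c` wrapper matches what the LNK really does is not load-bearing: the rules key on the glog.txt name and the LICENSES.LOG\mingw64\bin path, both of which the report gives verbatim.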

Encryption Keys:

  • XOR: AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE
  • RC4: 90b149c69b149c4b99c04d1dc9b940b9
  • AES Key: B0747C82C23359D1342B47A669796989 / IV: 21A44712685A8BA42985783B67883999

MITRE ATT&CK

Technique                       ID          Application
Spearphishing Attachment        T1566.001   VHDX in job application email
Mark-of-the-Web Bypass          T1553.005   VHDX strips MOTW from embedded files
COM Object Hijacking            T1547.014   InProcServer32 registry persistence
Web Service                     T1102       StatCounter, GitHub, Bitbucket abuse
Match Legitimate Name           T1036.004   Git binary (gcmd.exe) as LOLBin
Screen Capture                  T1113       Clouds.db screenshot module
Exfiltration Over C2 Channel    T1041       Data exfiltration via SpyGlace

Conclusion

APT-C-60's operational playbook has remained consistent since late 2024: VHDX containers for MOTW bypass, job application social engineering for initial access, and a multi-layer abuse of legitimate services for C2. What makes this group dangerous is not technical sophistication -- the tradecraft is solid but not exceptional -- but rather their targeting precision and persistence. The group has sustained nine months of operations against Japanese HR departments, iterating SpyGlace versions (3.1.12 to 3.1.14) and rotating GitHub staging accounts. The GOLDBAR campaign identifier in the March 2026 sample confirms the campaign continues. Block the C2 infrastructure, report the GitHub accounts, and most importantly: disable VHDX auto-mounting via Group Policy. That single configuration change breaks the entire kill chain.
