APT-C-60, also known as zigzag_hail, is a South Korea-aligned advanced persistent threat (APT) group. The group has been observed conducting cyber espionage campaigns, notably targeting Japanese entities. In a campaign reported on November 6, 2025, APT-C-60 deployed a new malware strain called SpyGlace, which utilizes VHDX LNK files for infection or persistence and leverages GitHub-based mechanisms for tasking and command-and-control. The campaign is characterized by persistent surveillance and advanced stealth techniques. Additionally, on February 28, 2025, a VHDX file containing RadialAgent malware was attributed to APT-C-60 and uploaded to VirusTotal from Japan, further indicating their focus on Japanese targets. There are no high-confidence reports of sub-groups or additional aliases beyond APT-C-60 and zigzag_hail.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
APT-C-60 is conducting persistent espionage operations targeting Japan using the new SpyGlace malware, which leverages VHDX LNK files and GitHub-based tasking for persistence.
South Korea-aligned cyber espionage group distributing RadialAgent malware via malicious VHDX files.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.