Downloader2
Downloader2 is a second-stage downloader used in APT-C-60 campaigns observed by JPCERT/CC in Japan from June through August 2025. In the reported intrusion chain, spearphishing emails impersonating job applicants delivered a malicious VHDX to recruitment staff. Opening an embedded LNK executed a script via the legitimate Git component gcmd.exe, which dropped Downloader1. Downloader1 established persistence through COM hijacking, beaconed to StatCounter to identify victims, and retrieved a victim-specific tasking file from GitHub; based on the URL in that file, Downloader2 was downloaded and executed.
Downloader2’s documented role is to download and execute SpyGlace and its loader. It used an updated encoding scheme for dynamic API resolution, in which each byte had 0x04 added and was then XORed with 0x05, and it XOR-decoded retrieved content using the key string "AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE". The retrieved payloads were executed via COM hijacking. The activity is associated with the threat group APT-C-60 and reflects the actor’s continued abuse of legitimate services, including GitHub for staged payload delivery. The reporting does not provide standalone hashes or other Downloader2-specific IoCs beyond its decoding key, its execution via COM hijacking, and its role in delivering SpyGlace.
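As an added illustration (not code from JPCERT/CC or Mallory), the following Python decoders reverse the two transforms described above: the per-byte add-0x04-then-XOR-0x05 API-name encoding and the repeating-key XOR applied to retrieved content. The inverse byte order and applying the key cyclically from offset 0 are assumptions; the sample blob is constructed, not taken from a real sample.

```python
import re

# Key string quoted in the description above.
XOR_KEY = b"AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE"


def encode_api_name(name: bytes) -> bytes:
    """Forward scheme as reported: add 0x04, then XOR 0x05, per byte.
    Used here only to build constructed test data."""
    return bytes((((b + 0x04) & 0xFF) ^ 0x05) for b in name)


def decode_api_name(blob: bytes) -> bytes:
    """Inverse of the scheme: XOR 0x05, then subtract 0x04, per byte (assumed order)."""
    return bytes((((b ^ 0x05) - 0x04) & 0xFF) for b in blob)


def xor_decode_payload(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; assumption: key applied cyclically from offset 0.
    XOR is its own inverse, so the same routine also encodes."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def find_encoded_api_names(buf: bytes, min_len: int = 6) -> list:
    """Triage helper: the transform is byte-wise, so decode the whole buffer
    and look for identifier-like runs. Heuristic; expect some false hits."""
    decoded = decode_api_name(buf)
    pattern = rb"[A-Za-z_][A-Za-z0-9_]{%d,}" % (min_len - 1)
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


# Constructed sample: two encoded API names separated by filler bytes.
SAMPLE_BLOB = (
    b"\x00\x00" + encode_api_name(b"VirtualAlloc")
    + b"\x00\xff" + encode_api_name(b"CreateThread") + b"\x00"
)

if __name__ == "__main__":
    print(find_encoded_api_names(SAMPLE_BLOB))      # ['VirtualAlloc', 'CreateThread']
    fake_stage = b"MZ\x90\x00" + b"constructed stage, not a real payload"
    wire = xor_decode_payload(fake_stage)           # encode (same operation)
    print(xor_decode_payload(wire)[:2])             # b'MZ'
```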
Groups observed using it
1 distinct threat actor attributed by public researchers.
“DownLoader1 then retrieves that file from GitHub… Based on the URL in the retrieved file, DownLoader2 is downloaded and executed… Downloader2 can download and execute SpyGlace and its loader.”
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
  “Targeted attack emails addressed to the organization’s recruitment staff, posing as job applicants… In this attack, a malicious VHDX file was sent directly as an attachment.”
Execution: 3 techniques
Persistence: 2 techniques
Privilege Escalation: 1 technique
Stealth: 2 techniques
Defense Impairment: 1 technique
Command and Control: 2 techniques
  “The attacker used GitHub to distribute the payload…” “Downloader1 communicates at regular intervals with a legitimate statistics service called statcounter”
  “https://raw.githubusercontent.com/.../[VolumeSerialNumber + ComputerName].txt… Based on the URL written in the retrieved file, the next stage, Downloader2, is downloaded and executed”
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Second-stage downloader that retrieves additional payloads (including SpyGlace and its loader) and executes them. Uses XOR decoding (noted keys include “sgznqhtgnghvmzxponum” and “AadDDRTaSPtyAG57er#$ad!lDKTOPLTEL78pE”) and leverages COM hijacking for execution.
Second-stage downloader/loader. Downloads and executes the SpyGlace body and its loader. Strings such as API names are encoded with ADD+XOR; the retrieved file is described as being XOR-decoded and then executed via COM hijacking.