The APT-C-60 threat actor has continued targeting Japanese organizations with a spear-phishing campaign that abuses Proton Drive, Windows shortcut files, trusted developer platforms, and native Windows utilities to deliver the SpyGlace malware. While the group retains several established tradecraft elements, including the abuse of legitimate services and the use of git.exe to execute malicious scripts, the latest attacks introduce Proton Drive as a file-distribution mechanism and expand the list of platforms used for payload hosting.
The initial lure arrives as a spear-phishing email containing a Proton Drive link. Victims who follow the link are prompted to download a RAR archive, which contains multiple files, including a malicious LNK shortcut.
Once executed, the LNK file initiates a multi-stage infection chain designed to blend into normal Windows activity. The shortcut first copies itself and then launches mshta.exe, a legitimate Microsoft utility capable of executing HTML Application files and JavaScript.
The LNK embeds obfuscated JavaScript code that is invoked after the victim opens the shortcut, allowing the attackers to execute malicious logic through a trusted Windows binary. This multi-layered approach ensures that the malicious behavior stays hidden beneath a veneer of typical system processes, minimizing the chance of detection by standard security tools.
Source: https://gbhackers.com/spear-phishing-uses-proton-drive/


