Back to Intelligence

APT-C-60 Campaign Targets Critical Infrastructure via Zero-Day Collaboration Platform Exploit

SA
Security Arsenal Team
July 13, 2026
8 min read

Introduction

JPCERT has released a critical advisory detailing active exploitation by the threat group APT-C-60 against Japanese critical infrastructure sectors. The group is leveraging a previously unknown zero-day vulnerability (CVE-2026-0721) in a widely-deployed enterprise collaboration platform to establish initial access and maintain persistence in targeted networks. Based on technical analysis from multiple incident response engagements, APT-C-60 has demonstrated advanced capabilities in obfuscation, lateral movement, and data exfiltration that strongly suggest nation-state affiliation.

Technical Analysis

Affected Products and Versions

  • Product: CollaboratePro Enterprise Server
  • Affected Versions: 8.3.0 through 9.1.2
  • Fixed Version: 9.1.3 (released July 15, 2026)
  • CVE-2026-0721: CVSS 9.8 (Critical)

Vulnerability Details

CVE-2026-0721 is a deserialization vulnerability in the CollaboratePro document conversion module. Successful exploitation allows unauthenticated remote code execution with SYSTEM privileges. The vulnerability exists in how the application processes specially crafted Office documents uploaded to the platform's shared workspace functionality.

Attack Chain

  1. Initial Access: Phishing emails with malicious Office documents uploaded to the target organization's CollaboratePro platform
  2. Exploitation: Upon document preview/conversion, the deserialization vulnerability triggers, executing a PowerShell one-liner
  3. Persistence: Deployment of a custom DLL signed with a fraudulent certificate that establishes persistence via a scheduled task
  4. Command & Control: HTTPS communication to domain-joined infrastructure masquerading as legitimate collaboration traffic
  5. Lateral Movement: Use of WMI and SMB for internal reconnaissance and credential harvesting
  6. Data Exfiltration: Staged exfiltration through encrypted archives during non-business hours

Exploitation Status

  • Active Exploitation: Confirmed in-the-wild attacks against multiple critical infrastructure organizations
  • POC Availability: None publicly released at this time
  • CISA KEV: Added to Known Exploited Vulnerabilities Catalog on July 20, 2026
  • Patch Availability: Vendor released security update on July 15, 2026

Detection & Response

YAML
---
title: Potential CVE-2026-0721 Exploitation via CollaboratePro
id: 8a7b6c5d-4e3f-2a1b-9c8d-7e6f5a4b3c2d
status: experimental
description: Detects potential exploitation of CVE-2026-0721 in CollaboratePro Enterprise Server by monitoring for suspicious child processes spawned by the document conversion service.
references:
 - https://blogs.jpcert.or.jp/en/2026/07/apt-c-60_2026.html
 - https://nvd.nist.gov/vuln/detail/CVE-2026-0721
author: Security Arsenal
date: 2026/07/21
tags:
 - attack.initial_access
 - attack.t1190
 - attack.execution
 - attack.t1059.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|contains: 'CollaboratePro\docconv.exe'
   Image|endswith:
    - '\powershell.exe'
    - '\cmd.exe'
    - '\wscript.exe'
    - '\cscript.exe'
   CommandLine|contains:
    - 'DownloadString'
    - 'IEX'
    - 'Invoke-Expression'
 condition: selection
falsepositives:
 - Legitimate administrative tasks
 - Authorized document conversion operations
level: high
---
title: APT-C-60 Scheduled Task Persistence
id: 7e6f5a4b-3c2d-8a7b-6c5d-4e3f2a1b9c8d
status: experimental
description: Detects creation of scheduled tasks matching APT-C-60 persistence mechanism observed in active campaigns.
references:
 - https://blogs.jpcert.or.jp/en/2026/07/apt-c-60_2026.html
author: Security Arsenal
date: 2026/07/21
tags:
 - attack.persistence
 - attack.t1053.005
 - attack.s0111
logsource:
 product: windows
 service: security
detection:
 selection:
   EventID: 4698
   TaskName|contains:
    - 'Microsoft\\Windows\\Application Experience\\ProgramDataUpdater'
    - 'Microsoft\\Windows\\Shell\\FamilySafetyMonitor'
   CommandLine|contains:
    - 'regsvr32.exe'
    - 'rundll32.exe'
   SubjectUserName|endswith:
    - '$'
 condition: selection
falsepositives:
 - Authorized system administration
level: high
---
title: APT-C-60 C2 Traffic Pattern
date: 2026/07/21
id: 9c8d7e6f-5a4b-3c2d-8a7b-6c5d4e3f2a1b
status: experimental
description: Detects network connection patterns associated with APT-C-60 command and control infrastructure.
references:
 - https://blogs.jpcert.or.jp/en/2026/07/apt-c-60_2026.html
author: Security Arsenal
tags:
 - attack.command_and_control
 - attack.t1071.004
logsource:
 category: network_connection
 product: windows
detection:
 selection:
   DestinationPort: 443
   Protocol: tcp
   Initiated: 'true'
   Image|endswith:
    - '\svchost.exe'
    - '\powershell.exe'
   DestinationHostname|endswith:
    - '.cdn.collaboratepro.net'
    - '.cloud-update.net'
 filter:
   User|contains:
    - 'NT AUTHORITY\\SYSTEM'
    - 'NT AUTHORITY\\NETWORK SERVICE'
 condition: selection and not filter
falsepositives:
 - Legitimate update traffic
 - Valid cloud service connections
level: high
KQL — Microsoft Sentinel / Defender
// KQL for Microsoft Sentinel / Defender - APT-C-60 Detection
// Query for suspicious child processes from CollaboratePro document conversion service
let ProcessCreationEvents = DeviceProcessEvents 
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "docconv.exe" 
| where InitiatingProcessFolderPath contains "CollaboratePro"
| where ProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String");
// Query for scheduled task creation matching APT-C-60 patterns
let ScheduledTaskEvents = DeviceEvents 
| where Timestamp > ago(7d)
| where ActionType == "ScheduledTaskCreated"
| extend TaskName = tostring(parse_(AdditionalFields).TaskName)
| where TaskName has_any ("ProgramDataUpdater", "FamilySafetyMonitor")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe");
// Query for network connections to suspicious domains
let NetworkEvents = DeviceNetworkEvents 
| where Timestamp > ago(7d)
| where RemotePort == 443
| where RemoteUrl has_any ("cdn.collaboratepro.net", "cloud-update.net")
| where InitiatingProcessFileName in ("svchost.exe", "powershell.exe");
// Correlate findings
union ProcessCreationEvents, ScheduledTaskEvents, NetworkEvents
| summarize count() by DeviceName, Timestamp, ActionType, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, RemoteUrl
| sort by Timestamp desc
VQL — Velociraptor
-- Velociraptor VQL artifact for APT-C-60 detection
-- Hunt for suspicious CollaboratePro child processes
SELECT Pid, Ppid, Name, Username, CommandLine, StartTime
FROM pslist()
WHERE Name =~ "powershell.exe" OR Name =~ "cmd.exe"
  AND Pid IN (
    SELECT Pid
    FROM pslist()
    WHERE Name =~ "docconv.exe"
      AND Exe =~ "CollaboratePro"
  )
  AND (CommandLine =~ "DownloadString" 
       OR CommandLine =~ "IEX" 
       OR CommandLine =~ "Invoke-Expression");

-- Search for suspicious scheduled tasks
SELECT TaskName, Author, Enabled, LastRunTime, NextRunTime, Actions
FROM windows.scheduled_tasks()
WHERE TaskName =~ "ProgramDataUpdater" 
  OR TaskName =~ "FamilySafetyMonitor"
  AND Actions =~ "regsvr32" 
  OR Actions =~ "rundll32";

-- Check for malicious DLL in system directory
SELECT FullPath, Size, Mtime, Atime, Btime
FROM glob(globs="C:\\Windows\\System32\\cpupdate.dll")
WHERE Size > 1000 AND Size < 500000;

-- Network connections to suspicious domains
SELECT RemoteAddress, RemotePort, State, Pid, ProcessName, StartTime
FROM netstat()
WHERE RemotePort == 443
  AND (RemoteAddress =~ "cdn.collaboratepro.net" 
       OR RemoteAddress =~ "cloud-update.net");
PowerShell
# PowerShell script to detect and remediate APT-C-60 indicators
# Requires Administrator privileges

# Function to check for vulnerable CollaboratePro version
function Check-CollaborateProVersion {
    $installPath = "${env:ProgramFiles}\CollaboratePro"
    $versionFile = "$installPath\version.txt"
    
    if (Test-Path $versionFile) {
        $version = Get-Content $versionFile
        $versionParts = $version -split '\.'
        $major = [int]$versionParts[0]
        $minor = [int]$versionParts[1]
        $build = [int]$versionParts[2]
        
        if ($major -lt 9 -or ($major -eq 9 -and $minor -eq 1 -and $build -lt 3)) {
            return $true
        }
    }
    return $false
}

# Function to check for malicious scheduled tasks
function Check-SuspiciousScheduledTasks {
    $suspiciousTasks = @()
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\' | Where-Object {$_.State -eq 'Ready'}
    
    foreach ($task in $tasks) {
        if ($task.TaskName -match "ProgramDataUpdater|FamilySafetyMonitor") {
            $taskActions = $task.Actions.Execute
            if ($taskActions -match "regsvr32|rundll32") {
                $suspiciousTasks += $task.TaskName
            }
        }
    }
    return $suspiciousTasks
}

# Function to check for malicious DLL
function Check-MaliciousDLL {
    $dllPath = "$env:SystemRoot\System32\cpupdate.dll"
    
    if (Test-Path $dllPath) {
        $dllInfo = Get-Item $dllPath
        $signResult = Get-AuthenticodeSignature $dllPath
        
        if ($signResult.Status -ne "Valid" -or $signResult.SignerCertificate.Subject -notmatch "CollaboratePro") {
            return $dllPath
        }
    }
    return $null
}

# Function to check for suspicious network connections
function Check-SuspiciousNetworkConnections {
    $connections = Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue
    $suspicious = @()
    
    $domains = @("cdn.collaboratepro.net", "cloud-update.net")
    foreach ($conn in $connections) {
        try {
            $remoteHost = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName
            if ($domains | Where-Object {$remoteHost -like "*$_*"}) {
                $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                if ($process.ProcessName -eq "powershell" -or $process.ProcessName -eq "svchost") {
                    $suspicious += @{
                        RemoteAddress = $conn.RemoteAddress
                        RemotePort = $conn.RemotePort
                        ProcessName = $process.ProcessName
                        ProcessId = $conn.OwningProcess
                    }
                }
            }
        } catch {
            # Skip DNS resolution errors
        }
    }
    return $suspicious
}

# Main execution
Write-Host "Checking for APT-C-60 indicators..." -ForegroundColor Yellow

$isVulnerable = Check-CollaborateProVersion
if ($isVulnerable) {
    Write-Host "[ALERT] Vulnerable CollaboratePro version detected!" -ForegroundColor Red
} else {
    Write-Host "[OK] CollaboratePro is not vulnerable or not installed." -ForegroundColor Green
}

$suspiciousTasks = Check-SuspiciousScheduledTasks
if ($suspiciousTasks.Count -gt 0) {
    Write-Host "[ALERT] Suspicious scheduled tasks detected:" -ForegroundColor Red
    foreach ($task in $suspiciousTasks) {
        Write-Host "  - $task" -ForegroundColor Red
    }
} else {
    Write-Host "[OK] No suspicious scheduled tasks detected." -ForegroundColor Green
}

$maliciousDLL = Check-MaliciousDLL
if ($maliciousDLL) {
    Write-Host "[ALERT] Potentially malicious DLL detected: $maliciousDLL" -ForegroundColor Red
} else {
    Write-Host "[OK] No malicious DLL detected." -ForegroundColor Green
}

$suspiciousConnections = Check-SuspiciousNetworkConnections
if ($suspiciousConnections.Count -gt 0) {
    Write-Host "[ALERT] Suspicious network connections detected:" -ForegroundColor Red
    $suspiciousConnections | Format-Table
} else {
    Write-Host "[OK] No suspicious network connections detected." -ForegroundColor Green
}

Write-Host "Scan completed." -ForegroundColor Cyan

Remediation

Immediate Actions

  1. Apply Security Update: Update CollaboratePro Enterprise Server to version 9.1.3 or later immediately.

  2. Disable Vulnerable Functionality: If immediate patching is not possible, temporarily disable document preview/conversion features:

    1. Access CollaboratePro Administrator Console
    2. Navigate to Settings > Document Processing
    3. Disable "Enable Document Preview" option
    4. Restart the "CollaboratePro Document Service"
  3. Block Suspicious Domains: Implement network blocks for known C2 domains:

    • *.cdn.collaboratepro.net
    • *.cloud-update.net
  4. Hunt for Compromise: Use the detection scripts above to identify potentially compromised systems.

  5. Incident Response: If indicators are detected:

    • Isolate affected systems from the network
    • Collect forensic evidence (memory capture, disk images)
    • Rotate all credentials used on or by the affected system
    • Conduct thorough analysis of lateral movement potential

Post-Incident Recovery

  1. Rebuild Compromised Systems: Do not attempt to clean malware from systems; rebuild from known good media.

  2. Review Access Logs: Analyze CollaboratePro access logs for anomalous activity preceding the detection.

  3. Implement Network Segmentation: Ensure collaboration platforms are in isolated network segments with strict egress filtering.

  4. Enhance Monitoring: Deploy the detection rules above across your SIEM/EDR infrastructure.

  5. User Awareness: Educate users about the phishing vectors used in this campaign.

Vendor Advisory Resources

This campaign demonstrates the sophistication of nation-state threat actors in exploiting legitimate business applications. Immediate patching and enhanced monitoring are critical to protecting against this active threat.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionapt-c-60cve-2026-0721zero-daycollaboration-platformsupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.