29 August 2024

South Korean cyber espionage group exploits zero-day in WPS Office to install SpyGlace backdoor



A South Korea-aligned cyberespionage group known as APT-C-60 has been actively exploiting a zero-day vulnerability in the Windows version of WPS Office to install the SpyGlace backdoor on systems in East Asia.

WPS Office, developed by the Chinese software firm Kingsoft, is a widely used productivity suite with over 500 million active users globally.

The vulnerability, tracked as CVE-2024-7262, has been exploited since at least February 2024. It affects WPS Office versions from 12.2.0.13110 (released in August 2023) to 12.1.0.16412 (released in March 2024). Kingsoft issued a patch for this flaw in March 2024 but did so without notifying customers.

An investigation by cybersecurity firm ESET uncovered an additional serious flaw in the software, designated CVE-2024-7263, which was patched in May 2024 with version 12.2.0.17119. A report from DBAPPSecurity independently confirmed that APT-C-60 had been using this vulnerability to deploy malware in China via specially crafted spreadsheet files.

In the campaign observed by ESET, the malicious documents were disguised as MHTML exports of XLS spreadsheets, a format that causes referenced files to be downloaded automatically as soon as the document is opened.

The document contains a hidden hyperlink designed to trigger the execution of an arbitrary library if clicked within the WPS Spreadsheet application. This, in turn, leads to the deployment of the malware onto compromised systems.

The exploitation technique involves a custom protocol handler called "ksoqing," which is registered by WPS Office during installation. This handler allows external applications to be executed whenever a user clicks on a URL starting with the "ksoqing://" URI scheme.

When the malicious link is clicked, it triggers the execution of a pre-installed application on the system, using attacker-provided commands encoded in the hyperlink.

The final payload delivered through this attack vector is a custom backdoor named SpyGlace, previously documented by cybersecurity firm ThreatBook as TaskControler.dll.

“The authors of the exploit chose to leverage a specific feature of the supported MHTML file format to have their malicious component downloaded and stored on the system in a predictable way. This particular type of file is an export format offered by Microsoft Word and Excel applications to allow users to view documents in their browser,” ESET explained. “It is a multipart archive containing HTML, CSS, and JavaScript files that facilitate the display of the document. By inserting an img tag inside one of the HTML files, it is possible to make the Spreadsheet application download a remote file when the document is being loaded.”
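The two mechanisms described above, the remote fetch triggered by an img tag in the HTML part of the MHTML archive and the hyperlink using the ksoqing:// scheme, are both visible in the document itself, which makes them useful triage indicators for a mail gateway or a sandbox. The following Python script is an added example and is not code from ESET, Kingsoft or this article: it parses an MHTML file with the standard-library email parser and reports remote img sources and ksoqing:// hyperlinks. The embedded sample document, the host example.invalid and the placeholder after ksoqing:// are constructed for the demonstration and do not reflect the real handler arguments.

```python
import email
import re
from email import policy

# Constructed sample MHTML document (not from the article). It mimics the shape the
# report describes: a multipart archive whose HTML part contains an <img> pointing at
# a remote host and a hyperlink using the ksoqing:// scheme. The handler argument is
# a placeholder, not a real command.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Location: file:///C:/sheet.htm

<html><body>
<table><tr><td><a href="ksoqing://EXAMPLE-PLACEHOLDER">Click to view</a></td></tr></table>
<img src="https://example.invalid/resource.png" width="1" height="1">
<img src="file:///C:/local/logo.png">
</body></html>
------=_NextPart_000--
"""

# Schemes that make the spreadsheet application reach out to a remote host on load.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "//")
IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HREF_RE = re.compile(r'\bhref\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def iter_html_parts(raw: bytes):
    """Yield the decoded text of every text/html part in an MHTML (MIME multipart) blob."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_mhtml(raw: bytes) -> dict:
    """Collect the two indicators a defender would triage: remote image fetches
    and hyperlinks that hand control to the ksoqing:// protocol handler."""
    findings = {"remote_img": [], "ksoqing_links": []}
    for html in iter_html_parts(raw):
        for src in IMG_SRC_RE.findall(html):
            if src.lower().startswith(REMOTE_SCHEMES):
                findings["remote_img"].append(src)
        for href in HREF_RE.findall(html):
            if href.lower().startswith("ksoqing://"):
                findings["ksoqing_links"].append(href)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag a document that both pulls a remote file on load and carries a ksoqing:// link,
    which is the combination the reported lure relies on."""
    return bool(findings["remote_img"]) and bool(findings["ksoqing_links"])


if __name__ == "__main__":
    result = scan_mhtml(SAMPLE_MHTML)
    print("remote img sources:", result["remote_img"])
    print("ksoqing links:", result["ksoqing_links"])
    print("suspicious:", is_suspicious(result))
```

The script only inspects the document's HTML parts; it never follows the remote URL or invokes the handler. In practice a ksoqing:// hyperlink inside an exported spreadsheet is unusual enough on its own to warrant a look, so the remote-image check mainly serves to raise the priority of a hit.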
