Table of Contents:
- Introduction:
- Key Targets:
- Infection Chain:
- Initial Findings about Campaign:
- Analysis of Decoys & Spear phishing Email:
- Technical Analysis:
- Stage1: Analysis of LNK File.
- Stage2: Analysis of VBS.
- Stage3: DLL Side Loading.
- Infrastructural Artefacts & Threat actor Attributions.
- Conclusion: Operation DRAGON WHISTLE?
- Seqrite Coverage:
- IOCs:
- MITRE ATT&CK:
Introduction:
Seqrite Labs has been monitoring targeted spear-phishing activity across the globe, and in the course of that work identified a campaign aimed at the Chinese education sector. Our analysis shows the threat actor specifically targeting students and faculty at Changzhou University (常州大学), using a highly contextual lure tied to the institution’s mandatory 2026 National Student Physical Fitness and Health Standards (《国家学生体质健康标准》) testing cycle.
The phishing email delivers a ZIP attachment named 常州大学2026年《国家学生体质健康标准》测试通知最终版.zip (Changzhou University 2026 “National Student Physical Fitness and Health Standards” Testing Notice, Final Version).
What makes this campaign particularly effective is the precision of its social engineering. The threat actor did not use a generic lure — they specifically identified that Changzhou University conducts mandatory annual fitness assessments where failure directly impacts graduation eligibility. This creates an environment of urgency and compliance that significantly increases the probability of victim engagement.
Key Targets:
- Education Sector — Universities and higher education institutions
- Government-Affiliated Academic Bodies — Institutions operating under national education ministry directives
- Sports & Physical Education Departments — Fitness assessment and athletic program administrators
- Student Population — Undergraduate enrolled students with mandatory compliance requirements
- Academic Administration — Faculty and departmental coordinators managing institutional testing programs
Infection Chain:

Initial Findings about Campaign:
The spear-phishing email was crafted to impersonate official university administrative communication, with subject matter aligned to the institution’s mandatory 2026 fitness testing schedule. The body text was specific enough to compel the recipient to download and open the attached ZIP file, using the graduation-critical nature of the fitness assessment as the primary pressure mechanism.
Analysis of Decoys & Spear phishing Email:

Seqrite Labs’ investigation of the initial attack vector identified a spear-phishing email sent from “牛牛” (Niu Niu, literally “cow cow”) <18115820617@163.com>, a free mailbox on NetEase’s 163.com service. A consumer webmail sender is a common choice in such campaigns: mail from a major free provider is less likely to be blocked outright than mail from an unknown, newly registered domain.

Closer inspection of the archive’s contents located the decoy document:

Once the victim opens the shortcut inside the ZIP, the chain presents a legitimate-looking decoy document: a full-fidelity replica of the official Changzhou University 2026 National Student Physical Fitness and Health Standards Testing Notice (常州大学2026年《国家学生体质健康标准》测试通知).

The inclusion of platform-specific references, QQ group coordination, and three-tier hospital documentation requirements demonstrates the threat actor’s deep familiarity with Chinese university administrative culture. This level of institutional detail goes beyond surface-level copying — it reflects either insider knowledge or extensive open-source reconnaissance of the target environment.

The addition of real staff names, direct phone numbers, an active QQ group ID, and an official institutional seal represents the highest level of social engineering fidelity observed in this campaign. A recipient cross-checking any of these details would find them verifiable through open university channels — further eliminating doubt.
Technical Analysis:
After downloading the ZIP file from the email named “常州大学2026年《国家学生体质健康标准》测试通知最终版.zip”, it contains the following files:

A double-extension LNK file masquerading as the expected PDF document. Presented at the root of the archive, this is the first and only file the victim interacts with — clicking it triggers the entire execution chain.

Four levels of nested folders mimicking macOS metadata directory naming conventions. This structure serves a singular purpose — burying the actual payload files deep enough to evade automated archive scanning and casual manual inspection.
Stage1: Analysis of LNK File:
Analysis of the LNK file shows that it carries the trigger for the next layer: execution of the VBS file.

It abuses the legitimate explorer.exe binary to open the VBScript payload buried four folders deep. Passing a .vbs path to explorer.exe makes the shell resolve the file association, so wscript.exe still runs, but as a child of the already-running explorer.exe rather than of the process that launched the shortcut. This living-off-the-land (LOtL) indirection breaks the parent/child lineage that many EDR rules key on when they flag a script host spawned directly from a shortcut.

The LNK file serves as the starting interaction point for the victim and the trigger for the entire execution chain. Despite displaying a PDF icon and carrying a .pdf filename, its properties reveal the full deception.
Stage2: Analysis of VBS:
The VBScript file serves as the central orchestrator of the execution chain — lightweight at just 1KB, but responsible for coordinating both the deception and the malicious execution simultaneously.
The LNK launches a VBS file named “chromedo.vbs”, which contains the following code:

The script builds absolute paths to both the decoy PDF and the Bandizip executable at runtime, relative to its own location, so it works wherever the archive is extracted instead of relying on hardcoded paths that would fail on other systems.
It immediately opens the decoy PDF, so the victim’s attention is held by the legitimate-looking university document while the malicious track runs in parallel.
An 800 ms pause separates the two tracks, long enough for the PDF to render before Bandizip launches, so that the second launch does not stand out to the victim.
If fso.FileExists(bandizipPath) Then
    ' IShellDispatch2.ShellExecute(file, args, dir, verb, vShow); vShow = 1 is SW_SHOWNORMAL
    shellApp.ShellExecute bandizipPath, "", "", "open", 1
End If
The existence check means the script fails quietly if the payload was not extracted alongside it. Note that the final argument, 1, is SW_SHOWNORMAL, not SW_HIDE (0): the call does not itself hide anything. Bandizip.exe is launched like any ordinary application; the stealth comes from the side-loaded DLL that executes inside that process (described in the next stage) while the decoy already holds the victim’s attention.
Stage3: DLL Side Loading:
After the VBScript launched the next-stage binary, the infection chain moved into a DLL side-loading phase designed to blend malicious activity with legitimate application behaviour.
The script launched Bandizip.exe from the hidden directory. Notably, the malicious components were stored within the same hidden folder structure to reduce visibility during execution. Alongside the legitimate executable, the threat actor placed a malicious DLL named ark.x64.dll, a library the application loads by name from its own directory.
On start-up, Bandizip.exe resolves that dependency through the standard Windows DLL search order. Because ark.x64.dll is not a KnownDLL, the application’s own directory is searched before the system directories, so the attacker-controlled ark.x64.dll is loaded into memory under a legitimate process context.
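The chain described in Stages 1 to 3 leaves a recognisable trail in process-creation and image-load telemetry. The following is an added example written for this write-up, not Seqrite’s detection content: two rules over Sysmon-style events (Event ID 1 process creation, Event ID 7 image load), one for a script host parented by explorer.exe that runs a .vbs buried in hidden folders, one for an unsigned DLL loaded from the process’s own non-standard directory, plus a correlation step that raises severity when the side-loading host was itself spawned by the script host. The event records, paths, GUIDs and hidden folder names are constructed, and the path heuristic is ours.

```python
"""Detection logic for explorer.exe -> wscript.exe (hidden-path .vbs) -> Bandizip.exe
-> unsigned ark.x64.dll loaded from the application's own directory.

Added example, not Seqrite's detection content. Records are constructed to
mirror the chain (Sysmon Event ID 1 and 7 field names); paths, GUIDs and the
hidden folder names are hypothetical, and the path heuristic is our own.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Install locations where an unsigned DLL beside the EXE is far less surprising
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VBS_PATH = re.compile(r'"?([a-zA-Z]:\\[^"]+?\.vbs)"?', re.IGNORECASE)

HIDDEN = r"C:\Users\v\Downloads\notice\._meta\._meta\._meta\._meta"  # hypothetical nesting
EVENTS = [
    # Stage 1/2: the shell runs the .vbs named on explorer.exe's command line
    {"EventID": 1, "ProcessGuid": "{W1}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"C:\\Windows\\System32\\WScript.exe" "{HIDDEN}\\chromedo.vbs"'},
    # Stage 3: the script launches Bandizip.exe from the hidden folder
    {"EventID": 1, "ProcessGuid": "{B1}", "ParentProcessGuid": "{W1}",
     "Image": HIDDEN + r"\Bandizip.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": f'"{HIDDEN}\\Bandizip.exe"'},
    # Bandizip.exe loads the attacker's ark.x64.dll from its own directory
    {"EventID": 7, "ProcessGuid": "{B1}", "Image": HIDDEN + r"\Bandizip.exe",
     "ImageLoaded": HIDDEN + r"\ark.x64.dll", "Signed": "false", "Signature": ""},
    # Benign controls (constructed): a user's own script, a normally installed Bandizip
    {"EventID": 1, "ProcessGuid": "{W2}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\v\Desktop\cleanup.vbs"'},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "ImageLoaded": r"C:\Program Files\Bandizip\ark.x64.dll", "Signed": "true", "Signature": "vendor"},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def suspicious_script_path(path):
    """Our heuristic for the nesting seen here: a .vbs under a user profile whose
    path contains three or more dot- or underscore-prefixed directories."""
    parts = path.lower().split("\\")
    hidden_dirs = sum(1 for p in parts[1:-1] if p.startswith((".", "_")))
    return len(parts) > 2 and parts[1] == "users" and hidden_dirs >= 3


def rule_script_host_via_explorer(ev):
    """Stage 1/2: a script host parented by explorer.exe running a buried .vbs."""
    if ev["EventID"] != 1 or _base(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if _base(ev["ParentImage"]) != "explorer.exe":
        return None
    m = VBS_PATH.search(ev["CommandLine"])
    if m and suspicious_script_path(m.group(1)):
        return f"{_base(ev['Image'])} launched via explorer.exe for hidden-path script {m.group(1)}"
    return None


def rule_unsigned_dll_beside_exe(ev):
    """Stage 3: an unsigned DLL loaded from the process's own, non-standard directory."""
    if ev["EventID"] != 7 or ev["Signed"].lower() != "false":
        return None
    exe_dir = _dir(ev["Image"])
    if _dir(ev["ImageLoaded"]) != exe_dir or (exe_dir + "\\").startswith(TRUSTED_PREFIXES):
        return None
    return f"{_base(ev['Image'])} loaded unsigned {_base(ev['ImageLoaded'])} from {exe_dir}"


def detect(events):
    """Apply both rules; raise severity when the side-loading host was itself
    spawned by a script host, i.e. the whole chain is present."""
    procs = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == 1}
    findings = []
    for ev in events:
        hit = rule_script_host_via_explorer(ev) or rule_unsigned_dll_beside_exe(ev)
        if not hit:
            continue
        severity = "medium"
        proc = procs.get(ev["ProcessGuid"])
        parent = procs.get(proc["ParentProcessGuid"]) if proc else None
        if ev["EventID"] == 7 and parent and _base(parent["Image"]) in SCRIPT_HOSTS:
            severity = "high"
            hit += f"; parent {_base(parent['Image'])} ran {parent['CommandLine']}"
        findings.append((severity, hit))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(EVENTS):
        print(f"[{sev}] {msg}")
```

The second rule on its own will fire on legitimately portable applications, which is why the correlation step matters: an archive utility that is launched by wscript.exe and then loads an unsigned DLL from a folder under Downloads is the pattern this campaign leaves, and a user double-clicking a .vbs on their desktop is not.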

Analysis of the DLL shows the exported function CreateArk implementing multiple anti-debugging techniques: timing checks using GetTickCount to detect execution delays, CheckRemoteDebuggerPresent and IsDebuggerPresent, and further debugger and analysis-evasion checks intended to hinder reverse engineering and dynamic analysis.
CreateArk first reconstructs the process names it targets at runtime, writing them into memory allocated via VirtualAlloc through custom decryption loops. This keeps sensitive strings such as process names, API references and analysis-related indicators out of the binary in plaintext, complicating static analysis and signature-based detection. After decryption, the malware holds a list of process names associated with debugging, monitoring and network analysis tools.

To identify analysis environments, the DLL enumerates running processes using Windows APIs including CreateToolhelp32Snapshot, Process32First, and Process32Next. The malware iterates through active processes in a loop and compares each process name against its internally reconstructed blacklist. The targeted entries include tools such as wireshark.exe, procmon.exe, tcpview.exe, dumpcap.exe, fiddler.exe, charles.exe, and several additional reverse engineering and monitoring utilities.

If a matching process is detected, the malware diverts execution toward its anti-analysis routine and terminates execution to avoid running inside monitored or researcher-controlled environments. This behaviour acts as an anti-debugging and sandbox evasion mechanism, reducing the likelihood of successful dynamic analysis and behavioural observation.

SFX-Based Payload Unpacking and Beacon Execution:
After completion of environmental validation routines, the malware transitioned into its staged payload execution phase. The SFX module, co-located with the legitimate executable, was loaded into memory only after successful verification that no debugging interfaces, sandbox artifacts, or endpoint monitoring processes were active.

The DLL decrypts an obfuscated SFX payload at runtime. After decryption, the payload is loaded into process memory and executed directly, without being written to disk. This in-memory loader stage establishes the execution context for the rest of the payload chain.

During execution, the unpacked SFX component tampers with two Windows security mechanisms, AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows). By disrupting runtime scanning, logging and telemetry generation, the malware reduces the effectiveness of antivirus and endpoint detection solutions and lowers visibility during execution and memory inspection.
Following these security bypasses, the SFX payload decrypted the final-stage component entirely in memory, ultimately revealing a Cobalt Strike Beacon. This staged decryption approach ensured that the Beacon payload remained concealed during earlier execution phases and significantly reduced the likelihood of static detection or signature-based identification.

Following decryption, the Cobalt Strike Beacon was loaded directly into memory without requiring a traditional on-disk executable drop. The Beacon initialized its User-Agent configuration and attempted to establish command-and-control (C2) communication for outbound network connectivity. By executing the payload entirely in memory, the malware minimized on-disk artifacts and reduced forensic visibility during execution.
Infrastructural Artefacts & Threat actor Attributions.:
In this section we describe how we uncovered additional campaigns from a simple artefact. Bandizip is a legitimate, widely used archive manager developed by the South Korean company Bandisoft. In isolation it is a trusted, clean utility; in this campaign the threat actor deliberately weaponised it as a LOtL (Living off the Land) host for the side-loaded DLL. Pivoting on the pairing of Bandizip.exe with a co-located malicious DLL, we identified 20 further samples built the same way.

Another artefact we used while hunting this threat actor was the machine ID embedded in the LNK files (the NetBIOS name of the host on which the shortcut was created, stored in the LNK’s tracker data), which was shared across LNKs from several campaigns. Pivoting on it, we identified the following related files.
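Both the Stage 1 triage (a .pdf.lnk whose target is explorer.exe with a .vbs argument) and the pivot on the tracker machine ID above come down to reading a few fields of the shell link format. The following is an added example written for this write-up, not Seqrite’s tooling: a minimal .lnk parser that extracts ShowCommand, relative path, arguments and the TrackerDataBlock machine ID, plus a triage routine that applies those checks. The sample shortcut is built in memory with hypothetical values (host name, GUIDs, folder names, the SW_SHOWMINNOACTIVE setting), so the script runs offline; pass the bytes of a real .lnk to parse_lnk() to use it on samples.

```python
"""Extract the analyst-relevant fields of a Windows shell link (.lnk):
ShowCommand, relative target path, arguments, and the TrackerDataBlock
machine ID that lets LNKs from different campaigns be clustered.

Added example, not Seqrite's tooling. The LNK below is constructed with
hypothetical values so the script runs offline.
"""
import struct
import uuid

# Shell link header constants (MS-SHLLINK)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
TRACKER_DATA_BLOCK = 0xA0000003
SHOW_NAMES = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _read_string(data, off, is_unicode):
    """StringData item: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if is_unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("latin-1"), off + count


def parse_lnk(data):
    """Return a dict of the fields worth triaging; raises on a non-LNK input."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    out = {"show_command": SHOW_NAMES.get(show_cmd, hex(show_cmd)), "machine_id": None}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (4-byte size, self-inclusive)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FIELDS:
        if flags & bit:
            out[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    # ExtraData: repeated (BlockSize, BlockSignature, body), ended by a block with size < 4
    while off + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_DATA_BLOCK and size >= 0x60:
            # body: Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32)
            machine = data[off + 16:off + 32].split(b"\x00", 1)[0]
            out["machine_id"] = machine.decode("ascii", "replace")
            out["volume_droid"] = str(uuid.UUID(bytes_le=data[off + 32:off + 48]))
        off += size
    return out


def build_sample_lnk(machine_id, relative_path, arguments, show_cmd):
    """Construct a minimal LNK (no IDList/LinkInfo) carrying the given fields."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24                                   # three FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, show_cmd, 0, 0, 0, 0)

    def ustr(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    mid = machine_id.encode("ascii")[:15].ljust(16, b"\x00")
    droid = uuid.UUID(int=1).bytes_le + uuid.UUID(int=2).bytes_le  # hypothetical GUIDs
    tracker = struct.pack("<IIII", 0x60, TRACKER_DATA_BLOCK, 0x58, 0) + mid + droid + droid
    return header + ustr(relative_path) + ustr(arguments) + tracker + struct.pack("<I", 0)


def triage(lnk_name, fields, known_machine_ids):
    """Reasons a shortcut resembles this campaign's first stage (heuristics are ours)."""
    reasons = []
    stem = lnk_name.lower().removesuffix(".lnk")
    if stem != lnk_name.lower() and stem.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
        reasons.append("double extension masquerading as a document")
    if (fields.get("relative_path") or "").lower().endswith("explorer.exe") \
            and ".vbs" in (fields.get("arguments") or "").lower():
        reasons.append("explorer.exe used to launch a .vbs (LOtL indirection)")
    if fields["show_command"] == "SW_SHOWMINNOACTIVE":
        reasons.append("window opens minimised without focus")
    if fields.get("machine_id") in known_machine_ids:
        reasons.append(f"machine ID {fields['machine_id']} seen in earlier campaign LNKs")
    return reasons


# Constructed stand-ins: the real sample's folder names, host name and GUIDs are not reproduced
SAMPLE_NAME = "notice.pdf.lnk"
SAMPLE_LNK = build_sample_lnk("desktop-example", r"..\..\..\Windows\explorer.exe",
                              r".\._meta\._meta\._meta\._meta\chromedo.vbs", 7)
KNOWN_MACHINE_IDS = {"desktop-example"}   # populate from your own LNK corpus

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    for key, value in fields.items():
        print(f"{key:14} {value}")
    print("triage:", triage(SAMPLE_NAME, fields, KNOWN_MACHINE_IDS))
```

The machine ID is what makes the pivot described above possible: the tracker block is written by the operating system when the shortcut is created, so an operator who builds LNKs for several campaigns on the same host leaves the same name in each of them unless they scrub it.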

Examining the beacon configurations of these related implants, we found that the samples connect to the same command-and-control infrastructure in AS37963, registered to Hangzhou Alibaba Advertising Co., Ltd. (Alibaba Cloud), as shown below:

Seqrite Labs attributes Operation Dragon Whistle to threat actor UNG002 with Medium-High confidence, based on strong TTP overlap with our previously documented Operation Cobalt Whisper campaign.
In Operation Cobalt Whisper, Seqrite Labs uncovered a campaign heavily leveraging malicious LNK files and obfuscated VBScript as the primary delivery mechanism — the same foundational TTPs observed in the current campaign. The structural consistency across both operations forms the backbone of this attribution.
Pivoting further on the C2 address 60[.]205[.]186[.]162, we observed the following domain resolving to it.

This is consistent with what we anticipated: the threat actor hosts its C2 infrastructure on Alibaba Cloud, China’s dominant cloud provider, in line with UNG002’s previously documented preference for Chinese cloud infrastructure. In Operation Cobalt Whisper the actor used Tencent Cloud (AS45090); here they have moved to Alibaba Cloud (AS37963). Rotating between providers also has the effect of sidestepping any blocking keyed on the earlier ASN.
The C2 infrastructure resolving to lysander[.]asia at 60[.]205[.]186[.]162 (AS37963 — Alibaba Cloud) has been active since 2026-04-06 and remains live and operational as of the date of this report (2026-05-19).

The presence of Feishu (飞书) MX records is a significant attribution signal. Feishu is ByteDance’s enterprise platform used predominantly within China — rarely seen in infrastructure operated by non-Chinese actors.
Both nameservers belong to HiChina (万网) — a subsidiary of Alibaba Cloud specifically serving the Chinese domestic market. Domain registration and DNS management through HiChina requires Chinese identity verification in most cases — further anchoring the actor’s operational base within China.

The timeline confirms this was not opportunistic infrastructure — it was methodically built, verified, and maintained in direct alignment with the campaign’s operational window.
Conclusion: Operation DRAGON WHISTLE?
Operation Dragon Whistle exposes a deliberate expansion of threat actor UNG002’s targeting footprint — moving beyond its previously documented victims into Mainland China’s university population, exploiting a nationally mandated fitness assessment as a high-compliance lure to drive victim execution.
The name reflects the campaign’s two defining traits. Dragon represents the precise geographic and cultural targeting — a Mainland China academic institution, a Chinese national education mandate, a Chinese-speaking victim population. Whistle reflects the campaign’s silent operational nature — a lure that commands attention like a referee’s whistle, while the malware executes and beacons back to its operator without a sound.
A campaign that speaks with institutional authority. A payload that never makes a noise.
Seqrite Coverage:
- Trojan.LoaderCiR
- Trojan.CobaltStrikeCiR
- Lnk.Trojan.50718
- Script.Trojan.50719
IOCs:
| File Name | SHA256 |
|---|---|
| 常州大学2026年《国家学生体质健康标准》测试通知最终版.zip | e7aff6a55a7866776272d9913dfbf9d7db33fc9de6aced22f2a195feebb0e85f |
| 常州大学2026年《国家学生体质健康标准》测试通知.pdf | fe11b199ada23d5ac25efc4215e67f4ff617ccb4d429eb64412072687367ca1c |
| 常州大学2026年《国家学生体质健康标准》测试通知.pdf.lnk | cd99e83d241cfbb41bfcd0bc622a87d16268e710ca7d736d0c5f44774e0056e2 |
|  | eb14d9e35a3bf0a933297f861bee0be9e6b9061fe4573a81ac92b71d55b6474f |
| Bandizip.exe | c937eca7c4c9b98df9257d986e666d25411aac5fa39d21f7018dd2e1663f0c76 |
| ark.x64.dll | 35a478f53f64bd412f374c65360fdba0518749537193669a8fe08d14bed65a2a |
| Cobalt Strike Beacon | ed7087e3afba4b320bdf04f32d3a6c567effd3d18a97682968e567000e70b335 |
C2:
60[.]205[.]186[.]162
MITRE ATT&CK:
| Tactic | Technique Name | Technique ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 |
| Execution | Shared Modules | T1129 |
| Execution | Native API | T1106 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Debugger Evasion | T1622 |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 |
| Defense Evasion | Reflective Code Loading | T1620 |
| Defense Evasion | System Binary Proxy Execution | T1218 |
| Discovery | Process Discovery | T1057 |
| Discovery | Virtualization/Sandbox Evasion: System Checks | T1497.001 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Collection | Data from Local System | T1005 |
Authors:
- Dixit Panchal
- Kartik Jivani
- Vaibhav Krushna Billade


