New Malware Evades Detection With Obfuscation and Staged Delivery
Key Takeaways
- A new, sophisticated malware campaign is targeting Pakistani government employees, specifically staff at the Punjab Safe Cities Authority (PSCA) and PPIC3.
- The attack leverages spear-phishing emails containing malicious Word and PDF attachments that employ obfuscation techniques like VBA stomping and staged payload delivery.
- The malware establishes persistent remote access, utilizing Microsoft’s legitimate VS Code tunnel service for command-and-control and Discord webhooks for compromise notifications, making detection challenging.
- The custom-built toolset achieved a perfect malicious score in sandbox tests, with no match to known malware families.
- Defenders should prioritize blocking unapproved CDN domains, monitoring VS Code tunnel activity, and flagging unusual Discord webhook connections.
Sophisticated Malware Campaign Targets Pakistani Government Entities with Advanced Evasion Tactics
A recently identified malware campaign is actively compromising government personnel in Pakistan. Threat actors are deploying highly targeted spear-phishing emails that combine advanced obfuscation methods with staged payload delivery, specifically designed to bypass conventional security defenses.
Table of Contents
- Key Takeaways
- Sophisticated Malware Campaign Targets Pakistani Government Entities with Advanced Evasion Tactics
- Targeted Impersonation and Dual-Attachment Delivery
- Deep Analysis Confirms Malicious Intent and Persistence
- Covert Command and Control via Legitimate Services
- Multi-Stage Delivery and VBA Stomping Techniques
- What You Should Do
Targeted Impersonation and Dual-Attachment Delivery
The campaign specifically targeted employees of the Punjab Safe Cities Authority (PSCA) and PPIC3. Attackers impersonated an internal consultant and referenced a seemingly legitimate “Safe Jail Project” to establish credibility. This tactic highlights a growing trend where cybercriminals leverage trusted institutional names to enhance the perceived legitimacy of their attacks.
Each spear-phishing email delivered two distinct malicious attachments: a Microsoft Word document named “CAD Reprot.doc” and a PDF file titled “ANPR Reprot.pdf.” The deliberate misspelling in “CAD Reprot.doc” is a common characteristic of files crafted by threat actors. The “ANPR Reprot.pdf” displayed a simulated Adobe Reader error, prompting users to download a harmful file. Both attachments retrieved their malicious payloads from the same infrastructure hosted on BunnyCDN, a legitimate content delivery network, making the associated network traffic more difficult for security tools to flag as suspicious.
Deep Analysis Confirms Malicious Intent and Persistence
JoeReverser analysts conducted a comprehensive sandbox analysis, assigning the Word document a perfect malicious score of 100 out of 100. Operating at a 95% confidence level, the analysis confirmed the campaign’s primary objective: establishing persistent remote access on compromised systems. Detection signals from various security tools, including Suricata, Sigma, YARA, ReversingLabs (52%), and VirusTotal (56%), corroborated these findings, leaving no doubt regarding the attack’s malicious intent.
Covert Command and Control via Legitimate Services
A particularly concerning aspect of this campaign is its innovative use of Microsoft’s legitimate VS Code tunnel service as a covert command-and-control (C2) channel. After the “code.exe” payload is dropped into a victim’s temporary folder and executed, it routes traffic through Microsoft’s infrastructure, making the malicious communication appear as routine developer activity. Furthermore, the threat actors employed Discord webhooks to receive real-time notifications upon successful system compromise, a low-profile method that effectively bypasses most network-level monitoring tools.
The attack achieved a perfect malicious rating across all sandbox tests, and no match to known malware families was found in Malpedia. This confirms that the threat actors are utilizing a custom-built toolset specifically tailored for this targeted campaign. Joe Sandbox confirmed the entire attack chain through Web IDs 1903908, 1903907, and 1903906, which collectively covered the progression from the initial email to the final PDF payload.
Multi-Stage Delivery and VBA Stomping Techniques
The technical sophistication of this campaign lies in the attacker’s engineering of each delivery stage to evade detection. The Word document leverages a technique known as VBA stomping, where the visible macro source code is completely removed, leaving only the compiled p-code. This allows the hidden malicious logic to execute without triggering alerts from many antivirus solutions that primarily scan the readable macro content.
Once a victim enables content on the blurred document, the embedded macro’s DownloadAndExfil function silently activates. It uses a COM-based HTTP object to retrieve “code.exe” from the domain adobe-pdfreader.b-cdn.net and writes it to the system’s temporary folder via ADODB.Stream. The PDF attachment provides a parallel infection path: clicking the fake “Update PDF Reader” button triggers an automatic download of an unsigned .NET ClickOnce manifest that mimics legitimate Adobe software. Both infection vectors fetch their payloads from the same infrastructure, giving the attacker two independent opportunities for compromise.
What You Should Do
- Educate employees to treat any document requesting macro enablement or software updates with extreme caution, especially from unfamiliar or suspicious senders.
- Implement strict outbound filtering to block connections to CDN domains not explicitly approved for organizational use.
- Monitor enterprise endpoints for unusual or unauthorized activity related to VS Code tunnel services.
- Configure network monitoring to flag and block Discord webhook connections originating from non-browser applications.
- Regularly update and patch all software, operating systems, and security solutions to protect against known vulnerabilities.
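The endpoint and network checks that the monitoring recommendations above call for (unapproved CDN domains, VS Code tunnel activity, Discord webhook connections from non-browser processes), together with the Office-writes-executable-to-Temp step from the macro analysis, expressed as rule logic over constructed telemetry. This is an added Python example, not code from the article or from any vendor tool. The event schema, rule names, endpoint names, file paths and the allow-listed CDN host are assumptions; adobe-pdfreader.b-cdn.net is the domain named in the article, and the webhook ID and token are placeholders.

```python
"""Rule-based detection for the behaviours described in the article (added example)."""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse
import ntpath

# Constructed allow-list: CDN hosts explicitly approved for organisational use.
APPROVED_CDN_HOSTS = {"approved-assets.b-cdn.net"}
# CDN suffixes subject to the allow-list; extend for other CDNs in use.
CDN_SUFFIXES = (".b-cdn.net",)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


@dataclass
class Event:
    kind: str    # "file" (file written), "process" (process created), "network" (outbound HTTP)
    host: str    # endpoint name
    image: str   # full path of the acting process
    detail: str  # file: path written; process: command line; network: URL requested


Alert = Tuple[str, str, str]  # (rule id, endpoint, description)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_temp(path: str) -> bool:
    # Matches %TEMP% locations such as C:\Users\<u>\AppData\Local\Temp\...
    return "\\temp\\" in path.lower()


def is_discord_webhook(url: str) -> bool:
    u = urlparse(url)
    return u.hostname in WEBHOOK_HOSTS and u.path.startswith("/api/webhooks/")


def is_unapproved_cdn(url: str) -> bool:
    h = (urlparse(url).hostname or "").lower()
    return h.endswith(CDN_SUFFIXES) and h not in APPROVED_CDN_HOSTS


def detect(events: List[Event]) -> List[Alert]:
    """Apply the four rules to a stream of events and return the alerts raised."""
    alerts: List[Alert] = []
    for e in events:
        proc = basename(e.image)
        if e.kind == "file":
            # Office application writing an executable into a Temp folder.
            if proc in OFFICE_APPS and e.detail.lower().endswith(".exe") and in_temp(e.detail):
                alerts.append(("OFFICE_DROPS_EXE", e.host, f"{proc} wrote {e.detail}"))
        elif e.kind == "process" and proc == "code.exe":
            # code.exe running from Temp rather than an install location.
            if in_temp(e.image):
                alerts.append(("CODE_EXE_FROM_TEMP", e.host, f"code.exe launched from {e.image}"))
            # Any use of the tunnel subcommand is reviewed, wherever code.exe lives.
            if "tunnel" in e.detail.lower().split():
                alerts.append(("VSCODE_TUNNEL", e.host, f"VS Code tunnel started: {e.detail}"))
        elif e.kind == "network":
            if is_discord_webhook(e.detail) and proc not in BROWSERS:
                alerts.append(("DISCORD_WEBHOOK_NONBROWSER", e.host, f"{proc} -> {e.detail}"))
            if is_unapproved_cdn(e.detail):
                alerts.append(("UNAPPROVED_CDN", e.host, f"{proc} -> {e.detail}"))
    return alerts


# Constructed sample telemetry: one compromised endpoint (ws-01) and benign activity (ws-02).
SAMPLE_EVENTS = [
    Event("file", "ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\alice\AppData\Local\Temp\code.exe"),
    Event("network", "ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "https://adobe-pdfreader.b-cdn.net/code.exe"),
    Event("process", "ws-01", r"C:\Users\alice\AppData\Local\Temp\code.exe", "code.exe tunnel"),
    Event("network", "ws-01", r"C:\Users\alice\AppData\Local\Temp\code.exe",
          "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"),
    Event("process", "ws-02", r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
          "Code.exe --new-window"),
    Event("network", "ws-02", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
          "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"),
    Event("network", "ws-02", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
          "https://approved-assets.b-cdn.net/app.js"),
]

if __name__ == "__main__":
    for rule, host, desc in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {desc}")
```

Running the block prints five alerts, all on ws-01, while the legitimate VS Code launch, the browser-originated webhook call and the allow-listed CDN fetch on ws-02 stay silent; the same predicates translate directly into Sigma or EDR query conditions.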
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.