Hackers Evade Scanners with Malware in Nested macOS Folders
New research reveals hackers are concealing Windows malware within deeply nested folders that imitate macOS system paths. This allows malicious payloads to evade security scanners and appear as harmless archives. This sophisticated tactic, detailed in a recent report, presents a fresh challenge for detection systems.
By burying their tools several layers deep, the attackers aim to slip past automated scanning and casual inspection during routine email use. The result is a stealthy infection chain that starts with a simple zip file and ends with full malware control in memory.
In a recent campaign, attackers targeted students and staff at Changzhou University in China using carefully crafted spear phishing emails that mimicked official notices about mandatory fitness assessments.
The messages carried a zip attachment with a convincing Chinese filename that referred to national student physical fitness and health standards, raising the perceived urgency and legitimacy for recipients.
Once opened, the archive presented a fake document that closely matched real university paperwork while quietly setting the stage for malware execution behind the scenes.
Security analysts from Seqrite documented how this operation layered its deception, from the zip attachment to the final payload, in a detailed technical report.
Seqrite Labs has been closely monitoring targeted spear phishing campaigns worldwide and identified this one as part of a broader pattern focused on educational institutions and academic bodies.
In their assessment, the campaign shows a clear understanding of university culture and administrative pressure points, particularly around compulsory testing and graduation requirements.
According to the report, the attackers impersonated university administrators with precise subject lines and email content that aligned with real fitness testing schedules.
Students were urged to download and open the attached zip, believing it contained a final version of the official testing notice. The combination of institutional branding, detailed references to procedures, and urgency around graduation created a strong social engineering lure that many would find hard to ignore.
Seqrite said in a report shared with Cyber Security News (CSN) that this operation, which they refer to as “Operation Dragon Whistle,” represents a deliberate expansion of a known threat actor’s focus into mainland China’s university population.
Researchers linked the activity to a group they track as UNG0002, based on overlaps with an earlier campaign called Operation Cobalt Whisper that also relied on malicious LNK files and obfuscated VBScript.
The name Dragon Whistle reflects both the cultural and geographic targeting and the quiet but persistent nature of the malware’s behavior once deployed.
Nested macOS-like folders hide payloads
At the heart of the campaign is a clever trick inside the malicious zip file: four levels of nested folders that imitate macOS metadata directories.
This structure is designed to bury the actual payload files deep enough that many antivirus engines and archive viewers will not inspect them closely, while also discouraging users from digging into the folder tree.

The infection chain shows this nested layout, where the visible contents seem minimal but the real danger lies several directories down.
The outer layer presents a double-extension LNK file that poses as a PDF document, complete with a PDF icon and filename that suggests it is the official fitness testing notice.
When the user clicks this file, it abuses the legitimate Windows Explorer process to execute a VBScript payload that has been hidden within the nested folders, rather than launching an obvious script interpreter that security tools might flag.
This living-off-the-land approach lets the malware blend into normal system activity while it prepares the next stages of the attack. The VBScript file, named “chromedo.vbs,” handles both the user deception and the malware execution.
It constructs paths to a decoy PDF and to a separate executable called “Bandizip.exe,” then opens the real-looking document so the victim remains focused on the content while the executable runs silently in the background.
By adding a brief delay between these actions, the script ensures the decoy appears smoothly without visible glitches that might arouse suspicion.
Once Bandizip.exe launches, the infection chain shifts into a DLL side-loading phase. The attackers place a malicious DLL named “ark_x86.dll” in the same hidden directory as the legitimate executable; because Windows searches an application's own directory before the system directories, the program loads the attacker-controlled library in place of the legitimate one it expects to find.
Inside this DLL, the exported function “CreateArk” deploys multiple anti-debugging checks and decryption routines that eventually unpack and run an in-memory Cobalt Strike beacon without leaving a conventional executable on disk.
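The archive layout described in this section is something a mail gateway or analyst can check for directly. The following is an added example, not Seqrite's tooling and not the attackers' code: it walks every entry of a zip regardless of nesting depth and flags the traits reported above (deep nesting, macOS-looking directory names, a shortcut with a document double extension, a script buried in the tree, and an executable beside a DLL in the same directory). The directory names in `MACOS_LIKE`, the depth threshold and the sample archive are assumptions constructed here for illustration; the report does not reproduce the exact directory names.

```python
"""Triage a zip attachment for the nested-folder layering described above.

Added example, not Seqrite's tooling and not the attackers' code. Directory
names in MACOS_LIKE, the depth threshold and the sample archive are
assumptions built here for illustration.
"""
import io
import posixpath
import zipfile
from collections import defaultdict

MAX_DEPTH = 2                       # nesting deeper than this is unusual for a one-page notice
MACOS_LIKE = {"__macosx", ".ds_store", "library", "contents", "resources"}  # assumed names
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_zip(data: bytes, max_depth: int = MAX_DEPTH) -> dict:
    """Return {finding: [entry paths]} for every file entry in the archive.

    Archive viewers that stop at the top level never see the nested entries;
    infolist() lists all of them, however deep they sit.
    """
    findings = defaultdict(list)
    exts_by_dir = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            *dirs, name = path.split("/")
            if len(dirs) > max_depth:
                findings["deep_nesting"].append(path)
            if any(d.lower() in MACOS_LIKE for d in dirs):
                findings["macos_like_dir"].append(path)
            stem, ext = posixpath.splitext(name.lower())
            if ext == ".lnk":
                # "notice.pdf.lnk": the inner extension is what the victim sees
                if posixpath.splitext(stem)[1] in DOC_EXT:
                    findings["double_extension_lnk"].append(path)
                else:
                    findings["lnk"].append(path)
            if ext in SCRIPT_EXT:
                findings["script"].append(path)
            exts_by_dir["/".join(dirs)].add(ext)
    # an .exe and a .dll in the same directory is the side-loading setup
    for directory, exts in exts_by_dir.items():
        if ".exe" in exts and ".dll" in exts:
            findings["exe_dll_pair"].append(directory)
    return dict(findings)


def is_suspicious(findings: dict) -> bool:
    """A shortcut posing as a document, or a script plus an exe/dll pair buried
    in the tree, is enough to hold the attachment for analysis."""
    return bool(findings.get("double_extension_lnk")) or (
        bool(findings.get("exe_dll_pair")) and bool(findings.get("script"))
    )


def build_sample() -> bytes:
    """Constructed archive mirroring the reported layout: file names are from
    the report, directory names are assumed, contents are placeholder bytes."""
    buf = io.BytesIO()
    stage = "__MACOSX/Library/Contents/Resources/"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf.lnk", b"L\x00\x00\x00")          # shortcut shown with a PDF icon
        zf.writestr(stage + "chromedo.vbs", b"' placeholder")
        zf.writestr(stage + "notice.pdf", b"%PDF-1.4 placeholder")  # decoy document
        zf.writestr(stage + "Bandizip.exe", b"MZ placeholder")      # legitimate host binary
        zf.writestr(stage + "ark_x86.dll", b"MZ placeholder")       # side-loaded DLL
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample())
    for finding, paths in sorted(result.items()):
        print(f"{finding:22s} {paths}")
    print("suspicious:", is_suspicious(result))
```

The check is deliberately structural: it needs no signatures for chromedo.vbs or ark_x86.dll, so a renamed payload in the same kind of layout still trips it, and a real gateway would feed the flagged entries to a sandbox rather than rely on names alone.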
Wider campaign, infrastructure and defenses
Seqrite’s investigation found that this was not an isolated incident but part of a wider set of operations using similar LNK files, nested folder structures, and Bandizip side loading to deliver Cobalt Strike-based payloads.
By pivoting on machine identifiers present in multiple LNK files and examining beacon traffic, the researchers identified overlapping infrastructure and staging patterns that tie several campaigns together.
They also noted that the attackers appear to refine their social engineering and technical methods over time as they move from one target set to another.
The final beacon stages connect to a command and control server associated with an autonomous system registered to Alibaba’s advertising network in Hangzhou, using infrastructure that has remained active over an extended period.
Domain registration and DNS records point to providers serving the Chinese domestic market, including HiChina and Feishu, suggesting the attackers deliberately anchor their operations inside regional cloud ecosystems.
This makes simple IP or ASN blocking less effective, as it risks collateral damage to legitimate services hosted on the same platforms.

The malware is packed with anti-analysis techniques aimed at frustrating defenders, including checks for debugging tools, network analyzers, and monitoring utilities such as Wireshark, Procmon, and other reverse engineering programs.
If these processes are detected, the malware diverts execution into anti-analysis routines and terminates rather than continuing the infection chain, reducing the chance that researchers can observe its full behavior in controlled environments.
The beacon also tampers with Windows security scanning interfaces and Event Tracing for Windows (ETW) to weaken runtime scanning and logging, trading some stability for reduced visibility.
In terms of defense, Seqrite’s report stresses that organizations should treat unexpected zip attachments, especially those involving fitness tests, policy updates, or exam notices, with extra caution even when they appear to come from trusted institutions.
Security teams are advised to tighten email filtering for archives containing LNK files, increase inspection depth for nested folders, and monitor for unusual use of utilities like Bandizip alongside DLLs with uncommon names.
Endpoint monitoring that focuses on in-memory behavior, DLL side loading patterns, and known Cobalt Strike indicators can also help detect this family of attacks before they fully establish a foothold.
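The monitoring advice above can be expressed as concrete rules over endpoint telemetry. What follows is an added example, not Seqrite's detection content: two rules over Sysmon-style process-create (event 1) and image-load (event 7) records, one for Explorer launching a script host on a script that lives in the Temp area where archive contents are unpacked, one for Bandizip.exe loading a DLL from its own directory outside a normal install root, plus a per-host correlation that raises a single chain alert when both stages appear within a short window. The records, host names, users and paths are constructed for illustration; the field names follow Sysmon, and the `Temp1_<archive>` extraction directory is the name Explorer's built-in zip handling uses when a user opens a file from inside an archive.

```python
"""Detection pass over constructed endpoint telemetry for the chain described
above. Added example, not Seqrite's detection content; hosts, users and paths
are invented, field names follow Sysmon (event 1 process create, event 7
image load).
"""
import json
import re
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf))\b', re.I)
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")     # assumed normal install roots

# Explorer unpacks a file opened from inside a zip under %TEMP%\Temp1_<archive>\...
STAGE = r"C:\Users\stu\AppData\Local\Temp\Temp1_notice.zip\__MACOSX\Library\Contents\Resources"
_RECORDS = [  # constructed telemetry
    {"UtcTime": "2025-01-10 02:00:00", "Computer": "lab-pc1", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": rf'"C:\Windows\System32\wscript.exe" "{STAGE}\chromedo.vbs"'},
    {"UtcTime": "2025-01-10 02:00:03", "Computer": "lab-pc1", "EventID": 1,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": rf"{STAGE}\Bandizip.exe", "CommandLine": rf'"{STAGE}\Bandizip.exe"'},
    {"UtcTime": "2025-01-10 02:00:04", "Computer": "lab-pc1", "EventID": 7,
     "Image": rf"{STAGE}\Bandizip.exe", "ImageLoaded": rf"{STAGE}\ark_x86.dll", "Signed": "false"},
    # benign: a normally installed Bandizip loading a DLL from its install directory (name illustrative)
    {"UtcTime": "2025-01-10 02:05:00", "Computer": "lab-pc2", "EventID": 7,
     "Image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "ImageLoaded": r"C:\Program Files\Bandizip\ark_x64.dll", "Signed": "true"},
    # benign: a user double-clicking a script that sits on the desktop
    {"UtcTime": "2025-01-10 02:06:00", "Computer": "lab-pc3", "EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ops\Desktop\cleanup.vbs"'},
]
SAMPLE_LINES = [json.dumps(r) for r in _RECORDS]   # JSON lines, as a SIEM would ship them


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rule_script_from_archive_temp(ev):
    """Explorer -> wscript/cscript on a script living under the Temp extraction area."""
    if ev["EventID"] != 1 or _base(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if _base(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    m = SCRIPT_RE.search(ev.get("CommandLine", ""))
    if not m or "\\appdata\\local\\temp\\" not in m.group(1).lower():
        return None
    return {"rule": "script_from_archive_temp", "detail": m.group(1)}


def rule_sideload_bandizip(ev):
    """Bandizip.exe loading a DLL from its own directory when that directory is
    not a normal install root: the search-order abuse described in the report."""
    if ev["EventID"] != 7 or _base(ev["Image"]) != "bandizip.exe":
        return None
    dll = ev["ImageLoaded"]
    if not dll.lower().endswith(".dll") or _dir(dll) != _dir(ev["Image"]):
        return None
    if _dir(dll).startswith(TRUSTED_DIRS):
        return None
    return {"rule": "sideload_bandizip", "detail": f"{_base(dll)} signed={ev.get('Signed')}"}


def detect(lines, window_s=120):
    """Run both rules over JSON lines; add a chain alert when one host shows
    both stages within window_s seconds."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        for rule in (rule_script_from_archive_temp, rule_sideload_bandizip):
            hit = rule(ev)
            if hit:
                alerts.append({**hit, "host": ev["Computer"], "time": ev["UtcTime"]})
    by_host = defaultdict(dict)
    for a in alerts:
        by_host[a["host"]][a["rule"]] = _ts(a["time"])
    for host, stages in by_host.items():
        if "script_from_archive_temp" in stages and "sideload_bandizip" in stages:
            gap = (stages["sideload_bandizip"] - stages["script_from_archive_temp"]).total_seconds()
            if 0 <= gap <= window_s:
                alerts.append({"rule": "sideload_chain", "host": host,
                               "time": max(stages.values()).strftime("%Y-%m-%d %H:%M:%S"),
                               "detail": f"both stages within {gap:.0f}s"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(a["time"], a["host"], a["rule"], a["detail"])
```

Neither rule depends on the file names reported here: the first keys on where the script was unpacked from, the second on Bandizip.exe loading any DLL from a non-standard directory, so the same pair would fire on a renamed payload. The correlation step is what turns two medium-confidence signals into one alert worth paging on.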
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.