New Malware Evades Detection With Obfuscation and Staged Delivery

Marcus Rodriguez
April 27, 2026

Key Takeaways

  • A new, sophisticated malware campaign is targeting Pakistani government employees, specifically staff at the Punjab Safe Cities Authority (PSCA) and PPIC3.
  • The attack leverages spear-phishing emails containing malicious Word and PDF attachments that employ obfuscation techniques like VBA stomping and staged payload delivery.
  • The malware establishes persistent remote access, utilizing Microsoft’s legitimate VS Code tunnel service for command-and-control and Discord webhooks for compromise notifications, making detection challenging.
  • The custom-built toolset achieved a perfect malicious score in sandbox tests, with no match to known malware families.
  • Defenders should prioritize blocking unapproved CDN domains, monitoring VS Code tunnel activity, and flagging unusual Discord webhook connections.

Sophisticated Malware Campaign Targets Pakistani Government Entities with Advanced Evasion Tactics

A recently identified malware campaign is actively compromising government personnel in Pakistan. Threat actors are deploying highly targeted spear-phishing emails that combine advanced obfuscation methods with staged payload delivery, specifically designed to bypass conventional security defenses.

Table of Contents

  • Key Takeaways
  • Sophisticated Malware Campaign Targets Pakistani Government Entities with Advanced Evasion Tactics
  • Targeted Impersonation and Dual-Attachment Delivery
  • Deep Analysis Confirms Malicious Intent and Persistence
  • Covert Command and Control via Legitimate Services
  • Multi-Stage Delivery and VBA Stomping Techniques
  • What You Should Do

Targeted Impersonation and Dual-Attachment Delivery

The campaign specifically targeted employees of the Punjab Safe Cities Authority (PSCA) and PPIC3. Attackers impersonated an internal consultant and referenced a seemingly legitimate “Safe Jail Project” to establish credibility. This tactic highlights a growing trend where cybercriminals leverage trusted institutional names to enhance the perceived legitimacy of their attacks.

Each spear-phishing email delivered two distinct malicious attachments: a Microsoft Word document named “CAD Reprot.doc” and a PDF file titled “ANPR Reprot.pdf.” The deliberate misspelling in “CAD Reprot.doc” is a common characteristic of files crafted by threat actors. The “ANPR Reprot.pdf” displayed a simulated Adobe Reader error, prompting users to download a harmful file. Both attachments retrieved their malicious payloads from the same infrastructure hosted on BunnyCDN, a legitimate content delivery network, making the associated network traffic more difficult for security tools to flag as suspicious.

Deep Analysis Confirms Malicious Intent and Persistence

JoeReverser analysts conducted a comprehensive sandbox analysis, assigning the Word document a perfect malicious score of 100 out of 100. Operating at a 95% confidence level, the analysis confirmed the campaign’s primary objective: establishing persistent remote access on compromised systems. Detection signals from various security tools, including Suricata, Sigma, YARA, ReversingLabs (52%), and VirusTotal (56%), corroborated these findings, leaving no doubt regarding the attack’s malicious intent.

Covert Command and Control via Legitimate Services

A particularly concerning aspect of this campaign is its innovative use of Microsoft’s legitimate VS Code tunnel service as a covert command-and-control (C2) channel. After the “code.exe” payload is dropped into a victim’s temporary folder and executed, it routes traffic through Microsoft’s infrastructure, making the malicious communication appear as routine developer activity. Furthermore, the threat actors employed Discord webhooks to receive real-time notifications upon successful system compromise, a low-profile method that effectively bypasses most network-level monitoring tools.

The attack achieved a perfect malicious rating across all sandbox tests, and no match to known malware families was found in Malpedia. This confirms that the threat actors are utilizing a custom-built toolset specifically tailored for this targeted campaign. Joe Sandbox confirmed the entire attack chain through Web IDs 1903908, 1903907, and 1903906, which collectively covered the progression from the initial email to the final PDF payload.

Multi-Stage Delivery and VBA Stomping Techniques

The technical sophistication of this campaign lies in the attacker’s engineering of each delivery stage to evade detection. The Word document leverages a technique known as VBA stomping, where the visible macro source code is completely removed, leaving only the compiled p-code. This allows the hidden malicious logic to execute without triggering alerts from many antivirus solutions that primarily scan the readable macro content.

Once the victim enables content on the intentionally blurred decoy document, the embedded macro’s DownloadAndExfil function runs silently. It uses a COM-based HTTP object to retrieve “code.exe” from the domain adobe-pdfreader.b-cdn.net and writes it to the system’s temporary folder via ADODB.Stream. The PDF attachment opens a parallel infection path: clicking the fake “Update PDF Reader” button triggers an automatic download of an unsigned .NET ClickOnce manifest that mimics legitimate Adobe software. Both infection vectors fetch their payloads from the same infrastructure, giving the attacker two independent opportunities for compromise.

What You Should Do

  • Educate employees to treat any document requesting macro enablement or software updates with extreme caution, especially from unfamiliar or suspicious senders.
  • Implement strict outbound filtering to block connections to CDN domains not explicitly approved for organizational use.
  • Monitor enterprise endpoints for unusual or unauthorized activity related to VS Code tunnel services.
  • Configure network monitoring to flag and block Discord webhook connections originating from non-browser applications.
  • Regularly update and patch all software, operating systems, and security solutions to protect against known vulnerabilities.
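The recommendations above, together with the behaviours described in the macro and C2 sections (an executable dropped into the temporary folder by Word, the BunnyCDN download, the VS Code tunnel and Discord webhook traffic), can be turned into simple detection rules. The following is an added example written for this article, not code from the article or from the analysts it cites; the telemetry is constructed, and the browser set, the VS Code install-directory name and the tunnel endpoint patterns are assumptions to replace with your own inventory.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (process image, parent image, destination host).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "host": "adobe-pdfreader.b-cdn.net"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "host": "global.rel.tunnels.api.visualstudio.com"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\code.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "host": "discord.com"},
    {"image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "parent": r"C:\Windows\explorer.exe",
     "host": "global.rel.tunnels.api.visualstudio.com"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe", "host": "discord.com"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}           # assumption
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
APPROVED_CDN_HOSTS = set()          # placeholder: CDN hostnames you have approved
# Assumed VS Code tunnel endpoint patterns; verify against Microsoft's published list.
TUNNEL_RE = re.compile(r"(\.|^)(tunnels\.api\.visualstudio\.com|devtunnels\.ms)$")
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
APPROVED_VSCODE_DIR = "microsoft vs code"   # assumed install directory name

def classify_event(ev):
    """Return the list of rule names an event trips (empty list means benign)."""
    image = PureWindowsPath(ev["image"])
    name, parent = image.name.lower(), PureWindowsPath(ev["parent"]).name.lower()
    host = ev["host"].lower()
    in_temp = "\\temp\\" in ev["image"].lower()
    hits = []
    if host.endswith(".b-cdn.net") and host not in APPROVED_CDN_HOSTS:
        hits.append("unapproved-cdn")            # BunnyCDN host not on the allowlist
    if TUNNEL_RE.search(host) and APPROVED_VSCODE_DIR not in str(image).lower():
        hits.append("vscode-tunnel-unapproved-binary")  # tunnel from a stray code.exe
    if host in DISCORD_HOSTS and name not in BROWSERS:
        hits.append("discord-non-browser")       # webhook beacon from a non-browser
    if in_temp and parent in OFFICE:
        hits.append("office-spawned-temp-exe")   # Word launched a binary from Temp
    return hits

def run_detection(events):
    """Map event index to rule hits for every event that trips at least one rule."""
    return {i: classify_event(ev) for i, ev in enumerate(events) if classify_event(ev)}

if __name__ == "__main__":
    for idx, hits in run_detection(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["host"], hits)
```

The legitimate VS Code binary opening a tunnel and a browser talking to Discord stay silent, which is the point: the rules key on the process context, not on the destination alone.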
