A newly uncovered cyber campaign dubbed “Operation Dragon Whistle” is targeting China’s education sector with highly tailored spear-phishing attacks that deploy Cobalt Strike beacons via deceptive PDF/LNK files.
The attackers crafted emails that impersonate official university communications, urging students and faculty to review an important testing notice.
The message includes a ZIP attachment named in Chinese to resemble an official document related to fitness assessments, a requirement that directly impacts graduation eligibility. This context creates urgency and significantly increases the likelihood of user interaction.
What distinguishes this campaign is its precision. The phishing emails are not generic but deeply aligned with real university processes.
The decoy document replicates an official notice and even includes verifiable elements such as staff names, contact numbers, institutional seals, and QQ group references. These details suggest either insider knowledge or extensive reconnaissance.
The attack primarily targets students, faculty, administrative staff, and sports department personnel within academic institutions governed by national education policies. By leveraging a compliance-driven process, the attackers effectively manipulate victims into executing the malicious attachment.
Once the ZIP file is opened, the victim encounters a file disguised as a PDF but actually a malicious LNK shortcut. This file initiates a multi-stage execution chain while appearing harmless.
The LNK file abuses the legitimate explorer.exe binary to execute a hidden VBScript file located deep within nested directories. This technique avoids triggering common endpoint detection systems that monitor direct script execution.
Seqrite Labs said in a report shared with GBHackers that the operation focuses specifically on Changzhou University, exploiting the institution’s mandatory 2026 National Student Physical Fitness and Health Standards testing cycle to lure victims.
The VBScript acts as the orchestrator. It simultaneously opens a legitimate-looking decoy PDF to distract the user while silently launching a bundled executable, Bandizip, from a concealed directory. The script includes slight execution delays to ensure the decoy document appears first, masking any suspicious behavior.

The attack then transitions into DLL sideloading. The legitimate Bandizip application loads a malicious DLL named ark.x64.dll due to Windows’ search order behavior. This allows the malware to execute within a trusted process, reducing detection risk.
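The chain described above (a shortcut wearing a .pdf.lnk double extension, explorer.exe launching a VBScript from a nested folder, the script starting Bandizip.exe, and Bandizip.exe loading ark.x64.dll from its own directory) can be turned into host-telemetry heuristics. The following is an added example, not code from Seqrite Labs or GBHackers. It assumes Sysmon-style field names (parent_image, image, command_line), that VBScript runs under wscript.exe or cscript.exe (the report does not name the script host), a list of user-writable path markers, and a nesting-depth threshold; the sample events are constructed.

```python
"""Detection heuristics for the delivery chain in the article
(disguised .pdf.lnk -> explorer.exe -> VBScript -> Bandizip.exe -> ark.x64.dll).

Added example, not Seqrite's or GBHackers' code. The telemetry events are constructed.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Document-looking extensions an attacker places in front of the real .lnk extension
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Assumption: VBScript runs under one of the Windows script hosts (not named in the report)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Names taken from the report: the archive tool abused for sideloading and the malicious DLL
SIDELOAD_HOST = "bandizip.exe"
WATCHED_DLLS = {"ark.x64.dll"}
# Assumption: path components that mark user-writable locations where a sideload is unexpected
USER_WRITABLE_MARKERS = {"appdata", "temp", "downloads", "desktop"}
# Assumption: a .vbs buried more than this many path components deep counts as "nested"
DEEP_PATH_DEPTH = 6


def is_disguised_lnk(file_name: str) -> bool:
    """True for shortcut files wearing a document extension, e.g. 'notice.pdf.lnk'."""
    suffixes = [s.lower() for s in PureWindowsPath(file_name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTENSIONS


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def score_process_event(event: dict) -> list[str]:
    """Return the reasons a process-creation event matches the chain (empty list = not flagged)."""
    reasons: list[str] = []
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")

    # Stage 1: the LNK makes explorer.exe run a script host on a .vbs file
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmdline, re.I):
        reasons.append("explorer.exe started a script host on a VBScript")
        m = re.search(r'([A-Za-z]:\\[^"]+?\.vbs)', cmdline, re.I)
        if m and len(PureWindowsPath(m.group(1)).parts) > DEEP_PATH_DEPTH:
            reasons.append("the VBScript sits in a deeply nested directory")

    # Stage 2: the script host launches the bundled archive tool
    if parent in SCRIPT_HOSTS and image == SIDELOAD_HOST:
        reasons.append("script host spawned Bandizip.exe")
    return reasons


def is_sideload_candidate(exe_path: str, dll_path: str) -> bool:
    """Flag an image load where the archive tool, run from a user-writable folder,
    pulls a watched DLL from its own directory (the search-order sideload)."""
    exe, dll = PureWindowsPath(exe_path), PureWindowsPath(dll_path)
    from_user_dir = bool({p.lower() for p in exe.parts} & USER_WRITABLE_MARKERS)
    return (exe.name.lower() == SIDELOAD_HOST
            and exe.parent == dll.parent
            and dll.name.lower() in WATCHED_DLLS
            and from_user_dir)


def analyze(events: list[dict]) -> dict[int, list[str]]:
    """Run the process heuristics over a batch; maps event index -> reasons, flagged events only."""
    return {i: r for i, e in enumerate(events) if (r := score_process_event(e))}


# Constructed telemetry, not events from the report
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\stu\AppData\Local\Temp\notice\a\b\c\d\run.vbs"'},
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\stu\AppData\Local\Temp\notice\a\b\c\d\Bandizip.exe",
     "command_line": "Bandizip.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "command_line": r'"Acrobat.exe" "C:\Users\stu\Downloads\syllabus.pdf"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Scripts\hello.vbs"},  # shallow admin script: weaker signal
]

if __name__ == "__main__":
    for idx, why in analyze(SAMPLE_EVENTS).items():
        print(idx, "->", "; ".join(why))
    print(is_disguised_lnk("常州大学2026年《国家学生体质健康标准》测试通知.pdf.lnk"))
```

The fourth sample event shows why the depth check matters: a user double-clicking a shallow administrative .vbs trips only the explorer.exe-to-script-host rule, so an alert should weight the number of reasons rather than fire on any single one.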
PDF LNK Files Deploy Cobalt Strike
The malicious DLL employs advanced anti-analysis techniques, including debugger detection and process monitoring. It checks for tools like Wireshark, Procmon, and Fiddler, and halts execution if such environments are detected.
The SFX module, co-located with the legitimate executable, was loaded into memory only after successful verification that no debugging interfaces, sandbox artifacts, or endpoint monitoring processes were active.


After validation, the malware decrypts an embedded payload in memory using a self-extracting archive mechanism. It bypasses security controls such as AMSI and ETW, limiting visibility to antivirus and endpoint detection tools.
The final payload is a Cobalt Strike Beacon, which is loaded directly into memory without touching disk. It establishes communication with a command-and-control server hosted on Alibaba Cloud infrastructure. This fileless execution approach significantly reduces forensic traces.
Seqrite Labs attributes the campaign to threat actor UNG0002 with medium to high confidence, citing strong similarities with a previously documented campaign known as Operation Cobalt Whisper. Both operations rely heavily on LNK-based delivery and VBScript execution.
Infrastructure analysis reveals the use of Alibaba Cloud-hosted servers, specifically the IP address 60.205.186.162 linked to the domain lysander[.]asia. The presence of Chinese service providers such as HiChina and Feishu further supports attribution to a China-based actor.
Operation Dragon Whistle highlights the increasing sophistication of targeted attacks in the education sector, where cultural and institutional awareness is weaponized to maximize success.
IOCs
| File Name | SHA256 |
| --- | --- |
| 常州大学2026年《国家学生体质健康标准》测试通知最终版.zip | e7aff6a55a7866776272d9913dfbf9d7db33fc9de6aced22f2a195feebb0e85f |
| 常州大学2026年《国家学生体质健康标准》测试通知.pdf | fe11b199ada23d5ac25efc4215e67f4ff617ccb4d429eb64412072687367ca1c |
| 常州大学2026年《国家学生体质健康标准》测试通知.pdf.lnk | cd99e83d241cfbb41bfcd0bc622a87d16268e710ca7d736d0c5f44774e0056e2 |
| (file name not given in the report) | eb14d9e35a3bf0a933297f861bee0be9e6b9061fe4573a81ac92b71d55b6474f |
| Bandizip.exe | c937eca7c4c9b98df9257d986e666d25411aac5fa39d21f7018dd2e1663f0c76 |
| ark.x64.dll | 35a478f53f64bd412f374c65360fdba0518749537193669a8fe08d14bed65a2a |
| Cobalt Strike Beacon | ed7087e3afba4b320bdf04f32d3a6c567effd3d18a97682968e567000e70b335 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
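A practical way to use the table and the network indicators above is a small sweep script that hashes files on disk against the published SHA256 values and keeps the IP and domain defanged until they are compared against log data. The following is an added example, not tooling from Seqrite Labs or GBHackers. The hashes, the IP and the domain are the ones published in this article; the files that demo() scans, and the observed-host list in the usage note, are constructed so the code runs offline.

```python
"""Match files on disk against the report's SHA256 IOCs and handle defanged indicators.

Added example, not Seqrite's or GBHackers' tooling. The hashes and network indicators are
the ones published in the article; the files created in demo() are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the IOC table, mapped to the artifact each identifies
IOC_SHA256 = {
    "e7aff6a55a7866776272d9913dfbf9d7db33fc9de6aced22f2a195feebb0e85f": "phishing ZIP attachment",
    "fe11b199ada23d5ac25efc4215e67f4ff617ccb4d429eb64412072687367ca1c": "decoy PDF",
    "cd99e83d241cfbb41bfcd0bc622a87d16268e710ca7d736d0c5f44774e0056e2": "malicious .pdf.lnk",
    "eb14d9e35a3bf0a933297f861bee0be9e6b9061fe4573a81ac92b71d55b6474f": "unnamed artifact in the table",
    "c937eca7c4c9b98df9257d986e666d25411aac5fa39d21f7018dd2e1663f0c76": "Bandizip.exe",
    "35a478f53f64bd412f374c65360fdba0518749537193669a8fe08d14bed65a2a": "ark.x64.dll",
    "ed7087e3afba4b320bdf04f32d3a6c567effd3d18a97682968e567000e70b335": "Cobalt Strike Beacon",
}
# Network indicators as published; kept defanged at rest, per the note above
IOC_NETWORK = {"60[.]205[.]186[.]162", "lysander[.]asia"}


def refang(indicator: str) -> str:
    """Restore a '[.]'-defanged IP or domain for comparison inside a controlled platform."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang an IP or domain so it neither resolves nor hyperlinks when pasted into a report."""
    return indicator.replace(".", "[.]")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, iocs: dict[str, str] = IOC_SHA256) -> list[tuple[str, str, str]]:
    """Hash every regular file under root; return (path, sha256, label) for each IOC hit."""
    hits: list[tuple[str, str, str]] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            h = sha256_file(p)
            if h in iocs:
                hits.append((str(p), h, iocs[h]))
    return hits


def network_matches(observed_hosts: list[str]) -> set[str]:
    """Compare hosts seen in DNS/proxy logs (fanged form) against the defanged network IOCs."""
    wanted = {refang(i) for i in IOC_NETWORK}
    return {host for host in observed_hosts if host in wanted}


def demo() -> dict:
    """Build two constructed files in a temp dir and scan them.

    The published hashes alone match nothing on a clean machine, so the digest of one
    constructed file is planted into a copy of the IOC set to show what a hit looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "syllabus.txt").write_bytes(b"constructed benign content\n")
        planted = root / "notice" / "sample.bin"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed sample standing in for a known-bad file\n")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(planted)] = "constructed test indicator"
        hits = scan_directory(root, iocs)
        published_only = scan_directory(root)
    return {
        "hits": [(Path(p).name, label) for p, _, label in hits],
        "published_only": published_only,
    }


if __name__ == "__main__":
    print(demo())
    print(network_matches(["lysander.asia", "example.com"]))  # constructed observed hosts
```

Feed scan_directory() a mail-attachment quarantine or user Downloads folder and network_matches() the distinct hosts from a DNS or proxy export; the indicators stay defanged in the source file and are only refanged at comparison time, which is what the note above asks for.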

