GBHackers

New Malware Hides Behind Obfuscation and Staged Payloads


A newly identified malware campaign is leveraging advanced obfuscation techniques and multi-stage payload delivery to bypass traditional security defenses, according to recent analysis from Joe Sandbox.

The attack begins with a highly targeted spear-phishing email sent to employees of the Punjab Safe Cities Authority (PSCA) and PPIC3 in Pakistan.

The email impersonates an internal consultant and references a credible infrastructure initiative titled the “Safe Jail Project,” increasing the likelihood of user interaction.

To enhance urgency and legitimacy, the email is marked as high priority and includes a read receipt request.

It contains two malicious attachments: a Word document named “CAD Reprot.doc” and a PDF file “ANPR Reprot.pdf,” both deliberately misspelled to mimic rushed internal communications.

The attack, which primarily targets government-linked organizations, highlights a growing trend of threat actors abusing legitimate services and layered infection chains to remain undetected.

Multi-Stage Infection Chain

The Word document contains a malicious VBA macro that executes only when users enable content. Once activated, the macro downloads a payload named “code.exe” from a BunnyCDN-hosted domain using the IServerXMLHTTPRequest2 object.

Notably, the macro employs VBA stomping, a technique in which the human-readable VBA source stored in the document is replaced while the compiled P-code that Office actually executes keeps the malicious logic, so static analysis tools that read only the source see benign or empty code.

Simultaneously, the attached PDF serves as a secondary vector of infection. It displays a fake Adobe Reader error message prompting users to “Update PDF Reader.”

Clicking the button triggers a drive-by download of a malicious ClickOnce application named “Adobe.application,” which fetches a secondary payload disguised as “Adobe.exe.”

One of the most sophisticated aspects of this campaign is its use of legitimate platforms for command-and-control (C2) communication.

The malware executes “code.exe” with parameters that establish a persistent connection via Microsoft’s Visual Studio Code tunnel service. This allows attackers to maintain remote access while blending malicious traffic with trusted infrastructure.

Additionally, the malware uses Discord webhooks to exfiltrate data. Functions embedded in the payload send execution status and potentially sensitive information to attacker-controlled Discord channels, further complicating detection at the network level.

Evasion and Persistence Techniques

The malware incorporates several evasion strategies to avoid detection and analysis:

  • Process enumeration using tasklist.exe to detect existing instances or sandbox environments.
  • Unsigned ClickOnce manifests with null public key tokens to bypass trust checks.
  • Typosquatted file names and Adobe branding impersonation to deceive users.
  • Automatic payload delivery via CDN-hosted infrastructure, reducing reliance on suspicious domains.

These techniques, combined with staged payload delivery, make the malware highly resilient against conventional antivirus and endpoint detection systems.

Security analysis assigns the sample a 100/100 malicious score with a 95% confidence level. Multiple detection engines, including Suricata, Sigma, YARA, and VirusTotal, corroborate the findings.

The presence of functional macro-based downloaders, confirmed payload execution, and attacker-controlled infrastructure leaves little room for false positives.

This campaign underscores a broader shift in attacker tactics, where legitimate services such as Microsoft VS Code tunnels and Discord are increasingly weaponized.

Organizations are advised to turn off macros by default, monitor unusual use of developer tools like VS Code tunnels, and implement advanced behavioral detection systems to identify suspicious activity across endpoints and networks.
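The monitoring advice above, as an added example that is not part of the article or the Joe Sandbox report: a small Python hunt over constructed endpoint telemetry (process creation records with parent, image, command line and destination host) that flags the behaviours described in this chain. The event fields, file paths and the Discord webhook URL are constructed placeholders, not indicators from the report.

```python
"""Flag the behaviours described in the campaign in constructed endpoint telemetry."""
import re

# Constructed sample events modelled on the chain in the article (not real captures).
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": 'tasklist.exe /FI "IMAGENAME eq code.exe"', "dest": ""},
    {"id": 2, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms", "dest": ""},
    {"id": 3, "parent": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\Adobe.exe",
     "cmdline": "Adobe.exe", "dest": "discord.com/api/webhooks/000000/PLACEHOLDER"},
    # Benign control: an interactive VS Code launch from Explorer must not fire.
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": '"Code.exe" C:\\src\\proj', "dest": ""},
]

OFFICE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|Temp)\\", re.I)
DISCORD_WEBHOOK = re.compile(r"discord(app)?\.com/api/webhooks/", re.I)


def check(ev):
    """Return the list of rule names a single event matches."""
    hits = []
    # Macro-driven process enumeration: Office spawning tasklist.exe.
    if OFFICE.search(ev["parent"]) and ev["image"].lower().endswith("\\tasklist.exe"):
        hits.append("office_spawns_tasklist")
    # Macro downloader: Office launching an executable from a user-writable path.
    if OFFICE.search(ev["parent"]) and USER_WRITABLE.search(ev["image"]):
        hits.append("office_spawns_exe_from_user_dir")
    # VS Code CLI started in tunnel mode; review any host where this is unexpected.
    if ev["image"].lower().endswith("\\code.exe") and re.search(r"\btunnel\b", ev["cmdline"], re.I):
        hits.append("vscode_tunnel")
    # Outbound contact with a Discord webhook endpoint (exfiltration channel).
    if DISCORD_WEBHOOK.search(ev["dest"]):
        hits.append("discord_webhook")
    return hits


def hunt(events):
    """Map event id -> matched rules, keeping only events that fired."""
    return {ev["id"]: check(ev) for ev in events if check(ev)}


if __name__ == "__main__":
    for event_id, rules in hunt(EVENTS).items():
        print(event_id, rules)
```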

By operating within trusted ecosystems, threat actors can evade traditional security controls that rely heavily on domain reputation and signature-based detection.
