Attackers are embedding Windows malware inside nested folder structures that mimic macOS system paths, using deeply buried payloads to evade automated scanning and casual inspection in a sophisticated spear-phishing campaign targeting Chinese university students.
Operation Dragon Whistle Targets University Networks
The campaign, tracked by Seqrite Labs as “Operation Dragon Whistle,” targeted students and staff at Changzhou University in China. Spear-phishing emails impersonated official university administrators, carrying a ZIP attachment with a Chinese filename referencing national student physical fitness health standards.
The social engineering leveraged institutional urgency around compulsory fitness testing and graduation requirements. Recipients were urged to open the archive, which contained a convincing decoy PDF matching real university paperwork while quietly initiating malware execution.
Seqrite linked the activity to a threat actor tracked as UNG0002, noting overlaps with a prior campaign called Operation Cobalt Whisper that also relied on malicious LNK files and obfuscated VBScript. The operation represents a deliberate expansion of this group’s focus into mainland China’s academic sector.
Nested Folder Obfuscation and Living-off-the-Land Execution
The malicious ZIP file contains four levels of nested folders imitating macOS metadata directories. This structure buries payload files deep enough that many antivirus engines and archive viewers fail to inspect them thoroughly.
The outer layer presents a double-extension LNK file posing as a PDF document. When clicked, it abuses the legitimate Windows Explorer process to execute a hidden VBScript payload, avoiding script interpreters that security tools might flag. The VBScript, named “chromedo.vbs,” opens the decoy PDF while silently launching “Bandizip.exe” from the nested directories.
A brief delay between actions ensures the decoy appears seamlessly. The infection then shifts to DLL side-loading: a malicious “ark_x86.dll” in the same directory as Bandizip.exe is loaded via Windows’ normal DLL search order. The exported function “CreateArk” deploys anti-debugging checks and decryption routines, ultimately running an in-memory Cobalt Strike beacon without writing a conventional executable to disk.
Infrastructure Anchoring and Defensive Implications
Seqrite’s investigation identified overlapping infrastructure across multiple campaigns using similar LNK files, nested folders, and Bandizip side-loading to deliver Cobalt Strike payloads. The final beacon connects to a command-and-control server within Alibaba’s advertising network in Hangzhou, anchored in regional cloud ecosystems to complicate IP-based blocking.
The malware includes anti-analysis checks for Wireshark, Procmon, and other reverse-engineering tools, diverting execution into termination routines if detected. It also interacts with Windows security interfaces and event tracing to weaken runtime logging.
Organizations should treat unexpected ZIP attachments referencing fitness tests, policy updates, or exam notices with heightened scrutiny, even from trusted institutions. Security teams should tighten email filtering for archives containing LNK files, increase inspection depth for nested folders, and monitor for unusual Bandizip usage alongside uncommon DLL names.
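As an added defender-side illustration (not Seqrite's tooling and not code from the original report), the script below applies the archive-level indicators the article describes to a constructed ZIP: nesting beyond a depth threshold, Windows payloads sitting under a macOS-style metadata folder, a double-extension LNK, script payloads, and a DLL placed beside an EXE. The `__MACOSX` folder name, the depth threshold and the sample's file contents are assumptions.

```python
import io
import zipfile
from collections import defaultdict

# Assumed thresholds/names (not from the report): flag entries nested deeper
# than MAX_DEPTH folders; "__MACOSX" stands in for the macOS-style metadata
# directory name a Windows-targeted archive has no reason to carry.
MAX_DEPTH = 3
MAC_METADATA_DIR = "__macosx"
WINDOWS_PAYLOAD_EXTS = {"exe", "dll", "lnk", "vbs"}
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "hta"}

def scan_archive(data: bytes) -> list[str]:
    """Return findings for the archive-level indicators described above."""
    findings = []
    exts_per_folder = defaultdict(set)  # folder -> extensions seen in it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = [p for p in name.split("/") if p]
            if not parts or name.endswith("/"):
                continue  # directory entry, nothing to inspect
            depth = len(parts) - 1
            base = parts[-1].lower()
            ext = base.rsplit(".", 1)[-1] if "." in base else ""
            exts_per_folder["/".join(parts[:-1])].add(ext)
            if depth > MAX_DEPTH:
                findings.append(f"deep nesting ({depth} folders): {name}")
            if ext in WINDOWS_PAYLOAD_EXTS and any(
                p.lower() == MAC_METADATA_DIR for p in parts[:-1]):
                findings.append(f"Windows payload under macOS metadata dir: {name}")
            if ext == "lnk":
                findings.append(f"LNK file: {name}")
                if base.count(".") >= 2:  # e.g. notice.pdf.lnk
                    findings.append(f"double-extension LNK: {name}")
            if ext in SCRIPT_EXTS:
                findings.append(f"script payload: {name}")
    for folder, exts in exts_per_folder.items():  # side-loading precondition
        if {"exe", "dll"} <= exts:
            findings.append(f"DLL beside EXE (side-loading candidate): {folder or '<root>'}")
    return findings

def build_sample_zip() -> bytes:  # constructed sample, not a real artefact
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf.lnk", b"constructed lnk stub")
        zf.writestr("__MACOSX/._a/._b/._c/chromedo.vbs", b"' constructed vbs stub")
        zf.writestr("__MACOSX/._a/._b/._c/Bandizip.exe", b"MZ constructed stub")
        zf.writestr("__MACOSX/._a/._b/._c/ark_x86.dll", b"MZ constructed stub")
        zf.writestr("decoy.pdf", b"%PDF-1.4 constructed stub")
    return buf.getvalue()
```

Running `scan_archive(build_sample_zip())` flags the three deeply nested payloads, the double-extension LNK and the EXE/DLL pairing while leaving the decoy PDF unflagged; in a mail gateway the same checks would run before the archive reaches the user.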
This campaign underscores how threat actors continue to refine social engineering and technical obfuscation for targeted academic environments. As attackers anchor operations inside legitimate cloud ecosystems and exploit trusted software side-loading, defenders must shift focus toward in-memory behavior analysis and DLL loading patterns to catch these attacks before they establish a foothold.
— Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.