Cybersecurity experts have uncovered a sophisticated malware campaign targeting government employees in Pakistan, using highly deceptive spear-phishing emails combined with advanced obfuscation techniques and staged payload delivery to evade detection systems.
Attackers Impersonate Government Insider
The campaign targeted personnel of the Punjab Safe Cities Authority (PSCA) and its PPIC3 units. The attackers impersonated an internal consultant and referenced a real government initiative, the “Safe Jail Project”, to lend the emails credibility and persuade recipients to open the malicious attachments.
According to the analysis, each email carries two malicious attachments. The first is a Microsoft Word document named “CAD Reprot.doc”; the misspelling appears intended to look like a hastily typed internal report, and it also sidesteps filters that match the exact expected filename (it does nothing against content-based signatures). The second is a PDF named “ANPR Reprot.pdf”, which displays a fake Adobe Reader error message prompting the user to download an additional file.
Trusted Cloud Services Used to Hide Malicious Traffic
Both attachments fetch their next-stage payloads from infrastructure hosted on BunnyCDN, a legitimate content delivery network. Because the download domains belong to a widely used CDN with a good reputation, the traffic looks like ordinary web activity and is unlikely to be stopped by reputation-based filtering alone.
Sandbox analysis reconstructed the full attack chain, and the Word document received a near-maximum risk score. The campaign is assessed as a multi-stage intrusion designed to establish persistent remote access to compromised systems.
One of the most concerning aspects of the attack is its use of Microsoft’s legitimate VS Code tunnel service for remote access. Once executed, the payload is dropped into a temporary directory and opens a tunnel through Microsoft’s dev tunnel infrastructure, so command-and-control traffic terminates at Microsoft-owned endpoints over TLS. This blends in with normal developer activity and defeats domain-reputation and IP-blocklist controls; process-level telemetry (which image opened the tunnel, from where) is what is most likely to reveal it.
Discord Webhooks Used for Victim Alerts
In addition, the attackers used Discord webhooks to receive real-time notifications when a victim system was successfully compromised. A webhook call is an ordinary HTTPS POST to discord.com, so it passes through most network monitoring and URL filtering unless Discord is explicitly blocked or outbound requests are correlated with the originating process.
Security researchers noted that the sample matched no known malware family, suggesting a custom-built toolset for a specific targeting operation rather than a widely distributed strain. Multiple analysis environments reported consistent malicious indicators across the infection chain.
The most technically advanced component of the campaign is its multi-stage delivery and macro execution technique. The Word document uses VBA stomping: the attacker replaces the compressed VBA source stored in the document with benign or empty code while leaving the compiled p-code intact. An Office version matching the one that compiled the p-code runs it directly without recompiling from source, so tools that only inspect the readable macro text see nothing malicious. The technique has a built-in limitation: if the victim’s Office version differs, Office recompiles from the (benign) source and the payload never runs, which is why stomped documents are usually tailored to a known target environment.
Once the victim enables content, a hidden function runs and silently downloads an executable over HTTP using a COM object. The response is written to the system’s temporary directory through a COM stream object (ADODB.Stream is the usual choice in this pattern) and then executed. Because both the download and the file write happen inside the Office process, there is no separate downloader process to catch; the signal is WINWORD.EXE itself making an HTTP request and dropping an executable.
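The stomping check described above, as an added example (not code from the sample, the researchers or any vendor): it compares the identifiers a p-code disassembler reports against the readable VBA source and flags names the source never mentions. It assumes the source text is what a tool such as olevba extracts and the identifier list is what pcodedmp (or olevba --pcode) reports; both inputs here are constructed.

```python
"""Heuristic VBA-stomping check: p-code identifiers versus readable source.

Added example; not code from the sample, the researchers or any vendor.
Assumptions (not from the article): the VBA source text is what a tool such
as olevba extracts, and the identifier list is what a p-code disassembler such
as pcodedmp (or olevba --pcode) reports. Both inputs below are constructed.
"""
import re

# Constructed: the benign source an attacker left in place of the real macro.
STOMPED_SOURCE = '''
Sub AutoOpen()
    MsgBox "Report generated successfully."
End Sub
'''

# Constructed: identifiers the compiled p-code still references. A COM HTTP
# client plus a COM stream object is the signature of a macro downloader.
STOMPED_PCODE_IDENTIFIERS = [
    "AutoOpen", "MsgBox", "CreateObject", "MSXML2.XMLHTTP", "Open", "GET",
    "send", "responseBody", "ADODB.Stream", "Write", "SaveToFile",
    "Environ", "TEMP", "Shell",
]

# Constructed: an honest document, where source and p-code agree.
CLEAN_SOURCE = STOMPED_SOURCE
CLEAN_PCODE_IDENTIFIERS = ["AutoOpen", "MsgBox"]

# Names that are a strong indicator on their own when they exist only in
# p-code: COM object creation, HTTP/stream objects, environment lookup, Shell.
SUSPICIOUS = {"CreateObject", "MSXML2.XMLHTTP", "ADODB.Stream", "SaveToFile",
              "Environ", "Shell"}

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")
_STRING = re.compile(r'"([^"]*)"')


def source_identifiers(vba_source: str) -> set[str]:
    """Lower-cased identifiers and string literals present in the readable source."""
    found = set(_IDENT.findall(vba_source)) | set(_STRING.findall(vba_source))
    return {x.lower() for x in found}


def detect_stomping(vba_source: str, pcode_identifiers: list[str]) -> dict:
    """Flag p-code identifiers that the readable source never mentions.

    VBA is case-insensitive, so the comparison is lower-cased. Identifiers
    that exist only in p-code mean the source was replaced after compilation.
    """
    seen = source_identifiers(vba_source)
    missing = sorted(i for i in pcode_identifiers if i.lower() not in seen)
    return {
        "stomped": bool(missing),
        "missing_from_source": missing,
        "suspicious": sorted(i for i in missing if i in SUSPICIOUS),
    }


if __name__ == "__main__":
    cases = [("CAD Reprot.doc (stomped)", STOMPED_SOURCE, STOMPED_PCODE_IDENTIFIERS),
             ("clean document", CLEAN_SOURCE, CLEAN_PCODE_IDENTIFIERS)]
    for name, src, pcode in cases:
        print(name, detect_stomping(src, pcode))
```

The stomped sample reports twelve p-code names absent from the source, six of them from the suspicious set; the clean sample reports none. A mismatch of this kind is conclusive regardless of what the visible macro says, which is why p-code disassembly, not source review, is the right check for documents from untrusted senders.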
The PDF attachment follows a parallel infection path: a fake update prompt leads the user to download a malicious .NET ClickOnce application disguised as legitimate Adobe software. Both routes lead to the same command infrastructure, giving the attackers redundancy if one vector fails.
Layered Evasion Tactics
The campaign is built for redundancy, stealth, and persistence. By combining legitimate cloud services, fake certificates, obfuscated code, and staged execution, the attackers significantly improve their odds of getting past enterprise defenses.
Organizations are advised to restrict downloads of executable content from CDN domains the business does not use, monitor for VS Code tunnel (dev tunnel) activity from hosts and processes that have no developer need for it, and alert on Discord webhook requests originating from non-browser processes. Strict email filtering, blocking macros in documents that arrived from the internet, and sandbox detonation of attachments are also strongly recommended.
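The three network-side recommendations above, implemented as detection logic and run over constructed proxy/EDR log lines (added example; not code from the article, the researchers or any vendor). It assumes records of the form "timestamp|process image|method|URL", that BunnyCDN customer zones live under b-cdn.net, that VS Code tunnels talk to *.devtunnels.ms and *.tunnels.api.visualstudio.com, and placeholder allow-lists that an organization would maintain for itself.

```python
"""Network-side checks for the three recommendations above, run over log lines.

Added example; not from the article, the researchers or any vendor.
Assumptions (not from the article): proxy/EDR events are "ts|image|method|url"
records; BunnyCDN customer zones live under b-cdn.net; VS Code tunnels talk to
*.devtunnels.ms and *.tunnels.api.visualstudio.com; the allow-lists are
placeholders. Every log line below is constructed.
"""
import os
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Placeholder allow-lists: the approved VS Code install and the CDN zone the
# business actually serves assets from.
APPROVED_TUNNEL_IMAGES = {r"c:\program files\microsoft vs code\code.exe"}
APPROVED_CDN_ZONES = {"assets.example-company.b-cdn.net"}
EXEC_EXTENSIONS = (".exe", ".dll", ".msi", ".application", ".hta", ".js",
                   ".vbs", ".ps1", ".doc", ".docm", ".xls", ".xlsm")

LOG_LINES = [  # constructed
    r"2025-01-14T09:12:03Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|GET|https://cad-reports.b-cdn.net/files/update.exe",
    r"2025-01-14T09:12:09Z|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe|GET|https://cad-reports.b-cdn.net/files/AdobeUpdate.application",
    r"2025-01-14T09:13:40Z|C:\Users\analyst\AppData\Local\Temp\update.exe|POST|https://discord.com/api/webhooks/1234567890/token",
    r"2025-01-14T09:13:41Z|C:\Users\analyst\AppData\Local\Temp\update.exe|CONNECT|https://global.rel.tunnels.api.visualstudio.com/",
    r"2025-01-14T09:14:00Z|C:\Program Files\Google\Chrome\Application\chrome.exe|POST|https://discord.com/api/webhooks/222/abc",
    r"2025-01-14T09:15:00Z|C:\Program Files\Microsoft VS Code\Code.exe|CONNECT|https://x7k2-8080.euw.devtunnels.ms/",
    r"2025-01-14T10:00:00Z|C:\Program Files\Microsoft\Edge\Application\msedge.exe|GET|https://assets.example-company.b-cdn.net/img/logo.png",
]


def parse(line: str) -> dict:
    """Split one record; basename is computed with forward slashes so it works off-Windows."""
    ts, image, method, url = line.split("|", 3)
    u = urlparse(url)
    return {
        "ts": ts,
        "image_lc": image.lower(),
        "basename": os.path.basename(image.replace("\\", "/")).lower(),
        "method": method,
        "host": (u.hostname or "").lower(),
        "path": u.path.lower(),
    }


def check(ev: dict) -> list[str]:
    """Return the alert names one event triggers (possibly several)."""
    alerts = []
    host, path, base, image = ev["host"], ev["path"], ev["basename"], ev["image_lc"]
    # 1. Executable or macro-bearing content pulled from a CDN zone the business does not use.
    if host.endswith(".b-cdn.net") and host not in APPROVED_CDN_ZONES and path.endswith(EXEC_EXTENSIONS):
        alerts.append("cdn-executable-download")
    # 2. Discord webhook call from anything that is not a browser.
    if host in {"discord.com", "discordapp.com"} and path.startswith("/api/webhooks/") and base not in BROWSERS:
        alerts.append("discord-webhook-nonbrowser")
    # 3. Dev tunnel traffic from an image other than the approved VS Code install;
    #    a tunnel client running out of a Temp directory is flagged separately.
    if host.endswith((".devtunnels.ms", ".tunnels.api.visualstudio.com")):
        if image not in APPROVED_TUNNEL_IMAGES:
            alerts.append("devtunnel-unapproved-process")
        if "\\temp\\" in image:
            alerts.append("devtunnel-from-temp")
    return alerts


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """(timestamp, process basename, alert) for every alert across the log."""
    return [(ev["ts"], ev["basename"], a) for ev in map(parse, lines) for a in check(ev)]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(*hit)
```

On the constructed log this yields five alerts: the two CDN downloads initiated by WINWORD.EXE and AcroRd32.exe (Office and Reader fetching an .exe and a ClickOnce .application is itself worth an alert), the webhook POST from the dropped Temp binary, and two for the same binary opening a dev tunnel. The Chrome webhook call, the developer's real VS Code tunnel and the approved CDN zone stay silent, which is the point of correlating destination with originating process rather than blocking the services outright.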