Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The attack began with a malicious ZIP sent as an email attachment to lure the victim into opening it (‘delivers a ZIP attachment named…’).
• [T1204.002] User Execution: Malicious File – The victim had to click the disguised LNK/PDF file to trigger the infection chain (‘clicking it triggers the entire execution chain’).
• [T1059.005] Command and Scripting Interpreter: Visual Basic – A VBScript file orchestrated the decoy opening and malicious execution (‘which contains the following code’).
• [T1036] Masquerading – The LNK file masqueraded as a PDF document and the campaign used official-looking university content (‘displaying a PDF icon and carrying a .pdf filename’).
• [T1564.001] Hidden Files and Directories – The payload was buried in four nested folders to evade inspection (‘Four levels of nested folders’).
• [T1574.002] DLL Side-Loading – Bandizip.exe loaded the attacker-controlled ark.x64.dll from its local directory (‘loaded the malicious DLL named ark.x64.dll’).
• [T1027] Obfuscated Files or Information – Strings and payloads were decrypted at runtime to hinder analysis (‘memory regions allocated via VirtualAlloc, combined with custom decryption loops’).
• [T1622] Debugger Evasion – The DLL used checks like CheckRemoteDebuggerPresent and IsDebuggerPresent to resist analysis (‘implementing multiple anti-debugging techniques’).
• [T1497] Virtualization/Sandbox Evasion – The malware checked for analysis environments and stopped if monitoring tools were present (‘avoid running inside monitored or researcher-controlled environments’).
• [T1497.001] System Checks – It enumerated processes and compared them against a blacklist of tools (‘enumerates running processes’).
• [T1218] Signed Binary Proxy Execution – The actor abused the legitimate explorer.exe binary and Bandizip.exe to execute payloads (‘Abuses the legitimate explorer.exe binary’).
• [T1106] Native API – The malware relied on Windows APIs such as CreateToolhelp32Snapshot and Process32First/Next (‘Windows APIs including CreateToolhelp32Snapshot’).
• [T1057] Process Discovery – The DLL enumerated active processes to identify analysis tools (‘To identify analysis environments, the DLL enumerates running processes’).
• [T1129] Shared Modules – The malicious DLL was loaded as a shared module by the legitimate Bandizip process (‘loaded into memory under a legitimate process context’).
• [T1620] Reflective Code Loading – The SFX payload was dynamically loaded into memory and executed without disk persistence (‘loaded into process memory and executed directly without disk persistence’).
• [T1071.001] Application Layer Protocol: Web Protocols – The Beacon attempted to establish outbound command-and-control communication (‘attempted to establish command-and-control (C2) communication’).
• [T1105] Ingress Tool Transfer – The staged payloads and final Beacon were unpacked and loaded into memory during execution (‘decrypted the final-stage component entirely in memory’).
• [T1005] Data from Local System – The document lure and local execution chain leveraged system files and local decoy content (‘opens the decoy PDF’).