Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly uncovered cyber operation has raised concerns among security professionals after a coordinated wave of attacks targeted government institutions in Pakistan.

The campaign, now tracked as Operation Dragon Whistle, used highly convincing phishing emails to trick employees into opening malicious file attachments. Once those files were opened, they set off a chain of events designed to give attackers quiet, persistent access to the victim’s machine.

The attack was built around two separate infection paths, both relying on the same supporting infrastructure in the background.

One path used a weaponized Word document carrying a hidden macro, while the other involved a deceptive PDF file designed to push a fake software installer onto the target system. Together, these two methods gave the attackers more than one way to succeed, even if one path was blocked or ignored.

What made this operation particularly unusual was not just the choice of targets but the tools the attackers chose to use.

Analysts at JoeSecurity identified the campaign after reviewing sandbox submissions, and said in a report shared with Cyber Security News (CSN) that the threat actors had turned Visual Studio Code, a widely trusted coding tool, into a remote access method.

This creative choice allowed their malicious activity to blend in with what looked like ordinary developer software traffic.

Operation Dragon Whistle Uses Malicious LNK Files

The phishing emails were carefully written to resemble internal messages from a consultant working on a government safety project. They referenced specific work items such as ANPR system designs and CAD drawings, which matched the professional context of the targeted organization closely.

The sender’s name and title closely matched those of a known staff member, pointing to prior research on the target before the campaign began.

The first attachment, named CAD Reprot.doc, carried a macro that ran automatically the moment the document was opened. The macro quietly downloaded an executable called code.exe from an attacker-controlled server and began running Visual Studio Code tunnel commands in the background without any visible sign to the user.

Capability Preview (Source – JOESecurity)

During this process, a Microsoft device authentication code was generated and captured by the macro before the user could take any action. That code was then sent to the attackers through a Discord webhook, giving them what they needed to authenticate the compromised machine into a VS Code tunneling session under their control.

Once enrolled, the victim’s computer connected back to the attacker through Microsoft’s own cloud infrastructure, making the traffic appear completely legitimate.

From that point, the threat actor could use the integrated terminal as a remote shell, run commands, access files, or even deploy additional tools directly on the compromised system.

The PDF File and Its Staged Payload

The second attachment, named ANPR Reprot.pdf, presented what appeared to be an Adobe Reader error telling the user their software needed updating. A button inside the document pointed to a ClickOnce installation package that was crafted to look like a legitimate Adobe product but carried none of the proper authentication markers of genuine Adobe software.

Researchers found that the package used an unusual versioning pattern and an all-zero public key token, both signs of a manually assembled impersonation rather than a real release. It appeared designed to install a .NET-based application on the victim’s machine as the next phase of the attack chain.

Abuse VS Code Remote Tunnels (Source – JOESecurity)

By the time investigators looked more closely, the attacker’s hosting domain had already been suspended, making it impossible to retrieve the final payload. Based on the structure of the deployment manifest and the available file artifacts, the end goal was most likely to execute a hidden .NET program on the compromised system.
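The two impersonation signs called out above (an all-zero public key token and the absence of genuine signing markers) can be checked mechanically. The script below is an added example, not code from the JoeSecurity report; the manifest it parses is constructed to mirror the standard ClickOnce `.application` layout, and the element and attribute names it inspects (`assemblyIdentity`, `publicKeyToken`, `Signature`, `publisherIdentity`) are the standard ones, not values taken from the campaign file.

```python
"""Triage a ClickOnce deployment manifest (.application) for impersonation signs.

Added example, not the campaign artifact. SAMPLE_MANIFEST is constructed.
"""
import re
import xml.etree.ElementTree as ET

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V2 = "urn:schemas-microsoft-com:asm.v2"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed manifest: an unsigned package posing as an Adobe update, with
# zeroed strong-name tokens. Real manifests from Adobe would carry a
# <Signature> block and a <publisherIdentity> element.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="{ASM_V1}" xmlns="{ASM_V2}"
    xmlns:asmv2="{ASM_V2}" xmlns:dsig="{DSIG}">
  <assemblyIdentity name="Adobe.application" version="1.0.0.1"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" xmlns="{ASM_V1}" />
  <description asmv2:publisher="Adobe" asmv2:product="Adobe Reader Update"
      xmlns="{ASM_V1}" />
  <deployment install="true" />
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="Adobe_1_0_0_1\\Adobe.exe.manifest">
      <assemblyIdentity name="Adobe.exe" version="1.0.0.1"
          publicKeyToken="0000000000000000" language="neutral"
          processorArchitecture="msil" type="win32" />
    </dependentAssembly>
  </dependency>
</asmv1:assembly>"""


def check_manifest(xml_text: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    # assemblyIdentity may sit in either ClickOnce namespace depending on nesting.
    for ns in (ASM_V1, ASM_V2):
        for ident in root.iter(f"{{{ns}}}assemblyIdentity"):
            name = ident.get("name", "?")
            if re.fullmatch(r"0+", ident.get("publicKeyToken", "")):
                findings.append(f"all-zero publicKeyToken on {name}")
    # A genuine vendor package is XML-signed and names its publisher.
    if root.find(f"{{{DSIG}}}Signature") is None:
        findings.append("manifest carries no XML signature")
    if root.find(f"{{{ASM_V2}}}publisherIdentity") is None:
        findings.append("manifest has no publisherIdentity element")
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```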

Organizations facing similar threats should pay close attention to unexpected file attachments, even when they appear to come from familiar or trusted contacts.

Monitoring developer tools on non-developer machines and flagging unusual authentication requests can help security teams detect this type of sophisticated attack much earlier in the process.
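One way to put that advice into a detection, as an added example rather than anything from the report: scan process-creation telemetry for the VS Code CLI (`code.exe`) being started in tunnel mode by an Office application, or on a host that is not a known developer workstation. The event format (one JSON object per line with `host`, `parent`, `image`, `cmdline`), the developer-host allowlist and the sample events are all constructed assumptions; the user-writable-path rule is a generic hardening check, not a detail from the campaign.

```python
"""Flag VS Code tunnel launches that match the abuse pattern described above.

Added example. Event schema, allowlist and SAMPLE_EVENTS are constructed.
"""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DEVELOPER_HOSTS = {"dev-ws-02"}          # assumption: org-maintained allowlist
TUNNEL_RE = re.compile(r"\btunnel\b", re.IGNORECASE)

# Constructed process-creation events (not real telemetry). Event 1 is the
# macro-spawned tunnel; event 2 is a developer's legitimate tunnel; events 3
# and 4 are benign noise the rules must ignore.
SAMPLE_EVENTS = r"""
{"host": "fin-ws-07", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Users\\a.khan\\AppData\\Local\\Temp\\code.exe", "cmdline": "code.exe tunnel --accept-server-license-terms"}
{"host": "dev-ws-02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe", "cmdline": "code.exe tunnel"}
{"host": "fin-ws-07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n CAD_Reprot.doc"}
{"host": "dev-ws-02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\bin\\code.exe", "cmdline": "code.exe ."}
"""


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return rule names that fire for one process-creation event."""
    if basename(event["image"]) != "code.exe" or not TUNNEL_RE.search(event["cmdline"]):
        return []
    hits = []
    if basename(event["parent"]) in OFFICE_PARENTS:
        hits.append("vscode_tunnel_from_office_parent")
    if event["host"] not in DEVELOPER_HOSTS:
        hits.append("vscode_tunnel_on_non_developer_host")
    lowered = event["image"].lower()
    if "\\temp\\" in lowered or "\\downloads\\" in lowered:
        hits.append("vscode_cli_from_user_writable_path")
    return hits


def scan(lines: str) -> list[tuple[str, str]]:
    """Run every event through the rules; return (host, rule) pairs in order."""
    alerts = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        alerts.extend((event["host"], rule) for rule in evaluate(event))
    return alerts


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT {host}: {rule}")
```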

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA256 (Email) | ff892c71475c71eccf3ab3f650d7aea30b61c9dc0c39a89b7f3f434469aa8d8b | Phishing email hash |
| SHA256 (File) | 49f304eb2772bf194e21c90bf5f1783770020538c80c0ca71afc5f1adcd19e8 | Malicious Word document: CAD Reprot.doc |
| File Name | CAD Reprot.doc | Word document with hidden auto-executing macro |
| SHA256 (File) | f3c4a34af566276e95960c156b38aea8a823aa394ed5c43178397be8440b56d | Malicious PDF attachment: ANPR Reprot.pdf |
| File Name | ANPR Reprot.pdf | Deceptive PDF file delivering ClickOnce payload |
| URL | hxxps[://]adobe-pdfreader[.]b-cdn[.]net/code[.]exe | Attacker-hosted VS Code executable download URL |
| URL | hxxps[://]adobe-pdfreader[.]b-cdn[.]net/Adobe[.]application | ClickOnce deployment manifest download URL |
| SHA256 (Dependency) | 11049b198f76e7bc7a4d37b862ac77917697961c68eda70e535604c28969a870 | Dependency hash referenced in the ClickOnce manifest |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
