EXECUTIVE SUMMARY
The threat actors behind this campaign have been actively targeting staff members of the Punjab Safe Cities Authority (PSCA) and PPIC3 in Pakistan with a multi-stage phishing campaign. The attack leverages two distinct infection vectors, both relying on the same underlying infrastructure, and is designed to convince the recipient to open attachments that contain malicious macros. Once the macro is executed, it downloads and executes code.exe, captures the Microsoft device authorization code generated during execution, and exfiltrates it to Discord webhooks. The attackers have also been using Visual Studio Code as a living-off-the-land tool, combined with Discord webhooks for data exfiltration, to maintain control of the compromised systems.
The malware infects systems through phishing emails with attachments containing malicious macros, which are designed to download and execute code.exe. The code.exe executable uses Visual Studio Code Remote Tunnels to obtain malicious access to the computer, and the attackers maintain control by using Discord webhooks to exfiltrate data and send status updates. The attackers' objective is to enroll the compromised machine into a VS Code Remote Tunnels workflow controlled by the attacker, giving them remote access to the machine through legitimate Microsoft infrastructure.
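The two behaviours described above (an Office process launching the VS Code CLI in tunnel mode, and the same binary posting to a Discord webhook) are the observable points where this chain can be caught on the endpoint or at the proxy. The following detection logic is an added example written for this summary, not code from the advisory or from the referenced reports; the Sysmon-style process and proxy events it runs over are constructed, and the Office and VS Code binary names it matches on are assumptions chosen for illustration.

```python
import re

# Office applications likely to be the parent of a macro-spawned process
# (constructed list for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# VS Code CLI binaries that carry the `tunnel` subcommand (assumed names).
VSCODE_CLI = {"code.exe", "code-tunnel.exe", "code-insiders.exe"}
# Discord webhook endpoint as seen in a proxy log with TLS inspection.
WEBHOOK_RE = re.compile(r"https?://(?:www\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
# `tunnel` as a standalone token on the command line, not inside a file name.
TUNNEL_RE = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.I)


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rule 1: VS Code CLI started in tunnel mode; escalate if an Office parent."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    if image not in VSCODE_CLI or not TUNNEL_RE.search(ev.get("CommandLine", "")):
        return None
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"rule": "vscode_tunnel_launch", "severity": severity,
            "image": image, "parent": parent}


def check_network(ev):
    """Rule 2: request to a Discord webhook; escalate if sent by the VS Code CLI."""
    url = ev.get("Url", "")
    if not WEBHOOK_RE.search(url):
        return None
    image = _basename(ev.get("Image", ""))
    severity = "high" if image in VSCODE_CLI else "medium"
    return {"rule": "discord_webhook_egress", "severity": severity,
            "image": image, "url": url}


def detect(events):
    """Run both rules over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        finding = (check_process(ev) if ev.get("EventType") == "ProcessCreate"
                   else check_network(ev))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\staff\AppData\Local\Temp\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms"},
    {"EventType": "ProcessCreate",            # benign: developer opening a file
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": '"Code.exe" C:\\repos\\tunnel-config.json'},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\staff\AppData\Local\Temp\code.exe",
     "Url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"},
    {"EventType": "NetworkConnect",           # benign: browser on Discord
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Url": "https://discord.com/channels/@me"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f}")
```

The webhook rule needs the URL path, which a Sysmon network event does not carry (it only records the destination host); it is meant for proxy or TLS-inspection logs, while the process rule works on plain process-creation telemetry. Both rules score the Office-parent and VS Code-sender combinations higher precisely because those are the pairings this chain produces and ordinary developer use does not.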
This threat is significant because it combines credible spear-phishing with sophisticated use of trusted developer tooling and legitimate cloud services to reduce detection opportunities and preserve operational flexibility. Organisations should take defensive actions such as patching, monitoring, and endpoint protection to prevent such attacks. Additionally, having a strong security awareness program in place to educate employees on the risks of phishing attacks and the importance of cautious behavior when receiving unsolicited emails can help mitigate the risk of such attacks.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/operation-dragon-whistle-uses-malicious-lnk-files/
https://joesecurity.org/blog/8858614039441223943