Infection Chain | Image: Seqrite Labs
Seqrite Labs has uncovered a sophisticated phishing campaign, Operation Dragon Whistle, aimed at academic institutions in the Chinese educational sector. The threat actors build custom social engineering lures that target students and faculty at Changzhou University: the victim receives what looks like an urgent institutional announcement about mandatory physical testing schedules. Because the notice appears official and time-sensitive, recipients are strongly inclined to comply with it.
The Psychology of the Lure
The malicious emails carry a carefully named compressed attachment that mimics an official university notification about the mandatory 2026 fitness testing cycle. According to the report, “What makes this campaign particularly effective is the precision of its social engineering”. The attackers knew that failing these assessments directly affects graduation eligibility, and that pressure markedly raises the probability that a recipient opens the file. Once extracted, the archive presents a malicious double-extension LNK file masquerading as a legitimate PDF, and the decoy notice itself contains real staff names and direct phone numbers to remove any remaining doubt.
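The following scanner is an added example, not code from the Seqrite Labs report or from the campaign, showing how a mail gateway or sandbox triage step can catch the lure described above. It inspects every member of an archive and flags three things: content that is a Windows shortcut regardless of what the name claims (the LNK header bytes are fixed by the Shell Link format), a document extension stacked directly under an executable one, and a file that claims to be a PDF but lacks the %PDF- header. The archive contents, member names and the 64-byte read length are constructed for illustration. Windows Explorer never displays the .lnk extension, which is why the double-extension naming reads as a plain PDF on the victim's desktop.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) file header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".vbs", ".js", ".bat", ".cmd", ".hta"}


def inspect_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks like a disguised shortcut (empty list if clean)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    # Content check: the bytes decide what the file is, not the name.
    if head.startswith(LNK_MAGIC):
        reasons.append("content is a Windows shortcut (LNK header)")
        if suffixes and suffixes[-1] != ".lnk":
            reasons.append(f"LNK content but extension is {suffixes[-1]}")
    # Name check: a document extension directly under an executable one.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"double extension {''.join(suffixes[-2:])} disguises an executable as a document")
    # Consistency check for the claimed document type.
    if suffixes and suffixes[-1] == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("claims .pdf but lacks the %PDF- header")
    return reasons


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons; members without findings are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the header checks only need the first bytes
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised shortcut next to a genuine (minimal) PDF; names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fitness_Test_Notice_2026.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Fitness_Test_Notice_2026.pdf", b"%PDF-1.4\n% constructed decoy body\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member)
        for reason in reasons:
            print(f"    - {reason}")
```

Checking the header bytes rather than trusting the extension is the part that matters: renaming the shortcut would defeat a name-only rule, but the first 20 bytes of a Shell Link file cannot change without breaking the shortcut.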
Analyzing the Multi-Stage Infection Chain
Living-Off-the-Land Tactics
Clicking the shortcut starts a multi-step execution sequence. The shortcut first uses a native Windows component to run a hidden script; the technical analysis notes that “It Abuses the legitimate explorer.exe binary to execute the VBScript payload buried four folders deep”. Routing execution through a trusted system binary helps the malware avoid detection by common endpoint security solutions. The lightweight VBScript then builds the paths it needs at runtime and launches a decoy PDF alongside the malicious application, so the victim reads a genuine-looking university notice while the infection proceeds silently in the background and the user remains unaware of the threat. An 800ms pause lets the decoy render fully before the malicious stage executes.
Weaponized Archive Software and Side-Loading
The infection chain then moves into a stealthy DLL side-loading phase. The script launches a clean copy of Bandizip from a deeply nested directory, and the threat actors place a malicious library named ark.x64.dll right beside it. Because Windows resolves a DLL requested by name from the application's own directory before it consults the system directories, the legitimate program loads the planted file into memory. In isolation, Bandizip is a clean utility; however, the report highlights that “in this campaign, the threat actor has deliberately weaponized it as a LOL (Living off the Land) tool”.
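The two stages above, explorer.exe launching a VBScript from a nested folder and Bandizip loading a sidecar DLL, leave distinct traces in endpoint telemetry. The triage script below is an added example, not code from Seqrite Labs or the Bandizip project, that applies one rule to each: a script host spawned by explorer.exe for a .vbs file under a user-writable, deeply nested path, and a DLL resolved from the same directory as its executable outside an install root, unsigned, under a user-writable path. The events are constructed and modelled on the Image, ParentImage, CommandLine, ImageLoaded and Signed fields of Sysmon event IDs 1 and 7; the nested directory, the user name, the bandizip.exe file name and the depth threshold are placeholders, while ark.x64.dll is the name given in the report. Treating explorer.exe as the parent of the script host reflects how a shell-launched .vbs normally appears in process telemetry.

```python
import re
from pathlib import PureWindowsPath

# Roots where a vendor-installed application normally lives (compared case-insensitively).
INSTALL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments typical of locations that mail clients and archive tools extract into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\documents\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Constructed threshold: a script or DLL more than this many path components deep is "deeply nested".
MAX_DEPTH = 7
# Picks a quoted or unquoted .vbs path out of a command line.
VBS_RE = re.compile(r'"([^"]+?\.vbs)"|(\S+?\.vbs)', re.IGNORECASE)


def _location_reasons(path: PureWindowsPath) -> list[str]:
    """Checks shared by both rules: user-writable location and unusual nesting depth."""
    reasons = []
    if any(marker in str(path).lower() for marker in USER_WRITABLE):
        reasons.append("located under a user-writable path")
    if len(path.parts) > MAX_DEPTH:
        reasons.append(f"path is {len(path.parts)} components deep")
    return reasons


def script_launch_reasons(ev: dict) -> list[str]:
    """Process-creation rule: explorer.exe handing a .vbs to a script host from a nested user directory."""
    image = PureWindowsPath(ev["Image"])
    parent = PureWindowsPath(ev["ParentImage"])
    if image.name.lower() not in SCRIPT_HOSTS or parent.name.lower() != "explorer.exe":
        return []
    match = VBS_RE.search(ev.get("CommandLine", ""))
    if match is None:
        return []
    vbs = PureWindowsPath(match.group(1) or match.group(2))
    return ["explorer.exe spawned a script host for a .vbs file"] + _location_reasons(vbs)


def side_load_reasons(ev: dict) -> list[str]:
    """Image-load rule: a DLL resolved from the executable's own directory outside an install root."""
    image = PureWindowsPath(ev["Image"])
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return []
    reasons = []
    # The executable's own directory is where the search order finds a planted DLL first.
    if loaded.parent == image.parent and not str(loaded).lower().startswith(INSTALL_ROOTS):
        reasons.append("DLL resolved from the executable's own directory outside an install root")
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("DLL is not signed")
    return reasons + _location_reasons(loaded)


def triage(events: list[dict], min_reasons: int = 2) -> list[tuple[int, str, list[str]]]:
    """Return (event id, subject path, reasons) for every event that trips at least min_reasons checks."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            subject, reasons = ev["Image"], script_launch_reasons(ev)
        elif ev["EventID"] == 7:
            subject, reasons = ev["ImageLoaded"], side_load_reasons(ev)
        else:
            continue
        if len(reasons) >= min_reasons:
            hits.append((ev["EventID"], subject, reasons))
    return hits


# Constructed sample telemetry modelled on Sysmon event IDs 1 (process create) and 7 (image load).
# The nested directory, user name and "bandizip.exe" file name are placeholders, not values from the report.
_NEST = r"C:\Users\student\AppData\Local\Temp\notice\a\b\c"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"C:\\Windows\\System32\\wscript.exe" "{_NEST}\\run.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\scripts\backup.vbs"},
    {"EventID": 7, "Image": _NEST + r"\bandizip.exe", "ImageLoaded": _NEST + r"\ark.x64.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Example App\app.exe",
     "ImageLoaded": r"C:\Program Files\Example App\plugin.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for event_id, subject, reasons in triage(SAMPLE_EVENTS):
        print(f"[event {event_id}] {subject}")
        for reason in reasons:
            print(f"    - {reason}")
```

Requiring two independent reasons per event keeps a lone signal (an unsigned plugin DLL in a legitimate install, or an administrator running a script from Explorer) from paging anyone, while the combination of a sidecar DLL, a user-writable location and unusual depth is exactly the shape the report describes.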
Evasion and In-Memory Execution
The malicious DLL also employs anti-debugging techniques to hinder dynamic analysis. It repeatedly scans for running monitoring tools, such as Wireshark and Process Monitor, and terminates immediately if it finds one, denying researchers a live sample. Once these checks pass, an obfuscated SFX module extracts the final payload, which tampers with Windows security interfaces such as AMSI and ETW. The analysis explains that “By disrupting runtime scanning, logging, and telemetry generation, the malware reduces the effectiveness of antivirus” solutions.
Attribution to Threat Actor UNG0002
The final stage loads a Cobalt Strike Beacon directly into memory. The implant opens an outbound command-and-control connection to a remote server, and researchers observed the infrastructure resolving to lysander.asia. The operators also host on Chinese cloud services to evade geographic blocking and use automated identity verification mechanisms to hide their operations. Seqrite Labs attributes Operation Dragon Whistle to the group tracked as UNG0002, noting strong structural overlaps with its earlier campaigns, and shares this threat intelligence to help defenders protect their infrastructure. Software developers and university networks must remain vigilant against such highly targeted threats.