Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University

May 27, 2026 · 5 min read

A newly uncovered cyber operation has raised concerns among security professionals after a coordinated wave of attacks targeted government institutions in Pakistan.

The campaign, now tracked as Operation Dragon Whistle, used highly convincing phishing emails to trick employees into opening malicious file attachments. Once those files were opened, they set off a chain of events designed to give attackers quiet, persistent access to the victim’s machine.

The attack was built around two separate infection paths, both served from the same attacker-controlled hosting in the background.

One path used a weaponized Word document carrying a hidden macro, while the other involved a deceptive PDF file designed to push a fake software installer onto the target system. Together, these two methods gave the attackers more than one way to succeed, even if one path was blocked or ignored.

What made this operation particularly unusual was not just the choice of targets but the tools the attackers chose to use.

Analysts at Joe Security identified the campaign after reviewing sandbox submissions and said in a report shared with Cyber Security News (CSN) that the threat actors had turned Visual Studio Code, a widely trusted coding tool, into a remote access method.

This choice let the malicious command channel blend in with ordinary developer tool traffic to Microsoft-operated endpoints.

Operation Dragon Whistle Uses Malicious LNK Files

The phishing emails were carefully written to resemble internal messages from a consultant working on a government safety project. They referenced specific work items such as ANPR system designs and CAD drawings, which matched the professional context of the targeted organization closely.

The sender’s name and title closely matched those of a known staff member, pointing to prior research on the target before the campaign began.

The first attachment, named CAD Reprot.doc (the misspelling is in the original filename), carried an auto-executing macro that ran as soon as the document was opened with macros enabled; current Office builds block macros in files carrying the Mark of the Web by default, so the user still has to click through that warning. The macro quietly downloaded the standalone VS Code CLI, code.exe, from an attacker-controlled server and ran its tunnel command (code tunnel) in the background with no visible sign to the user.

Capability Preview (Source: Joe Security)

During this process, the device-login code that code tunnel prints when it asks the user to sign in (a short code normally typed by hand at Microsoft's device-login page) was generated and captured by the macro before the user could act. The macro posted that code to a Discord webhook, giving the attackers what they needed to complete the sign-in and enrol the compromised machine into a VS Code tunnel session under an account they control.

Once enrolled, the victim's computer held an outbound TLS connection to Microsoft's tunnel service rather than to attacker infrastructure, so at the network level the traffic looked like a developer's legitimate Remote Tunnels session.

From that point, the threat actor could use the integrated terminal as a remote shell, run commands, access files, or even deploy additional tools directly on the compromised system.

The PDF File and Its Staged Payload

The second attachment, named ANPR Reprot.pdf, displayed a fake Adobe Reader error telling the user their software needed updating. A button in the document pointed to a ClickOnce deployment (Adobe.application) dressed up to look like an Adobe product but lacking the code signature and publisher identity a genuine Adobe release carries.

Researchers found that the package used an unusual versioning pattern and an all-zero publicKeyToken in its assembly identity, the value ClickOnce tooling writes when a manifest is generated without signing; both point to a manually assembled impersonation rather than a real release. The manifest appeared designed to install a .NET-based application on the victim's machine as the next phase of the attack chain.

Abuse VS Code Remote Tunnels (Source: Joe Security)

By the time investigators looked more closely, the attacker’s hosting domain had already been suspended, making it impossible to retrieve the final payload. Based on the structure of the deployment manifest and the available file artifacts, the end goal was most likely to execute a hidden .NET program on the compromised system.
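The manifest traits described in this section (a zero publicKeyToken, a publisher claim with no signature, a dependency hash) are easy to check mechanically. The following is an added example written for this page, not code from the original article or from Joe Security. The manifest it parses is constructed to mirror the traits the report describes; it is not the real Adobe.application artifact, and the dependency bytes it hashes are a stand-in.

```python
"""Triage checks for a ClickOnce deployment manifest (.application):
zero publicKeyToken, publisher claim without an XML signature, persistent
install flag, and dependency digests converted to hex for IoC matching.
Added example; the manifest below is constructed, not the real artifact."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def _attr(elem, name):
    for key, value in elem.attrib.items():  # attributes may be namespaced
        if _local(key) == name:
            return value
    return None


def audit_clickonce_manifest(xml_text):
    root = ET.fromstring(xml_text)
    report = {"findings": [], "dependency_digest_hex": [], "persistent_install": False}
    identity = next((e for e in root if _local(e.tag) == "assemblyIdentity"), None)
    if identity is None:
        report["findings"].append("missing_assembly_identity")
        return report
    report["name"] = _attr(identity, "name")
    report["version"] = _attr(identity, "version") or ""
    token = (_attr(identity, "publicKeyToken") or "").lower()
    report["public_key_token"] = token
    # ClickOnce tooling writes an all-zero token when the manifest is unsigned;
    # a real vendor release binds the identity to its signing key.
    if not token or set(token) == {"0"}:
        report["findings"].append("zero_public_key_token")
    if not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", report["version"]):
        report["findings"].append("unusual_version_format")
    # A Signature element only means the file claims to be signed; validity
    # still has to be checked with signtool or the .NET deployment APIs.
    signed = any(e.tag == "{%s}Signature" % DSIG_NS for e in root)
    if not signed:
        report["findings"].append("no_xml_signature")
    for e in root.iter():
        name = _local(e.tag)
        if name == "description":
            report["publisher"] = _attr(e, "publisher")
            if report["publisher"] and not signed:
                report["findings"].append("publisher_claim_without_signature")
        elif name == "deployment":
            report["persistent_install"] = (_attr(e, "install") or "").lower() == "true"
        elif name == "DigestValue" and e.text:
            # DigestValue is base64; hex lets it be compared with hash IoCs.
            report["dependency_digest_hex"].append(base64.b64decode(e.text.strip()).hex())
    return report


# Constructed stand-in for the dependency bytes (not the real payload).
DEP_BYTES = b"constructed stand-in for Adobe.exe.manifest"
EXPECTED_DEP_SHA256 = hashlib.sha256(DEP_BYTES).hexdigest()
DEP_DIGEST_B64 = base64.b64encode(hashlib.sha256(DEP_BYTES).digest()).decode()

# Constructed manifest mirroring the reported traits; not the real artifact.
SAMPLE_MANIFEST = f"""<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="Adobe.application" version="1.0.0.0"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Adobe" asmv2:product="Adobe Reader"
      xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" mapFileExtensions="true" />
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="Application Files\\Adobe_1_0_0_0\\Adobe.exe.manifest">
      <assemblyIdentity name="Adobe.exe" version="1.0.0.0"
          publicKeyToken="0000000000000000" language="neutral"
          processorArchitecture="msil" type="win32" />
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <dsig:DigestValue>{DEP_DIGEST_B64}</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""

# Same manifest with a placeholder (non-zero) token and a Signature element,
# to show what a signed-looking deployment reports.
SIGNED_VARIANT = SAMPLE_MANIFEST.replace(
    'publicKeyToken="0000000000000000"', 'publicKeyToken="0123456789abcdef"'
).replace(
    "</asmv1:assembly>",
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo /></Signature>\n</asmv1:assembly>',
)

if __name__ == "__main__":
    for label, text in (("unsigned", SAMPLE_MANIFEST), ("signed", SIGNED_VARIANT)):
        print(label, audit_clickonce_manifest(text))
```

The hex form of the DigestValue is what you would compare against a file hash indicator such as the dependency SHA256 listed at the end of this article; a 64-character value means a SHA256 digest, a 40-character one SHA1.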

Organizations facing similar threats should treat unexpected attachments with suspicion even when they appear to come from familiar or trusted contacts, especially Office documents that ask to enable macros and PDFs that push an "update".

Monitoring for the VS Code CLI and its tunnel command on non-developer machines, for Office processes spawning code.exe, for outbound connections to the tunnel service from hosts that have no reason to use it, and for unexpected device-login prompts can surface this kind of intrusion well before the attacker has a working shell.
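The detection points from the infection chain above (Office launching code.exe, code tunnel on a host that is not a developer workstation, DNS to the tunnel service, and the Discord webhook used to exfiltrate the device-login code) can be expressed as a few rules over process, DNS and proxy telemetry. The block below is an added example written for this page, not code from the original article or from Joe Security. The events it processes are constructed in a generic Sysmon/EDR-like shape; the field names (parent_image, image, cmdline, query, url), the hostnames and paths, and the idea of a developer-host allow list are all assumptions to adapt to your own pipeline. The tunnel domains are the ones Microsoft documents for VS Code Remote Tunnels and Dev Tunnels; confirm them against the current documentation before deploying.

```python
"""Detection rules for VS Code tunnel abuse delivered by an Office macro.
Added example over constructed telemetry; field names, hosts and paths are
assumptions, not values from the original report."""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Domains documented for VS Code Remote Tunnels / Dev Tunnels (assumption:
# verify against Microsoft's current docs before use).
TUNNEL_DOMAIN_RE = re.compile(
    r"(^|\.)(tunnels\.api\.visualstudio\.com|devtunnels\.ms)$", re.IGNORECASE)
# Discord webhook URLs take the form https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"^https://(discord\.com|discordapp\.com)/api/webhooks/\d+/", re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events, developer_hosts=frozenset()):
    """Return (rule, host, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            parent = _basename(ev["parent_image"])
            image = _basename(ev["image"])
            args = ev["cmdline"].lower().split()
            # An Office process launching the VS Code CLI is the macro itself.
            if parent in OFFICE_PARENTS and image == "code.exe":
                alerts.append(("office_spawned_vscode_cli", host, ev["cmdline"]))
            # `code tunnel` is normal on a developer box, suspicious elsewhere.
            if image == "code.exe" and "tunnel" in args and host not in developer_hosts:
                alerts.append(("vscode_tunnel_on_non_dev_host", host, ev["cmdline"]))
        elif kind == "dns":
            if TUNNEL_DOMAIN_RE.search(ev["query"]) and host not in developer_hosts:
                alerts.append(("tunnel_domain_on_non_dev_host", host, ev["query"]))
        elif kind == "proxy":
            # The device-login code left the host over a Discord webhook.
            if WEBHOOK_RE.match(ev["url"]):
                alerts.append(("discord_webhook_post", host, ev["url"]))
    return alerts


# Assumed allow list of machines where developer tooling is expected.
DEVELOPER_HOSTS = frozenset({"DEV-WS-01"})

# Constructed sample telemetry; hostnames, users, paths and the webhook are invented.
SAMPLE_EVENTS = [
    {"type": "process", "host": "FIN-WS-07",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\user\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name FIN-WS-07"},
    {"type": "dns", "host": "FIN-WS-07",
     "query": "global.rel.tunnels.api.visualstudio.com"},
    {"type": "proxy", "host": "FIN-WS-07",
     "url": "https://discord.com/api/webhooks/1234567890/constructed-token"},
    # Benign: a developer on an allow-listed host starting a tunnel from Explorer.
    {"type": "process", "host": "DEV-WS-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\dev\Downloads\code.exe",
     "cmdline": "code.exe tunnel --name DEV-WS-01"},
    {"type": "dns", "host": "DEV-WS-01", "query": "abc123.devtunnels.ms"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS, DEVELOPER_HOSTS):
        print(f"{host}: {rule}: {detail}")
```

The allow list is what keeps the tunnel rules quiet on real developer machines; without it the same developer activity fires, which is the trade-off to decide on before turning these into production alerts. The Office-parent and webhook rules are not gated, since neither has a benign explanation on any host.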

Indicators of Compromise (IoCs)

Type                | Indicator                                                          | Description
SHA256 (Email)      | ff892c71475c71eccf3ab3f650d7aea30b61c9dc0c39a89b7f3f434469aa8d8b   | Phishing email hash
SHA256 (File)       | 49f304eb2772bf194e21c90bf5f1783770020538c80c0ca71afc5f1adcd19e8    | Malicious Word document: CAD Reprot.doc
File name           | CAD Reprot.doc                                                     | Word document with hidden auto-executing macro
SHA256 (File)       | f3c4a34af566276e95960c156b38aea8a823aa394ed5c43178397be8440b56d    | Malicious PDF attachment: ANPR Reprot.pdf
File name           | ANPR Reprot.pdf                                                    | Deceptive PDF delivering the ClickOnce payload
URL                 | hxxps[://]adobe-pdfreader[.]b-cdn[.]net/code[.]exe                 | Attacker-hosted VS Code CLI (code.exe) download
URL                 | hxxps[://]adobe-pdfreader[.]b-cdn[.]net/Adobe[.]application        | ClickOnce deployment manifest download
SHA256 (Dependency) | 11049b198f76e7bc7a4d37b862ac77917697961c68eda70e535604c28969a870   | Dependency hash referenced in the ClickOnce manifest

Note: the Word document and PDF hashes are reproduced as published and are 63 hexadecimal characters long rather than the 64 a SHA256 digest requires, so they will not match on exact lookup; confirm them against the original Joe Security report before loading them into a blocklist.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
