New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection

Cyber Security News
By Tushar Subhra Dutta
April 27, 2026

A newly discovered malware campaign is targeting government employees in Pakistan with carefully crafted spear-phishing emails that combine obfuscation and staged payload delivery to stay hidden from security tools. The emails were directed at staff of the Punjab Safe Cities Authority (PSCA) and PPIC3, with the threat actor impersonating an internal consultant and referencing a government project called the “Safe Jail Project.” Borrowing the names of trusted institutions and real projects to gain credibility is an increasingly common lure.

The campaign delivers two malicious attachments in the same email. The first is a Word document named “CAD Reprot.doc,” a misspelling of the kind often seen in attacker-crafted files. The second is a PDF named “ANPR Reprot.pdf,” which displays a fake Adobe Reader error designed to push the user into downloading a harmful file. Both attachments pull their payloads from the same infrastructure hosted on BunnyCDN, a legitimate content delivery network, so the download traffic goes to a domain with a benign reputation and is harder for security tools to flag.

JoeReverser analysts identified the full scope of the campaign through sandbox analysis, assigning the Word document a score of 100 out of 100 for malicious behavior. At a 95% confidence level, the analysts concluded that the campaign was built to establish persistent remote access on compromised machines. Detection signals from Suricata, Sigma and YARA rules, together with ReversingLabs (52%) and VirusTotal (56%) results, all pointed to the same verdict.

What makes this campaign especially concerning is its use of Microsoft’s legitimate VS Code tunnel service as a hidden command-and-control channel.
Once the payload, code.exe, is dropped into the victim’s temporary folder and executed, it routes its traffic through Microsoft’s tunnel infrastructure, so the connection looks like routine developer activity. The threat actor also used Discord webhooks to receive an instant notification whenever a system was compromised: a webhook call is an ordinary HTTPS POST to discord.com, which blends into normal web traffic and rarely stands out in network-level monitoring.

[Figure: Analysis Workflow (Source – JoeReverser)]

The attack scored a perfect malicious rating across all sandbox tests, and no known malware family matched in Malpedia, which points to a custom-built toolset made for a specific target. Joe Sandbox confirmed the full chain through Web IDs 1903908, 1903907, and 1903906, each covering a different part of it, from the email to the final PDF.

Multi-Stage Delivery and VBA Stomping

The most technically significant aspect of this campaign is how the attacker engineered each delivery step to pass through security defenses without being caught. The Word document relies on a technique called VBA stomping: the compressed macro source code stored in the document’s VBA module stream is removed or replaced with a harmless stub, while the compiled p-code is left in place. When the document is opened in the same Office version that compiled the macro, Office executes the p-code directly and never consults the source, so the hidden logic runs. Antivirus and macro scanners that only decompress and inspect the readable source see nothing suspicious and raise no alert. Two practical consequences follow for defenders: a stomped document only works against the Office version the attacker built it for (any other version recompiles from the stub source and the payload silently fails), and p-code disassemblers such as pcodedmp, which olevba builds on for its stomping check, expose the mismatch between source and p-code.

Once the victim clicks “Enable Content” on the blurred document, the macro’s DownloadAndExfil function activates quietly in the background. It uses a COM-based HTTP object to fetch code.exe from the domain adobe-pdfreader.b-cdn.net and writes it to the system’s temp folder through ADODB.Stream. The PDF runs a parallel path: clicking the fake “Update PDF Reader” button starts an automatic download of an unsigned .NET ClickOnce manifest that impersonates Adobe software (ClickOnce deployments are launched through dfsvc.exe, which makes that process a useful pivot point when hunting for this path). Both paths feed from the same infrastructure, giving the attacker two independent chances to compromise the target.
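As an added illustration of the stomping mechanism described above (example code written for this page, not JoeReverser’s tooling and not taken from the analyzed document), the script below decompresses the source-code portion of a VBA module stream using the MS-OVBA compression algorithm, then compares what a source-only scanner sees with the size of the p-code region that Office would actually execute. The module stream layout and the meaning of MODULEOFFSET come from the MS-OVBA specification; the sample streams are constructed, the filler standing in for p-code is not real compiled VBA, and the 512-byte threshold is an assumed tuning value.

```python
"""Why source-only macro scanners miss VBA stomping.

Per MS-OVBA 2.3.4.3 a module stream is PerformanceCache (compiled p-code)
followed, at MODULEOFFSET, by the source compressed per MS-OVBA 2.4.1.
Stomping keeps the p-code and swaps the source for a stub. Everything below
is constructed for this example: the p-code region is filler, not real
p-code, and the streams are not taken from the "CAD Reprot.doc" lure.
"""
import math
import re
import struct

CHUNK_SIGNATURE = 0b011            # CompressedChunkSignature, always 0b011


def ovba_decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the raw source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # includes the 2-byte header
        if (header >> 12) & 0x07 != CHUNK_SIGNATURE:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                      # DecompressedChunkStart
        if not (header >> 15) & 1:                  # CompressedChunkFlag 0: raw bytes
            out += container[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = container[pos]                  # FlagByte: one bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # LiteralToken: one byte as-is
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # CopyToken: offset/length split depends on bytes already in this chunk
                produced = len(out) - chunk_start
                if produced < 1:
                    raise ValueError("CopyToken before any decompressed data")
                bit_count = max(math.ceil(math.log2(produced)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):             # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def ovba_compress_literals(data: bytes) -> bytes:
    """Build a valid CompressedContainer using only LiteralTokens (a compressor may
    legitimately emit no CopyTokens). Used here just to construct test streams."""
    out = bytearray(b"\x01")
    # 3640 literals + 455 flag bytes + 2 header bytes = 4097 <= 4098 max chunk size
    for i in range(0, len(data), 3640):
        piece = data[i:i + 3640]
        body = bytearray()
        for j in range(0, len(piece), 8):
            body.append(0x00)                       # flag byte: next 8 tokens are literals
            body += piece[j:j + 8]
        header = 0x8000 | (CHUNK_SIGNATURE << 12) | (len(body) + 2 - 3)
        out += struct.pack("<H", header) + body
    return bytes(out)


PROC_RE = re.compile(
    rb"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function|Property)\b",
    re.I | re.M)
MIN_SUSPICIOUS_PCODE = 512   # assumed tuning value; an empty module still has a small cache


def analyze_module_stream(stream: bytes, module_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET (read from the dir stream's MODULEOFFSET
    record in a real file) and compare the readable source with the p-code region."""
    pcode = stream[:module_offset]
    source = ovba_decompress(stream[module_offset:])
    has_procedures = PROC_RE.search(source) is not None
    return {
        "source_bytes": len(source),
        "source_has_procedures": has_procedures,
        "pcode_bytes": len(pcode),
        "stomping_suspected": (not has_procedures) and len(pcode) >= MIN_SUSPICIOUS_PCODE,
    }


def build_module_stream(pcode: bytes, source: bytes) -> tuple:
    """Assemble a module stream the way Office lays it out; returns (stream, MODULEOFFSET)."""
    return pcode + ovba_compress_literals(source), len(pcode)


# Constructed samples: a macro with visible source, and the stub left behind by stomping.
INTACT_SOURCE = (b'Attribute VB_Name = "ThisDocument"\r\n'
                 b'Sub AutoOpen()\r\n    MsgBox "hello"\r\nEnd Sub\r\n')
STUB_SOURCE = b'Attribute VB_Name = "ThisDocument"\r\n'
FILLER_PCODE = bytes(range(256)) * 8   # 2048 bytes standing in for compiled p-code

if __name__ == "__main__":
    for label, src in (("intact", INTACT_SOURCE), ("stomped", STUB_SOURCE)):
        stream, offset = build_module_stream(FILLER_PCODE, src)
        print(label, analyze_module_stream(stream, offset))
```

The decompressor is the part worth keeping: it is what any source-only scanner runs, and on the stomped stream it faithfully returns a single Attribute line while 2 KB of executable p-code sits in front of it. The size comparison is only a screening heuristic; confirming stomping on a real document means disassembling the p-code (pcodedmp) and checking that its keywords and string literals are absent from the source.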
[Figure: IOC Relationship Map (Source – JoeReverser)]

Security teams are advised to treat any document that asks users to enable macros or install a software update as a potential threat, particularly when it arrives from an unfamiliar sender. Practical steps that can detect or stop similar attacks early include blocking CDN domains that are not linked to approved services, alerting on VS Code tunnel activity on endpoints where it is not expected (code.exe started with a tunnel command line, especially from a temp directory, and connections to the tunnel endpoints under devtunnels.ms and tunnels.api.visualstudio.com), and flagging connections to discord.com from non-browser processes, since a webhook notification needs only an HTTPS POST to the /api/webhooks/ path.
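The following is an added example (not from the article or JoeReverser) that turns those three recommendations into triage rules and runs them over a handful of constructed Sysmon-style events. The VS Code tunnel endpoints under devtunnels.ms and tunnels.api.visualstudio.com are real; the event field names, the expected VS Code install paths, the approved CDN zone assets-corp.b-cdn.net, the process names and the code.exe tunnel command line are assumptions made for the demonstration.

```python
"""Triage rules for the tradecraft above, run over constructed Sysmon-style events.

Added example, not from JoeReverser or the article. Field names, install paths
and allowlists are assumptions; tune them to your environment before use.
"""
import fnmatch

# Where VS Code is expected to live; code.exe anywhere else running "tunnel" is suspect.
VSCODE_APPROVED_IMAGES = (
    r"C:\Program Files\Microsoft VS Code\Code.exe",
    r"C:\Users\*\AppData\Local\Programs\Microsoft VS Code\Code.exe",
)
# VS Code tunnels are brokered through these Microsoft endpoints.
VSCODE_TUNNEL_HOSTS = ("*.devtunnels.ms", "tunnels.api.visualstudio.com",
                       "*.tunnels.api.visualstudio.com")
DISCORD_HOSTS = ("discord.com", "*.discord.com", "discordapp.com", "*.discordapp.com")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "discord.exe")
OFFICE_READERS = ("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe")
CDN_HOST_PATTERNS = ("*.b-cdn.net",)
APPROVED_CDN_HOSTS = ("assets-corp.b-cdn.net",)   # hypothetical approved BunnyCDN zone
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed events in the spirit of Sysmon EID 1 (ProcessCreate) and EID 3 (NetworkConnect).
EVENTS = [
    {"id": 1, "event": "ProcessCreate",
     "image": r"C:\Users\analyst\AppData\Local\Temp\code.exe",
     "cmdline": r'"C:\Users\analyst\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms --name psca-01',
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 2, "event": "NetworkConnect",
     "image": r"C:\Users\analyst\AppData\Local\Temp\code.exe",
     "dest_host": "global.rel.tunnels.api.visualstudio.com", "dest_port": 443},
    {"id": 3, "event": "NetworkConnect",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"id": 4, "event": "NetworkConnect",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "adobe-pdfreader.b-cdn.net", "dest_port": 443},
    {"id": 5, "event": "NetworkConnect",                      # benign: a browser on Discord
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"id": 6, "event": "ProcessCreate",                       # approved install starting a tunnel
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 7, "event": "NetworkConnect",                      # benign: approved CDN zone
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "assets-corp.b-cdn.net", "dest_port": 443},
]


def _match(value: str, patterns) -> bool:
    """Case-insensitive glob match against an allowlist or host-pattern tuple."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (event id, severity, rule) tuples for every event that trips a rule."""
    findings = []
    for e in events:
        image, base = e["image"], _basename(e["image"])
        from_temp = any(t in e["image"].lower() for t in TEMP_DIRS)
        if e["event"] == "ProcessCreate":
            parent = _basename(e.get("parent", ""))
            if base == "code.exe" and " tunnel" in e["cmdline"].lower():
                if from_temp or not _match(image, VSCODE_APPROVED_IMAGES):
                    findings.append((e["id"], "HIGH", "vscode_tunnel_unapproved_binary"))
                else:   # legitimate install, but a tunnel is still worth a record
                    findings.append((e["id"], "INFO", "vscode_tunnel_started"))
            if parent in OFFICE_READERS and from_temp:
                findings.append((e["id"], "HIGH", "office_spawned_temp_executable"))
        elif e["event"] == "NetworkConnect":
            host = e["dest_host"]
            if _match(host, VSCODE_TUNNEL_HOSTS) and not _match(image, VSCODE_APPROVED_IMAGES):
                findings.append((e["id"], "HIGH", "vscode_tunnel_traffic_unapproved_image"))
            if _match(host, DISCORD_HOSTS) and base not in BROWSERS:
                findings.append((e["id"], "MEDIUM", "discord_from_non_browser"))
            if _match(host, CDN_HOST_PATTERNS) and not _match(host, APPROVED_CDN_HOSTS):
                severity = "HIGH" if base in OFFICE_READERS else "MEDIUM"
                findings.append((e["id"], severity, "unapproved_cdn_host"))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The rules deliberately key on behaviour the page describes rather than on the specific domain: code.exe running "tunnel" from a temp directory, tunnel-broker traffic from a binary outside the sanctioned install path, an Office process reaching a CDN zone nobody approved, and a non-browser talking to Discord. Event 6 shows the trade-off: a tunnel from a legitimate install is logged at INFO so developers are not paged for their own tooling, while the same command from Temp is HIGH.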