Operation Dragon Whistle Uses Malicious LNK Files to Target Changzhou University

Cybersecurity News · Archived May 22, 2026


Cyber Security News
By Tushar Subhra Dutta, May 22, 2026

A newly uncovered cyber operation has raised concerns among security professionals after a coordinated wave of attacks targeted government institutions in Pakistan. The campaign, now tracked as Operation Dragon Whistle, used highly convincing phishing emails to trick employees into opening malicious file attachments. Once those files were opened, they set off a chain of events designed to give attackers quiet, persistent access to the victim’s machine.

The attack was built around two separate infection paths, both relying on the same supporting infrastructure in the background. One path used a weaponized Word document carrying a hidden macro, while the other involved a deceptive PDF file designed to push a fake software installer onto the target system. Together, these two methods gave the attackers more than one way to succeed, even if one path was blocked or ignored.

What made this operation particularly unusual was not just the choice of targets but the tools the attackers chose to use. Analysts at JoeSecurity identified the campaign after reviewing sandbox submissions, and said in a report shared with Cyber Security News (CSN) that the threat actors had turned Visual Studio Code, a widely trusted coding tool, into a remote access method. This creative choice allowed their malicious activity to blend in with what looked like ordinary developer software traffic.

Operation Dragon Whistle Uses Malicious LNK Files

The phishing emails were carefully written to resemble internal messages from a consultant working on a government safety project. They referenced specific work items such as ANPR system designs and CAD drawings, which closely matched the professional context of the targeted organization. The sender’s name and title closely matched those of a known staff member, pointing to prior research on the target before the campaign began.

The first attachment, named CAD Reprot.doc, carried a macro that ran automatically the moment the document was opened. The macro quietly downloaded an executable called code.exe from an attacker-controlled server and began running Visual Studio Code tunnel commands in the background without any visible sign to the user.

[Figure: Capability Preview (Source – JOESecurity)]

During this process, a Microsoft device authentication code was generated and captured by the macro before the user could take any action. That code was then sent to the attackers through a Discord webhook, giving them what they needed to authenticate the compromised machine into a VS Code tunneling session under their control. Once enrolled, the victim’s computer connected back to the attacker through Microsoft’s own cloud infrastructure, making the traffic appear completely legitimate. From that point, the threat actor could use the integrated terminal as a remote shell, run commands, access files, or even deploy additional tools directly on the compromised system.

The PDF File and Its Staged Payload

The second attachment, named ANPR Reprot.pdf, presented what appeared to be an Adobe Reader error telling the user their software needed updating. A button inside the document pointed to a ClickOnce installation package that was crafted to look like a legitimate Adobe product but carried none of the proper authentication markers of genuine Adobe software. Researchers found that the package used an unusual versioning pattern and an all-zero public key token, both signs of a manually assembled impersonation rather than a real release. It appeared designed to install a .NET-based application on the victim’s machine as the next phase of the attack chain.

[Figure: Abuse VS Code Remote Tunnels (Source – JOESecurity)]

By the time investigators looked more closely, the attacker’s hosting domain had already been suspended, making it impossible to retrieve the final payload. Based on the structure of the deployment manifest and the available file artifacts, the end goal was most likely to execute a hidden .NET program on the compromised system.

Organizations facing similar threats should pay close attention to unexpected file attachments, even when they appear to come from familiar or trusted contacts. Monitoring developer tools on non-developer machines and flagging unusual authentication requests can help security teams detect this type of sophisticated attack much earlier in the process.

Indicators of Compromise (IoCs)

Type                  Indicator                                                          Description
SHA256 (Email)        ff892c71475c71eccf3ab3f650d7aea30b61c9dc0c39a89b7f3f434469aa8d8b   Phishing email hash
SHA256 (File)         49f304eb2772bf194e21c90bf5f1783770020538c80c0ca71afc5f1adcd19e8    Malicious Word document: CAD Reprot.doc
File Name             CAD Reprot.doc                                                     Word document with hidden auto-executing macro
SHA256 (File)         f3c4a34af566276e95960c156b38aea8a823aa394ed5c43178397be8440b56d    Malicious PDF attachment: ANPR Reprot.pdf
File Name             ANPR Reprot.pdf                                                    Deceptive PDF file delivering ClickOnce payload
URL                   hxxps[://]adobe-pdfreader[.]b-cdn[.]net/code[.]exe                 Attacker-hosted VS Code executable download URL
URL                   hxxps[://]adobe-pdfreader[.]b-cdn[.]net/Adobe[.]application        ClickOnce deployment manifest download URL
SHA256 (Dependency)   11049b198f76e7bc7a4d37b862ac77917697961c68eda70e535604c28969a870   Dependency hash referenced in the ClickOnce manifest

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
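The detection advice above (watch for developer tools on non-developer machines and for unusual authentication flows) can be turned into a few concrete rules. The following is an added example written for this page; it is not code from the article or from JoeSecurity. It runs over constructed, Sysmon-style process-creation and network events and raises an alert when code.exe is started with a tunnel command by an Office process, when a tunnel appears on a host outside an assumed developer allowlist (DEVELOPER_HOSTS is a hypothetical list), or when an Office process posts to a Discord webhook endpoint, which is the exfiltration channel the report describes for the device code. Hostnames, paths and the webhook path in the sample are made up.

```python
import json
import re

# Hypothetical allowlist of hosts where VS Code (and its tunnel feature) is expected.
DEVELOPER_HOSTS = {"dev-ws-01", "dev-ws-02"}
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TUNNEL_RE = re.compile(r"(^|\s)tunnel(\s|$)", re.IGNORECASE)
DISCORD_WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)

# Constructed sample telemetry, one JSON object per line (not real logs from the campaign).
SAMPLE_EVENTS = r"""
{"type": "process", "host": "dev-ws-01", "image": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "Code.exe tunnel --accept-server-license-terms"}
{"type": "process", "host": "finance-07", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\code.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "code.exe tunnel --accept-server-license-terms --name finance-07"}
{"type": "network", "host": "finance-07", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "url": "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"}
{"type": "process", "host": "hr-03", "image": "C:\\Users\\user\\Downloads\\code.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "code.exe tunnel"}
{"type": "process", "host": "finance-07", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "chrome.exe --type=renderer"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the tunnel-abuse rules to one event; returns (severity, reason) pairs."""
    hits = []
    image = basename(event.get("image", ""))
    if event["type"] == "process":
        parent = basename(event.get("parent_image", ""))
        is_tunnel = image == "code.exe" and TUNNEL_RE.search(event.get("command_line", ""))
        if is_tunnel and parent in OFFICE_PROCESSES:
            # The chain in the report: a Word macro launching a VS Code tunnel.
            hits.append(("critical", f"VS Code tunnel started by Office process {parent}"))
        elif is_tunnel and event["host"].lower() not in DEVELOPER_HOSTS:
            hits.append(("high", "VS Code tunnel on a non-developer host"))
        elif is_tunnel:
            hits.append(("low", "VS Code tunnel on developer host; confirm it is authorised"))
        elif image == "code.exe" and parent in OFFICE_PROCESSES:
            hits.append(("high", f"code.exe launched by Office process {parent}"))
    elif event["type"] == "network":
        if DISCORD_WEBHOOK_RE.search(event.get("url", "")) and image in OFFICE_PROCESSES:
            hits.append(("critical", f"{image} posting to a Discord webhook (possible device-code exfiltration)"))
    return hits


def scan(jsonl: str) -> list:
    """Run every rule over JSON-lines telemetry and return the alerts raised, in event order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for severity, reason in evaluate(event):
            alerts.append({"host": event["host"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper():8}] {alert['host']}: {alert['reason']}")
```

Against the constructed sample, the developer workstation's own tunnel is reported at low severity for review, while the Word-spawned tunnel and the Word-originated webhook post on finance-07 are both critical; the tunnel on hr-03 is high because it runs outside the allowlist even though it was started from Explorer. The parent-process and host-allowlist checks are cheap to port to any SIEM query language.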
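The two traits the researchers used to call the ClickOnce package an impersonation, an all-zero public key token and the absence of the authentication markers a genuine release carries, can be checked mechanically in the deployment manifest. The following is an added example for this page, not code from the article or from JoeSecurity, and the manifest it parses is a constructed stand-in rather than the campaign's Adobe.application. It extracts the assembly identity, publisher and dependency digests, flags all-zero or missing publicKeyToken values and a missing XML-DSig Signature element, and returns the version string for the analyst to judge, since the article does not say what the unusual versioning pattern was. The dependency digest value is constructed.

```python
import base64
import xml.etree.ElementTree as ET

ASM_V2 = "urn:schemas-microsoft-com:asm.v2"

# Constructed deployment manifest with the traits the report describes: an all-zero
# publicKeyToken and no XML digital signature. The digest value is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <assemblyIdentity name="Adobe.application" version="1.0.0.7"
      publicKeyToken="0000000000000000" language="neutral"
      processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <description asmv2:publisher="Adobe" asmv2:product="Adobe Reader Update"
      xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true" />
  <dependency>
    <dependentAssembly dependencyType="install" codebase="Adobe.exe.manifest" size="4096">
      <assemblyIdentity name="Adobe.exe" version="1.0.0.7"
          publicKeyToken="0000000000000000" language="neutral"
          processorArchitecture="msil" type="win32" />
      <hash>
        <dsig:Transforms>
          <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <dsig:DigestValue>__DIGEST__</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
""".replace("__DIGEST__", base64.b64encode(bytes.fromhex("11" * 32)).decode())


def _local(tag: str) -> str:
    """Strip the namespace part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def audit_clickonce_manifest(xml_text: str) -> dict:
    """Extract identity, publisher and dependency digests and flag impersonation traits."""
    root = ET.fromstring(xml_text)
    elements = list(root.iter())
    findings = []

    identities = [e for e in elements if _local(e.tag) == "assemblyIdentity"]
    for ident in identities:
        token = ident.get("publicKeyToken", "")
        if token and set(token) == {"0"}:
            findings.append(f"all-zero publicKeyToken on {ident.get('name')} v{ident.get('version')}")
        elif not token:
            findings.append(f"missing publicKeyToken on {ident.get('name')}")

    # A manifest published through the normal ClickOnce tooling carries an XML-DSig
    # <Signature> element; without it nothing binds the manifest to a publisher.
    if not any(_local(e.tag) == "Signature" for e in elements):
        findings.append("no XML-DSig Signature element: manifest is unsigned")

    description = next((e for e in elements if _local(e.tag) == "description"), None)
    publisher = description.get(f"{{{ASM_V2}}}publisher") if description is not None else None

    # Digests are base64 in the manifest; hex is the form a SIEM or VirusTotal lookup expects.
    digests = [base64.b64decode(e.text.strip()).hex()
               for e in elements if _local(e.tag) == "DigestValue" and e.text]

    top = identities[0] if identities else None
    return {
        "name": top.get("name") if top is not None else None,
        "version": top.get("version") if top is not None else None,
        "publisher": publisher,
        "dependency_digests": digests,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_clickonce_manifest(SAMPLE_MANIFEST)
    print(result["name"], result["version"], "publisher:", result["publisher"])
    for digest in result["dependency_digests"]:
        print("dependency digest:", digest)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The decoded dependency digests are what to pivot on when the payload itself is gone, as it was here after the hosting domain was suspended; the manifest's hash of the next-stage file survives even when the file does not.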