New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection
The attack was directed at staff from the Punjab Safe Cities Authority (PSCA) and PPIC3, with the threat actor impersonating an internal consultant and referencing a government project called the “Safe Jail Project.” This approach reflects a growing tactic where attackers use trusted institutional names to gain credibility.
The campaign delivers two malicious attachments through the same email. The first is a Word document named “CAD Reprot.doc,” a deliberate misspelling often seen in threat-actor-crafted files.
The second is a PDF named “ANPR Reprot.pdf,” which shows a fake Adobe Reader error designed to push users into downloading a harmful file. Both attachments pull payloads from the same infrastructure hosted on BunnyCDN, a legitimate content delivery network, making the traffic harder for security tools to flag.
JoeReverser analysts identified the full scope of this campaign after a thorough sandbox analysis, assigning the Word document a perfect score of 100 out of 100 for malicious behavior.
Working at a 95% confidence level, analysts confirmed the campaign was built to establish persistent remote access on compromised machines.
Detection signals from Suricata, Sigma, YARA, ReversingLabs at 52%, and VirusTotal at 56% all supported the same verdict, leaving no reasonable doubt about the attack’s intent.
What makes this campaign especially concerning is its use of Microsoft’s legitimate VS Code tunnel service as a hidden command-and-control channel.
Once the payload code.exe is dropped into the victim’s temporary folder and executed, it routes traffic through Microsoft’s own infrastructure, making the connection look like routine developer activity.
The threat actor also used Discord webhooks to receive instant notifications whenever a system was compromised, a low-profile method that bypasses most network-level monitoring tools.
The attack scored a perfect malicious rating across all sandbox tests, and no known malware family match was found in Malpedia, confirming this is a custom-built toolset made for a specific target.
Joe Sandbox confirmed the full chain through Web IDs 1903908, 1903907, and 1903906, each covering a different part from the email to the final PDF.
The most technically significant aspect of this campaign is how the attacker engineered each delivery step to pass through security defenses without being caught.
The Word document relies on a technique called VBA stomping, where the visible macro source code is completely removed, leaving only the compiled p-code behind.
Most antivirus tools that check macro content in Word documents scan the readable portion and find nothing, letting the hidden logic run without triggering an alert.
Once the victim clicks “Enable Content” on the blurred document, the macro’s DownloadAndExfil function activates quietly in the background.
It uses a COM-based HTTP object to pull code.exe from the domain adobe-pdfreader.b-cdn.net and writes it to the system’s temp folder through ADODB.Stream.
The PDF runs a parallel path, where clicking the fake “Update PDF Reader” button starts an automatic download of an unsigned .NET ClickOnce manifest that impersonates Adobe software. Both paths feed from the same infrastructure, giving the attacker two independent chances to compromise the target.
Security teams are advised to treat any document that asks users to enable macros or install software updates as a potential threat, particularly when arriving from unfamiliar senders.
Blocking CDN domains not linked to approved services, monitoring unusual VS Code tunnel activity on enterprise endpoints, and flagging Discord webhook connections from non-browser applications are practical steps that can help detect or stop similar attacks early.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection appeared first on Cyber Security News.
The Sheep Detectives is the cutest, sweetest movie ever made about accepting death and confronting…
The PowerWash Simulator series has announced its biggest collaboration yet: a Star Wars DLC for…
HBO has shared a first-look at Stuart Fails to Save the Universe, its upcoming multiverse…
A new phishing campaign is actively targeting Indian taxpayers and businesses by impersonating the Income…
Security researchers have raised a warning about two widely trusted tools, macOS textutil and KeePassXC,…
The European Commission has formally proposed measures requiring Google to share anonymized user search data…
This website uses cookies.