Categories: Cyber Security News

Hackers Hide Malware In Nested macOS-Like Folders To Evade Detection

Threat actor UNG0002 is actively targeting the Chinese education sector with a sophisticated spear-phishing campaign dubbed “Operation Dragon Whistle.”

According to researchers at Seqrite Labs, the attackers are focusing on students and faculty at Changzhou University.

The campaign uses highly contextual lures tied to the university’s mandatory 2026 National Student Physical Fitness and Health Standards testing cycle to create a false sense of urgency.

The attack begins with a spear-phishing email sent from a free NetEase account that impersonates the university’s official administration. It includes a malicious ZIP attachment named after the 2026 fitness testing notice.

By referencing specific university staff, direct phone numbers, and QQ group IDs, the threat actors achieve a high level of social engineering fidelity that bypasses initial skepticism.

Hackers Hide Nested Malware

Upon opening the ZIP archive, victims see an LNK shortcut that appears to be a PDF (Windows Explorer never displays the .lnk extension, so only the document-style name is visible). The attackers bury the actual malicious payloads inside four levels of nested folders whose names mimic the metadata directories macOS adds to archives.

This structure hides the payload from automated archive scanners that do not descend through every nested level, and from casual manual inspection, which stops at the one visible "PDF".
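The archive layout described above is easy to check for at the mail gateway or in a sandbox pre-filter. The following scanner is an added example, not Seqrite's or the article's code: it opens a ZIP, flags shortcut files whose visible name ends in a document extension, flags executables and scripts nested deeper than a configurable depth, and flags any PE or script stored under a macOS-style metadata folder. The folder name `__MACOSX`, the depth threshold and the extension lists are assumptions; the sample archive is constructed in memory and its member contents are placeholders, not the real payloads.

```python
"""Scan a ZIP for the lure layout: a document-looking LNK at the top level and
executables hidden under nested macOS-style metadata folders.

Added example. Thresholds and folder names are assumptions, not report values."""
import io
import zipfile

MAX_BENIGN_DEPTH = 3                     # executables nested deeper than this are suspect
MACOS_META_DIRS = {"__macosx"}           # assumed macOS metadata folder name, compared lower-cased
EXEC_EXT = (".exe", ".dll", ".vbs", ".lnk", ".js", ".scr", ".bat", ".cmd")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def lnk_masquerades_as_document(name: str) -> bool:
    """'notice.pdf.lnk' style names: a shortcut whose visible name ends in a document extension."""
    n = name.lower()
    if not n.endswith(".lnk"):
        return False
    stem = n[:-4]                        # what Explorer shows once .lnk is hidden
    return stem.endswith(DOC_EXT)


def scan_zip(data: bytes) -> list:
    """Return (rule, member_path) tuples for members matching the lure layout."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            name, dirs = parts[-1], parts[:-1]
            lname = name.lower()
            if lnk_masquerades_as_document(name):
                findings.append(("lnk-masquerades-as-document", info.filename))
            if lname.endswith(EXEC_EXT) and len(dirs) >= MAX_BENIGN_DEPTH:
                findings.append(("executable-nested-deep", info.filename))
            if any(d.lower() in MACOS_META_DIRS for d in dirs):
                # Genuine macOS metadata entries are '._'-prefixed AppleDouble
                # files; a PE header or a script extension under such a folder
                # means it is being used to hide payloads.
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ" or lname.endswith(EXEC_EXT):
                    findings.append(("payload-in-macos-metadata-dir", info.filename))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def build_sample_zip() -> bytes:
    """Constructed archive in the described shape (file names from the report, contents fake)."""
    buf = io.BytesIO()
    nested = "__MACOSX/._rsrc/__MACOSX/._rsrc/"          # four levels of macOS-looking folders
    fake_pe = b"MZ" + b"\x00" * 62                         # DOS header stub only, not a real binary
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2026 Fitness Test Notice.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 72)
        zf.writestr(nested + "chromedo.vbs", b"' placeholder, not the real script\r\n")
        zf.writestr(nested + "Bandizip.exe", fake_pe)
        zf.writestr(nested + "ark.x64.dll", fake_pe)
        zf.writestr(nested + "decoy.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for rule, path in scan_zip(build_sample_zip()):
        print(f"{rule:32} {path}")
```

On the constructed sample the scanner reports the top-level LNK once and each of the three nested executables twice (deep nesting, and payload under a metadata folder); the decoy PDF is not flagged. In production, run it on the extracted ZIP from the mail flow before any user can open it, and treat `payload-in-macos-metadata-dir` as a hard block rather than a score.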

Clicking the LNK file triggers a complex, multi-stage infection process:

  • The LNK abuses the legitimate explorer.exe binary to execute a hidden VBScript payload named chromedo.vbs.
  • The VBScript dynamically opens a legitimate-looking decoy PDF to distract the victim.
  • Simultaneously, the script silently launches a bundled copy of the Bandizip.exe archiver in the background, with no prompt to the user.
  • Bandizip.exe performs DLL sideloading by loading an attacker-controlled file, ark.x64.dll, from its local directory.

According to Seqrite research, the loaded DLL immediately deploys multiple anti-debugging and evasion checks.

It scans for active monitoring tools like Wireshark and Process Monitor, halting execution if an analysis environment is detected.

Once the environment is deemed safe, the malware unpacks an SFX payload in memory, tampers with AMSI and ETW to blind script scanning and event tracing, and ultimately deploys a Cobalt Strike Beacon.

The entire payload executes directly in memory to minimize on-disk artifacts, while command-and-control (C2) communications route through Alibaba Cloud infrastructure via the domain lysander[.]asia.
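Each step of the chain described above leaves an endpoint telemetry trace even though the final stage stays in memory: explorer.exe parenting a script host that runs a .vbs, that script host spawning Bandizip.exe, Bandizip.exe loading ark.x64.dll from the staging folder instead of its install directory, and a DNS lookup for the C2 domain. The following detection logic is an added example, not Seqrite's or the article's code. It runs over constructed Sysmon-style events (process create, image load, DNS query); the user name, paths and the `__MACOSX` folder name are invented for the demo, and the only real indicator is the article's domain, which is kept defanged in the source and re-fanged inside the rule set.

```python
"""Detection logic for the LNK -> explorer.exe -> VBScript -> Bandizip sideload
chain and the C2 lookup, run over constructed Sysmon-style events.

Added example. Event values are made up; the domain is the article's IOC."""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Domain IOC stays defanged in source and is re-fanged only here, inside the rule set
C2_DOMAINS = {d.replace("[.]", ".") for d in ("lysander[.]asia",)}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _is_c2_domain(query: str) -> bool:
    q = query.lower().rstrip(".")
    return q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS)


def detect(events: list) -> list:
    """Return (rule, detail) tuples; each rule maps to one step in the chain."""
    hits = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:                                   # process creation
            image = _basename(e["Image"])
            parent = _basename(e["ParentImage"])
            cmdline = e.get("CommandLine", "").lower()
            # A double-clicked LNK that targets explorer.exe makes explorer the
            # parent of the script host running the .vbs
            if parent == "explorer.exe" and image in SCRIPT_HOSTS and ".vbs" in cmdline:
                hits.append(("lnk-explorer-vbs", e["CommandLine"]))
            # The archiver started silently by a script host, not by the user
            if parent in SCRIPT_HOSTS and image == "bandizip.exe":
                hits.append(("script-spawns-bandizip", e["Image"]))
        elif eid == 7:                                 # image (DLL) load
            loaded = e["ImageLoaded"].lower()
            if _basename(e["Image"]) == "bandizip.exe" and _basename(loaded) == "ark.x64.dll":
                outside_install = not loaded.startswith(TRUSTED_INSTALL_DIRS)
                unsigned = e.get("Signed", "false").lower() != "true"
                # Sideload: the DLL comes from the staging folder next to the EXE,
                # not from the product's install directory, and carries no signature
                if outside_install or unsigned:
                    hits.append(("bandizip-sideload", e["ImageLoaded"]))
        elif eid == 22:                                # DNS query
            if _is_c2_domain(e["QueryName"]):
                hits.append(("c2-dns", e["QueryName"]))
    return hits


# Constructed events. STAGE_DIR is an invented extraction path; the nested
# "__MACOSX" folders are an assumption about the macOS-style names described.
STAGE_DIR = r"C:\Users\student\AppData\Local\Temp\Temp1_Notice.zip\__MACOSX\._rsrc\__MACOSX\._rsrc"
SUSPICIOUS_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'wscript.exe "' + STAGE_DIR + r'\chromedo.vbs"'},
    {"EventID": 1, "Image": STAGE_DIR + r"\Bandizip.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "Bandizip.exe"},
    {"EventID": 7, "Image": STAGE_DIR + r"\Bandizip.exe",
     "ImageLoaded": STAGE_DIR + r"\ark.x64.dll", "Signed": "false"},
    {"EventID": 22, "Image": STAGE_DIR + r"\Bandizip.exe", "QueryName": "lysander.asia"},
]
# Constructed benign baseline: a normally installed, user-launched archiver.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Bandizip.exe archive.zip"},
    {"EventID": 7, "Image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "ImageLoaded": r"C:\Program Files\Bandizip\ark.x64.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Program Files\Bandizip\Bandizip.exe", "QueryName": "example.com"},
]

if __name__ == "__main__":
    for rule, detail in detect(SUSPICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{rule:24} {detail}")
```

The four suspicious events each produce one hit and the benign baseline produces none. Two of the rules stand on their own (a script host spawning an archiver, and an archiver loading its engine DLL from a user-writable path), so they are worth deploying even where the specific names change in the next campaign; the DNS rule is only as good as the IOC list behind it.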

Indicators of Compromise (IOCs)

File Type / Component    SHA256 Hash
Malicious ZIP Archive    e7aff6a55a7866776272d9913dfbf9d7db33fc9de6aced22f2a195feebb0e85f
Decoy PDF                fe11b199ada23d5ac25efc4215e67f4ff617ccb4d429eb64412072687367ca1c
Malicious LNK File       cd99e83d241cfbb41bfcd0bc622a87d16268e710ca7d736d0c5f44774e0056e2
Phishing Email           eb14d9e35a3bf0a933297f861bee0be9e6b9061fe4573a81ac92b71d55b6474f
Bandizip.exe             c937eca7c4c9b98df9257d986e666d25411aac5fa39d21f7018dd2e1663f0c76
ark.x64.dll              35a478f53f64bd412f374c65360fdba0518749537193669a8fe08d14bed65a2a

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
