Cybercriminals continue to refine malware delivery techniques, making attacks harder to detect and easier to execute against targeted organizations. A newly discovered campaign aimed at government employees in Pakistan demonstrates how modern threat actors combine spear-phishing, staged payload delivery, and advanced obfuscation to bypass traditional security controls.
Researchers found the campaign impersonated trusted government contacts and used malicious Microsoft Word and PDF attachments referencing a real institutional initiative known as the “Safe Jail Project.” Behind the believable lure was a multi-stage infection chain designed to establish persistent remote access while blending into legitimate traffic.
What makes this operation especially notable is the use of Microsoft’s VS Code tunnel service as a hidden command-and-control channel, along with Discord webhooks for attacker notifications.
In this article, we examine how the malware campaign works, why it is dangerous, and what security teams should do to defend against similar attacks.
What Happened in This Malware Campaign?
Threat actors launched a targeted spear-phishing operation against employees linked to:
- Punjab Safe Cities Authority (PSCA)
- PPIC3
- Government-related personnel in Pakistan
The attackers impersonated an internal consultant and referenced a legitimate government project to build trust.
The phishing email delivered two separate malicious attachments:
- CAD Reprot.doc
- ANPR Reprot.pdf
The misspelling of “Report” is a common tactic seen in malicious campaigns, helping attackers mimic rushed internal documents while avoiding duplicate file detections.
Both attachments connected to the same infrastructure hosted on BunnyCDN, a legitimate content delivery network.
Why This Attack Is Significant
This campaign highlights several modern attacker trends:
Trusted Brand Abuse
Using recognized institutions and projects increases click rates.
Legitimate Infrastructure Abuse
Hosting payloads on CDN platforms can reduce suspicion and bypass simplistic filtering.
Multi-Stage Payload Delivery
Two malicious attachments give attackers multiple opportunities to infect the victim.
Living Within Trusted Services
Using VS Code tunnels and Discord helps traffic blend into normal enterprise environments.
Custom Malware Tooling
No known malware family match was identified, suggesting a tailored threat toolset.
How the Infection Chain Works
The campaign used two separate but coordinated attack paths.
Path 1: Malicious Word Document
The first file, CAD Reprot.doc, appeared to be a normal government-related document.
Once opened, the file displayed blurred content requiring the victim to click Enable Content.
That action triggered a hidden macro function designed to silently download malware.
Hidden VBA Macro Technique: VBA Stomping
The document used VBA stomping, a technique where visible macro source code is removed while compiled p-code remains.
This is dangerous because many security tools inspect readable macro code and may miss the hidden executable logic.
Once enabled, the macro:
- Created a COM HTTP request
- Downloaded code.exe
- Saved it to the system temp folder
- Executed the payload silently
Path 2: Fake PDF Update Lure
The second file, ANPR Reprot.pdf, displayed a fake Adobe Reader error.
The user was instructed to click an “Update PDF Reader” button.
That triggered a download of an unsigned .NET ClickOnce manifest impersonating legitimate Adobe software.
This gave attackers a second independent compromise path.
Use of VS Code Tunnel as Command and Control
One of the most advanced elements of the campaign was the use of Microsoft’s VS Code tunnel service.
After execution, the malware routed attacker communications through Microsoft infrastructure, making traffic resemble routine developer or remote access activity.
This can create challenges for defenders because:
- Traffic may appear legitimate
- Trusted domains are less likely to be blocked
- Network detection becomes more complex
- Encrypted channels reduce visibility
Discord Webhooks for Silent Alerts
The attackers also used Discord webhooks to receive notifications when infections succeeded.
This offers several advantages:
- Low-cost attacker infrastructure
- Real-time alerts
- Minimal server management
- Often overlooked by network monitoring tools
This reflects a broader trend of threat actors abusing mainstream SaaS platforms.
Why Traditional Security Tools May Miss This
The campaign combined several evasion techniques.
Obfuscation
Hidden macros and compiled code reduce static detection.
Legitimate Services
BunnyCDN, Microsoft services, and Discord appear normal in many environments.
Multi-Stage Delivery
The initial file may look harmless until later stages execute.
Custom Malware
No known family signature means AV detection may be weaker.
User Interaction Required
Social engineering bypasses many technical controls.
Potential Business Risks
If successful, attacks like this can lead to:
Persistent Remote Access
Attackers maintain access to compromised systems.
Credential Theft
Sensitive government or enterprise credentials may be harvested.
Lateral Movement
Compromised users can become entry points into broader networks.
Espionage
Targeted campaigns may focus on surveillance and data collection.
Operational Disruption
Critical agencies or businesses may suffer outages or trust loss.
Detection and Mitigation Strategies
Security teams should adapt to campaigns using trusted platforms.
Email Security Controls
Block or sandbox suspicious attachments such as:
- Macro-enabled Office files
- Unexpected PDFs requesting updates
- Unsigned ClickOnce installers
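The following is an added example, not code from the original article or from the researchers who analysed the campaign. It shows how a mail gateway or sandbox pre-filter could implement the three attachment rules above as content checks rather than extension checks alone: legacy binary Office files (the container type VBA stomping applies to) are recognised by their OLE header, OOXML documents are opened as ZIP archives and flagged when they carry a vbaProject.bin part regardless of the extension shown to the user, ClickOnce manifests are recognised by extension or by their XML deployment element, and PDFs are flagged when they contain action objects (URI, Launch, OpenAction, JavaScript), which is what a PDF needs in order to send the reader to an "update" download. All sample attachments are constructed in memory; the file names reuse the ones reported in the article but the bytes are synthetic and carry no payload.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes of a legacy binary Office (OLE / Compound File) document.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# PDF dictionary keys that introduce actions; a static brochure needs none of them.
PDF_ACTION_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/URI")
# ClickOnce deployment manifest and shortcut extensions.
CLICKONCE_EXTS = (".application", ".appref-ms")


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return the policy reasons for sandboxing/blocking this attachment (empty = no rule fired)."""
    reasons: List[str] = []
    lower = name.lower()

    # Rule 1: legacy binary Office formats can hold VBA, and the source may be stomped,
    # so treat the whole container type as macro-capable.
    if data.startswith(OLE_MAGIC) and lower.endswith((".doc", ".dot", ".xls", ".ppt")):
        reasons.append("legacy-office-binary")

    # Rule 2: OOXML is a ZIP; the presence of a vbaProject.bin part means macros exist,
    # whatever the extension says.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = {n.lower() for n in zf.namelist()}
            if any(p.endswith("vbaproject.bin") for p in parts):
                reasons.append("ooxml-vba-project")
        except zipfile.BadZipFile:
            reasons.append("corrupt-zip")

    # Rule 3: ClickOnce deployment manifests, by extension or by their <deployment> element.
    if lower.endswith(CLICKONCE_EXTS) or b"<deployment" in data[:4096]:
        reasons.append("clickonce-manifest")

    # Rule 4: PDFs that carry action objects (the mechanism behind an "Update PDF Reader" button).
    if data.startswith(b"%PDF") and any(m in data for m in PDF_ACTION_MARKERS):
        reasons.append("pdf-action-objects")

    return reasons


def triage_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container, optionally with a vbaProject.bin part (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments: synthetic bytes, no real content.
SAMPLES: Dict[str, bytes] = {
    "CAD Reprot.doc": OLE_MAGIC + b"\x00" * 64,
    "quarterly.docx": _build_ooxml(with_macro=False),
    "memo.docm": _build_ooxml(with_macro=True),
    "update.application": (
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">'
        b'<deployment install="true" /></asmv1:assembly>'
    ),
    "ANPR Reprot.pdf": (
        b"%PDF-1.7\n1 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (https://example.invalid/update) >> >>\nendobj\n%%EOF"
    ),
    "brochure.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
}

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(f"{name:22s} -> {reasons or 'clean'}")
```

The checks are deliberately coarse: they decide what goes to a sandbox or a quarantine queue, not whether a file is malicious. A PDF with a single hyperlink and a signed internal macro workbook will both fire, which is the intended trade-off for the attachment classes the article names.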
Endpoint Monitoring
Detect:
- Office spawning command or scripting processes
- Downloads into temp directories
- Unexpected code.exe execution
- VS Code tunnel processes on unmanaged endpoints
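As an added example (not code from the article or the researchers), the four endpoint indicators above can be expressed as one rule set over process-creation events, the kind an EDR or Sysmon pipeline already produces. The events below are constructed; the host names, the set of hosts approved to run VS Code tunnels, and the managed VS Code install paths are assumptions for this example. The point the code makes that the bullet list alone does not is the allow-listing: a Code.exe from the managed install directory on a developer workstation running the tunnel feature produces no finding, while the same binary name launched from a user's temp folder by Word does.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Office parents that should almost never spawn interpreters or launch binaries from temp paths.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command and scripting interpreters commonly chained from a macro.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Path fragments identifying user and system temp directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Where a managed VS Code install lives (assumption for this example).
MANAGED_VSCODE_PATHS = ("\\program files\\microsoft vs code\\", "\\appdata\\local\\programs\\microsoft vs code\\")
# Hosts where developers are permitted to use the VS Code tunnel feature (assumption for this example).
APPROVED_TUNNEL_HOSTS = {"dev-ws-01"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    findings: List[str] = []
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    image = event.image.lower()
    tokens = event.command_line.lower().split()
    in_temp = any(m in image for m in TEMP_MARKERS)

    # Office spawning command or scripting processes.
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        findings.append("office-spawned-interpreter")
    # Office launching anything that was dropped into a temp directory.
    if parent in OFFICE_PARENTS and in_temp:
        findings.append("office-launched-temp-binary")
    # code.exe running from anywhere other than the managed install.
    if child == "code.exe" and not any(p in image for p in MANAGED_VSCODE_PATHS):
        findings.append("code.exe-outside-managed-install")
    # The tunnel subcommand on a host not approved for it.
    if child == "code.exe" and "tunnel" in tokens and event.host not in APPROVED_TUNNEL_HOSTS:
        findings.append("vscode-tunnel-on-unapproved-host")
    return findings


def review(events: List[ProcessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, image, findings) for every event that triggered at least one detection."""
    return [(e.host, e.image, f) for e in events if (f := evaluate(e))]


# Constructed process-creation events (hosts, users and paths are invented for this example).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
TEMP_CODE = r"C:\Users\a.khan\AppData\Local\Temp\code.exe"
MANAGED_CODE = r"C:\Program Files\Microsoft VS Code\Code.exe"

SAMPLE_EVENTS = [
    ProcessEvent("ws-finance-07", WINWORD, TEMP_CODE, f'"{TEMP_CODE}"'),
    ProcessEvent("ws-finance-07", TEMP_CODE, TEMP_CODE, f'"{TEMP_CODE}" tunnel'),
    ProcessEvent("ws-hr-02", WINWORD, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcessEvent("dev-ws-01", r"C:\Windows\explorer.exe", MANAGED_CODE, f'"{MANAGED_CODE}" tunnel'),
    ProcessEvent("ws-hr-02", r"C:\Windows\explorer.exe", MANAGED_CODE, f'"{MANAGED_CODE}" --new-window'),
]

if __name__ == "__main__":
    for host, image, findings in review(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

In production the allow-lists would come from asset inventory rather than constants, and the first two rules are worth alerting on even without the code.exe rules, since they cover the macro-to-download step regardless of what the dropped binary is called.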
Network Monitoring
Review outbound traffic to:
- Unapproved CDN domains
- Discord webhook endpoints
- Unexpected Microsoft developer services
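The review of outbound traffic described above, as an added example that is not part of the original article: a small proxy-log pass that separates the three destination classes from ordinary browsing. The log format and every line in it are constructed. The destination lists are assumptions for this example: b-cdn.net is assumed to be the hostname suffix BunnyCDN pull zones use, discord.com and discordapp.com with a path under /api/webhooks/ are treated as webhook calls (ordinary Discord browsing is not flagged), and the tunnel suffixes follow the endpoints Microsoft documents for dev tunnels. The approved CDN host shows how a legitimately used pull zone is excluded so the rule stays actionable.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log, format assumed as "<timestamp> <src_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.5 GET https://intranet.example.gov/home 200
2024-01-01T09:02:14Z 10.0.0.5 GET https://example-pull-zone.b-cdn.net/updates/code.exe 200
2024-01-01T09:02:20Z 10.0.0.5 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 204
2024-01-01T09:02:31Z 10.0.0.5 CONNECT https://abc123.rel.tunnels.api.visualstudio.com/ 200
2024-01-01T09:05:00Z 10.0.0.7 GET https://discord.com/channels/@me 200
2024-01-01T09:06:00Z 10.0.0.9 GET https://assets.approved-vendor.b-cdn.net/app.js 200
"""

# Destination lists (assumptions for this example; maintain them from your own inventory).
WATCHED_CDN_SUFFIXES = {"b-cdn.net"}
APPROVED_CDN_HOSTS = {"assets.approved-vendor.b-cdn.net"}
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
TUNNEL_SUFFIXES = {"tunnels.api.visualstudio.com", "devtunnels.ms"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _host_matches(host: str, suffixes: set) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url: str) -> Optional[str]:
    """Map a URL to one of the watched destination classes, or None for ordinary traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Webhook posts are the notification channel; normal Discord browsing uses other paths.
    if host in DISCORD_HOSTS and parts.path.startswith("/api/webhooks/"):
        return "discord-webhook"
    # Any contact with the tunnel relay service from a non-developer host is worth a look.
    if _host_matches(host, TUNNEL_SUFFIXES):
        return "vscode-tunnel-service"
    # CDN pull zones that are not on the approved list.
    if _host_matches(host, WATCHED_CDN_SUFFIXES) and host not in APPROVED_CDN_HOSTS:
        return "unapproved-cdn"
    return None


def review(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group flagged (category, url) pairs by source IP so a chain from one host is visible together."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        _ts, src_ip, _method, url, _status = m.groups()
        category = classify(url)
        if category:
            findings[src_ip].append((category, url))
    return dict(findings)


if __name__ == "__main__":
    for src_ip, hits in review(SAMPLE_LOG).items():
        print(src_ip)
        for category, url in hits:
            print(f"  {category:24s} {url}")
```

Grouping by source address is what turns three low-confidence observations (a CDN fetch, a webhook post, a tunnel relay connection) into one high-confidence sequence: the same host touching all three within a minute matches the infection chain described in this article far more tightly than any one destination on its own.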
User Awareness Training
Teach users to avoid:
- Enabling macros
- Installing updates from documents
- Trusting urgent internal-looking attachments
Application Control
Restrict unsigned binaries and unmanaged installers.
Strategic Lessons for CISOs
This campaign reflects a key reality of modern cybersecurity:
Attackers increasingly prefer blending in rather than brute force.
They use:
- Trusted brands
- Real infrastructure
- Legitimate services
- Human deception
- Low-noise persistence
Defenders need layered security that combines:
- Threat detection
- User training
- Behavior analytics
- Zero trust access controls
- Incident response readiness
FAQs
What is staged payload delivery?
Staged payload delivery means malware is delivered in multiple steps rather than one obvious file, helping evade detection.
What is VBA stomping?
VBA stomping hides readable macro code while preserving compiled logic that still runs.
Why use VS Code tunnels?
Attackers may use trusted Microsoft services to disguise command-and-control traffic.
Is Discord commonly abused by attackers?
Yes. Discord webhooks and channels are sometimes used for alerts, exfiltration, or coordination.
Why are phishing emails still effective?
Because trust, urgency, and believable branding often bypass human caution.
How can organizations stop attacks like this?
Use layered controls: email filtering, EDR, network monitoring, application control, and user training.
Conclusion
This new malware campaign shows how far threat actors have evolved beyond simple phishing attachments. By combining obfuscation, staged payload delivery, trusted infrastructure abuse, and stealthy command channels, attackers created a highly targeted intrusion designed to avoid both users and security tools.
For organizations, the message is clear: signature-based defenses alone are no longer enough.
Modern defense requires behavioral detection, user awareness, and visibility across endpoints, email, and cloud traffic.
The most dangerous malware today often looks legitimate.