UNG0002 Targets Chinese Academia with Weaponized Institutional Lures
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A threat actor tracked as UNG0002 launched a spear-phishing campaign against Chinese universities using a malicious ZIP archive disguised as an official fitness testing notice. Inside the archive was a double-extension LNK file that executed a VBScript, which then used Bandizip to sideload a malicious DLL. That DLL carried out anti-analysis checks, decrypted an in-memory SFX payload, and ultimately deployed a Cobalt Strike beacon for command-and-control activity. The operation combined living-off-the-land techniques with Alibaba Cloud-hosted infrastructure to support the intrusion.
Investigation
Seqrite Labs examined the phishing email, attachment, and full payload chain, revealing that explorer.exe was used to launch the VBS script and Bandizip.exe was abused to host the malicious DLL. The analysts documented extensive anti-debugging checks designed to evade analysis environments and mapped the complete execution flow from initial lure to final beacon deployment. They also identified the infrastructure tied to the campaign, including the IP address 60.205.186.162 and the domain lysander.asia, and linked the activity to earlier UNG0002 operations. Additional enrichment showed that the command-and-control server was hosted on Alibaba Cloud and used Feishu-related MX records, further supporting attribution to a China-based threat actor.
Mitigation
Not Specified
Response
Not Specified
Attack Flow

graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef file fill:#e6e6e6
    classDef process fill:#ffdd99
    classDef malware fill:#ff9999
    classDef network fill:#c2c2f0

    %% Nodes – Actions (Techniques)
    action_initial_access["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Email with malicious ZIP is sent to the target"]
    class action_initial_access action
    action_user_execution["<b>Action</b> – <b>T1204.002 User Execution</b><br/>User opens the LNK file thinking it is a PDF"]
    class action_user_execution action
    action_masquerading["<b>Action</b> – <b>T1036 Masquerading</b><br/>LNK is double-extension and displayed as a PDF"]
    class action_masquerading action
    action_permission_hijack["<b>Action</b> – <b>T1574.005 Executable Installer File Permissions Weakness</b><br/>Explorer.exe is used to launch a hidden VBS script"]
    class action_permission_hijack action
    action_vbscript["<b>Action</b> – <b>T1059.005 Visual Basic</b><br/>VBS opens the decoy PDF and runs Bandizip"]
    class action_vbscript action
    action_lol["<b>Action</b> – <b>T1218 Living off the Land</b><br/>Bandizip, a legitimate archiver, is abused"]
    class action_lol action
    action_hidden_files["<b>Action</b> – <b>T1564.001 Hidden Files and Directories</b><br/>Payload placed in deep, macOS-style folders"]
    class action_hidden_files action
    action_dll_side_loading["<b>Action</b> – <b>T1574.008 Path Interception by Search Order Hijacking</b> / <b>T1574.002 DLL Side-Loading</b><br/>Bandizip loads malicious ark.x64.dll"]
    class action_dll_side_loading action
    action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>DLL contains encrypted strings and encrypted SFX payload"]
    class action_obfuscation action
    action_anti_analysis["<b>Action</b> – <b>T1497 Virtualization/Sandbox Evasion</b> / <b>T1497.001 System Checks</b> / <b>T1497.002 User Activity Checks</b> / <b>T1622 Debugger Evasion</b><br/>DLL checks for debuggers, analysis tools and sandbox artifacts"]
    class action_anti_analysis action
    action_process_discovery["<b>Action</b> – <b>T1057 Process Discovery</b><br/>Enumerates running processes to locate analysis utilities"]
    class action_process_discovery action
    action_reflective_loading["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Decrypted SFX payload is loaded directly into memory"]
    class action_reflective_loading action
    action_c2["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>In-memory payload establishes HTTPS Cobalt Strike beacon"]
    class action_c2 action

    %% Nodes – Files / Artifacts
    file_zip["<b>File</b> – malicious.zip<br/>Contains the malicious LNK"]
    class file_zip file
    file_lnk["<b>File</b> – 常州大学2026年《国家学生体质健康标准》测试通知.pdf.lnk"]
    class file_lnk file
    file_vbs["<b>File</b> – chromedo.vbs<br/>Visual Basic script executed by explorer"]
    class file_vbs file
    tool_bandizip["<b>Tool</b> – Bandizip.exe<br/>Legitimate archiver abused to load malicious DLL"]
    class tool_bandizip tool
    file_dll["<b>File</b> – ark.x64.dll<br/>Malicious DLL loaded via side-loading"]
    class file_dll file
    malware_cobalt_strike["<b>Malware</b> – Cobalt Strike beacon<br/>Provides remote access"]
    class malware_cobalt_strike malware

    %% Nodes – Processes
    process_explorer["<b>Process</b> – explorer.exe"]
    class process_explorer process
    process_chromedo["<b>Process</b> – chromedo (VBS host)"]
    class process_chromedo process

    %% Nodes – Network
    network_c2["<b>Network</b> – C2 server 60.205.186.162 (lysander.asia) over HTTPS"]
    class network_c2 network

    %% Connections – Attack Flow
    file_zip -->|contains| file_lnk
    file_lnk -->|invokes| process_explorer
    process_explorer -->|launches| file_vbs
    file_vbs -->|runs| tool_bandizip
    tool_bandizip -->|loads| file_dll
    file_dll -->|enables| action_obfuscation
    file_dll -->|performs| action_anti_analysis
    file_dll -->|triggers| action_process_discovery
    file_dll -->|supports| action_reflective_loading
    action_reflective_loading -->|loads| malware_cobalt_strike
    malware_cobalt_strike -->|communicates with| network_c2

    %% Linking actions to show sequence
    action_initial_access -->|leads to| action_user_execution
    action_user_execution -->|combined with| action_masquerading
    action_masquerading -->|enables| action_permission_hijack
    action_permission_hijack -->|triggers| action_vbscript
    action_vbscript -->|uses| action_lol
    action_lol -->|creates| action_hidden_files
    action_hidden_files -->|facilitates| action_dll_side_loading
    action_dll_side_loading -->|includes| action_obfuscation
    action_obfuscation -->|covers| action_anti_analysis
    action_anti_analysis -->|feeds into| action_process_discovery
    action_process_discovery -->|precedes| action_reflective_loading
    action_reflective_loading -->|enables| action_c2
    action_c2 -->|establishes beacon with| malware_cobalt_strike
Detections
- Possible Malicious LNK File with Double Extension (via cmdline)
- LOLBAS WScript / CScript (via process_creation)
- IOCs (HashSha256) to detect: Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
- IOCs (SourceIP) to detect: Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
- IOCs (DestinationIP) to detect: Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
- Detection of C2 Communication via Known Malicious IP and Domain [Windows Network Connection]
- UNG0002 Process Enumeration and Anti-Debugging Detection [Windows Sysmon]
- Detection of LNK Abusing explorer.exe and Bandizip.exe for Malicious VBScript Execution [Windows Process Creation]
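As an added illustration (not part of the original report or of the rules listed above), the following Python pass applies the same four ideas to constructed Sysmon-style events: a double-extension LNK in a command line, explorer.exe handing a .vbs to a script host, the script host starting Bandizip.exe which then loads ark.x64.dll from outside its install directory, and a connection to the reported C2 indicators. The sample events, the hidden drop-folder path and the trusted Bandizip directories are assumptions; only the IP, domain and file names come from the report.

```python
import re

C2_IPS, C2_DOMAINS = {"60.205.186.162"}, {"lysander.asia"}  # indicators quoted from the report above
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)\.lnk\b", re.IGNORECASE)
# Assumed legitimate Bandizip install directories; a copy loading ark.x64.dll from elsewhere is suspect.
TRUSTED_BANDIZIP_DIRS = ("c:\\program files\\bandizip\\", "c:\\program files (x86)\\bandizip\\")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(ev):
    """Names of the page's detections matched by one Sysmon-style event (dict of fields)."""
    hits, cmd = [], ev.get("CommandLine", "")
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    if ev["EventID"] == 1:  # process creation
        if DOUBLE_EXT_LNK.search(cmd):
            hits.append("lnk_double_extension")
        if image in SCRIPT_HOSTS and parent == "explorer.exe" and ".vbs" in cmd.lower():
            hits.append("explorer_launches_vbs_host")
        if image == "bandizip.exe" and parent in SCRIPT_HOSTS:
            hits.append("vbs_host_launches_bandizip")
    elif ev["EventID"] == 7:  # image load: ark.x64.dll sideloaded from an untrusted directory
        loaded = ev.get("ImageLoaded", "")
        if (image == "bandizip.exe" and basename(loaded) == "ark.x64.dll"
                and not loaded.lower().startswith(TRUSTED_BANDIZIP_DIRS)):
            hits.append("bandizip_dll_sideload")
    elif ev["EventID"] == 3:  # network connection to the reported C2 infrastructure
        if ev.get("DestinationIp") in C2_IPS or ev.get("DestinationHostname", "").lower() in C2_DOMAINS:
            hits.append("known_c2_connection")
    return hits

def scan(events):
    """Return {event index: [detections]} for every event that fires at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

DROP, WIN = "C:\\Users\\victim\\AppData\\Local\\Temp\\.__MACOSX\\", "C:\\Windows\\"  # constructed paths
SAMPLE_EVENTS = [  # constructed walk through the chain; not events taken from the report
    {"EventID": 1, "Image": WIN + "explorer.exe", "ParentImage": WIN + "explorer.exe",
     "CommandLine": 'explorer.exe "C:\\Users\\victim\\Downloads\\test_notice.pdf.lnk"'},
    {"EventID": 1, "Image": WIN + "System32\\wscript.exe", "ParentImage": WIN + "explorer.exe",
     "CommandLine": f'wscript.exe "{DROP}chromedo.vbs"'},
    {"EventID": 1, "Image": DROP + "Bandizip.exe", "ParentImage": WIN + "System32\\wscript.exe",
     "CommandLine": f'"{DROP}Bandizip.exe"'},
    {"EventID": 7, "Image": DROP + "Bandizip.exe", "ImageLoaded": DROP + "ark.x64.dll"},
    {"EventID": 3, "Image": DROP + "Bandizip.exe", "DestinationIp": "60.205.186.162",
     "DestinationHostname": "lysander.asia"},
]
```

Running `scan(SAMPLE_EVENTS)` fires exactly one rule per sample event in chain order, while a Bandizip copy loading ark.x64.dll from its Program Files directory stays silent.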
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker delivers a malicious DLL (named evil.dll) that is loaded by a benign-looking host process (rundll32.exe). The DLL's DllMain immediately calls CreateToolhelp32Snapshot followed by Process32First to enumerate all running processes. The enumeration loop checks each process name for the presence of a debugger (the "dbg" substring) and stops enumerating if one is found, a classic debugger-evasion technique (T1622). Because the DLL is loaded by rundll32.exe, the process creation event recorded by Sysmon contains the ApiSetName fields for the two native APIs, satisfying the detection rule.
Regression Test Script:

# -------------------------------------------------
# Step 1: Create C source for the malicious DLL
# -------------------------------------------------
$dllSource = @"
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

// Exported entry point so that "rundll32 evil.dll,EntryPoint" resolves without an
// error dialog; the enumeration itself runs from DllMain as soon as the DLL is loaded.
__declspec(dllexport) void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE) return FALSE;

        // Wide-character entry and API variants so that wcsstr matches the szExeFile type
        PROCESSENTRY32W pe = {0};
        pe.dwSize = sizeof(PROCESSENTRY32W);
        if (Process32FirstW(hSnap, &pe)) {
            do {
                // Simple anti-debug check: look for "dbg" in the process name
                if (wcsstr(pe.szExeFile, L"dbg")) {
                    // Debugger-like process found; stop enumerating
                    break;
                }
            } while (Process32NextW(hSnap, &pe));
        }
        CloseHandle(hSnap);
    }
    return TRUE;
}
"@

$srcPath = "$env:Temp\evil.c"
$dllPath = "$env:Temp\evil.dll"
Set-Content -Path $srcPath -Value $dllSource -Encoding Ascii

# -------------------------------------------------
# Step 2: Compile the DLL with Visual C++ (cl.exe)
# -------------------------------------------------
# Requires Visual Studio Build Tools; adjust $vcvars to the installed edition and version.
# Equivalent command from a Developer Command Prompt:
#   cl.exe /LD /O2 /MD evil.c /link /OUT:evil.dll
$vcvars = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvars64.bat"
Push-Location $env:Temp   # keep evil.obj, evil.lib and evil.exp in the temp folder
& cmd /c "`"$vcvars`" && cl.exe /LD /O2 /MD `"$srcPath`" /link /OUT:`"$dllPath`"" | Out-Null
Pop-Location
if (-Not (Test-Path $dllPath)) {
    Write-Error "DLL compilation failed."
    exit 1
}

# -------------------------------------------------
# Step 3: Execute the malicious DLL via rundll32.exe
# -------------------------------------------------
$rundll = "$env:SystemRoot\System32\rundll32.exe"
& $rundll "$dllPath,EntryPoint"   # rundll32 expects "<dll>,<export>" as a single argument

# -------------------------------------------------
# Step 4: Pause to allow Sysmon to log the event
# -------------------------------------------------
Start-Sleep -Seconds 5

The script compiles a minimal DLL that performs the targeted API calls and then loads it with rundll32.exe. The short sleep ensures Sysmon has time to record the process-creation event.
Cleanup Commands:
# Remove compiled artifacts
Remove-Item -Force -ErrorAction SilentlyContinue "$env:Temp\evil.c", "$env:Temp\evil.dll", "$env:Temp\evil.obj", "$env:Temp\evil.lib", "$env:Temp\evil.exp"

# Optional: restart Sysmon to clear any stuck handles (not required in most cases)
Stop-Service -Name Sysmon -Force
Start-Service -Name Sysmon