Full Report
Table of Contents: Introduction; Key Targets; Infection Chain; Initial Findings about Campaign; Analysis of Decoys & Spear phishing Email; Technical Analysis; Stage1: Analysis of LNK File; Stage2: Analysis of VBS; Stage3: DLL Side Loading; Infrastructural Artefacts & Threat actor Attributions; Conclusion: Operation DRAGON WHISTLE? […]
The post "Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure" appeared first on Seqrite Labs.
Analysis Summary
# Threat Actor: UNG002 (Operation Dragon Whistle)
## Attribution & Identity
- **Actor Name:** UNG002
- **Campaign Name:** Operation Dragon Whistle
- **Origin/Affiliation:** Likely Chinese-speaking or deeply familiar with Chinese administrative culture, given the high-fidelity social engineering and use of local infrastructure. However, the actor is currently tracked by its temporary designation, **UNG002**.
## Activity Summary
- **Current Campaign (2026):** Targeting Chinese academia through highly contextual spear-phishing lures.
- **Incident Overview:** The actor leveraged the "2026 National Student Physical Fitness and Health Standards" testing cycle at Changzhou University as a pressure mechanism to ensure victims opened malicious attachments.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails sent via NetEase (163[.]com) using highly specific institutional lures.
- **Execution:** Multi-stage infection chain starting with a double-extension LNK file masquerading as a PDF.
- **Defense Evasion:**
  - Use of deeply nested folders (mimicking macOS metadata) to bypass automated scanners.
  - Living-off-the-Land (LotL) by abusing `explorer.exe` to trigger payloads.
  - DLL Side-Loading using a legitimate signed binary (`Bandizip.exe`).
- **Persistence:** Implementation of C2 beacons for long-term access.
**MITRE ATT&CK IDs:**
- **T1566.001:** Spearphishing Attachment
- **T1204.002:** User Execution: Malicious File
- **T1059.005:** Command and Scripting Interpreter: Visual Basic
- **T1574.002:** DLL Side-Loading
- **T1036:** Masquerading
- **T1027:** Obfuscated Files or Information
- **T1620:** Reflective Code Loading
- **T1071.001:** Application Layer Protocol: Web Protocols
## Targeting
- **Sectors:** Education (Universities), Government-affiliated academic bodies, Sports & Physical Education departments.
- **Geography:** Mainland China.
- **Victims:** Changzhou University (常州大学) students and faculty.
## Tools & Infrastructure
- **Malware Families:** Cobalt Strike (Beacon), VBScript loaders, custom LNK triggers.
- **Legitimate Apps (Abused):** Bandizip (used for DLL side-loading), Explorer.exe.
- **Social Engineering Infrastructure:** NetEase free mail service (163[.]com).
- **C2/IPs:**
  - `60[.]205[.]186[.]162`
- **Email Identifiers:**
  - `18115820617@163[.]com` (Sender: “牛牛 / Cow Cat”)
## Implications
UNG002 demonstrates a high degree of operational maturity and reconnaissance capability. By leveraging specific institutional mandates (fitness testing) and accurate internal details (QQ groups, specific staff names), they effectively circumvent standard user awareness training. This represents a trend of "niche" targeting where actors focus on high-compliance institutional windows to guarantee infection.
## Mitigations
- **Email Security:** Implement advanced scanning that can unpack deeply nested archives and inspect LNK file destination paths.
- **Host-Based Defense:** Monitor for unusual child processes of `explorer.exe` and block unsigned or unexpected DLLs being loaded by common tools like `Bandizip.exe` (DLL Side-loading protection).
- **User Awareness:** Educate students and staff to verify the source of unsolicited attachments, even if they appear to follow official university formatting and use valid contact information.
- **Network Monitoring:** Block the known C2 IP and alert on DNS queries and mail traffic associated with suspicious 163[.]com senders or non-standard administrative mail patterns.
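A host-side check covering the Email Security and Host-Based Defense bullets above, written as an added example and not code from the Seqrite report: it flags `explorer.exe` launching a script host (the LNK-to-VBS step), `Bandizip.exe` loading a DLL that is unsigned or sits beside a copy of the binary outside its install directory (side-loading), and a double-extension `.lnk` masquerading as a document. The Sysmon-style event shape, the paths and the DLL name `sideload.dll` are constructed for the sample.

```python
# Constructed Sysmon-style events (not from the report); all paths are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\stu\Downloads\__MACOSX\.meta\notice.vbs"'},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Bandizip\Bandizip.exe", "cmdline": "Bandizip.exe"},
    {"type": "image_load", "image": r"C:\Users\stu\AppData\Local\Temp\Bandizip.exe",
     "loaded": r"C:\Users\stu\AppData\Local\Temp\sideload.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "file_create", "target": r"C:\Users\stu\Downloads\体测通知.pdf.lnk"},
    {"type": "file_create", "target": r"C:\Users\stu\Downloads\report.pdf"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Directory where the legitimate binary is expected (assumed default install path).
BANDIZIP_INSTALL_DIRS = {"c:/program files/bandizip"}


def _split(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    head, _, tail = path.replace("\\", "/").lower().rpartition("/")
    return head, tail


def is_double_ext_lnk(path):
    """True for names like notice.pdf.lnk: a document extension hidden before .lnk."""
    name = _split(path)[1]
    if not name.endswith(".lnk"):
        return False
    stem = name[:-4]
    inner = "." + stem.rsplit(".", 1)[1] if "." in stem else ""
    return inner in DOC_EXTENSIONS


def evaluate(events):
    """Return (rule_name, detail) alerts for the three behaviours described above."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create" and _split(ev["parent"])[1] == "explorer.exe" \
                and _split(ev["image"])[1] in SCRIPT_HOSTS:
            alerts.append(("explorer_spawns_script_host", ev["cmdline"]))
        elif ev["type"] == "image_load" and _split(ev["image"])[1] == "bandizip.exe":
            exe_dir, dll_dir = _split(ev["image"])[0], _split(ev["loaded"])[0]
            # Unsigned DLL, or a DLL loaded from next to a relocated copy of the binary.
            if not ev["signed"] or (dll_dir == exe_dir and exe_dir not in BANDIZIP_INSTALL_DIRS):
                alerts.append(("bandizip_sideload", ev["loaded"]))
        elif ev["type"] == "file_create" and is_double_ext_lnk(ev["target"]):
            alerts.append(("double_extension_lnk", ev["target"]))
    return alerts
```

Run against `SAMPLE_EVENTS` this yields one alert per rule and leaves the legitimate Bandizip and PDF events alone.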