Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
Essential information
- Published: 20/05/2026 13:07
- Modified: 21/05/2026 16:49
- Tags: 2026-05-20, anti-debugging, chinese academia, cobalt strike, dll sideloading, education sector targeting, in-memory execution, social engineering, spear-phishing
- Related entities: 8 observables, 1 intrusion set (APT), 1 malware, 3 others
Description
A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.
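The initial delivery described above (a ZIP whose LNK is dressed up as a PDF, shipped next to a legitimate executable that sideloads a DLL) is something a mail gateway or sandbox can screen for before any user clicks. The following Python script is an added example written for this entry; it is not tooling from the report or from the analysts who tracked UNG002. It inspects every member of a ZIP archive, recognises a Shell Link file by its fixed header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) rather than trusting the file name, flags double extensions such as `.pdf.lnk`, and raises a separate finding when a PE executable and a DLL arrive together, which is the staging pattern for DLL sideloading. The sample archive, the DLL name `helper.dll` and the file names inside it are constructed for the demonstration; only `Bandizip.exe` comes from the report.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Shell Link (.lnk) header: HeaderSize = 0x0000004C (little-endian) followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
MZ_MAGIC = b"MZ"  # DOS header of every PE file (EXE or DLL)
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


@dataclass
class Finding:
    member: str
    reason: str


def _extensions(member_name: str) -> list[str]:
    """Return all extensions of the member's base name, lower-cased, e.g. ['.pdf', '.lnk']."""
    base = member_name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def scan_archive(zip_bytes: bytes) -> list[Finding]:
    """Flag LNK lures and EXE+DLL pairs in a ZIP supplied as bytes (no extraction to disk)."""
    findings: list[Finding] = []
    exe_members: list[str] = []
    dll_members: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            with zf.open(info) as fh:
                head = fh.read(64)  # enough for the LNK header and the MZ check
            is_lnk = head.startswith(LNK_MAGIC)
            named_lnk = exts[-1:] == [".lnk"]
            if is_lnk or named_lnk:
                if any(e in DOC_EXTS for e in exts[:-1]):
                    reason = "LNK masquerading as a document (double extension)"
                elif is_lnk and not named_lnk:
                    reason = "LNK content behind a non-.lnk extension"
                else:
                    reason = "shortcut file inside archive"
                findings.append(Finding(info.filename, reason))
            if head.startswith(MZ_MAGIC):
                (dll_members if exts[-1:] == [".dll"] else exe_members).append(info.filename)
    if exe_members and dll_members:
        findings.append(
            Finding(
                ", ".join(exe_members),
                "executable packaged with DLL(s) %s: possible sideloading staging"
                % ", ".join(dll_members),
            )
        )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the lure layout; headers only, no real code inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice/fitness_test_notice.pdf.lnk", LNK_MAGIC + b"\x00" * 48)
        zf.writestr("notice/Bandizip.exe", MZ_MAGIC + b"\x00" * 62)   # named in the report
        zf.writestr("notice/helper.dll", MZ_MAGIC + b"\x00" * 62)     # placeholder DLL name
        zf.writestr("notice/readme.txt", b"constructed benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_zip()):
        print(f"[!] {f.member}: {f.reason}")
```

Run it against a quarantined attachment with `scan_archive(open(path, "rb").read())`; reading members through `zf.open` keeps the archive in memory, so nothing lands on disk where a handler could auto-execute it. Because the LNK check keys on the header rather than the name, a shortcut renamed to `.pdf` outright is still caught; the double-extension branch covers the `.pdf.lnk` case the lure used, which Explorer hides by default.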