Published on April 27, 2026
New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection
Severity
Medium
Detail
A newly identified spear-phishing campaign is targeting government personnel in Pakistan, specifically employees linked to the Punjab Safe Cities Authority (PSCA) and PPIC3. The attackers impersonate a trusted internal consultant and reference official initiatives like the “Safe Jail Project” to build credibility.
This operation reflects a targeted and highly tailored approach, using custom-built malware and trusted infrastructure to evade detection and establish long-term access.
How?
The attack begins with a phishing email containing two malicious attachments: a Word document (“CAD Reprot.doc”) and a PDF (“ANPR Reprot.pdf”), both deliberately misspelled to mimic common human errors. These files are designed to trick users into interacting with them while quietly initiating the infection chain.
The Word document employs a stealth technique known as VBA stomping, in which the readable macro source is removed or replaced while the compiled p-code that Office actually executes is left intact, so scanners that inspect only the VBA source see nothing suspicious. When the victim enables macros, the concealed function executes in the background, downloading a payload (“code.exe”) from infrastructure hosted on BunnyCDN. The payload is written to the system’s temporary directory and executed without raising immediate suspicion.
In parallel, the PDF file displays a fake error message prompting the user to install an update. Clicking the embedded button triggers the download of a malicious ClickOnce application disguised as an Adobe update. Both infection paths rely on the same backend infrastructure, increasing the likelihood of successful compromise.
Once executed, the malware establishes command-and-control (C2) communication using Visual Studio Code tunnel services. By routing traffic through legitimate Microsoft infrastructure, the attacker’s activity blends in with normal developer operations, making it difficult for network monitoring tools to detect. Additionally, Discord webhooks are used to notify the attacker in real time when a system is compromised, sidestepping detection mechanisms tuned to traditional C2 traffic.
The campaign’s multi-stage design, combined with obfuscation and trusted service abuse, allows it to bypass many conventional defenses. Sandbox analysis confirmed its malicious nature with high confidence, and the absence of known malware signatures indicates a custom-built toolkit tailored for this specific operation.
Conclusion
This campaign demonstrates how threat actors are increasingly combining social engineering, obfuscation techniques, and legitimate cloud services to evade detection and target high-value environments. Organizations should enforce strict macro policies, monitor unusual use of developer tools like VS Code tunnels, and flag unexpected outbound connections to services such as Discord.
User awareness remains critical, especially when dealing with unsolicited documents requesting macro enablement or software updates, as these remain a primary entry point for such targeted attacks.
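As an added illustration of the monitoring the conclusion recommends (not part of the original report), the following Python script runs three rules over constructed proxy log lines: an executable or ClickOnce manifest fetched from a BunnyCDN zone, a POST to a Discord webhook, and a VS Code tunnel connection from a host that is not an approved developer workstation, then escalates any client that trips more than one rule. The service domains, the allowlist and every log line are assumptions constructed for the example, not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the report): time client method url
SAMPLE_PROXY_LOGS = """\
2026-04-20T09:12:01Z 10.1.4.22 GET https://example-zone.b-cdn.net/code.exe
2026-04-20T09:12:09Z 10.1.4.22 POST https://discord.com/api/webhooks/000000/PLACEHOLDER_TOKEN
2026-04-20T09:12:15Z 10.1.4.22 GET https://global.rel.tunnels.api.visualstudio.com/api/v1/clusters
2026-04-20T09:13:00Z 10.1.4.23 GET https://www.microsoft.com/en-us/
2026-04-20T09:14:30Z 10.1.4.40 GET https://global.rel.tunnels.api.visualstudio.com/api/v1/clusters
"""

# Assumed developer workstations allowed to use VS Code tunnels; any other client is flagged.
DEV_TUNNEL_ALLOWLIST = {"10.1.4.40"}

# Service domains are assumptions based on public documentation, not values from the report.
CDN_SUFFIXES = (".b-cdn.net",)
TUNNEL_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/")

def classify(client, method, url):
    """Return the name of the rule one request triggers, or None."""
    u = urlparse(url)
    host, path = u.hostname or "", u.path
    # .application is the ClickOnce deployment manifest extension (covers the PDF lure path)
    if host.endswith(CDN_SUFFIXES) and path.lower().endswith((".exe", ".dll", ".application")):
        return "cdn_executable_download"
    if host in ("discord.com", "discordapp.com") and method == "POST" and WEBHOOK_RE.match(path):
        return "discord_webhook_post"
    if host.endswith(TUNNEL_SUFFIXES) and client not in DEV_TUNNEL_ALLOWLIST:
        return "vscode_tunnel_unexpected_host"
    return None

def analyze(log_text):
    """Map each client to the rules it triggered; clients hitting two or more rules are escalated."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _, client, method, url = parts
        rule = classify(client, method, url)
        if rule:
            hits[client].add(rule)
    escalated = sorted(c for c, rules in hits.items() if len(rules) >= 2)
    return dict(hits), escalated

if __name__ == "__main__":
    per_client, escalated = analyze(SAMPLE_PROXY_LOGS)
    for client, rules in per_client.items():
        print(client, sorted(rules))
    print("escalate:", escalated)
```

A single rule hit is a lead; the per-client correlation is what separates a developer legitimately using a tunnel from a host that downloaded an executable, phoned a webhook and opened a tunnel within minutes.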
Source
https://cybersecuritynews.com/new-malware-uses-obfuscation-and-staged-payload/
