Trust was the opening move in a campaign that blended social engineering with developer-grade misdirection. The attackers impersonated an internal consultant, invoked the real “Safe Jail Project,” and steered staff at the Punjab Safe Cities Authority and PPIC3 toward what looked like routine paperwork but was in fact a pair of booby-trapped files. The email carried “CAD Reprot.doc” and “ANPR Reprot.pdf,” each misspelled to mimic casual internal naming and each wired to a separate infection chain that converged on the same BunnyCDN-hosted payloads. By splitting the path but unifying the destination, the operators raised the odds that at least one attachment would execute while keeping network indicators sparse and familiar. Staged delivery, macro obfuscation, and legitimate cloud services did the rest: hostile traffic looked like everyday collaboration, and defenders were left sifting signals that were hard to tell apart from normal enterprise activity.
The Setup: Social Engineering and Dual Delivery
The lure hinged on proximity and plausibility: a sender framed as an internal consultant referencing the Safe Jail Project, a real initiative that lends instant credibility among public safety staff accustomed to process-heavy correspondence. Misspellings like “Reprot” functioned as deliberate noise: common enough in everyday files to avoid suspicion, yet unusual enough to slip past filename-based filters keyed to expected report names (a misspelled name changes nothing about the file hash, so hash-based blocking is unaffected either way). The dual-attachment tactic was not redundancy for its own sake; it created parallel routes to the same infrastructure so that if one vector stumbled on policy controls or user friction, the other could still land. Both files ultimately drew from BunnyCDN, allowing outbound traffic to blend with ordinary content delivery patterns and pass through allowlists that trust well-known CDN domains wholesale. This approach naturally leads to a broader theme: hide in plain sight to extend the time between compromise and detection.
The Word document leaned on VBA stomping: the readable macro source inside the module stream is replaced with benign or empty text while the compiled p-code is left intact, so tools that only inspect the source see nothing alarming even though Office will still run the p-code. After the predictable “Enable Content” nudge, a concealed routine spun up a COM-based HTTP object, fetched a payload named code.exe, and wrote it into the temp directory with ADODB.Stream before execution. In contrast, the PDF never needed embedded exploits; it presented a bogus Adobe Reader error that funneled the user toward an unsigned .NET ClickOnce installer pretending to be a required viewer update. Different mechanisms, same outcome: execution of an attacker-controlled binary from a cloud edge familiar to corporate networks. Building on this foundation, the operators ensured either click path could establish a foothold, turning a single spear-phish into two independent infection paths that shared one C2 backbone.
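The following is an added example, not code from the original article or from the analysed sample: a minimal decoder for the MS-OVBA compressed source container that a VBA module stream carries, plus a first-pass triage that compares the recovered source text with the size of the p-code region in front of it. The module streams, the dir-stream parsing that yields the source offset, the p-code bytes and the sample source texts are all constructed for the demo; a real module's source offset comes from its MODULEOFFSET record, and a real stomping check should disassemble the p-code (for example with pcodedmp) rather than rely on the size heuristic used here.

```python
import re
import struct
from math import ceil, log2

# Added example (not from the article). The decompressor follows MS-OVBA 2.4.1;
# the triage threshold and all sample bytes are assumptions made for the demo.


def decompress_vba(container: bytes) -> bytes:
    """Decode an MS-OVBA compressed container into the original module text."""
    if not container or container[0] != 0x01:
        raise ValueError("missing compressed-container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # includes the 2 header bytes
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = (header >> 15) & 0x01
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        if not compressed:                          # raw chunk: 4096 bytes copied as-is
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)                      # copy offsets are chunk-relative
        while pos < chunk_end:
            flags = container[pos]                  # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # The split between offset and length bits depends on how much of
                # the current chunk has already been decoded (min 4 offset bits).
                decoded = len(out) - chunk_start
                bit_count = max(4, ceil(log2(decoded))) if decoded > 1 else 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # byte-wise so overlaps work
                    out.append(out[src + i])
    return bytes(out)


def encode_literal_only(source: bytes) -> bytes:
    """Wrap bytes as one compressed chunk made only of literal tokens. Valid per the
    spec but saves no space; used here just to build offline test input."""
    assert len(source) <= 3500, "single-chunk helper only"
    body = bytearray()
    for i in range(0, len(source), 8):
        body.append(0x00)                           # flag byte: eight literals follow
        body.extend(source[i:i + 8])
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + struct.pack("<H", header) + bytes(body)


PROC_RE = re.compile(rb"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Sub|Function)\s+\w+", re.M | re.I)


def triage_module(module_stream: bytes, source_offset: int) -> dict:
    """Recover the source text a source-only scanner would see and record how much
    compiled p-code (PerformanceCache) precedes it in the same module stream."""
    source = decompress_vba(module_stream[source_offset:])
    return {
        "source": source.decode("latin-1"),
        "defines_procedure": bool(PROC_RE.search(source)),
        "pcode_bytes": source_offset,
    }


def likely_stomped(info: dict, min_pcode_bytes: int = 256) -> bool:
    """Heuristic: a sizeable p-code cache with no procedure in the source is the
    signature stomping leaves behind. The 256-byte floor is an assumed placeholder;
    tune it against your own corpus of clean documents."""
    return not info["defines_procedure"] and info["pcode_bytes"] >= min_pcode_bytes


# Constructed samples: made-up p-code bytes, then a source that only carries the
# Attribute header a stomper leaves, versus a module whose source is honest.
FAKE_PCODE = bytes(range(256)) * 3
STOMPED_SOURCE = b'Attribute VB_Name = "ThisDocument"\r\nAttribute VB_Base = "1Normal.ThisDocument"\r\n'
HONEST_SOURCE = b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n    MsgBox "hi"\r\nEnd Sub\r\n'
STOMPED_MODULE = FAKE_PCODE + encode_literal_only(STOMPED_SOURCE)
HONEST_MODULE = FAKE_PCODE + encode_literal_only(HONEST_SOURCE)

# Hand-assembled chunk exercising a copy token: literals "ABCD", then copy 4 bytes
# from 4 bytes back, decoding to "ABCDABCD".
COPY_TOKEN_SAMPLE = bytes.fromhex("01 06 b0 10 41 42 43 44 01 30")

if __name__ == "__main__":
    for name, module in (("stomped", STOMPED_MODULE), ("honest", HONEST_MODULE)):
        info = triage_module(module, len(FAKE_PCODE))
        print(name, "procedure in source:", info["defines_procedure"],
              "likely stomped:", likely_stomped(info))
```

The point the triage makes is the one the paragraph makes in prose: the decompressed source is what most static scanners and a hurried analyst read, and after stomping it can be perfectly innocent while the p-code that Office actually executes still contains the downloader.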
Covert Control: VS Code Tunnels, Evidence, and Defensive Plays
Once code.exe ran, command-and-control traffic pivoted through Microsoft’s Visual Studio Code tunnel service, a legitimate feature that developers use for remote port forwarding and secure access to local environments. By repurposing that channel, the actor made callbacks resemble everyday dev workflows: workstation beacons looked like tunnel handshakes, and the endpoint process looked like an IDE component (the payload name code.exe even matches the name of the genuine VS Code binary). Notifications of each new compromise traveled via Discord webhooks, a low-friction signal path that rides standard HTTPS and blends into collaboration noise. Analysts assessed persistent remote access as the engineered goal, reinforced by the tunnel’s bidirectional flexibility and the convenience of webhook-based telemetry. This was not commodity smash-and-grab; it was patient access with a cover story: routine code sync, a harmless CDN request, and a dev tunnel that few enterprises watch outside engineering teams.
Attribution signals pointed to bespoke tooling rather than a recycled family. JoeReverser and Joe Sandbox correlated the full chain (Web IDs 1903908, 1903907, 1903906) and flagged the Word lure with a 100/100 malicious score across sandbox runs. Suricata rules, Sigma detections, and YARA hits independently stacked confidence, while ReversingLabs at 52% and VirusTotal at 56% indicated consistent cross-vendor suspicion even before deep hunts completed. The absence of a Malpedia match was read as a further sign of a custom kit tailored to Pakistani government environments, though absence of a match is weaker evidence than a positive one. For defenders, the pressure points were clear and actionable: restrict or allow-list CDN destinations where feasible, baseline VS Code tunnel activity on endpoints that should not host developer stacks, and flag outbound Discord webhooks originating from non-browser processes. Two practical caveats apply. Because the payload borrowed the name code.exe, an allowlist keyed on process name alone will not separate it from a real VS Code install; key on the image path and the host's role instead. And endpoint network events such as Sysmon's record only destination hostnames, so the webhook rule needs URL-level visibility from a proxy or TLS-inspecting gateway to distinguish a webhook POST from ordinary Discord use. In practice, those measures applied friction precisely where the operation depended on trust in familiar platforms, reducing attacker room to maneuver without blanket blocks that disrupt daily work.
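As an added example, not code from the article or from any of the vendors it names, the three defensive plays above turned into detection logic and run over constructed Sysmon-style process and proxy-style network events. The host names, the engineering-host set, the browser and Office process lists and the sample events are all assumptions for the demo; the dev-tunnel and BunnyCDN domain suffixes reflect the public service names but should be confirmed against current vendor documentation before deployment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Added example (not from the article). All lists below are assumptions for the demo.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Paths an Office app should never be launching executables from.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public|Downloads)\\", re.I)
# Where a legitimate VS Code install lives (system-wide or per-user installer).
VSCODE_PATHS = re.compile(r"\\(?:Program Files|AppData\\Local\\Programs\\Microsoft VS Code)\\", re.I)
# Dev-tunnel endpoints used by the VS Code tunnel feature; verify against Microsoft docs.
TUNNEL_HOSTS = re.compile(r"(?:^|\.)(?:devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.I)
CDN_HOSTS = re.compile(r"(?:^|\.)b-cdn\.net$", re.I)          # BunnyCDN edge suffix
WEBHOOK_URL = re.compile(r"^https://(?:discord\.com|discordapp\.com)/api/webhooks/", re.I)


@dataclass
class Event:
    kind: str          # "process" (creation) or "net" (outbound connection)
    host: str          # endpoint name
    image: str         # full path of the acting process
    parent: str = ""   # process events: parent image path
    dest: str = ""     # net events: destination hostname (what Sysmon gives you)
    url: str = ""      # net events: full URL, only when a proxy supplied one


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event], engineering_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, detail) alerts. The webhook rule is skipped for events
    without a URL, since a bare hostname cannot tell a webhook POST from chat."""
    alerts = []
    for e in events:
        img = basename(e.image)
        if e.kind == "process":
            # Office spawning an executable out of a user-writable directory.
            if basename(e.parent) in OFFICE_APPS and USER_WRITABLE.search(e.image):
                alerts.append(("office_spawns_temp_exe", e.host,
                               f"{basename(e.parent)} -> {e.image}"))
            continue
        if TUNNEL_HOSTS.search(e.dest):
            # Tunnels are expected only from engineering hosts, and even there only
            # from a VS Code install path; a code.exe in %TEMP% fails the second test.
            if e.host not in engineering_hosts:
                alerts.append(("devtunnel_from_non_dev_host", e.host, f"{img} -> {e.dest}"))
            elif not VSCODE_PATHS.search(e.image):
                alerts.append(("devtunnel_from_unexpected_image", e.host, f"{e.image} -> {e.dest}"))
        if CDN_HOSTS.search(e.dest) and img not in BROWSERS:
            alerts.append(("cdn_fetch_by_non_browser", e.host, f"{img} -> {e.dest}"))
        if e.url and WEBHOOK_URL.match(e.url) and img not in BROWSERS:
            alerts.append(("discord_webhook_from_non_browser", e.host, f"{img} -> {e.url}"))
    return alerts


# Constructed telemetry: the infection chain on a front-desk workstation, followed by
# benign look-alikes (a developer's real VS Code tunnel, a browser hitting a CDN and
# a webhook) that must stay quiet.
TEMP_PAYLOAD = r"C:\Users\clerk\AppData\Local\Temp\code.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    Event("process", "ws-frontdesk-07", TEMP_PAYLOAD,
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("net", "ws-frontdesk-07", TEMP_PAYLOAD, dest="global.rel.tunnels.api.visualstudio.com"),
    Event("net", "ws-frontdesk-07", TEMP_PAYLOAD, dest="discord.com",
          url="https://discord.com/api/webhooks/000/placeholder"),
    Event("net", "ws-frontdesk-07", TEMP_PAYLOAD, dest="example.b-cdn.net"),
    Event("net", "dev-laptop-12", r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
          dest="global.rel.tunnels.api.visualstudio.com"),
    Event("net", "ws-frontdesk-07", CHROME, dest="assets.b-cdn.net"),
    Event("net", "ws-frontdesk-07", CHROME, dest="discord.com",
          url="https://discord.com/api/webhooks/000/placeholder"),
]
ENGINEERING_HOSTS = {"dev-laptop-12"}

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS, ENGINEERING_HOSTS):
        print(f"[{rule}] {host}: {detail}")
```

The host-role check is what keeps the tunnel rule useful: the same connection is normal on a developer laptop and anomalous on a control-room workstation, and the path check catches the case the campaign actually presents, a binary called code.exe running from a temp directory rather than from a VS Code install.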
