Dragon Whistle Targets China Campuses
Arabian Post
The operation, labelled Dragon Whistle, has focused on Changzhou University and related academic users by exploiting a familiar administrative pressure point: compulsory student fitness testing tied to the 2026 National Student Physical Fitness and Health Standards. The lure was designed to resemble a formal university notice, packaged in a ZIP archive and written with enough institutional detail to make the message appear routine to students, faculty and administrators.
The attack reflects a broader shift in cyber operations against universities, where espionage groups are moving away from generic phishing and towards highly contextual emails built around real timetables, staff procedures and compliance requirements. Academic networks remain attractive because they hold research data, identity records, cross-border partnerships and access to government-linked projects, while often operating with uneven security budgets across departments.
Dragon Whistle's first-stage attachment was a ZIP file named as a final version of a Changzhou University fitness testing notice. Inside the archive was a Windows LNK shortcut disguised as a PDF document. When opened, the file displayed a convincing decoy notice while quietly triggering a multi-stage infection chain in the background.
The method relied on a familiar but effective deception: a document icon and a double-extension filename created the appearance of a harmless PDF. The victim's attention was drawn to the decoy file, which contained realistic references to university procedures, QQ group coordination, medical documentation requirements and formal testing arrangements. Those details suggest substantial reconnaissance before the phishing emails were sent.
Once activated, the LNK file launched a VBScript buried several folders deep inside the archive. The folder structure mimicked ordinary system or metadata directories, a tactic meant to reduce scrutiny by users and automated scanning tools. The script then opened the decoy document and launched Bandizip.exe, a legitimate archive utility, from a hidden directory.
That step moved the operation into a more evasive phase. The attackers placed a malicious DLL named ark.x64.dll alongside the legitimate Bandizip executable. When Bandizip ran, Windows loaded the attacker-controlled DLL from the local directory, allowing malicious code to execute under the cover of a trusted application. This DLL side-loading technique is widely used by advanced threat actors because it blends malicious activity with normal software behaviour.
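As an added defender-side example, not code from the article or from any vendor report, the Python script below triages a ZIP attachment for the three archive traits the chain above depends on: a shortcut carrying a document extension, a script buried several folders deep, and an executable with a DLL sitting beside it. The sample archive is constructed in memory; its folder names are invented, only Bandizip.exe and ark.x64.dll come from the article, and every file body is a dummy.

```python
"""Triage a ZIP lure for the Dragon Whistle-style pattern: a shortcut posing
as a document, a script buried in deep 'metadata' folders, and an EXE/DLL pair."""
import io
import posixpath
import zipfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
SCRIPT_EXTS = {".vbs", ".js", ".wsf", ".ps1", ".bat", ".cmd"}
DEEP_SCRIPT_DEPTH = 3  # assumption: scripts this deep in an archive are unusual

def triage_archive(data: bytes) -> list[str]:
    """Return human-readable findings for a ZIP payload held in memory."""
    findings = []
    exe_dirs, dll_dirs = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            directory, base = posixpath.split(name.lower())
            stem, ext = posixpath.splitext(base)
            inner_ext = posixpath.splitext(stem)[1]
            # 1. Shortcut wearing a document extension, e.g. notice.pdf.lnk
            if ext == ".lnk" and inner_ext in DOC_EXTS:
                findings.append(f"double-extension shortcut: {name}")
            # 2. Script file buried several folders deep
            depth = directory.count("/") + 1 if directory else 0
            if ext in SCRIPT_EXTS and depth >= DEEP_SCRIPT_DEPTH:
                findings.append(f"script nested {depth} levels deep: {name}")
            # 3. Executable with a DLL beside it (side-loading candidate)
            if ext == ".exe":
                exe_dirs.setdefault(directory, []).append(base)
            elif ext == ".dll":
                dll_dirs.setdefault(directory, []).append(base)
    for directory in sorted(exe_dirs.keys() & dll_dirs.keys()):
        findings.append(f"exe/dll pair in '{directory or '.'}': "
                        f"{exe_dirs[directory]} + {dll_dirs[directory]}")
    return findings

def build_sample_lure() -> bytes:
    """Constructed sample mirroring the reported layout; folder names are
    invented and every file body is a dummy, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fitness_Test_Notice_Final.pdf.lnk", b"not a real shortcut")
        zf.writestr("__MACOSX/.meta/cache/loader.vbs", b"' dummy script")
        zf.writestr("__MACOSX/.meta/cache/bin/Bandizip.exe", b"MZ dummy")
        zf.writestr("__MACOSX/.meta/cache/bin/ark.x64.dll", b"MZ dummy")
    return buf.getvalue()
```

Running `triage_archive(build_sample_lure())` yields three findings, one per trait; a mail gateway or SOC enrichment job can apply the same checks to real attachments before a user ever sees the decoy.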
The malware then performed checks to detect whether it was running in a research, sandbox or debugging environment. It looked for processes associated with network monitoring, malware analysis and reverse engineering, including tools commonly used by security teams. If those signs were present, the execution path could be altered to reduce exposure.
After passing those checks, the payload decrypted and loaded additional components directly into memory. This helped avoid leaving a conventional executable on disk, lowering the chance of detection by signature-based antivirus tools. The final payload was a Cobalt Strike Beacon, a post-exploitation implant often abused by espionage and criminal groups despite the framework's origins as a legitimate red-team tool.
A successful beacon gives attackers a channel for command-and-control communication, allowing them to issue commands, move through a network, gather data and prepare follow-on actions. The use of in-memory execution, anti-analysis checks and trusted binaries indicates a campaign built for persistence and quiet access rather than noisy disruption.
Infrastructure linked to the campaign included command-and-control activity associated with Alibaba Cloud-hosted resources and a domain resolving to an IP address active during the campaign window. The use of China-based cloud and DNS infrastructure complicates attribution because legitimate domestic services can mask malicious traffic, although the operational pattern showed overlap with previous activity attributed to the threat cluster known as UNG0002.
UNG0002 has been associated with earlier campaigns using shortcut files, VBScript, DLL side-loading and post-exploitation tools such as Cobalt Strike and Metasploit. Previous targeting has covered sectors including academia, energy, civil aviation, software development, medical institutions, defence-linked organisations and research communities across parts of Asia. Dragon Whistle appears to extend that pattern into a more narrowly tailored campaign against a university population.
The education sector faces a particular challenge because administrative messages often require quick action from large numbers of users. Notices about examinations, graduation requirements, physical tests, scholarships and registration deadlines can generate high click rates, especially when recipients believe non-compliance may affect academic progress.