Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
Operation Dragon Whistle is a spear-phishing campaign targeting Chinese academia, specifically Changzhou University. The threat actor UNG002 impersonates official university communications about mandatory student fitness testing. The attack starts with a weaponized ZIP file containing a malicious LNK file disguised as a PDF; opening the LNK runs a VBScript that deploys a multi-stage infection chain. The chain includes DLL sideloading via the legitimate Bandizip.exe, anti-debugging checks, and culminates in a Cobalt Strike Beacon payload that runs only in memory. Command and control is hosted on Alibaba Cloud. The chain relies on the recipient opening the LNK rather than on a software vulnerability, so there is no CVE, patch, or vendor remediation guidance; no exploitation beyond the reported target is documented. The campaign is assessed as medium severity based on the available information.
AI Analysis
Technical Summary
Operation Dragon Whistle is a spear-phishing campaign attributed to the threat actor UNG002 and aimed at Changzhou University in China. It employs highly contextual social engineering by impersonating official university communications about the mandatory 2026 National Student Physical Fitness and Health Standards testing. The delivery vector is a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Opening the LNK runs a VBScript that displays a decoy document while starting a multi-stage infection chain: a legitimate Bandizip.exe is used as a DLL sideloading host, the loaded code performs anti-debugging checks, and the final stage is a Cobalt Strike Beacon executed entirely in memory, leaving no payload file on disk. Command and control infrastructure is hosted on Alibaba Cloud. Published indicators consist of file hashes, one IP address, and one domain. No CVE is associated with the chain, since initial execution depends on user action rather than a software vulnerability, and no exploitation beyond the reported target has been documented.
Potential Impact
The campaign targets Chinese academic institutions with a spear-phishing lure that can lead to full host compromise through the multi-stage malware chain. If the recipient opens the LNK, the chain ends with a Cobalt Strike Beacon resident in memory, giving the operator interactive remote control and a foothold for credential theft, lateral movement, and further payload delivery. DLL sideloading through a legitimate signed binary, anti-debugging checks, and the absence of a payload file on disk all reduce the chance that file-based antivirus catches the intrusion. There are, however, no reports of widespread exploitation or confirmed breaches beyond the identified target.
Mitigation Recommendations
No official patch or remediation guidance is provided for this campaign, so defenses are detective and procedural. Educate users to treat unexpected emails that impersonate official university communications with suspicion, particularly archives that claim to carry a form or notice. Because the chain starts with an LNK file inside a ZIP (and Windows Explorer always hides the .lnk extension, so the file appears as a PDF), block or quarantine archive attachments that contain LNK entries at the mail gateway. Bandizip.exe is legitimate software, so blanket blocking is impractical; instead, alert on Bandizip.exe executing from a user-writable location such as a Temp or Downloads directory, on Bandizip.exe loading DLLs from such locations, and on wscript.exe or cscript.exe being spawned by explorer.exe with a script path under a user profile. Endpoint detection that recognizes DLL sideloading and in-memory Cobalt Strike Beacon behavior can catch the later stages. Add the published hashes to endpoint blocklists and block the listed IP address and domain at egress. With no vendor advisory to wait for, continuous monitoring and user awareness remain the primary defenses.
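The following Python triage script is an added example, not code from the Seqrite analysis, AlienVault, or this page. It shows the two checks described above in working form: inspecting an attachment archive for LNK files posing as documents (using the MS-SHLLINK header rather than trusting the file name), and applying the Bandizip-sideloading heuristics to Sysmon-style process-creation and image-load records. The event field names, the host name "stu", the placeholder DLL name sideload.dll, and the assumption that Bandizip installs under Program Files are all constructed for the example; the sample ZIP and events are built inline so the script runs offline.

```python
"""Triage helpers for a Dragon Whistle-style chain: a ZIP carrying an LNK that
poses as a PDF, a VBScript launched from a user-writable path, and a legitimate
Bandizip.exe dropped outside its install directory as a DLL sideloading host.
All inputs below are constructed for this example."""
from __future__ import annotations
import io
import re
import zipfile
from pathlib import PureWindowsPath

# MS-SHLLINK: every .lnk begins with HeaderSize 0x4C and the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Directories a standard user can write to (user profile, ProgramData, Windows\Temp).
USER_WRITABLE = re.compile(r"c:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)
# Assumed default install path for Bandizip; adjust to the environment's baseline.
BANDIZIP_INSTALL = re.compile(r"^c:\\program files( \(x86\))?\\bandizip\\bandizip\.exe$", re.I)


def disguised_lnk_entries(zip_bytes: bytes) -> dict[str, str]:
    """Map suspicious ZIP entry names to the reason they were flagged.
    The header check catches LNKs even when the name carries no .lnk at all."""
    hits: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PureWindowsPath(info.filename).suffixes]
            with zf.open(info) as fh:
                is_lnk = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
            doc_like = any(s in DOC_EXTS for s in suffixes)
            if is_lnk and suffixes[-1:] != [".lnk"]:
                hits[info.filename] = "LNK header but non-.lnk extension"
            elif is_lnk and doc_like:
                hits[info.filename] = "LNK with a document double extension"
            elif is_lnk:
                hits[info.filename] = "LNK inside an attachment archive"
    return hits


def build_sample_zip() -> bytes:
    """Constructed attachment: a decoy PDF, an LNK disguised as that PDF, and a
    benign text file. The LNK body is header-only; it points at nothing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("2026 Fitness Test Notice.pdf", b"%PDF-1.4\n% decoy\n")
        zf.writestr("2026 Fitness Test Notice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


def flag_event(ev: dict) -> list[str]:
    """Return the detection reasons for one Sysmon-style telemetry record."""
    reasons: list[str] = []
    image = ev["image"]
    parent = ev.get("parent_image", "")
    cmd = ev.get("command_line", "")
    if ev["type"] == "process_create":
        # LNK-launched stage: explorer.exe -> wscript/cscript running a .vbs from a user-writable path.
        if (re.search(r"\\[wc]script\.exe$", image, re.I)
                and parent.lower().endswith("\\explorer.exe")
                and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd)):
            reasons.append("script host spawned by explorer with a .vbs in a user-writable path")
        # Sideloading host: the legitimate Bandizip.exe executing outside its install directory.
        if image.lower().endswith("\\bandizip.exe") and not BANDIZIP_INSTALL.match(image):
            reasons.append("Bandizip.exe executing outside its install directory")
    elif ev["type"] == "image_load":
        # Sideload in progress: Bandizip.exe pulling a DLL from a user-writable directory.
        loaded = ev["image_loaded"]
        if (image.lower().endswith("\\bandizip.exe") and loaded.lower().endswith(".dll")
                and USER_WRITABLE.search(loaded)):
            reasons.append("Bandizip.exe loaded a DLL from a user-writable path")
    return reasons


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Index of every flagged event mapped to its reasons."""
    return {i: r for i, ev in enumerate(events) if (r := flag_event(ev))}


# Constructed telemetry: three events from the described chain, two benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\stu\AppData\Local\Temp\notice.vbs"'},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\stu\AppData\Local\Temp\bz\Bandizip.exe",
     "command_line": r'"C:\Users\stu\AppData\Local\Temp\bz\Bandizip.exe"'},
    {"type": "image_load", "image": r"C:\Users\stu\AppData\Local\Temp\bz\Bandizip.exe",
     "image_loaded": r"C:\Users\stu\AppData\Local\Temp\bz\sideload.dll"},  # placeholder DLL name
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Bandizip\Bandizip.exe", "command_line": "Bandizip.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    print(disguised_lnk_entries(build_sample_zip()))
    print(triage(SAMPLE_EVENTS))
```

The header check matters more than the name check: a gateway rule keyed on the ".lnk" string is defeated by any renaming trick, while the 20-byte MS-SHLLINK prefix is what Explorer itself keys on. The Bandizip rules deliberately do not name the malicious DLL, which the page does not disclose; they key on where the legitimate binary runs from and where it loads code from, which is the property that distinguishes a sideload from normal use.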
Indicators of Compromise
- hash (MD5): 902533852b16b6ba322bf33de0e4215e
- hash (SHA-1): b5fa57a839f7d63ea8d5d00a9cd5a143777e7da9
- hash (SHA-256): 35a478f53f64bd412f374c65360fdba0518749537193669a8fe08d14bed65a2a
- hash (SHA-256): c937eca7c4c9b98df9257d986e666d25411aac5fa39d21f7018dd2e1663f0c76
- hash (SHA-256): cd99e83d241cfbb41bfcd0bc622a87d16268e710ca7d736d0c5f44774e0056e2
- hash (SHA-256): e7aff6a55a7866776272d9913dfbf9d7db33fc9de6aced22f2a195feebb0e85f
- hash (SHA-256): eb14d9e35a3bf0a933297f861bee0be9e6b9061fe4573a81ac92b71d55b6474f
- hash (SHA-256): ed7087e3afba4b320bdf04f32d3a6c567effd3d18a97682968e567000e70b335
- hash (SHA-256): fe11b199ada23d5ac25efc4215e67f4ff617ccb4d429eb64412072687367ca1c
- ip: 60.205.186.162
- domain: lysander.asia
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/
- Adversary: UNG002
- Pulse ID: 6a0db1f45208b8cf1b2b1571
- Threat Score: null
Threat ID: 6a0f367de1370fbb481d272d
Added to database: 5/21/2026, 4:44:45 PM
Last enriched: 5/21/2026, 4:59:44 PM
Last updated: 5/21/2026, 7:01:52 PM