Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
ID: cb665bba-ece8-54fb-9092-50bb58c9a692
STIX ID: report--cb665bba-ece8-54fb-9092-50bb58c9a692
Feed Name: Seqrite Blog
Seqrite Labs describes a targeted spear-phishing campaign (Operation Dragon Whistle) aimed at Changzhou University, using a culturally tailored lure about mandatory fitness testing. The attack chain uses a deceptive LNK to launch a lightweight VBScript that opens a decoy PDF while silently executing Bandizip.exe from a hidden folder. It also uses DLL side-loading (ark.x64.dll) with anti-analysis and AMSI/ETW bypasses, and an in-memory Cobalt Strike Beacon for C2 to 60.205.186.162 (Alibaba Cloud). The report provides file hashes, C2 information, and MITRE mappings, and attributes the campaign to UNG002 with medium-high confidence.
