Malware campaign exploits trusted digital tools

A targeted malware campaign aimed at Pakistan’s government-linked security infrastructure has exposed how threat actors are combining social engineering, obfuscated code and trusted online services to evade conventional cyber defences.

The attack was directed at employees of the Punjab Safe Cities Authority and PPIC3, using a spear-phishing email that impersonated an internal consultant and referred to the Safe Jail Project, a theme designed to appear relevant to public-security operations. The message was marked as high priority and included a read-receipt request, adding urgency while increasing the likelihood that recipients would open the attachments.

Two files formed the entry point of the campaign. One was a Word document named “CAD Reprot.doc”, while the other was a PDF titled “ANPR Reprot.pdf”. The spelling errors appeared deliberate, mimicking hurried internal communication rather than polished external correspondence. Both files were tied to payload delivery from infrastructure hosted on BunnyCDN, a legitimate content delivery network, allowing malicious traffic to blend more easily with ordinary web activity.


The Word document carried a malicious VBA macro that executed only after a user enabled content. Once activated, it downloaded a file named “code.exe” and placed it in the system’s temporary folder. The macro used VBA stomping, a technique in which readable macro source code is removed while compiled p-code remains intact. That method can weaken static analysis because security tools scanning visible macro text may find little or nothing suspicious.

The PDF served as a second infection route. It displayed a fake Adobe Reader error and urged the user to update the reader. Clicking the prompt triggered the download of a ClickOnce application disguised as Adobe software, which then fetched another executable. The use of two attachment types gave the attackers parallel routes into the same target environment and increased the chance of compromise if one path failed.

The most concerning element was the abuse of Microsoft’s Visual Studio Code tunnel service for command-and-control activity. By routing remote access through trusted Microsoft infrastructure, the malware sought to make attacker traffic appear similar to ordinary developer activity. This reflects a broader shift in cyber operations, where attackers increasingly rely on legitimate tools and services rather than overtly suspicious servers that can be blocked by reputation-based systems.

Discord webhooks were also used to notify the attackers when execution succeeded and to transmit information from compromised systems. Webhooks are widely used for automation and alerts in legitimate business workflows, but they have become attractive to attackers because they offer a simple channel for sending data without maintaining a more visible command server.

Security analysis gave the sample a maximum malicious rating with high confidence, while multiple detection engines supported the finding. The campaign did not map neatly to a known malware family, suggesting either a tailored toolset or a modified chain built for a narrow target set. The choice of government-linked recipients, references to public-security projects and abuse of credible services point to an operation designed for persistence and intelligence gathering rather than noisy disruption.

The campaign also illustrates why attachment-based phishing remains effective despite years of user-awareness training. Public-sector agencies often handle project documents, technical drawings, procurement files and operational reports, creating a work environment where Word documents and PDFs are routine. Attackers exploit that normality by using plausible file names, institutional themes and familiar software prompts.

For defenders, the case reinforces the need to move beyond signature-based detection. Blocking macros from email-borne Office files, restricting unsigned ClickOnce applications, monitoring unusual VS Code tunnel activity and inspecting outbound connections to Discord webhook endpoints can reduce exposure. Endpoint controls should also flag unexpected process chains involving Word, temporary-folder executables and developer tools launched outside approved workflows.
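As an added illustration of the monitoring points above (this is not code from the article or from any vendor), the Python below applies four of those checks to constructed telemetry: Word spawning an executable from a temporary folder, a VS Code tunnel being started from the command line, outbound traffic to a Discord webhook URL, and connections to VS Code tunnel domains. The Sysmon-like event shape and the tunnel domain suffixes are assumptions to be verified against your own logging and Microsoft's published endpoint list.

```python
import re

# Constructed sample telemetry, not data from the article: process-creation
# and network events in a simplified Sysmon-like dictionary shape.
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\user\AppData\Local\Temp\code.exe", "cmdline": "code.exe tunnel"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmdline": "Code.exe"},
    {"type": "network", "image": r"C:\Users\user\AppData\Local\Temp\code.exe",
     "dest": "discord.com", "url": "https://discord.com/api/webhooks/0000/PLACEHOLDER_TOKEN"},
    {"type": "network", "image": r"C:\Users\user\AppData\Local\Temp\code.exe",
     "dest": "global.rel.tunnels.api.visualstudio.com", "url": ""},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "example.com", "url": "https://example.com/"},
]

# Executables written to user or system temp folders, as in the Word macro stage.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# Discord webhook endpoints used for execution notifications and data transmission.
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?(?:discord\.com|discordapp\.com)/api/webhooks/", re.IGNORECASE)
# The VS Code CLI starts a tunnel with "code tunnel" (the dropped file was also named code.exe).
TUNNEL_CMD_RE = re.compile(r"\bcode(?:\.exe)?\s+tunnel\b", re.IGNORECASE)
# Assumed tunnel domain suffixes; confirm against Microsoft's documented endpoints.
TUNNEL_DOMAINS = (".tunnels.api.visualstudio.com", ".devtunnels.ms")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the names of the detection rules that the event matches."""
    hits = []
    if ev["type"] == "process":
        if basename(ev["parent"]) == "winword.exe" and TEMP_RE.search(ev["image"]):
            hits.append("word_spawned_temp_exe")
        if TUNNEL_CMD_RE.search(ev["cmdline"]):
            hits.append("vscode_tunnel_cli")
    elif ev["type"] == "network":
        if WEBHOOK_RE.match(ev["url"]):
            hits.append("discord_webhook")
        if ev["dest"].lower().endswith(TUNNEL_DOMAINS):
            hits.append("vscode_tunnel_dest")
    return hits


def scan(events: list) -> list:
    """Return (index, matched_rules) for every event that triggers at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]
```

In a real deployment the allow-listing of approved developer hosts matters as much as the rules, since a legitimate VS Code tunnel launched by a developer will trip the same checks.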
