A novel multi-stage malware campaign employs spear-phishing emails with malicious Word and PDF attachments to target employees of Pakistani government agencies. The Word document uses VBA stomping to conceal a macro that downloads a payload, while the PDF triggers a fake error to download a malicious ClickOnce application; both ultimately deploy malware that establishes persistence via VS Code tunneling and exfiltrates data via Discord webhooks. The article does not specify a software vulnerability, CVSS score, affected versions, a fixed version, or a workaround, as the threat relies on social engineering and macro execution.
Malware , Threat Intelligence Novel multi-stage malware campaign stealthily targets Pakistan April 29, 2026 Share By SC Staff (Adobe Stock) More refined obfuscation tactics have been leveraged in a new multi-stage malware campaign targeted at the employees of Pakistan's Punjab Safe Cities Authority and Punjab Police Integrated Command, Control & Communication Centre, GBHackers News reports. Threat actors masquerading as an internal consultant have delivered high-priority spear-phishing emails with the "Safe Jail Project" title that included a Word document and a PDF file, both of which had misspelled file names, findings from a Joe Sandbox report showed. Included in the Word file is an illicit VBA macro that downloads the "code.exe" payload upon content activation while concealing malicious code via VBA stomping. Meanwhile, opening the PDF triggers a bogus Adobe Reader error message that includes an "Update PDF Reader" button, which when clicked, prompts the download of a nefarious ClickOnce app that retrieves the secondary "Adobe.exe" payload. Aside from executing "code.exe" to allow persistence via Microsoft Visual Studio Code tunneling, the malware also taps Discord webhooks to facilitate data compromise. SC Staff Related Malware Vidar infostealer evolves, uses image files for stealthy attacks SC Staff April 28, 2026 The latest Vidar campaign leverages social engineering, exploiting a recent Claude Code leak by setting up fake GitHub repositories. Threat Management GlassWorm attackers activate new ‘sleeper’ extensions on Open VSX Laura French April 28, 2026 A new cluster of 73 extensions impersonating legitimate projects has been tied to the GlassWorm campaign. Malware Tropic Trooper targets Chinese speakers with SumatraPDF trojan and VS Code tunnels SC Staff April 27, 2026 The campaign, attributed with high confidence to the persistent threat group Tropic Trooper, utilizes a custom AdaptixC2 Beacon listener with GitHub as its command-and-control platform, according to Zscaler ThreatLabz. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms DNS Spoofing Deauthentication Attack Dictionary Attack Domain Hijacking Drive-by Download DumpSec Hybrid Attack Information Warfare Morris Worm Password Cracking You can skip this ad in 5 seconds