UNG0002 Hides Cobalt Strike in macOS Folder Structures

Seqrite Labs exposed UNG0002 hiding Cobalt Strike inside macOS-style nested folder structures to evade Windows scanners while targeting Changzhou University.

    A threat actor designated UNG0002 used a rarely documented filesystem evasion technique to deliver Cobalt Strike Beacon against Changzhou University in China, according to research published May 22, 2026 by Seqrite Labs. The attack concealed the malicious payload inside four layers of nested directories patterned after macOS metadata folder structures — a technique that causes Windows security scanning tools to deprioritize or entirely skip traversal of the path to the payload, leaving the malicious LNK file undetected by automated analysis.

    macOS Folder Structures as a Windows Evasion Technique

    Windows filesystems encounter macOS-style metadata directories legitimately when drives are shared between operating systems — on external storage, mounted network shares, or volumes transferred between macOS and Windows environments. Folders such as .Trash and .Spotlight-V100 are standard macOS artifacts that Windows treats as benign, and security tools trained on cross-platform file environments are built to recognize and skip these paths rather than flag them as anomalous. UNG0002 exploits that assumption by placing the malicious LNK file four directory layers deep inside a directory tree that mimics exactly this macOS metadata structure.

    The result is that Windows security scanners traversing a ZIP attachment encounter the outer folder hierarchy, recognize the pattern as macOS filesystem metadata, and deprioritize or abort deeper traversal before reaching the actual payload. The LNK file — disguised as a PDF document — sits at a path that automated analysis never reaches.
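A defensive check for the traversal gap described above, added here as an illustration rather than code from Seqrite Labs or the actor: it walks every entry of a ZIP attachment without skipping macOS-looking metadata directories, and reports LNK files by depth, double extension, and whether they sit under such a directory. The directory-name list and the sample archive (an LNK posing as a PDF four layers deep) are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Directory names that resemble macOS volume metadata (assumed list: the two
# folders named in the write-up plus common companions). A scanner that
# deprioritizes these prefixes never reaches what is stored beneath them.
MACOS_METADATA_DIRS = {".trash", ".trashes", ".spotlight-v100",
                       ".fseventsd", "__macosx"}


def inspect_archive(data: bytes) -> list[dict]:
    """Inspect every ZIP entry by its central-directory metadata only (nothing is
    extracted) and return one finding per LNK file found at any depth."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            if path.suffix.lower() != ".lnk":
                continue
            parent_dirs = [p.lower() for p in path.parts[:-1]]
            findings.append({
                "path": info.filename,
                # number of directory layers above the file
                "depth": len(parent_dirs),
                # any ancestor directory mimics macOS metadata
                "under_macos_metadata": any(
                    p in MACOS_METADATA_DIRS for p in parent_dirs),
                # e.g. assessment.pdf.lnk: a shortcut dressed as a document
                "double_extension": len(path.suffixes) > 1,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive, not the real lure: an LNK placed four
    directory layers deep under macOS-style folders, alongside a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fitness_assessment/.Trash/.Spotlight-V100/Store-V2/"
                    "assessment.pdf.lnk", b"L\x00\x00\x00")
        zf.writestr("fitness_assessment/README.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_zip()):
        print(finding)
```

Any finding with `under_macos_metadata` set is worth routing to manual review, since that is exactly the path a prefix-skipping scanner would not have examined.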

    The Fitness Assessment Lure and Changzhou University Targeting

    The campaign was delivered via a spoofed institutional email originating from a 163.com address, with a ZIP attachment timed to align with the 2026 National Student Physical Fitness and Health Standards testing cycle. The fitness assessment lure is not generic social engineering — it requires detailed awareness of the Chinese academic calendar and the specific administrative context of national standardized testing at universities. This contextual precision is a marker of an actor with focused knowledge of the target environment, not an opportunistic campaign reusing general-purpose lures.

    Changzhou University students and staff receiving the email during a period when fitness assessments are administratively active would have strong contextual reasons to open an attachment presented as fitness assessment documentation, significantly increasing the probability of successful delivery.

    The DLL Sideloading Infection Chain

    Once the victim executes the LNK file, the infection chain proceeds via DLL sideloading using a legitimate Bandizip archive utility executable. The legitimate binary is used to load a malicious DLL, which then executes Cobalt Strike Beacon entirely in memory. No malware binary is written to disk as a persistent file, limiting the forensic artifacts available to incident responders.

    AMSI Bypass, ETW Evasion, and Anti-Debug Protections

    The chain incorporates multiple layers of analysis resistance: debugger detection to identify sandboxed execution environments, encrypted string obfuscation to prevent static signature matching, and bypasses for both the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). AMSI bypass prevents Windows Defender and other security tools from scanning the in-memory PowerShell and .NET content that executes the payload. ETW bypass eliminates the telemetry stream that endpoint detection and response platforms use to reconstruct in-memory execution sequences after the fact.

    Command-and-control traffic routes to IP address 60.205.186.162 hosted on Alibaba Cloud infrastructure.

    UNG0002 and Operation Cobalt Whisper Attribution

    Seqrite Labs attributes this campaign to UNG0002 with medium-high confidence, assessing that the actor shares strong tactical overlap with a previously documented campaign cluster designated Operation Cobalt Whisper. That prior cluster was directed against Chinese academic and government-affiliated institutions, and the shared toolset and targeting profile suggest a persistent actor returning to familiar ground rather than a new entrant.

    The academic context of the targeting is directly relevant to the intelligence value of the access. Universities sit at the intersection of research, government-affiliated personnel, and scientific work with potential dual-use applications. Cobalt Strike Beacon, once established on a university network through a legitimate administrator’s workstation, provides the attacker with a persistent and flexible foothold from which lateral movement into research data systems, administrative databases, or connected institutional infrastructure becomes feasible.

    The macOS folder evasion technique documented here is notable because it does not require any exploitation of a vulnerability in Windows or its security tools. It exploits a behavioral assumption — that macOS metadata folders on a Windows system are benign and can be skipped — that is correct in almost every real-world context except this one. Defenders relying on automated file analysis of email attachments that do not specifically test for this pattern would have no coverage against a campaign using it.
