joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery
Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN
IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
government-project-themed Word document (VBA macro dropper)
file
PDF with fake Adobe Reader lure
url
hxxps://<subdomain>.b-cdn[.]net/<path>
file
<second-stage payload>
domain
<campaign C2 endpoint>
Relations
directed infrastructure edgese1downloade3
confirmed
e2downloade3
confirmed
e3dropse4
likely
e4connecte5
likely
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e1 |
file | government-project-themed Word document (VBA macro dropper) |
Reporting states the email carried a Word document with a VBA macro dropper. Reporting states the lures used legitimate-sounding government infrastructure projects. |
e2 |
file | PDF with fake Adobe Reader lure |
Reporting states the email carried a PDF with a fake Adobe Reader lure as the second attachment. |
e3 |
url | hxxps://<subdomain>.b-cdn[.]net/<path> |
Reporting states both attachments delivered payloads from BunnyCDN-hosted malicious infrastructure. BunnyCDN distributions resolve under the b-cdn[.]net suffix; the exact subdomain/path was not published. |
e4 |
file | <second-stage payload> |
Reporting states the BunnyCDN infrastructure delivered the campaign payloads; the specific payload was not named in the recap. |
e5 |
domain | <campaign C2 endpoint> |
A C2 endpoint is implied by the payload delivery but no specific address was published in the recap. |
ATT&CK annotations
optional complementary mappingDual malicious attachments.
Victim opens DOC/PDF.
VBA macro dropper.
Payload pulled from BunnyCDN.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery",
"title": "Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN",
"description": "IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.",
"actor_id": "unknown",
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "confirmed",
"needs_review": true,
"x_source": {
"title": "Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More",
"publisher": "The Hacker News (citing Joe Security)",
"url": "https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html",
"published_at": "2026-05",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "secondary news recap of vendor analysis (Joe Security)"
},
"x_source_title": "Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN",
"x_source_url": "https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html",
"x_iocs": {
"targets": [
"Punjab Safe Cities Authority",
"PPIC3"
],
"target_geography": "Pakistan",
"lure_theme": "government infrastructure projects",
"attachment_1": "Word document with VBA macro dropper",
"attachment_2": "PDF with fake Adobe Reader lure",
"delivery_cdn": "BunnyCDN (*.b-cdn[.]net)"
},
"x_limitations": [
"The specific BunnyCDN subdomain/path, payload hashes, and C2 endpoint were not published in the recap; e3, e4 and e5 values are placeholders (the b-cdn[.]net suffix itself is reported).",
"VBA macro execution and the fake-Adobe-Reader social-engineering element are ATT&CK behaviours, not infrastructure.",
"Neither attachment is an archive/nested container, so no composition technique (T024/T025) applies.",
"Recap is a weekly digest; the underlying Joe Security analysis would carry the precise IOCs."
],
"entities": [
{
"id": "e1",
"type": "file",
"value": "government-project-themed Word document (VBA macro dropper)",
"observed_at": "2026-05-01T00:00:00Z",
"source": "The Hacker News weekly recap citing Joe Security",
"evidence": [
"Reporting states the email carried a Word document with a VBA macro dropper.",
"Reporting states the lures used legitimate-sounding government infrastructure projects."
],
"x_chain_stage": "macro_doc_entry"
},
{
"id": "e2",
"type": "file",
"value": "PDF with fake Adobe Reader lure",
"observed_at": "2026-05-01T00:00:00Z",
"source": "The Hacker News weekly recap citing Joe Security",
"evidence": [
"Reporting states the email carried a PDF with a fake Adobe Reader lure as the second attachment."
],
"x_chain_stage": "fake_adobe_pdf_entry"
},
{
"id": "e3",
"type": "url",
"value": "hxxps://<subdomain>.b-cdn[.]net/<path>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "The Hacker News weekly recap citing Joe Security",
"evidence": [
"Reporting states both attachments delivered payloads from BunnyCDN-hosted malicious infrastructure.",
"BunnyCDN distributions resolve under the b-cdn[.]net suffix; the exact subdomain/path was not published."
],
"x_defanged": true,
"x_placeholder": true,
"x_cdn": "BunnyCDN",
"x_chain_stage": "cdn_staging"
},
{
"id": "e4",
"type": "file",
"value": "<second-stage payload>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "The Hacker News weekly recap citing Joe Security",
"evidence": [
"Reporting states the BunnyCDN infrastructure delivered the campaign payloads; the specific payload was not named in the recap."
],
"x_placeholder": true,
"x_chain_stage": "payload"
},
{
"id": "e5",
"type": "domain",
"value": "<campaign C2 endpoint>",
"observed_at": "2026-05-01T00:00:00Z",
"source": "The Hacker News weekly recap citing Joe Security",
"evidence": [
"A C2 endpoint is implied by the payload delivery but no specific address was published in the recap."
],
"x_placeholder": true,
"x_chain_stage": "c2"
}
],
"chain": [
{
"entity_id": "e1",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "Macro DOC; VBA execution is ATT&CK."
},
{
"entity_id": "e2",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "n/a",
"review_notes": "Fake-Adobe PDF; second parallel entry artifact."
},
{
"entity_id": "e3",
"role": "staging",
"techniques": [
"IIM-T001"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "BunnyCDN abuse for payload hosting -> CDN Abuse."
},
{
"entity_id": "e4",
"role": "payload",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "Payload not named in recap."
},
{
"entity_id": "e5",
"role": "c2",
"techniques": [],
"role_confidence": "likely",
"technique_confidence": "n/a",
"review_notes": "C2 endpoint not published."
}
],
"relations": [
{
"from": "e1",
"to": "e3",
"type": "download",
"sequence_order": 1,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The macro DOC dropper pulls its payload from BunnyCDN-hosted infrastructure."
]
},
{
"from": "e2",
"to": "e3",
"type": "download",
"sequence_order": 1,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"The fake-Adobe PDF also leads to the same BunnyCDN-hosted infrastructure (parallel fan-in, shared sequence_order)."
]
},
{
"from": "e3",
"to": "e4",
"type": "drops",
"sequence_order": 2,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"BunnyCDN staging delivers the second-stage payload."
]
},
{
"from": "e4",
"to": "e5",
"type": "connect",
"sequence_order": 3,
"observed_at": "2026-05-01T00:00:00Z",
"confidence": "likely",
"x_evidence": [
"Payload connects to campaign C2."
]
}
],
"attack_annotations": [
{
"technique_id": "T1566.001",
"name": "Phishing: Spearphishing Attachment",
"tactic": "Initial Access",
"comment": "Dual malicious attachments."
},
{
"technique_id": "T1204.002",
"name": "User Execution: Malicious File",
"tactic": "Execution",
"comment": "Victim opens DOC/PDF."
},
{
"technique_id": "T1059.005",
"name": "Command and Scripting Interpreter: Visual Basic",
"tactic": "Execution",
"comment": "VBA macro dropper."
},
{
"technique_id": "T1105",
"name": "Ingress Tool Transfer",
"tactic": "Command and Control",
"comment": "Payload pulled from BunnyCDN."
}
]
}