← feed

joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery

Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN

IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.

confirmed IIM v1.1 unknown needs review
Raw JSON
entities5
relations4
techniques1
published2026-05-30 21:33:26

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

government-project-themed Word document (VBA macro dropper)

2
entry

file

PDF with fake Adobe Reader lure

3
staging

url

hxxps://<subdomain>.b-cdn[.]net/<path>

IIM-T001
4
payload

file

<second-stage payload>

5
c2

domain

<campaign C2 endpoint>

Relations

directed infrastructure edges
e1downloade3 confirmed
e2downloade3 confirmed
e3dropse4 likely
e4connecte5 likely

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e1 file government-project-themed Word document (VBA macro dropper)
Reporting states the email carried a Word document with a VBA macro dropper.
Reporting states the lures used legitimate-sounding government infrastructure projects.
e2 file PDF with fake Adobe Reader lure
Reporting states the email carried a PDF with a fake Adobe Reader lure as the second attachment.
e3 url hxxps://<subdomain>.b-cdn[.]net/<path>
Reporting states both attachments delivered payloads from BunnyCDN-hosted malicious infrastructure.
BunnyCDN distributions resolve under the b-cdn[.]net suffix; the exact subdomain/path was not published.
e4 file <second-stage payload>
Reporting states the BunnyCDN infrastructure delivered the campaign payloads; the specific payload was not named in the recap.
e5 domain <campaign C2 endpoint>
A C2 endpoint is implied by the payload delivery but no specific address was published in the recap.

ATT&CK annotations

optional complementary mapping
T1566.001Phishing: Spearphishing Attachment

Dual malicious attachments.

T1204.002User Execution: Malicious File

Victim opens DOC/PDF.

T1059.005Command and Scripting Interpreter: Visual Basic

VBA macro dropper.

T1105Ingress Tool Transfer

Payload pulled from BunnyCDN.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "joesec.2026.punjab-safecities-dual-lure-bunnycdn-delivery",
  "title": "Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN",
  "description": "IIM chain for a targeted spear-phishing campaign reported via The Hacker News (Joe Security analysis) against the Punjab Safe Cities Authority and PPIC3 in Pakistan. The email used legitimate-sounding government infrastructure projects as lures and carried two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure, both delivering payloads from BunnyCDN-hosted malicious infrastructure. The two attachments are modeled as parallel entry artifacts that fan in to a shared BunnyCDN staging node.",
  "actor_id": "unknown",
  "observed_at": "2026-05-01T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": true,
  "x_source": {
    "title": "Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More",
    "publisher": "The Hacker News (citing Joe Security)",
    "url": "https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html",
    "published_at": "2026-05",
    "accessed_at": "2026-05-30T00:00:00Z",
    "source_type": "secondary news recap of vendor analysis (Joe Security)"
  },
  "x_source_title": "Spear-phishing of Pakistani government bodies using parallel macro-DOC and fake-Adobe-PDF lures pulling payloads from BunnyCDN",
  "x_source_url": "https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html",
  "x_iocs": {
    "targets": [
      "Punjab Safe Cities Authority",
      "PPIC3"
    ],
    "target_geography": "Pakistan",
    "lure_theme": "government infrastructure projects",
    "attachment_1": "Word document with VBA macro dropper",
    "attachment_2": "PDF with fake Adobe Reader lure",
    "delivery_cdn": "BunnyCDN (*.b-cdn[.]net)"
  },
  "x_limitations": [
    "The specific BunnyCDN subdomain/path, payload hashes, and C2 endpoint were not published in the recap; e3, e4 and e5 values are placeholders (the b-cdn[.]net suffix itself is reported).",
    "VBA macro execution and the fake-Adobe-Reader social-engineering element are ATT&CK behaviours, not infrastructure.",
    "Neither attachment is an archive/nested container, so no composition technique (T024/T025) applies.",
    "Recap is a weekly digest; the underlying Joe Security analysis would carry the precise IOCs."
  ],
  "entities": [
    {
      "id": "e1",
      "type": "file",
      "value": "government-project-themed Word document (VBA macro dropper)",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "The Hacker News weekly recap citing Joe Security",
      "evidence": [
        "Reporting states the email carried a Word document with a VBA macro dropper.",
        "Reporting states the lures used legitimate-sounding government infrastructure projects."
      ],
      "x_chain_stage": "macro_doc_entry"
    },
    {
      "id": "e2",
      "type": "file",
      "value": "PDF with fake Adobe Reader lure",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "The Hacker News weekly recap citing Joe Security",
      "evidence": [
        "Reporting states the email carried a PDF with a fake Adobe Reader lure as the second attachment."
      ],
      "x_chain_stage": "fake_adobe_pdf_entry"
    },
    {
      "id": "e3",
      "type": "url",
      "value": "hxxps://<subdomain>.b-cdn[.]net/<path>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "The Hacker News weekly recap citing Joe Security",
      "evidence": [
        "Reporting states both attachments delivered payloads from BunnyCDN-hosted malicious infrastructure.",
        "BunnyCDN distributions resolve under the b-cdn[.]net suffix; the exact subdomain/path was not published."
      ],
      "x_defanged": true,
      "x_placeholder": true,
      "x_cdn": "BunnyCDN",
      "x_chain_stage": "cdn_staging"
    },
    {
      "id": "e4",
      "type": "file",
      "value": "<second-stage payload>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "The Hacker News weekly recap citing Joe Security",
      "evidence": [
        "Reporting states the BunnyCDN infrastructure delivered the campaign payloads; the specific payload was not named in the recap."
      ],
      "x_placeholder": true,
      "x_chain_stage": "payload"
    },
    {
      "id": "e5",
      "type": "domain",
      "value": "<campaign C2 endpoint>",
      "observed_at": "2026-05-01T00:00:00Z",
      "source": "The Hacker News weekly recap citing Joe Security",
      "evidence": [
        "A C2 endpoint is implied by the payload delivery but no specific address was published in the recap."
      ],
      "x_placeholder": true,
      "x_chain_stage": "c2"
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "Macro DOC; VBA execution is ATT&CK."
    },
    {
      "entity_id": "e2",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "n/a",
      "review_notes": "Fake-Adobe PDF; second parallel entry artifact."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [
        "IIM-T001"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "BunnyCDN abuse for payload hosting -> CDN Abuse."
    },
    {
      "entity_id": "e4",
      "role": "payload",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "Payload not named in recap."
    },
    {
      "entity_id": "e5",
      "role": "c2",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "n/a",
      "review_notes": "C2 endpoint not published."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e3",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The macro DOC dropper pulls its payload from BunnyCDN-hosted infrastructure."
      ]
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The fake-Adobe PDF also leads to the same BunnyCDN-hosted infrastructure (parallel fan-in, shared sequence_order)."
      ]
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "drops",
      "sequence_order": 2,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "BunnyCDN staging delivers the second-stage payload."
      ]
    },
    {
      "from": "e4",
      "to": "e5",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-01T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Payload connects to campaign C2."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Dual malicious attachments."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "Victim opens DOC/PDF."
    },
    {
      "technique_id": "T1059.005",
      "name": "Command and Scripting Interpreter: Visual Basic",
      "tactic": "Execution",
      "comment": "VBA macro dropper."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "Payload pulled from BunnyCDN."
    }
  ]
}