Overview
A newly uncovered cyber‑espionage campaign, Operation Dragon Weave, has been observed targeting government, research, academic, technology, and financial sectors in the Czech Republic and Taiwan. According to Seqrite Labs, the operation delivers a Rust‑based AdaptixC2 agent through sophisticated spear‑phishing attacks, marking a significant escalation in China‑aligned threat activity across multiple regions.

Attack Chain Breakdown
The campaign employs ZIP‑based spear‑phishing attachments that initiate a multi‑stage infection chain:
| Stage | Technique | Payload / Objective |
|---|---|---|
| Initial Access | Spear‑phishing emails with ZIP archives | Disguised documents trigger infection chain |
| Execution Path 1 | Malicious LNK file masquerading as PDF | Executes PowerShell script extracting RuntimeBroker_update.exe |
| Execution Path 2 | Rust‑based binary launched directly | Drops and runs RuntimeBroker_update.exe |
| Persistence & Loading | DLL side‑loading via UnityPlayer.dll | Deploys Rust‑based loader RUSTCLOAK |
| Payload Delivery | Decrypts and executes AdaptixC2 agent AZUREVEIL | Enables remote control and data exfiltration |
The AZUREVEIL agent communicates through Microsoft Azure Blob Storage, using a dead‑drop C2 model where attacker and victim never interact directly — both exchange data via the same Azure container.
Technical Insights
The AdaptixC2 agent supports 36 commands, enabling full post‑compromise control:
- File operations (upload, download, delete)
- Shell command execution
- Process management (enumeration, termination)
- Network control (port forwarding, SOCKS proxy)
- Beacon Object File execution for stealthy in‑memory operations
This architecture grants attackers complete endpoint control while blending into legitimate Azure traffic.
Broader China‑Aligned Activity
Operation Dragon Weave is part of a wider surge in China‑nexus operations observed between late 2025 and mid‑2026:
| Threat Group | Region Targeted | Key Tools / Malware |
|---|---|---|
| SteppeDriver | France, Mongolia, South America | ShadowPad, COOLCLIENT, CurlyDoor |
| UNC5221 / PhiliKit | Global | SPAWN suite, Python & Perl backdoors |
| NegativeGlimmer | Panama, Cambodia, South Korea | AdaptixC2, Cobalt Strike |
These operations demonstrate strategic targeting aligned with Beijing’s Made in China 2025 industrial policy, focusing on critical infrastructure and advanced technology sectors.
Defensive Recommendations
Organizations should strengthen defenses against Rust‑based loaders and cloud‑hosted C2 channels by:
- Implementing behavioral detection for PowerShell and Rust binaries.
- Monitoring Azure Blob Storage traffic for anomalous patterns.
- Blocking spear‑phishing ZIP attachments at email gateways.
- Deploying sandbox evasion countermeasures to detect anti‑analysis routines.
- Training personnel to identify disguised LNK files and fake PDFs.
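As an added illustration of the detection-oriented recommendations above (this is example code, not from Seqrite Labs or the report), the Python below runs a small hunt over a constructed telemetry sample: it flags a double-extension LNK opened as a document, PowerShell writing RuntimeBroker_update.exe, UnityPlayer.dll loading from a user-writable path, and the read/write cadence of a single process against one Azure Blob Storage account that characterises the dead-drop model. The event schema, file paths, hostnames and beacon intervals are assumptions.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (assumed schema, not from the report): one JSON event per line.
SAMPLE_EVENTS = r"""
{"ts": 0, "type": "fileopen", "pid": 9, "image": "explorer.exe", "target": "Annual_Report.pdf.lnk"}
{"ts": 1, "type": "process", "pid": 10, "image": "powershell.exe", "parent": "explorer.exe"}
{"ts": 2, "type": "filecreate", "pid": 10, "image": "powershell.exe", "target": "C:\\Users\\u\\AppData\\Local\\Temp\\RuntimeBroker_update.exe"}
{"ts": 3, "type": "imageload", "pid": 11, "image": "RuntimeBroker_update.exe", "dll": "C:\\Users\\u\\AppData\\Local\\Temp\\UnityPlayer.dll"}
{"ts": 60, "type": "http", "pid": 11, "image": "RuntimeBroker_update.exe", "method": "GET", "host": "acct.blob.core.windows.net", "path": "/drop/task-1"}
{"ts": 120, "type": "http", "pid": 11, "image": "RuntimeBroker_update.exe", "method": "PUT", "host": "acct.blob.core.windows.net", "path": "/drop/result-1"}
{"ts": 180, "type": "http", "pid": 11, "image": "RuntimeBroker_update.exe", "method": "GET", "host": "acct.blob.core.windows.net", "path": "/drop/task-2"}
{"ts": 240, "type": "http", "pid": 11, "image": "RuntimeBroker_update.exe", "method": "PUT", "host": "acct.blob.core.windows.net", "path": "/drop/result-2"}
{"ts": 5, "type": "http", "pid": 20, "image": "msedge.exe", "method": "GET", "host": "cdn.blob.core.windows.net", "path": "/site/app.js"}
{"ts": 700, "type": "http", "pid": 20, "image": "msedge.exe", "method": "GET", "host": "cdn.blob.core.windows.net", "path": "/site/logo.png"}
"""

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def hunt(events):
    """Return (rule, pid) pairs, one per chain stage spotted in the events."""
    hits, by_flow = [], defaultdict(list)  # by_flow: (pid, host) -> http events
    for e in events:
        t, target = e["type"], e.get("target", "").lower()
        # LNK masquerading as a document: double extension such as .pdf.lnk
        if t == "fileopen" and target.endswith(".lnk") and target[:-4].endswith(DOC_EXTS):
            hits.append(("lnk_disguised_as_document", e["pid"]))
        # PowerShell stage writing the dropper named in the report
        if t == "filecreate" and e["image"] == "powershell.exe" and target.endswith("runtimebroker_update.exe"):
            hits.append(("powershell_drops_runtimebroker_update", e["pid"]))
        # UnityPlayer.dll loaded from a user-writable path is the side-load, not a game install
        if t == "imageload" and e["dll"].lower().endswith("unityplayer.dll") and any(p in e["dll"].lower() for p in USER_WRITABLE):
            hits.append(("unityplayer_sideload", e["pid"]))
        if t == "http" and e["host"].endswith(".blob.core.windows.net"):
            by_flow[(e["pid"], e["host"])].append(e)
    # Dead drop: one process both reads (GET) and writes (PUT) the same storage account on a
    # steady cadence; a browser fetching static assets does not produce this shape
    for (pid, host), flow in by_flow.items():
        methods = {e["method"] for e in flow}
        ts = sorted(e["ts"] for e in flow)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if {"GET", "PUT"} <= methods and len(gaps) >= 3 and pstdev(gaps) / mean(gaps) < 0.2:
            hits.append(("azure_blob_dead_drop_beacon", pid))
    return hits
```

The cadence threshold and path heuristics are starting points to tune against your own baseline of legitimate Azure Storage clients.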
Expert in the Cloud Insight
Operation Dragon Weave underscores how state‑aligned actors are evolving toward Rust‑based, cloud‑integrated malware ecosystems. By leveraging legitimate services like Azure Blob Storage, attackers blur the line between normal enterprise traffic and covert command‑and‑control.
For defenders, the takeaway is clear: visibility into cloud storage interactions and cross‑platform telemetry are now essential components of modern threat detection.