Full Report
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments
Analysis Summary
# Threat Actor: Unnamed China-nexus Actor (Operation Dragon Weave)
## Attribution & Identity
* **Identification:** While a specific group name (e.g., APT#) is not explicitly attributed by Seqrite Labs in this initial report, the campaign is codenamed **Operation Dragon Weave**.
* **Aliases:** None officially assigned yet; characterized as a cyber espionage group.
* **Associations:** The choice of targets (Taiwan and Czech Republic) and the use of the **AdaptixC2** framework align with historical TTPs associated with Chinese state-sponsored threat actors.
## Activity Summary
* **Campaign:** Operation Dragon Weave.
* **Timeline:** Recent/Ongoing (identified by Seqrite Labs).
* **Summary:** A sophisticated cyber espionage operation focusing on the collection of intelligence from high-profile targets in Europe and East Asia. The campaign utilizes spear-phishing to deploy the AdaptixC2 agent, an open-source command-and-control framework that allows for extensive post-exploitation capabilities.
## Tactics, Techniques & Procedures
* **Initial Access:** Distribution of spear-phishing emails containing malicious ZIP attachments.
* **Execution:** LNK files or malicious executables contained within the ZIP are used to initiate the infection chain.
* **Payload Delivery:** Deployment of the **AdaptixC2** agent (an alternative to Cobalt Strike).
* **MITRE ATT&CK IDs (Inferred from context):**
  * T1566.001 - Phishing: Spear-phishing Attachment
  * T1204.002 - User Execution: Malicious File
  * T1071.001 - Application Layer Protocol: Web Protocols (C2 communication)
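The initial-access and execution steps above come down to a ZIP attachment carrying an LNK shortcut or an executable. The following is an added example, not Seqrite Labs' tooling and not derived from any Operation Dragon Weave sample: a defender-side triage routine that opens an attachment in memory and flags members by name (risky or double extensions) and by leading bytes (the LNK header, a PE header, a nested archive) without executing anything. The extension lists, the double-extension heuristic and the sample archive are assumptions constructed for illustration.

```python
"""Triage a ZIP email attachment for LNK shortcuts and executables.

Added example for this summary; it is not Seqrite Labs' tooling and does not
reproduce any Operation Dragon Weave sample. The extension lists, the
double-extension heuristic and the sample archive are assumptions constructed
for illustration. Nothing in the archive is executed; members are only read.
"""
import io
import zipfile

# Windows shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"

# Member extensions that can run code when double-clicked (assumed list).
RISKY_EXTENSIONS = {".lnk", ".exe", ".dll", ".scr", ".js", ".vbs",
                    ".hta", ".bat", ".cmd", ".ps1"}
# Document extensions used as a decoy in names like "Invoice.pdf.lnk".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _extensions(name: str) -> list:
    """All dotted suffixes of a member name, lower-cased:
    'docs/Invoice.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def triage_zip(data: bytes, max_depth: int = 2, _depth: int = 0) -> list:
    """Return findings ({'member', 'reason'}) for an in-memory ZIP.

    Each member is checked by extension, by double-extension lure and by
    leading bytes; nested archives are opened recursively up to max_depth.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": "<root>", "reason": "not a valid ZIP archive"}]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        exts = _extensions(name)
        with archive.open(info) as member:
            head = member.read(32)  # enough for every magic value above

        def flag(reason: str) -> None:
            findings.append({"member": name, "reason": reason})

        if exts and exts[-1] in RISKY_EXTENSIONS:
            flag(f"risky extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in RISKY_EXTENSIONS:
            flag("double-extension lure (document name, executable suffix)")
        # Content checks fire regardless of the member's name.
        if head.startswith(LNK_MAGIC):
            flag("Windows shell link (LNK) header")
        if head.startswith(PE_MAGIC):
            flag("PE executable header")
        if head.startswith(ZIP_MAGIC) and _depth < max_depth:
            with archive.open(info) as member:
                nested = member.read()
            for inner in triage_zip(nested, max_depth, _depth + 1):
                findings.append({"member": f"{name}!{inner['member']}",
                                 "reason": inner["reason"]})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive (not a real sample): a double-extension LNK,
    a minimal PE-looking stub and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2024.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        archive.writestr("update.exe", PE_MAGIC + b"\x00" * 62)
        archive.writestr("readme.txt", b"Quarterly figures attached.\n")
    return buf.getvalue()


def build_nested_sample_zip() -> bytes:
    """The same lure wrapped in an outer archive, to exercise recursion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("attachment.zip", build_sample_zip())
    return buf.getvalue()


def is_suspicious(data: bytes) -> bool:
    """True when any member of the archive (or a nested one) is flagged."""
    return bool(triage_zip(data))


if __name__ == "__main__":
    for finding in triage_zip(build_nested_sample_zip()):
        print(f"{finding['member']}: {finding['reason']}")
```

The content checks matter more than the name checks: a member named `Invoice.pdf` whose first bytes are the LNK header is still flagged, which is the case a name-only mail filter misses. Recursion into nested archives is capped by `max_depth` so a crafted archive cannot make the scanner loop.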
## Targeting
* **Sectors:** Government, Research, Academic, Technology, and Financial Services.
* **Geography:** Czech Republic and Taiwan.
* **Victims:** Government officials, citizens, and researchers identified in the aforementioned regions.
## Tools & Infrastructure
* **Malware:**
  * **AdaptixC2 Agent:** A post-exploitation framework used for remote command execution and data exfiltration.
  * **ZIP Attachments:** Used as a delivery vehicle for initial payloads.
* **Infrastructure:**
  * C2 Framework: AdaptixC2.
  * Associated Domains (Defanged): `hxxps[:]//adaptix[.]io` (the framework's public software source, not a campaign C2 server); the campaign's own C2 servers are not listed in the provided snippet.
## Implications
This campaign indicates a strategic interest by the threat actor in the diplomatic and technological ties between the Czech Republic and Taiwan. The targeting of research and academic sectors suggests a motive of Intellectual Property (IP) theft or information gathering on regional policy shifts. The use of a modern C2 framework like AdaptixC2 shows an evolution in actor tooling intended to evade security detections built for older frameworks such as Cobalt Strike.
## Mitigations
* **Email Security:** Implement advanced email filtering to scan ZIP attachments for LNK files or suspicious scripts.
* **User Training:** Conduct spear-phishing awareness training focusing on the danger of opening unsolicited attachments from unknown sources.
* **Endpoint Monitoring:** Monitor for suspicious processes spawned by common productivity applications (e.g., `cmd.exe` or `powershell.exe` originating from a ZIP extraction tool).
* **Threat Hunting:** Audit networks for unusual outbound traffic to known C2 framework ports or associated IP ranges (Behavioral analysis for AdaptixC2 traffic).
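The endpoint-monitoring mitigation above is concrete enough to express as a detection. The following is an added example, not Seqrite Labs' detection content: it runs over constructed Sysmon-style process-creation events (JSON lines) and flags a command interpreter whose parent is an archive tool or an Office application, raising severity when the command line references a temporary extraction folder. The parent and child lists, the `Temp1_` folder heuristic and the sample events are assumptions of this example.

```python
"""Flag command interpreters spawned from archive tools or Office applications.

Added example for this summary, not Seqrite Labs' detection content. It reads
constructed Sysmon-style process-creation events as JSON lines. The parent and
child lists, the temp-folder regex and the sample events are assumptions.
"""
import json
import re
from typing import Optional

# Parents that should rarely launch an interpreter directly (assumed list).
ARCHIVE_PARENTS = {"7zfm.exe", "7zg.exe", "winrar.exe", "winzip64.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETER_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                        "wscript.exe", "cscript.exe", "rundll32.exe"}
# Folders where Explorer and archive tools unpack an attachment before
# opening it (assumed heuristic; "Temp1_<archive>.zip" is Explorer's pattern).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Temp\d*_", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if child not in INTERPRETER_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "") + " " + event.get("ParentCommandLine", "")
    from_temp = bool(TEMP_PATH.search(cmdline))

    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"{child} spawned by Office application {parent}")
    elif parent in ARCHIVE_PARENTS:
        reasons.append(f"{child} spawned by archive tool {parent}")
    elif parent == "explorer.exe" and from_temp:
        # Explorer launches interpreters legitimately all day; only the
        # combination with a temp extraction path is worth a finding.
        reasons.append(f"{child} launched via Explorer from a temp extraction folder")
    if not reasons:
        return None
    if from_temp:
        reasons.append("command line references a temp extraction path")
    return {"parent": parent, "child": child,
            "severity": "high" if from_temp else "medium", "reasons": reasons}


def scan_events(lines) -> list:
    """Run score_event over JSON lines; malformed lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = score_event(event)
        if hit:
            hit["line"] = number
            findings.append(hit)
    return findings


# Constructed sample events (not real telemetry). Raw strings keep the JSON
# backslash escapes intact.
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\jan\\AppData\\Local\\Temp\\Temp1_Invoice.zip\\setup.ps1"}',
    r'{"ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start report.lnk"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
    "this line is not json",
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"line {finding['line']} [{finding['severity']}] "
              f"{finding['parent']} -> {finding['child']}: {'; '.join(finding['reasons'])}")
```

Only the first two sample events produce findings: the Explorer-launched PowerShell with a temp extraction path (high) and the interpreter spawned by the archive tool (medium). A plain `explorer.exe -> cmd.exe` with no temp path is deliberately left alone, which is the noise-control decision a real rule has to make.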