# Full Report

Contents:

* Introduction
* Key Targets
  * Industries Affected
  * Geographical focus
* Infection Chain
* Initial Findings
* Looking into the Decoy Document
* Technical Analysis
  * Stage 1 – Initial Delivery
    * Path A: LNK-Based Execution
    * Path B: Executable-Based Delivery
  * Stage 2 – Script-Based Dropper Chain
  * Stage 3 – RUSTCLOAK (Rust Loader)
  * Stage 4 – AZUREVEIL (Adaptix C2 Agent)
* Infrastructure & Attribution
* Conclusion
* […]

The post "Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2" appeared first on Seqrite Labs.

# Analysis Summary
# Threat Actor: Operation Dragon Weave (China-Linked)
## Attribution & Identity
* **Identification:** The campaign is attributed to a **China-linked threat actor**.
* **Aliases:** Currently tracked under the campaign name **"Operation Dragon Weave."**
* **Known Associations:** Analysis of the TTPs, including the use of specific side-loading techniques and targeting patterns, strongly suggests alignment with Chinese state-sponsored operational goals. The use of Traditional Chinese lures and infrastructure like Azure Blob Storage for C2 (a growing trend among East Asian actors) supports this attribution.
## Activity Summary
* **Operation Dragon Weave (2024-2026):** A sophisticated spearphishing campaign first observed in early 2026 (based on telemetry from March 2026). The campaign utilizes a multi-stage infection chain involving LNK files, malicious executables, and script-based droppers to eventually deploy a Rust-based loader and a specialized C2 agent.
## Tactics, Techniques & Procedures
* **Initial Delivery:** Spearphishing using ZIP archives containing LNK files or disguised executables.
* **Persistence & Execution:**
  * **LNK-Based Execution:** Using shortcut (LNK) files to trigger command lines.
  * **DLL Side-Loading:** Abusing legitimate binaries (e.g., `BrowserViewUtility.exe`) to load malicious DLLs (`UnityPlayer.dll`).
* **Evasion:**
  * Multi-layer encryption (XOR, among others) of payload containers (`.dat` files).
  * Script-based dropper chains (VBScript and PowerShell).
  * Sandbox and virtual-machine checks to hinder analysis.
* **MITRE ATT&CK IDs:**
  * **T1566.001:** Spearphishing Attachment
  * **T1204.002:** User Execution – Malicious File
  * **T1059.001 / T1059.005:** Command and Scripting Interpreter – PowerShell / Visual Basic
  * **T1574.002:** DLL Side-Loading
  * **T1055:** Process Injection
  * **T1620:** Reflective Code Loading
  * **T1102.001:** Web Service – Dead Drop Resolver (Azure Blob Storage)
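The evasion bullets above mention XOR-encrypted payload containers (`1.dat`, `Com.dat`). A common first triage step for such a blob is to test whether a single-byte XOR layer hides a PE image, by trying every key and checking for a consistent MZ/PE header rather than just the two `MZ` bytes. The following is an added analyst-side example, not code from the Seqrite Labs report and not the actor's container format: the single-byte key, the embedded-PE assumption and the `SAMPLE_CONTAINER` blob are all constructed here, and a real container with additional encryption layers would need further unwrapping after this step.

```python
"""Triage helper: recover a single-byte XOR key from a blob that is
suspected to wrap a PE image. Constructed example; the key length and
the presence of a PE are assumptions, not facts about the real .dat files."""
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew field points
    at a 'PE\\0\\0' signature inside the blob. Checking e_lfanew avoids
    false positives from two-byte 'MZ' coincidences."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_xor(container: bytes):
    """Try all 256 keys; return (key, decoded) for the first key that yields
    a PE-shaped image, or None if no single-byte XOR layer is present."""
    for key in range(256):
        decoded = xor_bytes(container, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def build_fake_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header stub (not a runnable executable):
    'MZ', zero padding, e_lfanew = 0x40, then the 'PE\\0\\0' signature."""
    stub = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    stub += struct.pack("<I", 0x40)        # e_lfanew at offset 0x3C
    stub += b"PE\0\0" + b"\0" * 60         # PE signature plus filler
    return bytes(stub)


# Constructed stand-in for an encrypted container, XORed with key 0x5A.
SAMPLE_CONTAINER = xor_bytes(build_fake_pe_stub(), 0x5A)


if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_CONTAINER)
    if result is None:
        print("no single-byte XOR layer found; try a longer key or another scheme")
    else:
        key, decoded = result
        print(f"key 0x{key:02x} yields a PE image ({len(decoded)} bytes)")
```

Because both `MZ` bytes must decode correctly, the recovered key is unique for a given container; an analyst would then hand the decoded bytes to a PE parser or a second-layer decoder rather than execute them.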
## Targeting
* **Sectors:** Government & Public Sector, Research & Academia, Technology & Software, and Financial Services.
* **Geography:** Primarily the **Czech Republic** and **Taiwan**.
* **Victims:** Government officials and citizens; lures specifically mimic "Project Application Review Result Notifications."
## Tools & Infrastructure
* **Malware Families:**
  * **RUSTCLOAK:** A specialized loader written in Rust designed to decrypt and execute final payloads.
  * **AZUREVEIL:** A customized **Adaptix C2 Agent** used for remote control and data exfiltration.
* **Infrastructure:**
  * **C2:** Abuse of legitimate cloud services for Command & Control.
  * **Domains:** `note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net` (Azure Blob Storage).
  * **Files:** `1.dat`, `Com.dat` (encrypted containers); `UnityPlayer.dll` (malicious loader).
## Implications
This campaign demonstrates a high level of planning and regional focus, specifically targeting nations with complex geopolitical relationships with China. The transition to Rust-based malware (RUSTCLOAK) and the abuse of Azure Cloud infrastructure (AZUREVEIL) highlight an evolution in the actor’s toolkit to maximize stealth and bypass traditional signature-based security products. The dual targeting of the Czech Republic and Taiwan suggests an interest in monitoring political and technological developments in these regions.
## Mitigations
* **Email Security:** Implement robust attachment scanning and neutralize LNK or EXE files within archives at the mail gateway.
* **Endpoint Defense:** Monitor for unusual child processes spawned by common utilities and block unauthorized DLL side-loading through application whitelisting.
* **Cloud Monitoring:** Monitor network traffic for unusual outbound connections to cloud storage providers (like Azure Blob Storage) from non-administrative user profiles.
* **Script Control:** Restrict the execution of PowerShell and VBScript using Windows Defender Application Control (WDAC) or AppLocker.
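The endpoint and cloud-monitoring mitigations above translate into three concrete detections: a script host chain (VBScript host spawning PowerShell, or `explorer.exe` launching a shell with arguments as a double-clicked LNK would), a watch-listed DLL such as `UnityPlayer.dll` loaded unsigned or from a user-writable path, and a non-browser process connecting to `*.blob.core.windows.net`. The following is an added example, not code from the Seqrite Labs report: it runs those checks over constructed Sysmon-style event dictionaries embedded inline. The event field names, the `SIDELOAD_WATCHLIST` contents beyond `UnityPlayer.dll`, the browser allow-list and the storage hostname are assumptions; the explorer-to-shell rule is a heuristic and will need tuning per environment.

```python
"""Toy detection pass over constructed Sysmon-style telemetry for the
behaviours named in the report's mitigations. Field names and sample
values are constructed for this example."""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LNK_TARGETS = {"cmd.exe", "mshta.exe"} | SCRIPT_HOSTS | SHELLS
SIDELOAD_WATCHLIST = {"unityplayer.dll"}          # from the report; extend as needed
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed allow-list
CLOUD_STORAGE_SUFFIXES = (".blob.core.windows.net",)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_process(ev):
    """Script dropper chain (VBScript host -> PowerShell) and the LNK-style
    pattern of explorer.exe launching a shell with a command line."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    cmdline = ev.get("CommandLine", "")
    if parent in SCRIPT_HOSTS and child in SHELLS:
        return f"script dropper chain: {parent} -> {child}"
    if parent == "explorer.exe" and child in LNK_TARGETS and len(cmdline.split()) > 1:
        return f"possible LNK-triggered command line: {cmdline}"
    return None


def check_image_load(ev):
    """Watch-listed DLL loaded unsigned, from a user-writable path, or by a
    host EXE that itself lives in a user-writable path."""
    loaded = basename(ev["ImageLoaded"])
    if loaded not in SIDELOAD_WATCHLIST:
        return None
    reasons = []
    if in_user_writable(ev["ImageLoaded"]):
        reasons.append("DLL in user-writable path")
    if not ev.get("Signed", False):
        reasons.append("DLL unsigned")
    if in_user_writable(ev["Image"]):
        reasons.append("host EXE in user-writable path")
    if reasons:
        return f"possible DLL side-loading: {basename(ev['Image'])} loaded {loaded} ({'; '.join(reasons)})"
    return None


def check_network(ev):
    """Outbound connection to cloud blob storage from a non-browser process."""
    host = ev["DestinationHostname"].lower()
    if host.endswith(CLOUD_STORAGE_SUFFIXES) and basename(ev["Image"]) not in BROWSERS:
        return f"cloud-storage C2 candidate: {basename(ev['Image'])} -> {host}"
    return None


CHECKS = {"ProcessCreate": check_process, "ImageLoad": check_image_load,
          "NetworkConnect": check_network}


def run_detections(events):
    """Return a list of (event type, alert message) for every event that fires a check."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["EventType"])
        msg = check(ev) if check else None
        if msg:
            alerts.append((ev["EventType"], msg))
    return alerts


# Constructed sample telemetry: four malicious-looking events, three benign.
TMP = r"C:\Users\alice\AppData\Local\Temp\notice"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": f'cmd.exe /c "{TMP}\\notice.vbs"'},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File stage2.ps1"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventType": "ImageLoad", "Image": f"{TMP}\\BrowserViewUtility.exe",
     "ImageLoaded": f"{TMP}\\UnityPlayer.dll", "Signed": False},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\SomeGame\game.exe",
     "ImageLoaded": r"C:\Program Files\SomeGame\UnityPlayer.dll", "Signed": True},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "DestinationHostname": "contoso-storage.blob.core.windows.net"},
    {"EventType": "NetworkConnect", "Image": f"{TMP}\\BrowserViewUtility.exe",
     "DestinationHostname": "contoso-storage.blob.core.windows.net"},
]


if __name__ == "__main__":
    for kind, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{kind}] {msg}")
```

The benign Unity game and the browser connection are kept in the sample set deliberately: a side-loading rule keyed only on the DLL name, or a cloud-storage rule with no process allow-list, would page on both, so the path, signature and parent-process context carry the signal.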