Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2
Operation Dragon Weave is a medium-severity cyber-espionage campaign attributed to China-based threat actors and targeting officials and citizens in the Czech Republic and Taiwan. The campaign uses spearphishing emails carrying malicious ZIP archives that start a multi-stage infection chain culminating in AZUREVEIL, an Adaptix C2 agent. The agent uses Microsoft Azure Blob Storage as its command-and-control channel, so its beaconing goes to a legitimate cloud service rather than to attacker-owned infrastructure, which lets it evade traditional detection methods. The chain also includes RUSTCLOAK, a Rust-based loader that wraps its payload in three layers of encryption. The final payload supports extensive post-exploitation capabilities, including in-memory execution of Beacon Object Files, file and process manipulation, network pivoting, and data exfiltration. Lure documents mimic official communications from regional institutions to make the social engineering more convincing.
AI Analysis
Technical Summary
This threat is a sophisticated cyber-espionage operation attributed to China-linked actors targeting the Czech Republic and Taiwan via spearphishing. The malicious ZIP files contain two alternative infection paths, both of which deliver AZUREVEIL, an Adaptix C2 agent that uses Microsoft Azure Blob Storage as a dead-drop C2 channel. The infection chain relies on RUSTCLOAK, a Rust-based loader that protects its payload with three layers: a modified RC4 cipher, Base64 encoding, and SM4-CBC encryption. The final payload supports 36 post-exploitation commands, including in-memory execution of Beacon Object Files, file system and process control, network pivoting, and data exfiltration. The campaign uses targeted social engineering, with lure documents impersonating official entities such as Taiwanese research institutions and the Czech Social Security Administration. No known exploits in the wild or patches are indicated.
Potential Impact
The campaign gives attackers persistent access to targeted systems in the Czech Republic and Taiwan and enables extensive post-exploitation activity: executing code in memory, manipulating files and processes, pivoting within networks, and exfiltrating sensitive data. Because the C2 channel is Azure Blob Storage, the malicious traffic is hard to separate from legitimate cloud use, which complicates detection and mitigation. The tailored social engineering increases the likelihood of a successful initial compromise. There are no known public exploits or patches related to this campaign, since it is a targeted espionage operation rather than a vulnerability with a fix.
Mitigation Recommendations
No official patch or remediation is available for this campaign, because it is malware-based and relies on social engineering and abuse of legitimate cloud infrastructure rather than on a software vulnerability. Organizations in the targeted regions should focus on user awareness training to recognize spearphishing attempts, implement robust email filtering (including inspection of ZIP attachments), and monitor for unusual use of Azure Blob Storage, such as connections from hosts or processes that have no business reason to reach it, alongside other anomalous network behavior. Endpoint detection and response solutions should be tuned to detect the behaviors associated with the AZUREVEIL and RUSTCLOAK malware families. Mitigation therefore rests on preventing the initial compromise and detecting the post-exploitation activity that follows it.
Affected Countries
Czechia, Taiwan
Indicators of Compromise
- hash: 4479c73e0c28a00debd8fae5963d5af0
- hash: 9378a8075f26ab0f2a3add6d97eb0533
- hash: 04f7126031fe11475e0b24ce5298ecd6e56ec363
- hash: 6f569139805e4ca507dc6fc2f1cb880beb3d7ac7
- hash: 02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e
- hash: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574
- hash: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192
- hash: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447
- hash: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4
- hash: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4
- hash: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1
- hash: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15
- hash: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0
- hash: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de
- hash: 8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9
- hash: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
- Adversary: null
- Pulse Id: 6a19acf8d896b3c89d4bab6f
- Threat Score: null
Threat ID: 6a1d5904e29bf47b50d33179
Added to database: 6/1/2026, 10:03:48 AM
Last enriched: 6/1/2026, 10:18:32 AM
Last updated: 6/1/2026, 3:29:28 PM