
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

Severity: Medium
Published: Sat Jun 07 2025 (06/07/2025, 10:12:03 UTC)
Source: AlienVault OTX General

Description

Operation DRAGONCLONE is a cyber espionage campaign targeting China Mobile Tietong, a subsidiary of China Mobile, using the VELETRIX malware loader and VShell, a remote access tool marketed as an adversary simulation framework. The intrusion begins with a malicious ZIP archive containing executables and DLLs: a legitimate executable sideloads a malicious DLL placed beside it, and the loader hides its payload with IPfuscation, an anti-analysis technique that stores shellcode as dotted-quad IP address strings rather than as a recognisable byte blob. The campaign is linked to the China-nexus clusters UNC5174 (Uteus) and Earth Lamia and employs SuperShell, Cobalt Strike, and the Asset Lighthouse System. Active since March 2025, it features credential theft, network reconnaissance, and callback-based execution. While the observed victim is Chinese telecom infrastructure, European organizations with similar telecom infrastructure or supply chain connections to it may be exposed. Detection should focus on VELETRIX and VShell behaviors, DLL sideloading, and command-and-control traffic patterns. Germany, France, and the UK are assessed as most likely affected given their telecom sectors and economic ties to China. Given the evasion techniques and espionage potential, this analysis rates the threat severity as high, above the pulse's Medium rating.

AI-Powered Analysis

Last updated: 10/28/2025, 19:21:11 UTC

Technical Analysis

Operation DRAGONCLONE is a cyber espionage campaign identified in early 2025 and active since at least March 2025, primarily targeting China Mobile Tietong, a subsidiary of China Mobile. The attackers use the VELETRIX loader to establish a foothold and then deploy VShell, a Go-based remote access tool sold as an adversary simulation framework. The initial infection vector is a malicious ZIP archive containing executables and DLL files. The executable is a legitimate, typically signed, application that resolves one of its imported DLLs from its own directory, so the malicious DLL dropped beside it is loaded in place of the genuine system copy (DLL sideloading); the trusted parent process image is what lets the loader slip past reputation-based controls. VELETRIX hides its payload with IPfuscation: the shellcode is stored as a list of dotted-quad IPv4 strings and rebuilt in memory at run time, so no contiguous shellcode blob exists on disk for static scanners to match. The pulse's "callback execution" most likely refers to loader tradecraft, running the decoded payload through a Windows API callback rather than a direct thread start, and should not be read as a persistence mechanism or as C2 beaconing. The activity is attributed to the China-nexus clusters UNC5174 (Uteus) and Earth Lamia, both of which have a history of targeting telecom and critical infrastructure sectors. Additional tooling includes SuperShell, Cobalt Strike (a commercial penetration testing framework widely abused by threat actors), and the Asset Lighthouse System for network reconnaissance and asset discovery; observed post-compromise activity includes credential theft used for privilege escalation and lateral movement. The CVEs the pulse associates with these clusters, CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2025-31324 (SAP NetWeaver Visual Composer unauthenticated file upload), have both been exploited in the wild and are listed in CISA's Known Exploited Vulnerabilities catalog, so exposed instances should be treated as a live entry vector rather than a latent risk. The pulse's Medium severity rating likely underestimates the impact given the sophistication and espionage focus. Targeted detection should cover VELETRIX and VShell behavioral indicators, DLL sideloading by executables running from user-writable paths, and network traffic analysis for periodic beaconing indicative of command and control.
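The IPfuscation step described above is easiest to understand by implementing both directions. The following is an added example written for this page, not code from the Seqrite report or from the VELETRIX loader: it encodes a constructed payload as dotted-quad strings the way a loader would store them, decodes them the way `RtlIpv4StringToAddressA` would reconstruct them (one byte per octet, in order), and scans a constructed fake binary for long runs of IPv4 literals, which is the static-triage heuristic an analyst applies to an unknown DLL. The prologue marker list, the sample payload and the fake binary are all constructed assumptions; real configuration strings rarely contain dozens of consecutive addresses, which is what makes the run length a usable signal.

```python
"""IPfuscation encode/decode plus a string-run triage heuristic.

Added example for this write-up; not code from the DRAGONCLONE report or the VELETRIX loader.
SAMPLE_PAYLOAD and SAMPLE_BINARY are constructed test data, not real shellcode or a real sample.
"""
import re
from typing import Iterable, List, Tuple

# Dotted quad not glued to other digits/dots (so "1.2.3.4.5" does not yield a false match).
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Hypothetical marker list: byte sequences that commonly open Windows stagers. A decoded run
# starting with one of these is a strong hint; absence proves nothing.
KNOWN_PROLOGUES = {
    b"\xfc\x48\x83\xe4\xf0": "x64 stager prologue (cld; and rsp,-0x10)",
    b"\xfc\xe8": "x86 stager prologue (cld; call)",
}


def ipfuscate(payload: bytes) -> List[str]:
    """Store a payload as IPv4 strings, four bytes per address, zero-padded to a multiple of 4."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4]) for i in range(0, len(padded), 4)]


def deipfuscate(addrs: Iterable[str]) -> bytes:
    """Rebuild the bytes exactly as RtlIpv4StringToAddressA would: octet -> byte, in order."""
    out = bytearray()
    for addr in addrs:
        octets = addr.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted quad: {addr!r}")
        for octet in octets:
            value = int(octet)
            if not 0 <= value <= 255:
                raise ValueError(f"octet out of range in {addr!r}")
            out.append(value)
    return bytes(out)


def _valid_quad(addr: str) -> bool:
    return all(0 <= int(o) <= 255 for o in addr.split("."))


def find_ipv4_runs(blob: bytes, min_run: int = 8, max_gap: int = 2) -> List[List[str]]:
    """Return runs of >= min_run IPv4 literals separated by at most max_gap bytes (e.g. NULs)."""
    runs: List[List[str]] = []
    current: List[str] = []
    last_end = None
    for m in IPV4_RE.finditer(blob):
        addr = m.group().decode("ascii")
        if not _valid_quad(addr):
            continue
        if last_end is not None and m.start() - last_end > max_gap:
            if len(current) >= min_run:
                runs.append(current)
            current = []
        current.append(addr)
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return runs


def triage(blob: bytes, min_run: int = 8) -> List[Tuple[int, bytes, str]]:
    """For each suspicious run: (address count, decoded bytes, prologue note or '')."""
    results = []
    for run in find_ipv4_runs(blob, min_run):
        decoded = deipfuscate(run)
        note = next((d for sig, d in KNOWN_PROLOGUES.items() if decoded.startswith(sig)), "")
        results.append((len(run), decoded, note))
    return results


# Constructed 40-byte payload: a common x64 prologue followed by filler, never real shellcode.
SAMPLE_PAYLOAD = b"\xfc\x48\x83\xe4\xf0" + bytes(range(0x41, 0x41 + 35))

# Constructed "binary": header junk, a NUL-separated IP list as a loader would embed it,
# then an unrelated single address in a benign config string.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\x00".join(a.encode() for a in ipfuscate(SAMPLE_PAYLOAD))
    + b"\x00\x00\x00update server 10.0.0.5\x00" + b"\xff" * 8
)

if __name__ == "__main__":
    for count, decoded, note in triage(SAMPLE_BINARY):
        print(f"run of {count} addresses -> {decoded[:8].hex()}... {note}")
```

Run against a real sample, the same scan can be pointed at the extracted `strings` output or at the raw file; a run of eight or more valid addresses in an unsigned DLL that also imports `RtlIpv4StringToAddressA` is worth decoding and disassembling.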

Potential Impact

For European organizations, especially those in the telecom sector or with supply chain dependencies involving Chinese technology providers, Operation DRAGONCLONE represents a significant espionage threat. The campaign’s ability to steal credentials and perform network reconnaissance could lead to unauthorized access to sensitive communications infrastructure, intellectual property, and customer data. This could result in long-term compromise of critical telecom networks, disruption of services, and exposure of confidential information. The use of advanced evasion techniques such as IPFuscation and DLL sideloading complicates detection and response efforts, increasing the risk of prolonged undetected intrusions. Furthermore, the campaign’s tools and tactics could be adapted to target European telecom operators directly or their suppliers, potentially affecting network integrity and availability. The economic and strategic importance of telecom infrastructure in countries like Germany, France, and the UK heightens the potential impact, as compromise could affect national security, critical communications, and economic stability. Additionally, the espionage focus could provide adversaries with intelligence advantages in geopolitical or commercial contexts.

Mitigation Recommendations

European organizations should implement targeted detection for VELETRIX and VShell behaviors, including unusual process creation from archive-extraction paths and DLL sideloading patterns (a system DLL name loaded from a non-system directory, or an unsigned DLL loaded from the same user-writable directory as its parent executable). IPfuscation leaves no IP addresses to "detect"; instead hunt for executables and DLLs that carry long runs of dotted-quad strings and resolve RtlIpv4StringToAddressA or its IPv6, MAC and UUID equivalents, and prefer EDR telemetry that inspects memory at execution time over static file scanning. Network security teams should baseline outbound traffic, alert on periodic beaconing to newly seen infrastructure, and block the indicator IPs listed below at the perimeter. Conduct regular threat hunting on indicators associated with UNC5174 and Earth Lamia, and make sure internet-facing ConnectWise ScreenConnect and SAP NetWeaver instances are patched for CVE-2024-1709 and CVE-2025-31324, since both have been exploited in the wild. Enforce application control (WDAC or AppLocker) with code integrity policies so that unsigned DLLs cannot load from user-writable locations. Strengthen credential protection with phishing-resistant multi-factor authentication, Credential Guard where supported, and regular credential audits to limit the value of stolen credentials. Work with supply chain partners to assess exposure to Chinese telecom infrastructure and enforce security requirements. Maintain current threat intelligence feeds and share findings with national cybersecurity centers and sector Information Sharing and Analysis Centers (ISACs). Finally, train employees to recognize phishing attempts and malicious ZIP attachments, and consider blocking archives that contain executables at the mail gateway, since the initial vector relies on user interaction.
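The sideloading and indicator checks recommended above can be expressed as a small hunting script. The following is an added example written for this page, not detection content from the report, the pulse, or any vendor: it runs a DLL sideloading rule and a hash/IP indicator match over constructed Sysmon-style image-load (Event ID 7) and network-connect (Event ID 3) records. The events are constructed; the only real data are the IP and hash indicators copied from the Indicators of Compromise section of this page. The `SYSTEM_DLLS` list is an illustrative set of System32 DLL names commonly abused for sideloading, not the DLLs named in the report, and the user-writable path hints are an assumption about a typical Windows estate.

```python
"""Hunting checks for DLL sideloading and DRAGONCLONE indicators over Sysmon-style events.

Added example for this write-up, not detection content from the report or the pulse. Events are
constructed. IOC_IPS and IOC_HASHES are copied from this page's indicator section; SYSTEM_DLLS is an
illustrative list of System32 DLL names commonly abused for sideloading, not the report's DLLs.
"""
from pathlib import PureWindowsPath
from typing import Dict, List, Set, Tuple

IOC_IPS = {"47.115.51.44", "47.123.7.206"}
IOC_HASHES = {
    "0668293c9f523f26babc09617063493b",                                     # MD5 from the page
    "37a37bc7255089fdd000feb10780c2513c4416c8",                             # SHA-1 from the page
    "2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112",     # SHA-256 from the page
}
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def under_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def parse_hashes(field: str) -> Set[str]:
    """Sysmon 'Hashes' is 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'; return the bare digests."""
    return {part.split("=", 1)[1].lower() for part in field.split(",") if "=" in part}


def check_image_load(ev: Dict[str, str]) -> List[str]:
    """Sysmon Event ID 7 (ImageLoaded): sideloading heuristics plus hash indicator match."""
    findings: List[str] = []
    image, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    img_dir, dll_dir = str(image.parent).lower(), str(dll.parent).lower()
    # Rule 1: a DLL that normally lives in System32 was resolved from somewhere else.
    if dll.name.lower() in SYSTEM_DLLS and not under_system_dir(ev["ImageLoaded"]):
        findings.append(f"system DLL name {dll.name} loaded from non-system path {dll_dir}")
    # Rule 2: the parent loaded an unsigned/invalid DLL from its own non-system directory.
    if dll_dir == img_dir and not under_system_dir(ev["Image"]) and ev.get("SignatureStatus") != "Valid":
        where = "user-writable" if any(h in img_dir + "\\" for h in USER_WRITABLE) else "non-system"
        findings.append(f"unsigned DLL {dll.name} sideloaded by {image.name} from {where} directory {img_dir}")
    # Rule 3: any digest in the event matches a published indicator.
    if parse_hashes(ev.get("Hashes", "")) & IOC_HASHES:
        findings.append(f"loaded image {dll.name} matches a DRAGONCLONE hash indicator")
    return findings


def check_network(ev: Dict[str, str]) -> List[str]:
    """Sysmon Event ID 3 (NetworkConnect): destination matches a published indicator IP."""
    if ev.get("DestinationIp") in IOC_IPS:
        proc = PureWindowsPath(ev["Image"]).name
        return [f"{proc} connected to indicator IP {ev['DestinationIp']}:{ev.get('DestinationPort')}"]
    return []


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (EventID, Image, findings) for every event that tripped at least one check."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7:
            findings = check_image_load(ev)
        elif ev["EventID"] == 3:
            findings = check_network(ev)
        else:
            findings = []
        if findings:
            hits.append((ev["EventID"], ev["Image"], findings))
    return hits


# Constructed events. Digests other than the copied indicators are filler.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",           # benign: real version.dll
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\pkg\\update.exe",  # sideload from ZIP dir
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\pkg\\version.dll", "SignatureStatus": "Unavailable",
     "Hashes": "MD5=0668293C9F523F26BABC09617063493B,SHA256=" + "22" * 32},
    {"EventID": 3, "Image": "C:\\Users\\alice\\Downloads\\pkg\\update.exe",
     "DestinationIp": "47.115.51.44", "DestinationPort": "443"},
    {"EventID": 3, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for event_id, image, findings in hunt(SAMPLE_EVENTS):
        print(f"[EID {event_id}] {image}")
        for f in findings:
            print(f"    - {f}")
```

Rules 1 and 2 fire independently of any indicator, so they keep working when the actor rotates binaries and infrastructure; rule 3 and the IP check are the cheap, high-confidence matches for this specific campaign and should be expected to go stale.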


Technical Details

Author
AlienVault
Tlp
white
References
https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/
Adversary
China-Nexus
Pulse Id
6842f45696f96557e5f757b1
Threat Score
null

Indicators of Compromise

Hash

MD5
0668293c9f523f26babc09617063493b
241f0748c8eec5bd7c6bf52a9a6ac1dd
3199796dc2ad51da41da51de58d31012
81f76f83d4c571fe95772f21aff4d0b9

SHA-1
37a37bc7255089fdd000feb10780c2513c4416c8
ba8e2015fd0abe944d6b546088451ff05dd24849
ea97ee5f81f157e2ecf729b6c43f0997c3af20d3
f8cf927cb2baf893b136bc5d90535d193fc73b75

SHA-256
2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112
40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4
645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992
a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a
ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0
ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc
bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7

IP

47.115.51.44
47.123.7.206

Threat ID: 68433b1b71f4d251b5d94948

Added to database: 6/6/2025, 7:01:47 PM

Last enriched: 10/28/2025, 7:21:11 PM

Last updated: 11/22/2025, 4:45:11 PM

Views: 139


