
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

Medium
Published: Sat Jun 07 2025 (06/07/2025, 10:12:03 UTC)
Source: AlienVault OTX General

Description

A sophisticated campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, has been uncovered. The attack employs VELETRIX, a new loader, and VShell, a known adversary simulation tool. The infection chain begins with a malicious ZIP file containing executable and DLL files. VELETRIX uses anti-analysis techniques, IPFuscation, and a callback mechanism to execute VShell. The campaign shows overlaps with UNC5174 (Uteus) and Earth Lamia, known China-nexus threat actors. The infrastructure utilizes tools like SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, this operation demonstrates advanced tactics, techniques, and procedures associated with Chinese state-sponsored threat groups.

AI-Powered Analysis

Last updated: 07/08/2025, 12:01:57 UTC

Technical Analysis

Operation DRAGONCLONE is a sophisticated cyber espionage campaign targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile. The campaign employs a novel loader named VELETRIX alongside VShell, a known adversary simulation tool, to establish and maintain persistence within the victim environment. The infection vector begins with a malicious ZIP archive containing executable and DLL files, leveraging DLL sideloading techniques to evade detection and execute payloads. VELETRIX incorporates advanced anti-analysis methods and IPFuscation to obscure network communications, complicating detection and attribution efforts. The loader uses a callback mechanism to execute VShell, facilitating further post-exploitation activities.

The campaign infrastructure includes tools such as SuperShell, Cobalt Strike, and the Asset Lighthouse System, indicating a high level of operational sophistication and resource availability. Attribution links this operation to China-nexus threat actors, specifically UNC5174 (Uteus) and Earth Lamia, groups known for targeting telecommunications and critical infrastructure sectors. The campaign has been active since March 2025, demonstrating ongoing efforts to compromise strategic telecom assets.

The attack chain aligns with multiple MITRE ATT&CK techniques including user execution (T1204.002), DLL sideloading (T1574.001), credential dumping (T1003), and network reconnaissance (T1046), among others. Despite the presence of CVE-2024-1709 and CVE-2025-31324 references, no known exploits in the wild have been reported, suggesting the campaign relies on custom tooling and targeted delivery rather than widespread exploitation. Overall, Operation DRAGONCLONE exemplifies a targeted, state-sponsored espionage effort leveraging advanced malware and evasion techniques to infiltrate and persist within a major Chinese telecom entity.

Potential Impact

For European organizations, the direct impact of Operation DRAGONCLONE may appear limited given the primary target is a Chinese telecom subsidiary. However, the campaign's use of advanced loaders, evasion techniques, and post-exploitation frameworks such as Cobalt Strike and VShell highlights tactics that could be repurposed against European telecom providers or critical infrastructure. European telecom operators, especially those with partnerships or data exchanges involving Chinese entities, could face supply chain risks or collateral exposure. Additionally, the campaign's sophisticated use of DLL sideloading and IPFuscation techniques underscores the evolving threat landscape that European organizations must contend with, particularly in sectors reliant on complex software ecosystems. The espionage nature of the campaign suggests potential risks to confidentiality of sensitive communications and intellectual property if similar tactics are employed against European targets. Furthermore, the presence of state-sponsored tools and infrastructure indicates a high level of persistence and stealth, complicating detection and remediation efforts. European organizations in the telecom sector, critical infrastructure, and government agencies should be aware of these advanced tactics as they may signal emerging threats or methodologies that could be adapted for regional targeting.

Mitigation Recommendations

European organizations should implement advanced detection and prevention controls tailored to the tactics observed in Operation DRAGONCLONE:

- Monitor for anomalous ZIP file deliveries containing executables and DLLs, using sandboxing and static/dynamic analysis to identify malicious payloads.
- Deploy application whitelisting and strict DLL loading policies to mitigate DLL sideloading risks.
- Focus network monitoring on detecting IPFuscation and unusual callback patterns indicative of loader activity.
- Tune endpoint detection and response (EDR) solutions to identify behaviors associated with VELETRIX and VShell, including process injection, credential dumping, and use of Cobalt Strike beacons.
- Incorporate indicators of compromise related to the China-nexus groups UNC5174 and Earth Lamia into regular threat hunting exercises.
- Given the use of adversary simulation tools, validate detection capabilities against these frameworks.
- Conduct supply chain security assessments for telecom providers with Chinese partnerships to identify potential indirect exposure.
- Update incident response plans to address advanced persistent threat (APT) scenarios involving stealthy loaders and multi-stage infection chains.
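As an added example (not code from this report or from the Seqrite analysis it references), the triage routine below applies the first recommendation to a ZIP archive held in memory. It flags an archive that ships an executable together with a DLL (the delivery pattern described in the technical analysis), flags any member that carries a PE "MZ" header under a non-executable extension, and checks every member's MD5, SHA-1 and SHA-256 against the hash indicators listed further down this page. The sample archives and their contents are constructed stand-ins, not real samples, so only the pairing and disguised-PE checks fire on them; the hash check is exercised in the same way by passing any digest set of your own.

```python
import hashlib
import io
import os
import zipfile

# Hash indicators copied from this report's Indicators of Compromise section
# (four MD5, four SHA-1, seven SHA-256). A member whose digest appears here
# is a direct match for a known campaign sample.
IOC_HASHES = {
    "0668293c9f523f26babc09617063493b",
    "241f0748c8eec5bd7c6bf52a9a6ac1dd",
    "3199796dc2ad51da41da51de58d31012",
    "81f76f83d4c571fe95772f21aff4d0b9",
    "37a37bc7255089fdd000feb10780c2513c4416c8",
    "ba8e2015fd0abe944d6b546088451ff05dd24849",
    "ea97ee5f81f157e2ecf729b6c43f0997c3af20d3",
    "f8cf927cb2baf893b136bc5d90535d193fc73b75",
    "2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112",
    "40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4",
    "645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992",
    "a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a",
    "ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0",
    "ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc",
    "bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7",
}

# Extensions under which a PE file is expected; an "MZ" header under any
# other extension is treated as a disguised executable.
PE_EXTS = {"exe", "dll"}


def hash_bytes(data: bytes) -> dict:
    """Compute the three digest types used in the report's IoC list."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_zip(zip_bytes: bytes, ioc_hashes=IOC_HASHES) -> dict:
    """Inspect an in-memory ZIP and report why (if at all) it is suspicious.

    Checks: an .exe and a .dll shipped together (sideloading delivery pattern),
    a member whose content starts with the PE 'MZ' header but whose extension
    is not exe/dll, and any member whose digest matches a listed indicator.
    """
    findings = {"members": [], "exe_dll_pair": False, "disguised_pe": [], "ioc_matches": []}
    seen_exts = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = os.path.basename(info.filename)  # ignore any directory prefix
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            seen_exts.add(ext)
            digests = hash_bytes(data)
            findings["members"].append({"name": info.filename, "size": len(data), **digests})
            if data[:2] == b"MZ" and ext not in PE_EXTS:
                findings["disguised_pe"].append(info.filename)
            hits = sorted(h for h in digests.values() if h in ioc_hashes)
            if hits:
                findings["ioc_matches"].append((info.filename, hits))
    findings["exe_dll_pair"] = "exe" in seen_exts and "dll" in seen_exts
    findings["suspicious"] = bool(
        findings["exe_dll_pair"] or findings["disguised_pe"] or findings["ioc_matches"]
    )
    return findings


def build_zip(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes}; used only for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives; the "MZ" prefix stands in for a real PE file.
    samples = {
        "benign": build_zip({"invoice.pdf": b"%PDF-1.4 constructed sample"}),
        "staged": build_zip({"setup/update.exe": b"MZ constructed stub",
                             "setup/version.dll": b"MZ constructed stub"}),
        "disguised": build_zip({"notes.txt": b"MZ constructed stub"}),
    }
    for label, blob in samples.items():
        r = triage_zip(blob)
        print(f"{label}: {'SUSPICIOUS' if r['suspicious'] else 'clean'} "
              f"pair={r['exe_dll_pair']} disguised={r['disguised_pe']} ioc={r['ioc_matches']}")
```

In production the archive bytes would come from a mail gateway or file share rather than `build_zip`, and a hit in `ioc_matches` should be treated as confirmed rather than merely suspicious; the pairing and disguised-PE checks are heuristics that warrant sandbox analysis, not blocking on their own.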


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/
Adversary: China-Nexus
Pulse Id: 6842f45696f96557e5f757b1
Threat Score: null

Indicators of Compromise

Hashes (MD5)

0668293c9f523f26babc09617063493b
241f0748c8eec5bd7c6bf52a9a6ac1dd
3199796dc2ad51da41da51de58d31012
81f76f83d4c571fe95772f21aff4d0b9

Hashes (SHA-1)

37a37bc7255089fdd000feb10780c2513c4416c8
ba8e2015fd0abe944d6b546088451ff05dd24849
ea97ee5f81f157e2ecf729b6c43f0997c3af20d3
f8cf927cb2baf893b136bc5d90535d193fc73b75

Hashes (SHA-256)

2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112
40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4
645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992
a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a
ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0
ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc
bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7

IP addresses

47.115.51.44
47.123.7.206

Threat ID: 68433b1b71f4d251b5d94948

Added to database: 6/6/2025, 7:01:47 PM

Last enriched: 7/8/2025, 12:01:57 PM

Last updated: 8/15/2025, 10:48:55 AM

Views: 49
