
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware

Medium
Published: Sat Jun 07 2025 (06/07/2025, 10:12:03 UTC)
Source: AlienVault OTX General

Description

Operation DRAGONCLONE is an advanced cyber espionage campaign targeting China Mobile Tietong and potentially European telecom organizations connected to Chinese infrastructure. It uses sophisticated malware loaders like VELETRIX and the VShell adversary simulation tool, delivered via malicious ZIP files exploiting DLL sideloading and anti-analysis techniques such as IPFuscation. The campaign is linked to China-nexus threat groups UNC5174 (Uteus) and Earth Lamia and employs tools including SuperShell, Cobalt Strike, and Asset Lighthouse System. Active since March 2025, it focuses on credential theft, network reconnaissance, and callback execution. Detection requires monitoring for specific malware behaviors, DLL sideloading, and network callbacks. Germany, France, and the UK are at heightened risk due to their telecom sectors and economic ties to China. The threat is assessed as high severity given its advanced evasion, espionage intent, and potential impact on critical telecom infrastructure.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/26/2026, 09:45:48 UTC

Technical Analysis

Operation DRAGONCLONE represents a sophisticated cyber espionage campaign primarily targeting China Mobile Tietong, a subsidiary of China Mobile, and potentially extending to European telecom organizations with supply chain or infrastructure ties to Chinese telecom entities. The attack vector begins with a malicious ZIP archive containing executables and DLLs designed to exploit DLL sideloading vulnerabilities, allowing malicious code to run under the guise of legitimate applications. The campaign employs advanced anti-analysis techniques such as IPFuscation, which obfuscates IP addresses to evade network detection and analysis tools. The malware loaders VELETRIX and the VShell adversary simulation tool are central to the attack, facilitating payload delivery and execution. The threat actors behind this campaign are linked to China-nexus groups UNC5174 (also known as Uteus) and Earth Lamia, known for their targeted espionage operations. Additional tools used include SuperShell, Cobalt Strike (a well-known post-exploitation framework), and the Asset Lighthouse System, which likely aids in network reconnaissance and lateral movement. The campaign has been active since March 2025 and focuses on stealing credentials, conducting network reconnaissance to map and understand the target environment, and executing callbacks to command and control servers for further instructions. Detection is challenging due to the use of DLL sideloading and IPFuscation, requiring defenders to monitor for anomalous DLL loading behaviors, unusual network callback patterns, and the presence of VELETRIX and VShell-related activities. The campaign’s targeting of telecom infrastructure, a critical sector for national security and economic stability, combined with its advanced evasion techniques, underscores its high threat level. European countries with significant telecom infrastructure and economic connections to China, such as Germany, France, and the UK, are considered at elevated risk.

Potential Impact

The potential impact of Operation DRAGONCLONE is significant for organizations involved in telecom infrastructure, particularly those linked to China Mobile Tietong or with supply chain connections to Chinese telecom entities. Successful exploitation can lead to credential theft, enabling attackers to gain persistent access and escalate privileges within networks. Network reconnaissance activities can expose sensitive internal architecture and operational details, facilitating further attacks or espionage. The use of callback execution allows attackers to maintain command and control, potentially leading to data exfiltration, disruption of services, or deployment of additional malware. For telecom providers, this could mean compromised customer data, degraded network integrity, and loss of trust. European telecom organizations with economic ties to China may face secondary risks, including supply chain compromises and espionage targeting intellectual property or strategic communications. The campaign’s advanced evasion techniques complicate detection and response, increasing the likelihood of prolonged undetected presence and greater damage. National security implications are also notable given the critical nature of telecom infrastructure in communications and data transmission.

Mitigation Recommendations

To mitigate Operation DRAGONCLONE, organizations should implement targeted detection and prevention strategies beyond generic controls. Specifically:

1) Deploy advanced endpoint detection and response (EDR) solutions capable of identifying DLL sideloading behaviors and anomalous process executions associated with VELETRIX and VShell loaders.
2) Monitor network traffic for unusual callback patterns, especially those involving obfuscated IP addresses or connections to known command and control infrastructure linked to China-nexus groups.
3) Employ threat hunting focused on indicators of compromise related to UNC5174 and Earth Lamia toolsets, including SuperShell and Cobalt Strike artifacts.
4) Harden email and file-sharing gateways to detect and block malicious ZIP files containing executables and DLLs, using sandboxing and behavioral analysis.
5) Enforce strict credential hygiene, including multi-factor authentication and regular credential audits, to limit the impact of credential theft.
6) Conduct regular threat intelligence updates and share information with industry peers and government agencies to stay informed about evolving tactics.
7) Implement network segmentation to limit lateral movement and restrict access to critical telecom infrastructure components.
8) Train security teams on recognizing advanced evasion techniques such as IPFuscation and DLL sideloading to improve incident response readiness.


Technical Details

Author
AlienVault
Tlp
white
References
https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/
Adversary
China-Nexus
Pulse Id
6842f45696f96557e5f757b1
Threat Score
null

Indicators of Compromise

Hash

Value (type)
0668293c9f523f26babc09617063493b (MD5)
241f0748c8eec5bd7c6bf52a9a6ac1dd (MD5)
3199796dc2ad51da41da51de58d31012 (MD5)
81f76f83d4c571fe95772f21aff4d0b9 (MD5)
37a37bc7255089fdd000feb10780c2513c4416c8 (SHA-1)
ba8e2015fd0abe944d6b546088451ff05dd24849 (SHA-1)
ea97ee5f81f157e2ecf729b6c43f0997c3af20d3 (SHA-1)
f8cf927cb2baf893b136bc5d90535d193fc73b75 (SHA-1)
2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112 (SHA-256)
40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4 (SHA-256)
645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992 (SHA-256)
a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a (SHA-256)
ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0 (SHA-256)
ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc (SHA-256)
bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7 (SHA-256)

IP

Value
47.115.51.44
47.123.7.206
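The indicators above are only useful once they are matched against telemetry. The following script is an added example, not part of the original pulse or the Seqrite report, showing how a defender can load the page's hash and IP indicators, classify each hash by digest length, hash files in a single pass, and flag connection-log lines that reference the listed IPs (mitigation items 2 and 3 above). The log lines and file contents it scans are constructed for illustration; only the hash and IP values are taken from the page.

```python
"""IOC matcher for the Operation DRAGONCLONE indicators listed on this page.

Added example. The hash and IP values are copied from the page's Indicators of
Compromise section; SAMPLE_LOG and any bytes hashed here are constructed and
are not real telemetry.
"""
import hashlib
import io
import re
from typing import BinaryIO, Dict, List, Optional, Tuple

# Hash IOCs from the page (MD5, SHA-1 and SHA-256 mixed; length tells them apart).
IOC_HASHES = {
    "0668293c9f523f26babc09617063493b",
    "241f0748c8eec5bd7c6bf52a9a6ac1dd",
    "3199796dc2ad51da41da51de58d31012",
    "81f76f83d4c571fe95772f21aff4d0b9",
    "37a37bc7255089fdd000feb10780c2513c4416c8",
    "ba8e2015fd0abe944d6b546088451ff05dd24849",
    "ea97ee5f81f157e2ecf729b6c43f0997c3af20d3",
    "f8cf927cb2baf893b136bc5d90535d193fc73b75",
    "2206cc6bd9d15cf898f175ab845b3deb4b8627102b74e1accefe7a3ff0017112",
    "40450b4212481492d2213d109a0cd0f42de8e813de42d53360da7efac7249df4",
    "645f9f81eb83e52bbbd0726e5bf418f8235dd81ba01b6a945f8d6a31bf406992",
    "a0f4ee6ea58a8896d2914176d2bfbdb9e16b700f52d2df1f77fe6ce663c1426a",
    "ac6e0ee1328cfb1b6ca0541e4dfe7ba6398ea79a300c4019253bd908ab6a3dc0",
    "ba4f9b324809876f906f3cb9b90f8af2f97487167beead549a8cddfd9a7c2fdc",
    "bb6ab67ddbb74e7afb82bb063744a91f3fecf5fd0f453a179c0776727f6870c7",
}

# IP IOCs from the page.
IOC_IPS = {"47.115.51.44", "47.123.7.206"}

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-f]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_hash(digest: str) -> Optional[str]:
    """Return the algorithm implied by a hex digest's length, or None if malformed."""
    d = digest.strip().lower()
    if not HEX_RE.fullmatch(d):
        return None
    return HASH_ALGO_BY_LEN.get(len(d))


def lookup_hash(digest: str) -> Optional[str]:
    """Return the algorithm name if the digest is a listed IOC, else None."""
    d = digest.strip().lower()
    return classify_hash(d) if d in IOC_HASHES else None


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """Compute md5, sha1 and sha256 in one pass so large files are read once."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def scan_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs for every IOC hash the data matches."""
    return [(algo, d) for algo, d in hash_bytes(data).items() if d in IOC_HASHES]


def scan_file(path: str) -> List[Tuple[str, str]]:
    with open(path, "rb") as f:
        return [(algo, d) for algo, d in hash_stream(f).items() if d in IOC_HASHES]


def match_connections(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every log line that mentions an IOC IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


# Constructed connection-log sample (not real telemetry); 203.0.113.5 is a
# documentation-range address used as a benign destination.
SAMPLE_LOG = [
    "2025-06-07T10:12:03Z conn src=10.0.0.15 dst=47.115.51.44 dport=443 proto=tcp",
    "2025-06-07T10:12:09Z conn src=10.0.0.15 dst=203.0.113.5 dport=443 proto=tcp",
    "2025-06-07T10:13:41Z conn src=10.0.0.22 dst=47.123.7.206 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    for n, ip in match_connections(SAMPLE_LOG):
        print(f"line {n}: connection to IOC IP {ip}")
    print("benign sample bytes matched:", scan_bytes(b"abc"))
```

Hashing every file once for all three algorithms matters here because the list mixes MD5, SHA-1 and SHA-256 entries: a file that is only listed by its SHA-1 would be missed by a scanner that computed SHA-256 alone. Plain IP matching will not catch callbacks whose addresses are hidden by IPFuscation inside the loader; it only helps once the resolved destination appears in network logs, which is why the page pairs it with EDR coverage of the loaders themselves.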

Threat ID: 68433b1b71f4d251b5d94948

Added to database: 6/6/2025, 7:01:47 PM

Last enriched: 2/26/2026, 9:45:48 AM

Last updated: 3/23/2026, 7:12:35 PM
