Indian Manufacturing Firm: China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan

Operation Dragon Weave: China-Aligned Cyber Espionage Targets Czech Republic and Taiwan

A newly uncovered cyber espionage campaign, Operation Dragon Weave, has been targeting officials and citizens in the Czech Republic and Taiwan, deploying the AdaptixC2 agent to infiltrate government, research, academic, technology, and financial sectors. Discovered by Seqrite Labs, the attack leverages spear-phishing emails with malicious ZIP attachments to initiate a multi-stage infection chain.

The campaign employs two distinct attack pathways. In one, victims open a disguised Windows Shortcut (LNK) file, triggering a PowerShell script that extracts and executes a malicious binary (RuntimeBroker_update.exe). In the other, the victim directly launches a Rust-based dropper from the archive. Both methods culminate in DLL side-loading to deploy RUSTCLOAK, a Rust-based loader that decrypts and executes the final payload AZUREVEIL, an AdaptixC2 agent.
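The three hops above (explorer.exe running a hidden PowerShell from a double-clicked LNK, a script host launching an executable out of a user-writable directory, and that executable side-loading a DLL) each leave a distinct shape in endpoint telemetry. The script below, an added example and not Seqrite's or any vendor's detection content, encodes those shapes as rules over constructed Sysmon-style process-create and image-load events. Hostnames, paths, the side-load host `helper.exe`, the `version.dll` decoy and the event field names are all assumptions; only `RuntimeBroker_update.exe` comes from the write-up.

```python
"""Host-side rules for the LNK -> PowerShell -> dropper -> DLL side-load chain.
Added example; the sample events are constructed, not real telemetry."""
import ntpath
import re

# Directories a standard user can write to; a payload unpacked from a ZIP lands here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)

# Illustrative subset of System32 DLL names routinely abused for side-loading;
# a production rule would be fed from an inventory of the real System32.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

PS_EVASION_FLAGS = re.compile(
    r"\s-(?:w(?:indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass|enc|encodedcommand)\b",
    re.IGNORECASE)
PS_STAGE_VERBS = re.compile(r"Expand-Archive|ExtractToDirectory|Start-Process|Invoke-Item", re.IGNORECASE)

# Constructed events modelled on Sysmon process-create (id 1) and image-load (id 7).
# 'helper.exe' stands in for whichever signed binary is abused as the side-load host.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -nop -ep bypass -c "Expand-Archive -Path $env:TEMP\invite.zip '
                r'-DestinationPath $env:APPDATA\svc; Start-Process $env:APPDATA\svc\RuntimeBroker_update.exe"'},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\svc\RuntimeBroker_update.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RuntimeBroker_update.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\svc\version.dll", "signed": False},
    # benign: a system service loading the real DLL from System32
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    # benign: an admin running PowerShell interactively from cmd.exe
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell.exe Get-Process"},
]


def basename(path):
    return ntpath.basename(path).lower()


def lnk_powershell_dropper(ev):
    """Hop 1: a double-clicked LNK runs its target under explorer.exe, so a hidden,
    policy-bypassing PowerShell parented by explorer that unpacks or launches
    something is the opening move of the chain."""
    if ev["id"] != 1 or basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if basename(ev["parent"]) != "explorer.exe":
        return None
    evasion = len(PS_EVASION_FLAGS.findall(ev["cmdline"]))
    stages = len(PS_STAGE_VERBS.findall(ev["cmdline"]))
    if evasion >= 2 and stages >= 1:
        return f"explorer->powershell, {evasion} evasion flags, {stages} staging verbs"
    return None


def scripted_launch_from_user_dir(ev):
    """Hop 2: a script host starts an executable from a user-writable path."""
    if ev["id"] != 1 or basename(ev["parent"]) not in SCRIPT_HOSTS:
        return None
    if USER_WRITABLE.search(ev["image"]):
        return f"{basename(ev['parent'])} launched {ev['image']}"
    return None


def user_writable_sideload(ev):
    """Hop 3: an executable loads an unsigned DLL that carries a System32 name but
    sits beside the executable in a user-writable directory."""
    if ev["id"] != 7:
        return None
    dll, host = ev["loaded"], ev["image"]
    if basename(dll) not in SYSTEM_DLL_NAMES or WINDOWS_DIR.match(dll):
        return None
    same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()
    if same_dir and USER_WRITABLE.search(dll) and not ev.get("signed", True):
        return f"{basename(host)} side-loaded {basename(dll)} from {ntpath.dirname(dll)}"
    return None


RULES = [lnk_powershell_dropper, scripted_launch_from_user_dir, user_writable_sideload]


def scan(events):
    """Return (rule name, detail) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Each rule on its own is noisy (software installers also unpack archives, and some legitimate products ship DLLs with System32 names); the value is in correlating the three hops on one host within a few minutes, which is why `scan` keeps them in event order.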

AZUREVEIL uses Microsoft Azure Blob Storage for command-and-control (C2), adopting a "dead drop" model where attacker and victim communicate indirectly via shared storage containers. The malware supports 36 commands, enabling file operations, shell execution, process manipulation, port forwarding, and in-memory execution of Beacon Object Files (BOFs). Anti-analysis checks ensure the payload only activates outside sandboxed environments.
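A dead drop on Azure Blob Storage means there is no attacker-owned domain to block: the implant's traffic goes to `<account>.blob.core.windows.net` like any legitimate Azure client. What still shows is the shape of the exchange, a client that repeatedly reads the same object at a near-fixed interval and occasionally writes an object back to the same account, without a browser user agent. The script below, an added example rather than anything from the Seqrite report, scores that pattern over a constructed proxy log. The storage account names, client addresses, object paths and polling interval are assumptions; the real campaign's account and container names are not given on this page.

```python
"""Beaconing detection for a storage-backed dead drop over constructed proxy logs.
Added example; the log lines, account names and hosts are invented."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Azure Storage blob endpoints are <account>.blob.core.windows.net
BLOB_HOST = re.compile(r"^([a-z0-9]{3,24})\.blob\.core\.windows\.net$")

# Constructed proxy log. Columns: timestamp client method host path bytes_out bytes_in user_agent
# 10.1.1.40 plays the implant: it polls one object about every 60 s and PUTs results
# back to the same account. 10.1.1.50 is a user browsing another account at random times.
SAMPLE_LOG = """\
2026-05-01T09:00:01Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 64 -
2026-05-01T09:00:10Z 10.1.1.50 GET backupstore.blob.core.windows.net /share/report.pdf 0 182233 Mozilla/5.0
2026-05-01T09:00:45Z 10.1.1.50 GET backupstore.blob.core.windows.net /share/report2.pdf 0 91000 Mozilla/5.0
2026-05-01T09:01:02Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 512 -
2026-05-01T09:01:05Z 10.1.1.40 PUT contosoupdates.blob.core.windows.net /results/ws-40.bin 4096 0 -
2026-05-01T09:02:00Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 64 -
2026-05-01T09:02:30Z 10.1.1.40 GET www.microsoft.com /en-us/ 0 50000 Mozilla/5.0
2026-05-01T09:03:03Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 64 -
2026-05-01T09:04:01Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 300 -
2026-05-01T09:04:04Z 10.1.1.40 PUT contosoupdates.blob.core.windows.net /results/ws-40.bin 2048 0 -
2026-05-01T09:05:02Z 10.1.1.40 GET contosoupdates.blob.core.windows.net /tasks/ws-40.bin 0 64 -
2026-05-01T09:07:25Z 10.1.1.50 PUT backupstore.blob.core.windows.net /share/upload.zip 20480 0 Mozilla/5.0
2026-05-01T09:29:05Z 10.1.1.50 GET backupstore.blob.core.windows.net /share/report3.pdf 0 77000 Mozilla/5.0
"""


def parse(log_text):
    """Yield one dict per log line; the user agent may contain spaces, hence maxsplit."""
    for line in log_text.splitlines():
        ts, client, method, host, path, out_b, in_b, ua = line.split(maxsplit=7)
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
               "method": method, "host": host, "path": path,
               "bytes_out": int(out_b), "bytes_in": int(in_b), "ua": ua}


def detect_dead_drops(log_text, min_polls=5, max_cv=0.25):
    """Flag (client, storage account) pairs that poll with low jitter, write back
    at least once, and never present a browser user agent.
    cv is the coefficient of variation of the gaps between polls: stdev / mean."""
    sessions = defaultdict(lambda: {"polls": [], "writes": 0, "browser_ua": False})
    for r in parse(log_text):
        m = BLOB_HOST.match(r["host"])
        if not m:
            continue
        s = sessions[(r["client"], m.group(1))]
        if r["method"] == "GET":
            s["polls"].append(r["ts"])
        elif r["method"] == "PUT":
            s["writes"] += 1
        if r["ua"].startswith("Mozilla/"):
            s["browser_ua"] = True

    findings = []
    for (client, account), s in sessions.items():
        polls = sorted(s["polls"])
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv and s["writes"] >= 1 and not s["browser_ua"]:
            findings.append({"client": client, "account": account, "polls": len(polls),
                             "writes": s["writes"], "mean_interval_s": round(mean, 1),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_dead_drops(SAMPLE_LOG):
        print(f)
```

Update agents, backup clients and Office also talk to Azure storage on timers, so treat a hit as a pivot point rather than a verdict: allowlist the storage accounts your own tooling uses, then pull the originating process from endpoint telemetry. Longer sleep intervals with added jitter will push the cv above the threshold, which is why the threshold and `min_polls` are parameters rather than constants.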

While attribution remains unconfirmed, the campaign is assessed as China-aligned.

Broader China-Linked Threat Activity
Recent reports highlight sustained cyber operations by China-nexus groups. Cato Networks intercepted an attempted intrusion against an Indian manufacturing firm in which the attackers deployed TencShell, a Go-based implant derived from the open-source rshell framework. Although the initial access vector is unknown, the attack mirrors tactics historically linked to Chinese threat actors, including Tencent-themed API impersonation.

ESET’s latest findings (October 2025–March 2026) reveal persistent global activity, including:

  • SteppeDriver: A previously unreported cluster targeting France, Mongolia, and South America with tools like ShadowPad and COOLCLIENT.
  • PhiliKit: A passive backdoor linked to UNC5221, capable of executing shell commands, Python, and Perl scripts, likely deployed via the SPAWN malware suite.
  • NegativeGlimmer: A group with suspected ties to TGR-STA-1030, which breached 70+ government and critical infrastructure entities across 37 countries. Recent attacks in Panama (December 2025) and South Korea (January 2026) used DLL side-loading to deliver AdaptixC2 or Cobalt Strike, with South Korean targeting aligning with China’s Made in China 2025 strategic priorities.

    Source: https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html

    INDIAN TECHNOLOGY COMPANY cybersecurity rating report: https://www.rankiteo.com/company/indian-technology-company

"id": "IND1780383435",
"linkid": "indian-technology-company",
"type": "Cyber Attack",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Government',
                                     'Research',
                                     'Education',
                                     'Technology',
                                     'Finance'],
                        'location': ['Czech Republic', 'Taiwan'],
                        'type': ['Government',
                                 'Research',
                                 'Academic',
                                 'Technology',
                                 'Financial']}],
 'attack_vector': ['Spear-phishing emails',
                   'Malicious ZIP attachments',
                   'Windows Shortcut (LNK) files',
                   'Rust-based dropper'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'sensitivity_of_data': 'High (espionage-related)'},
 'description': 'A newly uncovered cyber espionage campaign, *Operation Dragon '
                'Weave*, has been targeting officials and citizens in the '
                'Czech Republic and Taiwan, deploying the *AdaptixC2* agent to '
                'infiltrate government, research, academic, technology, and '
                'financial sectors. The attack leverages spear-phishing emails '
                'with malicious ZIP attachments to initiate a multi-stage '
                'infection chain. The campaign employs two distinct attack '
                'pathways: one using a disguised Windows Shortcut (LNK) file '
                'triggering a PowerShell script, and another using a '
                'Rust-based dropper. Both methods culminate in DLL '
                'side-loading to deploy *RUSTCLOAK*, a Rust-based loader that '
                'decrypts and executes the final payload *AZUREVEIL*, an '
                'AdaptixC2 agent. AZUREVEIL uses Microsoft Azure Blob Storage '
                "for command-and-control (C2) with a 'dead drop' model. The "
                'malware supports 36 commands, enabling file operations, shell '
                'execution, process manipulation, port forwarding, and '
                'in-memory execution of Beacon Object Files (BOFs).',
 'impact': {'data_compromised': True,
            'systems_affected': ['Government',
                                 'Research',
                                 'Academic',
                                 'Technology',
                                 'Financial']},
 'investigation_status': 'Ongoing',
 'motivation': 'Espionage',
 'post_incident_analysis': {'root_causes': ['Spear-phishing',
                                            'DLL side-loading',
                                            'Rust-based malware']},
 'references': [{'source': 'Seqrite Labs'},
                {'source': 'Cato Networks'},
                {'source': 'ESET'}],
 'response': {'third_party_assistance': 'Seqrite Labs'},
 'threat_actor': 'China-aligned (unconfirmed)',
 'title': 'Operation Dragon Weave: China-Aligned Cyber Espionage Targets Czech '
          'Republic and Taiwan',
 'type': 'Cyber Espionage'}