Dragon Weave Campaign: China-Aligned APT Targets Czech Republic & Taiwan
Seqrite Labs has uncovered a sophisticated cyber espionage operation dubbed Operation Dragon Weave, targeting government officials, research institutions, and financial services in the Czech Republic and Taiwan. The campaign, attributed to a China-aligned threat actor, employs spear-phishing emails containing malicious ZIP attachments to initiate a multi-stage infection chain. Security researcher Priya Patel noted that the archives contain multiple files appearing legitimate but forming a structured attack sequence designed to execute payloads covertly in the background. Organizations concerned about similar threats can use our port scanner to identify exposed services that attackers might target.
The infection mechanism uses two distinct pathways. In the primary vector, recipients open a booby-trapped Windows Shortcut (LNK) file masquerading as a PDF document, which triggers a PowerShell script to extract and execute "RuntimeBroker_update.exe" from an intermediate DAT file. Alternatively, victims directly launch a binary that functions as a self-contained Rust-based dropper. Both pathways converge at that executable, which loads a malicious DLL ("UnityPlayer.dll") via DLL side-loading and deploys a Rust-based loader called RUSTCLOAK. To verify the security of your email infrastructure against such phishing attempts, consider using our SSL/TLS checker.
The final payload, an AdaptixC2 agent codenamed AZUREVEIL, leverages Microsoft Azure Blob Storage for command-and-control communications in a dead drop resolver pattern: attacker and victim never connect to each other directly, but instead read and write data through the same storage container. This lets the malware blend with legitimate enterprise traffic to Azure while supporting 36 commands for comprehensive post-compromise operations, including file manipulation, shell execution, process management, port forwarding, and in-memory BOF execution. AZUREVEIL also includes anti-analysis safeguards that prevent execution in sandboxed environments. Organizations can assess their exposure to similar credential-compromising campaigns using our email breach checker to determine if their domains have been impacted by known data leaks.
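The three stages above each leave a distinct host-level trace: PowerShell carving an executable out of a .dat file, UnityPlayer.dll loaded from a user-writable directory, and a non-browser process talking to an Azure Blob endpoint. The following triage script, written here as an added example and not code from Seqrite Labs or the report, runs one heuristic per stage over constructed events shaped like Sysmon process-creation, image-load and network records; only the file names RuntimeBroker_update.exe and UnityPlayer.dll come from the writeup, while the paths, hosts, command lines and the process allowlist are assumptions.

```python
"""Per-stage triage heuristics for the Dragon Weave chain (added example).
Events are constructed dicts loosely modelled on Sysmon EIDs 1, 7 and 3."""
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to (assumed set).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Processes expected to reach Azure Blob Storage in this environment (assumed allowlist).
BLOB_ALLOWLIST = {"msedge.exe", "chrome.exe", "outlook.exe", "onedrive.exe", "azcopy.exe"}
BLOB_SUFFIX = ".blob.core.windows.net"

def check_process(ev):
    """LNK stage: PowerShell whose command line references both a .dat and an .exe."""
    img = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"].lower()
    return img in {"powershell.exe", "pwsh.exe"} and ".dat" in cmd and ".exe" in cmd

def check_image_load(ev):
    """Side-loading stage: UnityPlayer.dll loaded from a user-writable directory."""
    dll = PureWindowsPath(ev["dll"]).name.lower()
    return dll == "unityplayer.dll" and bool(USER_WRITABLE.search(ev["dll"]))

def check_network(ev):
    """C2 stage: Azure Blob endpoint contacted by a process not on the allowlist."""
    img = PureWindowsPath(ev["image"]).name.lower()
    return ev["host"].lower().endswith(BLOB_SUFFIX) and img not in BLOB_ALLOWLIST

CHECKS = {"process": check_process, "image_load": check_image_load, "network": check_network}

def triage(events):
    """Return (event id, stage) for every event that trips its stage check."""
    return [(ev["id"], ev["type"]) for ev in events if CHECKS[ev["type"]](ev)]

# Constructed sample: one suspicious event per stage plus a benign counterpart for each.
SAMPLE = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "cp update.dat RuntimeBroker_update.exe; .\RuntimeBroker_update.exe"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
    {"id": 3, "type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\RuntimeBroker_update.exe",
     "dll": r"C:\Users\u\AppData\Local\Temp\UnityPlayer.dll"},
    {"id": 4, "type": "image_load", "image": r"C:\Program Files\SomeGame\game.exe",
     "dll": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
    {"id": 5, "type": "network", "image": r"C:\Users\u\AppData\Local\Temp\RuntimeBroker_update.exe",
     "host": "example.blob.core.windows.net"},
    {"id": 6, "type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe",
     "host": "example.blob.core.windows.net"},
]

if __name__ == "__main__":
    for event_id, stage in triage(SAMPLE):
        print(f"event {event_id}: suspicious {stage} activity")
```

The allowlist and directory pattern are the knobs to tune per environment; a legitimately installed Unity game (event 4) and Outlook syncing to Azure (event 6) stay quiet, while the same artefacts under a user-writable path or from an unexpected process are flagged.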