China-Linked Threat Groups Intensify Cyber Espionage Campaigns With Operation Dragon Weave Targeting Czech Republic And Taiwan


Cybersecurity researchers have disclosed details of a newly identified cyber-espionage operation known as Operation Dragon Weave, a campaign believed to be aligned with China and aimed at officials and citizens in the Czech Republic and Taiwan. According to findings published by Seqrite Labs, the activity targeted government institutions, research organizations, academic entities, technology companies, and financial services providers. Researchers stated that the campaign relies on spear-phishing emails carrying ZIP attachments designed to trigger a multi-stage infection chain that ultimately deploys malware for remote control and data exfiltration. The operation highlights continued cyber-espionage activity against strategic targets across multiple regions, delivered through stealth-focused malware delivery mechanisms.

According to Seqrite Labs researcher Priya Patel, the ZIP archive distributed to victims contains multiple files designed to appear legitimate while concealing malicious functionality. The attack chain offers two separate execution paths to the same final payload. In the first, the victim opens a malicious Windows shortcut (LNK) file disguised as a PDF document, which triggers a PowerShell script that extracts and launches an executable named “RuntimeBroker_update.exe” from an intermediary DAT file. In the second, the victim directly launches a binary stored in the archive, a Rust-based dropper responsible for executing the same payload. Regardless of the path taken, the executable side-loads a malicious DLL named “UnityPlayer.dll,” resulting in the deployment of a Rust-based loader tracked as RUSTCLOAK. Researchers explained that the loader performs anti-analysis checks to determine whether it is running in a sandboxed environment before continuing execution.
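As a defender-side illustration of the attachment layout described above (an added example, not code from Seqrite Labs or the article): a small Python triage routine that inspects a ZIP for a genuine Windows shortcut whose name imitates a document, a DAT entry that begins with a PE header, and the two filenames reported for the side-loading pair. The archive it scans is constructed in-line for the demonstration; the LNK header constant is the MS-SHLLINK HeaderSize plus LinkCLSID, and the watchlist is a hypothetical one built from names quoted in the article.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
PE_MAGIC = b"MZ"  # DOS header signature at the start of a PE image
# Hypothetical watchlist built from the filenames reported for this campaign
SUSPICIOUS_NAMES = {"runtimebroker_update.exe", "unityplayer.dll"}
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def triage_zip(data: bytes) -> list:
    """Return a list of findings for a ZIP attachment, mirroring the chain described above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            head = zf.open(info).read(64)  # only the leading bytes are needed for magic checks
            if head.startswith(LNK_MAGIC):
                # A real shortcut; check whether its name pretends to be a document (report.pdf.lnk)
                stem = lower[:-4] if lower.endswith(".lnk") else lower
                if stem.endswith(DOC_EXTENSIONS):
                    findings.append(f"{name}: Windows shortcut disguised as a document")
                else:
                    findings.append(f"{name}: Windows shortcut inside mail attachment")
            if lower.endswith(".dat") and head.startswith(PE_MAGIC):
                findings.append(f"{name}: DAT file carrying a PE image (intermediary dropper)")
            base = lower.rsplit("/", 1)[-1]
            if base in SUSPICIOUS_NAMES:
                findings.append(f"{name}: filename matches reported side-loading pair")
    return findings


def build_sample() -> bytes:
    """Constructed archive that imitates the reported layout; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2026.pdf.lnk", LNK_MAGIC + b"\x00" * 40)  # shortcut posing as a PDF
        zf.writestr("update.dat", PE_MAGIC + b"\x90" * 62)             # DAT that is really a PE
        zf.writestr("UnityPlayer.dll", b"\x00" * 16)                    # reported side-load DLL name
        zf.writestr("readme.txt", b"hello")                             # benign entry
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```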

Once active, RUSTCLOAK decrypts and deploys a malware component identified as an AdaptixC2 agent called AZUREVEIL. Researchers attributed the name to its use of Microsoft Azure Blob Storage for command-and-control activity. Instead of communicating directly with attacker-controlled infrastructure, the malware reportedly uses a dead-drop approach in which both the infected system and the attackers exchange information through a shared Azure storage container. Seqrite Labs researchers noted that because Azure Blob Storage is widely used by legitimate organizations, the malicious traffic can blend into normal patterns, making detection significantly more difficult. AZUREVEIL reportedly supports 36 commands that give attackers extensive control over compromised systems, including file manipulation, uploading and downloading content, shell command execution, process monitoring and termination, port forwarding, SOCKS proxy management, command server control, and in-memory execution of Beacon Object Files.

The disclosure follows broader warnings about increased activity from China-linked cyber groups targeting organizations worldwide. Cybersecurity firm Cato Networks recently reported blocking an intrusion attempt against the Indian branch of a global manufacturing company that involved a previously undocumented Go-based implant named TencShell, believed to be tied to China-aligned actors on the basis of historical malware overlaps and infrastructure patterns. Separately, ESET reported heightened global activity by China-associated groups between October 2025 and March 2026, including operations by a threat cluster named SteppeDriver targeting organizations in France, Mongolia, and South America with malware such as ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader. Researchers also identified new malware associated with UNC5221 called PhiliKit, as well as ongoing campaigns tied to NegativeGlimmer, a threat actor reportedly linked to attacks against government and critical infrastructure organizations across dozens of countries. In one case observed in December 2025, NegativeGlimmer targeted a government organization in Panama through spear phishing and DLL side-loading to deploy AdaptixC2 while displaying decoy documents, later shifting to Cobalt Strike deployments in Cambodia and South Korea in January 2026.
