VYPR
research · Published Jun 2, 2026 · 1 source

China-Linked Operation Dragon Weave Targets Taiwan and Czech Republic with AZUREVEIL Adaptix C2 Agent

A spearphishing campaign by a China-linked threat actor, dubbed Operation Dragon Weave, is targeting government officials and researchers in Taiwan and the Czech Republic with a novel Rust-based loader and a command-and-control agent that uses Azure Blob Storage as its channel.

A newly identified spearphishing campaign, named Operation Dragon Weave, has been quietly targeting government officials, researchers, and technology workers in the Czech Republic and Taiwan. Threat researchers traced the operation to a China-linked threat actor, with the earliest known sample surfacing from Taiwan in March 2026. The campaign delivers a sophisticated multi-stage attack chain that ultimately deploys a powerful remote access tool designed to blend seamlessly into trusted cloud infrastructure.

The attack begins with a ZIP archive delivered via email, containing files carefully engineered to look like legitimate government communications. File names are written in Traditional Chinese, and one decoy document closely mimics an official appointment notice from the Czech Social Security Administration, complete with a scheduled date and a reference to the official government website. Analysts at Seqrite noted the use of two separate delivery paths contained within a single archive: either a malicious shortcut file or a Rust-compiled executable, both leading to the same final payload. The attack is structured so that each component quietly passes control to the next without raising any visible alerts on the victim's screen.

Once the infection chain completes, a Rust-based loader known as RUSTCLOAK takes over. It recovers the final payload by peeling off three layers: a modified RC4 stream cipher, Base64 decoding, and AES-CBC decryption. RUSTCLOAK also includes a sandbox evasion check: it compares the machine's hostname against a hardcoded list of more than 100 names used by known analysis systems and exits silently on a match. The check is cheap to defeat during analysis, since running the sample on a machine with a hostname that is not on the list is enough to reach the payload.

The final payload, AZUREVEIL, is a fully functional Adaptix command-and-control agent compiled as a 64-bit DLL. Rather than communicating with a traditional C2 server, it routes all activity through Microsoft Azure Blob Storage, making its traffic nearly indistinguishable from normal enterprise cloud usage. AZUREVEIL uses a dead-drop resolver approach, where the attacker and the infected system never communicate directly. Both sides interact with the same Azure storage container, where the attacker places commands as encrypted blobs and collects results from that shared location.

Routing C2 through Azure Blob Storage makes network-level detection significantly harder: the traffic is TLS to a Microsoft-owned domain that most organizations already allow, so to monitoring tools it looks like routine cloud activity. The AZUREVEIL agent supports approximately 36 post-exploitation commands, covering file operations, shell execution, process listing, port forwarding, and running Beacon Object Files entirely in memory without touching disk. A hardcoded Shared Access Signature (SAS) token in the configuration grants full read, write, and delete access and is valid from March 2026 to March 2027, suggesting the attacker planned for extended access. The same token is also an indicator: it pins the agent to a single storage account, so requests to that account, and any SAS with that permission set and lifetime seen in proxy logs, are worth hunting for.

The infection runs through four stages, each silently handing control to the next. Stage one uses either a malicious LNK shortcut or a Rust-based dropper. Stage two is a VBScript and PowerShell chain that decrypts and drops the RuntimeBroker_update.exe binary. Stage three loads RUSTCLOAK by DLL sideloading, under the file name UnityPlayer.dll. Stage four launches AZUREVEIL directly in memory, so the final payload never touches disk; the dropped executable and the sideloaded DLL are the main on-disk artifacts investigators can expect to find.

A notable operational slip was uncovered during analysis: a Rust build path containing the Windows username "dell2" was left embedded in the RUSTCLOAK binary as plaintext, which could assist future attribution efforts. Organizations are advised to monitor outbound HTTPS traffic to blob.core.windows.net for storage accounts the organization does not use and for fixed-interval polling from endpoints, to enforce strict execution policies for PowerShell and VBScript (execution policy alone is not a security boundary, so pair it with Constrained Language Mode or application control such as AppLocker or WDAC), and to block or alert on shortcut (.lnk) files launched from inside extracted archives. Deploying endpoint detection tools capable of identifying in-memory code execution is also strongly recommended, especially for government bodies and research institutions in geopolitically sensitive regions.
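The monitoring advice above, together with the SAS-token observation earlier, can be turned into a hunt over proxy logs. The following Python is an added example, not code from the Seqrite report or from this write-up; the log format, the storage account names, the SAS values, the allowlist and the thresholds are all constructed for illustration. It groups requests to blob.core.windows.net by client and storage account, flags accounts outside an allowlist, measures how regular a client's GET polling is, and inspects any SAS token in the URL for write/delete rights or a long validity window.

```python
"""Hunt for blob-storage dead-drop C2 in proxy logs (added example, not the
report's code). Everything below is constructed: log format, account names,
SAS values, allowlist and thresholds."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<UTC timestamp> <client ip> <method> <url>".
# corpdata01 is a legitimate (allowlisted) account; acctxyz123 is the
# hypothetical dead drop, polled once a minute with a year-long rwd SAS.
SAMPLE_LOG = """\
2026-05-04T09:00:00Z 10.1.2.3 GET https://corpdata01.blob.core.windows.net/backup/2026-05-04.zip?sv=2022-11-02&sp=r&st=2026-05-04T08:00:00Z&se=2026-05-04T10:00:00Z&sr=b&sig=AAAA
2026-05-04T09:00:05Z 10.1.2.7 GET https://acctxyz123.blob.core.windows.net/tasks/host-7?restype=container&comp=list&sv=2022-11-02&sp=racwdl&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z&sr=c&sig=BBBB
2026-05-04T09:01:05Z 10.1.2.7 GET https://acctxyz123.blob.core.windows.net/tasks/host-7?restype=container&comp=list&sv=2022-11-02&sp=racwdl&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z&sr=c&sig=BBBB
2026-05-04T09:02:04Z 10.1.2.7 GET https://acctxyz123.blob.core.windows.net/tasks/host-7?restype=container&comp=list&sv=2022-11-02&sp=racwdl&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z&sr=c&sig=BBBB
2026-05-04T09:02:06Z 10.1.2.7 PUT https://acctxyz123.blob.core.windows.net/tasks/host-7/result-001?sv=2022-11-02&sp=racwdl&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z&sr=c&sig=BBBB
2026-05-04T09:03:05Z 10.1.2.7 GET https://acctxyz123.blob.core.windows.net/tasks/host-7?restype=container&comp=list&sv=2022-11-02&sp=racwdl&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z&sr=c&sig=BBBB
2026-05-04T09:15:00Z 10.1.2.3 GET https://corpdata01.blob.core.windows.net/backup/manifest.json?sv=2022-11-02&sp=r&st=2026-05-04T08:00:00Z&se=2026-05-04T10:00:00Z&sr=b&sig=AAAA
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST|HEAD|DELETE) (\S+)$")
BLOB_SUFFIX = ".blob.core.windows.net"
ALLOWLIST = {"corpdata01"}  # hypothetical: storage accounts the org actually uses


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Return (timestamp, client, method, url) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return parse_ts(ts), client, method, url


def storage_account(url):
    """Account name if the URL targets Azure Blob Storage, else None."""
    host = urlsplit(url).hostname or ""
    return host[: -len(BLOB_SUFFIX)] if host.endswith(BLOB_SUFFIX) else None


def assess_sas(url, max_days=30):
    """Flag a SAS token (sp/st/se query parameters) that grants write, create
    or delete rights, or that stays valid longer than max_days."""
    q = parse_qs(urlsplit(url).query)
    findings = []
    sp = q.get("sp", [""])[0]
    if set(sp) & set("wdc"):
        findings.append(f"SAS grants write/delete (sp={sp})")
    if "st" in q and "se" in q:
        days = (parse_ts(q["se"][0]) - parse_ts(q["st"][0])).days
        if days > max_days:
            findings.append(f"SAS valid for {days} days")
    return findings


def interval_cv(times):
    """Coefficient of variation of the gaps between sorted timestamps; a low
    value means near-constant polling. None when fewer than three gaps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def hunt(log_text, allowlist=ALLOWLIST, cv_threshold=0.2):
    """Group blob requests by (client, account); return notes for suspicious pairs."""
    gets = defaultdict(list)   # GET timestamps per pair, used for the polling check
    sas = {}                   # SAS findings per pair (deduplicated)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, method, url = rec
        account = storage_account(url)
        if account is None:
            continue
        key = (client, account)
        if method == "GET":
            gets[key].append(ts)
        sas.setdefault(key, set()).update(assess_sas(url))
    findings = {}
    for key in sas:
        notes = []
        if key[1] not in allowlist:
            notes.append("storage account not on allowlist")
        cv = interval_cv(sorted(gets[key]))
        if cv is not None and cv < cv_threshold:
            notes.append(f"regular polling (interval CV {cv:.2f})")
        notes.extend(sorted(sas[key]))
        if notes:
            findings[key] = notes
    return findings


if __name__ == "__main__":
    for (client, account), notes in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {account}: " + "; ".join(notes))
```

On the constructed sample only the 10.1.2.7 to acctxyz123 pair is reported: the account is not allowlisted, its GETs arrive about 60 seconds apart, and its SAS carries write/delete rights for 365 days. The thresholds (interval CV below 0.2, SAS lifetime above 30 days) are starting points, and the allowlist matters, because legitimate backup and update agents also poll storage on a fixed schedule.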

Synthesized by Vypr AI