VYPR
breach · Published Jun 1, 2026 · 1 source

Operation Dragon Weave Targets Czech Republic and Taiwan with AdaptixC2 Malware

A China-aligned cyber espionage campaign dubbed Operation Dragon Weave is targeting government, research, and financial sectors in the Czech Republic and Taiwan using spear-phishing emails to deliver an AdaptixC2 agent.

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control.

"When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background," security researcher Priya Patel said. The attack chain uses two different pathways to launch the final-stage malware. One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document. This leads to the execution of a PowerShell script that extracts an executable from an intermediate DAT file and runs it. In the second attack chain, the victim directly launches a binary from the same archive, which functions as a self-contained Rust-based dropper.
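As an added defender-side illustration (this code is not from Seqrite Labs' report or from this article), the following Python triage check flags a ZIP attachment laid out like the lure described above: a Windows shortcut whose name borrows a document extension, together with a DAT staging file and an executable. The archive it builds is a constructed sample with dummy contents, and no file inside it is opened or run.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a lure LNK typically borrows so the shortcut looks like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}


def triage_archive(data: bytes) -> dict:
    """Return findings for an in-memory ZIP attachment without extracting it.

    Flags (1) .lnk entries carrying a document extension before .lnk
    (e.g. report.pdf.lnk) and (2) the .dat + executable pairing that
    matches the staged chain described in the article.
    """
    findings = {"masquerading_lnk": [], "dat_files": [], "executables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise backslashes so PurePosixPath sees the real file name.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            ext = path.suffix.lower()
            if ext == ".lnk":
                inner_ext = PurePosixPath(path.stem).suffix.lower()
                if inner_ext in DOCUMENT_EXTS:
                    findings["masquerading_lnk"].append(info.filename)
            elif ext == ".dat":
                findings["dat_files"].append(info.filename)
            elif ext in EXECUTABLE_EXTS:
                findings["executables"].append(info.filename)
    findings["suspicious"] = bool(findings["masquerading_lnk"]) or (
        bool(findings["dat_files"]) and bool(findings["executables"])
    )
    return findings


def build_sample_archive(lure: bool = True) -> bytes:
    """Constructed sample archive (dummy bytes); lure=False yields a benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"harmless text")
        if lure:
            zf.writestr("Invitation.pdf.lnk", b"not a real shortcut")
            zf.writestr("config.dat", b"dummy staged data")
            zf.writestr("viewer.exe", b"dummy binary")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```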

Regardless of the path chosen, the executable loads a malicious DLL via DLL side-loading, resulting in the deployment of a Rust-based loader called RUSTCLOAK. The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2). The loader is designed to perform anti-analysis checks to proceed only if the malware determines that it's being run within a sandboxed environment.

"The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide," Seqrite Labs said. "Instead of using a traditional pull-based C2 model, AZUREVEIL follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data." AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions, including file operations, shell command execution, process enumeration, port forwarding, SOCKS proxy control, and in-memory execution of Beacon Object Files.

Although the activity has not been attributed to a known threat actor or group, it's assessed to be China-aligned. The disclosure comes as Cato Networks reported detecting and blocking an attempted intrusion against an Indian manufacturing customer to deliver TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework. That attack is also believed to be the work of China-nexus threat actors.

In a report published last week, ESET said China-aligned threat actors have remained "highly active" globally from October 2025 through March 2026. This includes an unreported cluster dubbed SteppeDriver that has targeted entities in France, Mongolia, and South America using tools like ShadowPad and COOLCLIENT. Also identified is a new toolkit linked to UNC5221 dubbed PhiliKit that acts as a passive backdoor. A third China-affiliated group, NegativeGlimmer, has been found to target a governmental organization in Panama using DLL side-loading to deliver AdaptixC2 and later Cobalt Strike.

These campaigns underscore the persistent and evolving threat from China-aligned cyber espionage groups, which continue to target a wide range of sectors globally. Organizations in government, research, and technology are advised to remain vigilant against spear-phishing attacks and to implement robust email security measures.

Synthesized by Vypr AI