
A new cyber espionage operation codenamed Operation Dragon Weave was observed targeting officials and citizens of the Czech Republic and Taiwan to deploy AdaptixC2 agents.
Seqrite Labs said targets of the campaign span the government, research, academia, technology, and financial services sectors. The activity relies on spear-phishing emails carrying ZIP attachments, which trigger an infection chain that uses a Rust loader to drop a final payload for data exfiltration and remote control.
“Once unzipped, the archive contained multiple files that appeared legitimate, but were actually part of a structured infection chain designed to execute a malicious payload in the background,” said security researcher Priya Patel.
The attack chain uses two different paths to launch the final malware. One infection sequence begins when a recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file disguised as a PDF document. This runs a PowerShell script that extracts an executable file (‘RuntimeBroker_update.exe’) from an intermediate DAT file and runs it.
In the second attack chain, the victim launches the binary directly from the same archive. This binary acts as a self-contained Rust-based dropper that launches “RuntimeBroker_update.exe”. Regardless of the chosen path, the executable loads a malicious DLL (‘UnityPlayer.dll’) via DLL sideloading, which results in the deployment of a Rust-based loader called RUSTCLOAK.
The loader then decrypts and executes the main payload, the AdaptixC2 agent (codenamed AZUREVEIL because it uses Microsoft Azure Blob Storage for command and control (C2)). The loader is designed to perform anti-analysis checks and proceed only if the malware determines that it is not running within a sandbox environment.
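The two-path chain described above (LNK to PowerShell to a DAT-extracted executable, or the executable launched directly, followed by sideloading of UnityPlayer.dll) leaves three observable stages in endpoint telemetry. The following is an added example, not code from the article or from Seqrite Labs, of a triage routine that checks process-creation and image-load events for each stage. The event schema, paths and command line are constructed for the example; only the file names come from the write-up.

```python
"""
Added example, not code from the article or from Seqrite Labs: a small triage
routine that looks for the three stages of the infection chain described above
(explorer -> PowerShell extracting an EXE from a DAT file, a binary named after
a Windows component running from a user-writable path, and UnityPlayer.dll
loaded from a directory that holds no Unity install). The event schema and all
sample records are constructed for this example; they are not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption for this example: a Unity runtime DLL or a Windows component is
# expected under one of these roots; anything else is worth a second look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Event:
    kind: str                 # "process" (creation) or "imageload"
    image: str                # path of the created or loading process
    parent_image: str = ""    # creator of a "process" event
    cmdline: str = ""         # command line of a "process" event
    loaded_image: str = ""    # DLL path of an "imageload" event


def lnk_extracts_exe_from_dat(ev: Event) -> bool:
    """Stage 1: explorer (the LNK double-click) spawns PowerShell whose command
    line references a .dat and an .exe under the user profile."""
    if ev.kind != "process" or not ev.image.lower().endswith("powershell.exe"):
        return False
    if not ev.parent_image.lower().endswith("\\explorer.exe"):
        return False
    cmd = ev.cmdline.lower()
    return ".dat" in cmd and ".exe" in cmd and "\\users\\" in cmd


def masquerading_system_binary(ev: Event) -> bool:
    """Stage 2: a process named after RuntimeBroker running outside C:\\Windows
    (covers both the LNK path and the direct-launch path in the article)."""
    if ev.kind != "process":
        return False
    name = PureWindowsPath(ev.image).name.lower()
    return name.startswith("runtimebroker") and not ev.image.lower().startswith("c:\\windows\\")


def sideloaded_unity_dll(ev: Event) -> bool:
    """Stage 3: UnityPlayer.dll loaded from a path outside the trusted roots."""
    if ev.kind != "imageload":
        return False
    loaded = ev.loaded_image.lower()
    return PureWindowsPath(loaded).name == "unityplayer.dll" and not loaded.startswith(TRUSTED_ROOTS)


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Map each stage name to the evidence (command line, image or DLL path) seen."""
    hits: dict[str, list[str]] = {"lnk_powershell_dat": [], "masquerading_binary": [], "dll_sideload": []}
    for ev in events:
        if lnk_extracts_exe_from_dat(ev):
            hits["lnk_powershell_dat"].append(ev.cmdline)
        if masquerading_system_binary(ev):
            hits["masquerading_binary"].append(ev.image)
        if sideloaded_unity_dll(ev):
            hits["dll_sideload"].append(ev.loaded_image)
    return hits


def stages_observed(events: list[Event]) -> int:
    """Number of distinct stages with at least one hit (3 = full chain seen)."""
    return sum(1 for v in triage(events).values() if v)


# Constructed sample telemetry mirroring the chain in the article (paths and
# command line are made up; only the file names come from the write-up).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -w hidden -File C:\Users\alice\Downloads\pkg\setup.ps1 data.dat RuntimeBroker_update.exe"),
    Event("process", r"C:\Users\alice\Downloads\pkg\RuntimeBroker_update.exe",
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("imageload", r"C:\Users\alice\Downloads\pkg\RuntimeBroker_update.exe",
          loaded_image=r"C:\Users\alice\Downloads\pkg\UnityPlayer.dll"),
    # Benign: the real RuntimeBroker, and a Unity game loading its own runtime.
    Event("process", r"C:\Windows\System32\RuntimeBroker.exe", parent_image=r"C:\Windows\System32\svchost.exe"),
    Event("imageload", r"C:\Program Files\SomeGame\SomeGame.exe",
          loaded_image=r"C:\Program Files\SomeGame\UnityPlayer.dll"),
]

if __name__ == "__main__":
    for stage, evidence in triage(SAMPLE_EVENTS).items():
        print(f"{stage}: {evidence}")
```

Each stage on its own is noisy (legitimate Unity games load UnityPlayer.dll, and administrators run PowerShell from Explorer), so the useful signal is the count returned by `stages_observed`: two or three stages on the same host within a short window is what merits escalation.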
“This malware simply communicates with Azure Blob Storage, the same service used by thousands of legitimate businesses around the world,” Seqrite Labs said. “Instead of using the traditional pull-based C2 model, AZUREVEIL follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data.”
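Because the dead-drop model never has the implant talk to attacker-owned infrastructure, domain reputation offers little help; what remains visible is the traffic shape. The following is an added example, not code from the article or from Seqrite Labs, that scans constructed proxy-log lines for a process that both reads from and writes to the same Azure Blob container on a regular cadence and is not a browser or a known Azure client. The log format, process names, storage account and container names are all assumptions made up for the example.

```python
"""
Added example, not code from the article or from Seqrite Labs: a pass over
constructed proxy-log lines that flags the dead-drop pattern described above,
i.e. a process that both reads from (GET) and writes to (PUT) the same Azure
Blob container on a regular cadence and is not a browser or a known Azure
client. The log format, process names, storage account and container names
are all assumptions made up for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Assumption: processes expected to talk to Blob Storage in this environment.
EXPECTED_BLOB_CLIENTS = {"msedge.exe", "chrome.exe", "azcopy.exe", "onedrive.exe"}


def parse_line(line: str) -> dict:
    """Constructed format: '<ISO timestamp> <process> <METHOD> <url> <status>'."""
    ts, proc, method, url, status = line.split()
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return {
        "ts": datetime.fromisoformat(ts),
        "proc": proc.lower(),
        "method": method.upper(),
        "host": (parts.hostname or "").lower(),
        "container": segments[0] if segments else "",   # first path segment
        "status": int(status),
    }


def is_blob_host(host: str) -> bool:
    return host.endswith(".blob.core.windows.net")


def dead_drop_candidates(lines, min_requests: int = 6, max_jitter: float = 0.25) -> list[dict]:
    """Group Blob requests by (process, host, container); report groups from an
    unexpected process that mix GET and PUT with low inter-request jitter."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if is_blob_host(rec["host"]):
            groups[(rec["proc"], rec["host"], rec["container"])].append(rec)

    findings = []
    for (proc, host, container), recs in groups.items():
        if proc in EXPECTED_BLOB_CLIENTS or len(recs) < min_requests:
            continue
        if not {"GET", "PUT"} <= {r["method"] for r in recs}:
            continue  # one-directional traffic (pure download or pure upload)
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0   # coefficient of variation
        if jitter <= max_jitter:
            findings.append({"process": proc, "host": host, "container": container,
                             "requests": len(recs), "mean_gap_s": avg, "jitter": jitter})
    return findings


# Constructed sample log: one process polling and posting to a single container
# every minute, a browser fetching static assets, and a backup agent that only
# uploads. Account and container names are placeholders, not real IoCs.
SAMPLE_LOG = """\
2026-04-01T09:00:00 RuntimeBroker_update.exe GET https://acct-placeholder.blob.core.windows.net/c2drop/tasks/host-01 200
2026-04-01T09:01:00 RuntimeBroker_update.exe PUT https://acct-placeholder.blob.core.windows.net/c2drop/results/host-01 201
2026-04-01T09:02:00 RuntimeBroker_update.exe GET https://acct-placeholder.blob.core.windows.net/c2drop/tasks/host-01 200
2026-04-01T09:03:00 RuntimeBroker_update.exe PUT https://acct-placeholder.blob.core.windows.net/c2drop/results/host-01 201
2026-04-01T09:04:00 RuntimeBroker_update.exe GET https://acct-placeholder.blob.core.windows.net/c2drop/tasks/host-01 200
2026-04-01T09:05:00 RuntimeBroker_update.exe PUT https://acct-placeholder.blob.core.windows.net/c2drop/results/host-01 201
2026-04-01T09:00:12 msedge.exe GET https://cdn-placeholder.blob.core.windows.net/public/site.css 200
2026-04-01T09:00:13 msedge.exe GET https://cdn-placeholder.blob.core.windows.net/public/app.js 200
2026-04-01T09:10:00 backupagent.exe PUT https://backup-placeholder.blob.core.windows.net/backups/2026-04-01.tar 201
2026-04-01T09:10:05 backupagent.exe PUT https://backup-placeholder.blob.core.windows.net/backups/2026-04-01.tar.sha256 201
"""

if __name__ == "__main__":
    for f in dead_drop_candidates(SAMPLE_LOG.splitlines()):
        print(f)
```

The process-level view assumes the proxy or endpoint agent records the originating process; with network-only logs the grouping key collapses to (source host, storage account, container), and the GET/PUT mix plus low jitter still carries most of the signal. Thresholds are starting points: a real implant will add sleep jitter, so `max_jitter` is something to tune against the environment's own baseline rather than a fixed cut-off.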
AZUREVEIL supports 36 commands that can perform a wide range of post-compromise actions on hosts, including file operations, file uploads and downloads, shell command execution, process enumeration and termination, port forwarding, SOCKS proxy control, C2 server management, and in-memory execution of Beacon Object Files (BOFs).
These features give an attacker complete control over a compromised endpoint. The activity has not been attributed to a known actor or group, but is assessed to be affiliated with China.
The disclosure comes after Cato Networks announced that it had detected and blocked an attempt to infiltrate the Indian branch of an unnamed global manufacturing customer to deliver TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework.
This attack is believed to be the work of Chinese-aligned attackers based on past use of rshell, Tencent-themed API impersonation, and infrastructure patterns. The initial access vector used for the intrusion is currently unknown.
“If successful, TencShell could have provided attackers with a path to remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and additional tooling,” said researchers Idan Tarab, Dr. Guy Weisel, Zohar Buber, and Shani Kurtzberg.

ESET said in a report released last week that Chinese-aligned threat actors remained “highly active” around the world from October 2025 to March 2026. This includes a previously unreported cluster called SteppeDriver, which was first discovered in 2024 and has since targeted organizations in France, Mongolia, and South America using tools such as ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.
The Slovak cybersecurity vendor also identified PhiliKit, a new toolkit linked to UNC5221 that acts as a passive backdoor to execute shell commands, Python scripts, and Perl scripts. PhiliKit is suspected of being deployed as part of the SPAWN malware suite used by Chinese hacker groups in the past.
A third China-related threat group is NegativeGlimmer, which is believed to have some overlap with TGR-STA-1030. TGR-STA-1030 was documented earlier this year by Palo Alto Networks Unit 42 as having compromised at least 70 government and critical infrastructure organizations in 37 countries over the past year.
In at least one instance observed in December 2025, the threat actor targeted a government organization in Panama, delivering a downloader through a DLL sideloading chain initiated via spear-phishing, then deploying AdaptixC2 while simultaneously displaying a decoy document to the victim.
In post-January 2026 iterations, AdaptixC2 was replaced by Cobalt Strike, with infections also reported in Cambodia and South Korea.
“The latter Korean target is consistent with the Chinese government’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy,” said ESET’s Jean-Ian Boutin.
