The campaign, tracked as Operation Dragon Weave, begins with a malicious ZIP archive carrying files designed to appear as official documents. Once the victim opens its contents, a multi-stage infection chain runs that uses deceptive file names, script execution, DLL sideloading and a Rust-based loader before placing AZUREVEIL on the compromised system. The final payload gives attackers remote access and file-handling capabilities, and routes its communications through Microsoft Azure Blob Storage rather than a conventional command server.
The targeting pattern points to a focused espionage effort rather than broad criminal spam. The sectors identified in the campaign include government and public-sector bodies, research and academia, technology and software organisations, and financial services. The geographic focus on the Czech Republic and Taiwan is reinforced by region-specific lures, including Traditional Chinese file names and a Czech-language decoy document styled as an appointment notice from the Czech Social Security Administration.
The initial archive includes a shortcut file named to resemble a PDF notification and an executable disguised as a legitimate document. The Traditional Chinese filename translates as “Project Application Review Result Notification”, a formulation consistent with administrative correspondence. Security analysis found that the file set also contained a data folder with encrypted payload containers, scripts, a malicious UnityPlayer.dll used for sideloading and decoy PDF material intended to distract the victim while the malware chain runs in the background.
Two separate execution routes appear to have been prepared. One path starts when a victim clicks the Windows shortcut file, which uses the double extension “.pdf.lnk” so that Explorer, hiding the trailing .lnk, shows it as a standard document. Another path relies on the victim launching the executable directly. Both routes converge on RuntimeBroker_update.exe, which then loads the attacker-controlled UnityPlayer.dll placed in the same directory: Windows searches an application’s own directory before the system directories when resolving a DLL by name, so a planted copy wins over any legitimate one.
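The archive layout described above lends itself to a simple pre-delivery check. The script below is an added example, not code from the original report or from the analysts who documented the campaign: it walks a ZIP listing and flags the three patterns the text names, a document-extension-then-executable double extension, an executable or script inside the archive, and an EXE sitting next to a known sideload DLL in the same folder. The member names in the constructed sample archive mirror the report (RuntimeBroker_update.exe, UnityPlayer.dll, a .pdf.lnk shortcut) but the “Review_Result_Notification” stem and the file contents are placeholders; the extension lists and the sideload DLL set are assumptions to be extended from local telemetry.

```python
"""Triage a ZIP attachment for lure and sideloading patterns (added example)."""
import io
import posixpath
import zipfile
from typing import Dict, List

# Assumed lists: extensions that read as "a document" to a victim, and extensions that execute.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "vbs", "js", "hta"}
# Assumed sideload DLL set; only UnityPlayer.dll is named in the report.
SIDELOAD_DLLS = {"unityplayer.dll"}


def classify_name(name: str) -> List[str]:
    """Return findings for one archive member based on its file name alone."""
    base = posixpath.basename(name)
    parts = base.lower().split(".")
    findings: List[str] = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        findings.append(f"executable-in-archive:{base}")
        # e.g. notice.pdf.lnk: a document extension immediately before the real one
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            findings.append(f"double-extension:{base}")
    if parts[-1] == "dll" and base.lower() in SIDELOAD_DLLS:
        findings.append(f"sideload-dll:{base}")
    return findings


def triage_zip(blob: bytes) -> List[str]:
    """Inspect every member; also pair EXEs with sideload DLLs in the same directory."""
    findings: List[str] = []
    dirs_with_exe = set()
    dirs_with_sideload = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            findings.extend(classify_name(name))
            directory = posixpath.dirname(name)
            low = name.lower()
            if low.endswith(".exe"):
                dirs_with_exe.add(directory)
            if posixpath.basename(low) in SIDELOAD_DLLS:
                dirs_with_sideload.add(directory)
    for directory in sorted(dirs_with_exe & dirs_with_sideload):
        findings.append(f"sideload-pair:{directory or '.'}")
    return findings


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (for tests and demos)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the reported layout; contents are dummies, not real files.
SAMPLE_MEMBERS = {
    "Review_Result_Notification.pdf.lnk": b"L\x00\x00\x00",
    "Review_Result_Notification.exe": b"MZ",
    "decoy.pdf": b"%PDF-1.4",
    "data/RuntimeBroker_update.exe": b"MZ",
    "data/UnityPlayer.dll": b"MZ",
    "data/payload.bin": b"\x00" * 16,
    "data/run.bat": b"@echo off",
}


def triage_sample() -> List[str]:
    return triage_zip(build_archive(SAMPLE_MEMBERS))


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

The name-only check is deliberately cheap so it can run on a mail gateway before anything is extracted; the pairing rule is what separates a stray DLL from a staged sideload, because the loader only works when the EXE and the DLL share a directory.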
That DLL, dubbed RUSTCLOAK, is written in Rust and performs the next stage of the attack. The loader checks the computer name against a list of more than 100 known sandbox and analyst machine names, allowing it to stop execution if it detects a controlled analysis environment. Such anti-analysis checks are designed to limit exposure to automated malware sandboxes and delay defensive detection.
RUSTCLOAK then decrypts the embedded payload through several layers, including a custom RC4 process, Base64 decoding and SM4-CBC decryption. After decryption, it allocates memory, marks that memory as executable and runs the payload through Windows fibres rather than creating a new thread, a technique that may help reduce the visibility of the malware to endpoint monitoring tools. Analysts extracted an in-memory executable of about 103 KB, which was identified as AZUREVEIL.
AZUREVEIL’s most notable feature is its use of Azure Blob Storage for command-and-control. The agent communicates over HTTPS on port 443 with an Azure storage endpoint, allowing traffic to resemble normal enterprise cloud activity. That design removes the need for an obvious attacker-owned command server and complicates network-level detection, particularly in organisations that already rely heavily on Microsoft cloud infrastructure.
The malware can list directories and logical drives, read and move files, rename or delete data, upload stolen files to Azure Blob Storage and retrieve additional files from the command channel. It can also execute shell commands, list running processes and named pipes, configure or terminate processes, and support network and pivoting functions. These capabilities make it suitable for espionage operations where persistence, quiet data collection and flexible post-compromise activity are priorities.
The campaign also shows signs of careful operational planning. A Shared Access Signature token hardcoded in the malware was valid from 19 March 2026 to 19 March 2027, giving the operators a year-long window for interaction with the storage container. The token permissions allowed read, write, delete and upload operations, suggesting the cloud account was central to the attacker’s workflow rather than an incidental staging point.
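Both the blob-storage channel and the long-lived SAS token leave marks in ordinary proxy or egress logs, and the following script, an added example rather than code from the report or from any detection vendor, shows what to look for. It parses requests to `*.blob.core.windows.net`, extracts the standard SAS query fields (`sp` permissions, `st` start, `se` expiry, `sig`), and flags storage accounts outside an allowlist, processes that are not known cloud clients, write or delete permissions, and validity windows longer than a policy threshold. The log format, the `dropacct77` and `corpbackup01` account names, the allowlists and the 90-day threshold are all assumptions; the constructed first line reuses the report’s March 2026 to March 2027 window and the loader’s executable name.

```python
"""Flag suspicious Azure Blob Storage traffic and SAS tokens in proxy logs (added example)."""
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"
ALLOWED_ACCOUNTS = {"corpbackup01"}                                    # assumed: org-owned accounts
KNOWN_CLOUD_CLIENTS = {"onedrive.exe", "azcopy.exe", "msedge.exe"}     # assumed: expected clients
MAX_SAS_DAYS = 90                                                      # assumed policy threshold


def parse_sas_time(value: str) -> datetime:
    """SAS st/se values are UTC, either full timestamps or bare dates."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def inspect_blob_request(process: str, url: str) -> List[str]:
    """Return findings for one request; empty list when nothing stands out."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.endswith(BLOB_SUFFIX):
        return []
    account = host[: -len(BLOB_SUFFIX)]
    findings: List[str] = []
    if account not in ALLOWED_ACCOUNTS:
        findings.append(f"unknown-storage-account:{account}")
    if process.lower() not in KNOWN_CLOUD_CLIENTS:
        findings.append(f"unexpected-process:{process}")
    query = parse_qs(parts.query)
    if "sig" in query:  # the request carries a Shared Access Signature
        perms = query.get("sp", [""])[0]
        if set(perms) & {"w", "d"}:
            findings.append(f"sas-write-or-delete:{perms}")
        if "st" in query and "se" in query:
            days = (parse_sas_time(query["se"][0]) - parse_sas_time(query["st"][0])).days
            if days > MAX_SAS_DAYS:
                findings.append(f"sas-long-lived:{days}d")
    return findings


# Constructed log lines: "<timestamp> <source-ip> <process> <method> <url>". Not real traffic.
SAMPLE_LOG = """\
2026-04-02T10:15:03Z 10.0.0.12 RuntimeBroker_update.exe GET https://dropacct77.blob.core.windows.net/tasks/beacon.txt?sv=2022-11-02&st=2026-03-19T00%3A00%3A00Z&se=2027-03-19T00%3A00%3A00Z&sp=rwdl&sr=c&sig=REDACTED
2026-04-02T10:16:41Z 10.0.0.34 OneDrive.exe GET https://corpbackup01.blob.core.windows.net/files/report.docx?sv=2022-11-02&st=2026-04-02T10%3A00%3A00Z&se=2026-04-02T11%3A00%3A00Z&sp=r&sr=b&sig=REDACTED
2026-04-02T10:17:09Z 10.0.0.12 msedge.exe GET https://www.example.com/index.html
"""


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map '<timestamp> <source-ip>' to findings for every line that raised any."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, process, _method, url = line.split(maxsplit=4)
        findings = inspect_blob_request(process, url)
        if findings:
            report[f"{ts} {src}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in scan_log(SAMPLE_LOG).items():
        print(key, findings)
```

The account allowlist does most of the work in practice: an organisation that already uses Azure cannot block the blob endpoint, but it can enumerate the storage accounts it owns and treat any other account name in the host as worth a look, with the SAS permission and lifetime fields as corroborating signals.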
Attribution remains cautious. The targeting, tooling and tradecraft have been assessed as linked with a China-based threat actor at moderate confidence, but no specific known group has been named. That restraint reflects the mixed nature of the techniques: some elements overlap with established espionage patterns, while other components, including the distinct Azure Blob Storage dead-drop mechanism and Adaptix-based payload structure, have not been widely documented in public reporting on China-linked activity.
The use of AdaptixC2 also fits a wider trend in which offensive security frameworks and red-team tools are repurposed by hostile actors. AdaptixC2 was built as a post-exploitation and adversarial emulation framework for legitimate testing, but security researchers have tracked its use in ransomware and espionage-linked campaigns. Its adoption by different operators illustrates how publicly available or dual-use tools can lower the cost of building capable intrusion chains while making attribution harder.
Taiwan has remained a sustained target for cyber operations tied to regional political and strategic tensions, while Czech institutions have also faced heightened scrutiny because of Prague’s engagement with Taiwan and broader European concerns over state-aligned cyber activity. Operation Dragon Weave brings those theatres together through carefully localised lures and a cloud-based communications method intended to blend into ordinary business traffic.
The campaign places fresh pressure on defenders to monitor legitimate cloud services for suspicious patterns rather than relying only on blocklists of known malicious infrastructure. Endpoint telemetry, behavioural detection, script execution controls, attachment filtering and cloud-access monitoring are all relevant to detecting attacks of this kind. Particular attention is likely to fall on unusual ZIP attachments, double-extension files, shortcut-based execution, unexpected DLL sideloading and outbound storage traffic that does not match normal organisational usage.