A newly identified cyber espionage campaign, dubbed Operation Dragon Weave, is actively targeting government officials, researchers, and organizations in the Czech Republic and Taiwan. Security researchers have linked the operation to the deployment of an advanced malware framework known as AdaptixC2, highlighting the growing sophistication of state-aligned cyber threats.
Government and Research Sectors Under Attack
Researchers at Seqrite Labs found that the campaign primarily targets organizations in the following sectors:
- Government agencies
- Research institutions
- Academic organizations
- Technology companies
- Financial services firms
The attackers rely on highly targeted spear-phishing emails containing ZIP file attachments. Once opened, these files initiate a multi-stage infection chain designed to silently deploy malware while avoiding detection.
According to researchers, the ZIP archives contain seemingly legitimate files that conceal a carefully structured attack sequence capable of executing malicious payloads in the background.
How the Infection Chain Works
Operation Dragon Weave employs two separate infection methods, both ultimately delivering the same malware payload.
Method 1: Malicious Shortcut File
In the first scenario, victims open what appears to be a PDF document. However, the file is actually a malicious Windows Shortcut (LNK) file.
When executed, the shortcut launches a PowerShell script that:
- Extracts a hidden executable named RuntimeBroker_update.exe from a DAT file.
- Executes the extracted file.
- Triggers the next stage of the malware deployment process.
Method 2: Rust-Based Dropper
The second infection path involves victims directly launching an executable contained within the ZIP archive.
This binary functions as a standalone Rust-based dropper, whose sole purpose is to execute RuntimeBroker_update.exe and continue the attack sequence.
DLL Side-Loading Leads to RUSTCLOAK Deployment
Regardless of which infection method is used, the chain ultimately relies on DLL side-loading.
The executable loads a malicious DLL named UnityPlayer.dll, which then deploys a Rust-based loader known as RUSTCLOAK.
RUSTCLOAK serves several important functions:
- Decrypts the final malware payload
- Executes malicious code in memory
- Performs anti-analysis and anti-sandbox checks
- Helps evade security monitoring tools
Only after these checks are completed does the malware proceed with full execution.
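The chain above leaves three observable footprints on an endpoint: Explorer launching a hidden PowerShell that reads a .dat file (how a double-clicked LNK runs), a RuntimeBroker look-alike executing outside System32, and UnityPlayer.dll being resolved from a user-writable directory. The following Python is an added example of detection logic over such telemetry; it is not code from the report or from Seqrite Labs. The event records are constructed for the example, loosely modelled on Sysmon process-create and image-load fields, and the "user-writable" path list and the System32 comparison are assumptions to tune for a real estate.

```python
"""Detection logic for the infection chain described above: PowerShell
launched from Explorer that touches a .dat file, a RuntimeBroker look-alike
executing outside System32, and UnityPlayer.dll loaded from a user-writable
directory.  The event records are constructed for this example, loosely
modelled on Sysmon process-create (Event ID 1) and image-load (Event ID 7)
fields; they are not telemetry from the campaign."""
import ntpath
import re

# Locations where a legitimately installed Unity game would not live.
# Assumption for the example: extend to match your environment.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"

# Constructed sample telemetry: the first four events replay the chain,
# the last two are benign look-alikes the rules must not flag.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -w hidden -c Get-Content C:\Users\alice\Downloads\report.dat"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "RuntimeBroker_update.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\UnityPlayer.dll"},
    {"id": 1, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "RuntimeBroker.exe -Embedding"},
    {"id": 7, "image": r"C:\Program Files\SomeGame\SomeGame.exe",
     "module": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
]


def name(path):
    """Lower-cased file name of a Windows path, platform-independent."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, offending image) pairs for every event that matches."""
    findings = []
    for e in events:
        if e["id"] == 1:
            # Rule 1: Explorer -> hidden PowerShell that reads a .dat file,
            # the shape of the LNK-to-PowerShell stage.
            if (name(e["image"]) == "powershell.exe"
                    and name(e["parent"]) == "explorer.exe"
                    and ".dat" in e["cmdline"].lower()):
                findings.append(("lnk_powershell_dat", e["image"]))
            # Rule 2: anything named RuntimeBroker* running from outside
            # System32; the genuine broker only runs from there.
            if (name(e["image"]).startswith("runtimebroker")
                    and ntpath.dirname(e["image"]).lower() != SYSTEM32):
                findings.append(("runtimebroker_lookalike", e["image"]))
        elif e["id"] == 7:
            # Rule 3: UnityPlayer.dll resolved from a user-writable path,
            # the side-loading stage that hands control to RUSTCLOAK.
            if (name(e["module"]) == "unityplayer.dll"
                    and USER_WRITABLE.search(e["module"])):
                findings.append(("unityplayer_sideload", e["image"]))
    return findings


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule}: {image}")
```

Each rule is deliberately narrow enough to stay quiet on the genuine RuntimeBroker.exe and on a real Unity game under Program Files; broadening rule 3 to any DLL loaded from a user-writable directory by a freshly written executable catches side-loading in general, at the cost of more triage.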
AZUREVEIL: AdaptixC2 Malware Hidden Behind Azure
The final payload delivered by RUSTCLOAK is an AdaptixC2 agent called AZUREVEIL.
What makes AZUREVEIL particularly dangerous is its use of Microsoft Azure Blob Storage as a command-and-control (C2) channel.
Instead of communicating directly with attacker-controlled servers, the malware uses a dead-drop communication model:
- Infected systems upload data to Azure storage containers.
- Attackers retrieve the data from the same storage location.
- Commands are placed back into the container for the malware to retrieve.
This indirect communication approach makes detection significantly more difficult because Azure Blob Storage is a legitimate cloud service widely used by businesses worldwide.
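Because the traffic goes to a legitimate Azure endpoint, blocking or reputation-scoring the destination does not help; what remains observable is the shape of the exchange: a non-browser process that writes to and then polls the same container on a steady cadence. The Python below is an added example of that triage logic over egress-proxy logs and is not code from the report or from Seqrite Labs. The log lines, storage account and container names are constructed placeholders, and the cadence thresholds and the browser list are assumptions; the approach generalizes beyond this campaign to any blob-based dead drop.

```python
"""Triage logic for the dead-drop pattern described above: a non-browser
process that both uploads to and polls the same Azure Blob container on a
steady cadence.  The proxy log lines are constructed for this example (a
generic "timestamp host process method url status" format), the storage
account and container names are placeholders, and the thresholds are
assumptions, not indicators published for the campaign."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|PUT|POST|HEAD|DELETE) (\S+) (\d{3})$")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: tune per estate

# Constructed sample log: WS01 shows the dead-drop cycle (upload, then poll
# for a reply, roughly every five minutes); WS02 and WS03 are benign blob
# traffic that must not be flagged; the last line is deliberately malformed.
LOG_LINES = """\
2026-03-01T10:00:00Z WS01 RuntimeBroker_update.exe PUT https://exampleacct.blob.core.windows.net/drop/WS01/out.bin 201
2026-03-01T10:00:01Z WS01 RuntimeBroker_update.exe GET https://exampleacct.blob.core.windows.net/drop/WS01/in.bin 404
2026-03-01T10:05:03Z WS01 RuntimeBroker_update.exe PUT https://exampleacct.blob.core.windows.net/drop/WS01/out.bin 201
2026-03-01T10:05:04Z WS01 RuntimeBroker_update.exe GET https://exampleacct.blob.core.windows.net/drop/WS01/in.bin 200
2026-03-01T10:09:58Z WS01 RuntimeBroker_update.exe PUT https://exampleacct.blob.core.windows.net/drop/WS01/out.bin 201
2026-03-01T10:09:59Z WS01 RuntimeBroker_update.exe GET https://exampleacct.blob.core.windows.net/drop/WS01/in.bin 404
2026-03-01T10:15:01Z WS01 RuntimeBroker_update.exe PUT https://exampleacct.blob.core.windows.net/drop/WS01/out.bin 201
2026-03-01T10:15:02Z WS01 RuntimeBroker_update.exe GET https://exampleacct.blob.core.windows.net/drop/WS01/in.bin 200
2026-03-01T10:02:13Z WS02 msedge.exe GET https://cdnacct.blob.core.windows.net/static/app.js 200
2026-03-01T10:41:52Z WS02 msedge.exe GET https://cdnacct.blob.core.windows.net/static/logo.png 200
2026-03-01T11:17:05Z WS03 backup.exe PUT https://corpbackup.blob.core.windows.net/backups/WS03/2026-03-01.vhdx 201
not a log line
""".splitlines()


def parse(lines):
    """Parse proxy lines into dicts, keeping only Azure Blob requests."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, host, proc, method, url, _status = m.groups()
        u = urlparse(url)
        if not u.hostname or not u.hostname.endswith(".blob.core.windows.net"):
            continue
        parts = u.path.split("/")  # "/container/blob" -> ["", "container", "blob"]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc.lower(), "method": method,
            "account": u.hostname.split(".")[0],
            "container": parts[1] if len(parts) > 1 else "",
        })
    return events


def find_dead_drops(events, min_uploads=3, max_cv=0.2):
    """Return (host, process, account, container, cadence_seconds) for each
    non-browser process that periodically uploads to and reads from one
    container.  Regularity is the coefficient of variation of the gaps
    between uploads; both thresholds are assumptions for the example."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["proc"], e["account"], e["container"])].append(e)
    findings = []
    for (host, proc, account, container), evs in groups.items():
        if proc in BROWSERS:
            continue
        methods = {e["method"] for e in evs}
        if "PUT" not in methods or "GET" not in methods:
            continue  # a dead drop needs both directions
        uploads = sorted(e["ts"] for e in evs if e["method"] == "PUT")
        if len(uploads) < min_uploads:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(uploads, uploads[1:])]
        cadence = mean(gaps)
        if cadence > 0 and pstdev(gaps) / cadence <= max_cv:
            findings.append((host, proc, account, container, round(cadence)))
    return findings


if __name__ == "__main__":
    for finding in find_dead_drops(parse(LOG_LINES)):
        print("possible blob dead drop:", finding)
```

Pairing this with an inventory of storage accounts the organization actually owns turns the remaining hits into a short list: periodic write-then-read traffic to an account nobody can vouch for is the case worth pulling the endpoint for.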
Extensive Post-Compromise Capabilities
Researchers identified 36 different commands supported by AZUREVEIL, enabling attackers to perform a broad range of malicious activities, including:
- File creation, deletion, and modification
- File uploads and downloads
- Remote shell command execution
- Process monitoring and termination
- Port forwarding
- SOCKS proxy management
- Command-and-control management
- In-memory execution of Beacon Object Files (BOFs)
These capabilities effectively provide attackers with complete control over compromised systems.
Suspected China-Linked Activity
Although Seqrite Labs has not formally attributed Operation Dragon Weave to a specific threat group, researchers assess the campaign to be China-aligned based on observed tactics, techniques, and infrastructure patterns.
TencShell Malware Targets Global Manufacturing Firm
In a separate but related development, Cato Networks recently detected an attempted intrusion targeting the Indian branch of a global manufacturing company.
The attackers attempted to deploy a previously undocumented malware implant called TencShell, a Go-based backdoor derived from the open-source rshell C2 framework.
Researchers believe the operation may also be linked to Chinese threat actors due to:
- Historical use of rshell by China-linked groups
- Infrastructure similarities
- Impersonation of Tencent-themed APIs
If successfully deployed, TencShell could have enabled:
- Remote command execution
- In-memory payload deployment
- Network pivoting
- Proxy services
- System reconnaissance
- Additional malware deployment
The initial access method used in the attack remains unknown.
China-Linked Threat Activity Continues to Rise
Recent research from ESET indicates that China-aligned cyber espionage groups remained highly active worldwide between October 2025 and March 2026.
Among the notable findings was the discovery of a previously unreported cluster known as SteppeDriver, which has targeted organizations in:
- France
- Mongolia
- Multiple South American countries
The group has been observed using a variety of malware tools, including:
- ShadowPad
- COOLCLIENT
- CurlyDoor
- RudeGull
- MKTDownloader
New Backdoor Toolkit: PhiliKit
ESET also uncovered a new malware toolkit named PhiliKit, associated with the threat cluster UNC5221.
PhiliKit functions as a passive backdoor capable of:
- Executing shell commands
- Running Python scripts
- Launching Perl scripts
Researchers suspect it forms part of the broader SPAWN malware ecosystem previously linked to Chinese cyber operations.
NegativeGlimmer Expands Global Operations
Another China-linked threat actor, NegativeGlimmer, has been connected to campaigns targeting government and critical infrastructure organizations worldwide.
The group shares operational similarities with TGR-STA-1030, which reportedly compromised more than 70 government and critical infrastructure organizations across 37 countries over the past year.
In December 2025, NegativeGlimmer targeted a government organization in Panama using a spear-phishing campaign that leveraged DLL side-loading to deploy a downloader. The malware subsequently installed AdaptixC2 while displaying a decoy document to avoid raising suspicion.
Later campaigns observed in January 2026 replaced AdaptixC2 with Cobalt Strike, with additional victims identified in Cambodia and South Korea.
Researchers note that the South Korean targeting aligns with China’s long-standing interest in strategic technologies associated with the country’s Made in China 2025 industrial development initiative.
Final Thoughts
Operation Dragon Weave demonstrates how modern cyber espionage campaigns increasingly leverage legitimate cloud services to conceal malicious activity. By abusing Microsoft Azure infrastructure, employing sophisticated Rust-based loaders, and deploying feature-rich malware such as AZUREVEIL, attackers can maintain stealth while gaining extensive control over targeted environments.
As nation-state cyber operations continue to evolve, organizations in government, research, technology, and critical infrastructure sectors should remain vigilant against spear-phishing campaigns, monitor cloud-service abuse, and strengthen endpoint detection capabilities to defend against emerging threats.
