
China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan

Published:

1 June 2026 at 11:54:24

Alert date:

1 June 2026 at 15:01:43

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Critical Infrastructure, Email & Messaging

China-aligned threat actors launched Operation Dragon Weave, a cyber espionage campaign targeting officials and citizens in the Czech Republic and Taiwan. The campaign delivers the AdaptixC2 agent through spear-phishing emails carrying ZIP attachments. Targets include the government, research, academic, technology, and financial services sectors. The operation represents an escalation in China-aligned cyber activity against these two countries.

Technical details

Operation Dragon Weave is a cyber espionage campaign targeting the Czech Republic and Taiwan through spear-phishing emails with ZIP attachments. The attack uses two infection paths: 1) a malicious Windows Shortcut (LNK) file masquerading as a PDF, which executes a PowerShell script that extracts RuntimeBroker_update.exe from a DAT file and runs it; 2) direct execution of a Rust-based dropper binary. Both paths lead to DLL side-loading of UnityPlayer.dll, which deploys the RUSTCLOAK loader; the loader decrypts and runs AZUREVEIL, an AdaptixC2 agent. AZUREVEIL uses Microsoft Azure Blob Storage for C2 communications in a dead-drop arrangement (the agent and operator exchange messages through the storage account rather than connecting directly) and supports 36 commands, including file operations, shell execution, process management, port forwarding, SOCKS proxying, and execution of Beacon Object Files. Related campaigns include the TencShell implant, derived from the rshell framework and aimed at Indian manufacturing, and the PhiliKit backdoor linked to the UNC5221 group.

Mitigation steps:

Monitor for spear-phishing emails with ZIP attachments; detect LNK files masquerading as PDFs (for example a .lnk whose file name ends in .pdf); add sandbox-evasion checks to analysis pipelines, since the malware looks for sandboxed environments; monitor Azure Blob Storage traffic for suspicious dead-drop patterns, such as hosts that are not expected to use Azure storage polling a blob on a regular cadence; watch for DLL side-loading involving UnityPlayer.dll and RuntimeBroker_update.exe, particularly UnityPlayer.dll loaded from user-writable directories or by a process that is not a Unity game; and build detections for the 36 AZUREVEIL command capabilities, including file operations and remote execution.
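The following is an added triage example, not code from the advisory or from any vendor tooling. It shows how two of the mitigation steps above can be turned into host-telemetry checks: flagging shortcut files whose names are built to look like PDFs (including the padded-extension variant "Invoice.pdf     .lnk"), and flagging UnityPlayer.dll when it is mapped by RuntimeBroker_update.exe or loaded from a directory where no Unity game would be installed. Only the two file names come from the advisory; the event record shape, the list of expected install directories and the sample telemetry are constructed assumptions.

```python
"""Host-telemetry triage for two Dragon Weave indicators named in this advisory.

Added example, not from the advisory or any product. Event shapes and sample
records are assumptions; only the two indicator file names are from the page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicator names taken from the advisory.
SIDELOADED_DLL = "unityplayer.dll"
DROPPER_EXE = "runtimebroker_update.exe"

# Directories where a legitimately installed Unity game would normally live.
# Assumption for this example; tune to the estate being monitored.
EXPECTED_UNITY_DIRS = (
    "c:\\program files",
    "c:\\program files (x86)",
    "c:\\users\\public\\games",
)


@dataclass
class FileEvent:
    path: str     # full path of the created file
    source: str   # constructed provenance tag, e.g. "zip_extract", "download"


@dataclass
class ImageLoadEvent:
    process_image: str  # full path of the process mapping the DLL
    dll_path: str       # full path of the DLL being mapped


def is_pdf_masquerading_lnk(path: str) -> bool:
    """True for shortcut files whose name is built to look like a PDF.

    Catches 'report.pdf.lnk' as well as 'report.pdf      .lnk', where padding
    spaces push the real extension out of view in Explorer.
    """
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".lnk":
        return False
    return p.stem.rstrip().lower().endswith(".pdf")


def is_suspicious_unity_sideload(ev: ImageLoadEvent) -> bool:
    """True when UnityPlayer.dll is loaded in a way consistent with side-loading."""
    dll = PureWindowsPath(ev.dll_path)
    if dll.name.lower() != SIDELOADED_DLL:
        return False
    # Indicator 1: the advisory's dropper name is the loading process.
    if PureWindowsPath(ev.process_image).name.lower() == DROPPER_EXE:
        return True
    # Indicator 2: the DLL sits outside any directory a Unity game is installed to.
    return not str(dll.parent).lower().startswith(EXPECTED_UNITY_DIRS)


def triage(file_events, load_events):
    """Return (severity, rule, path) findings; LNK hits from a ZIP are rated high."""
    findings = []
    for fe in file_events:
        if is_pdf_masquerading_lnk(fe.path):
            sev = "high" if fe.source == "zip_extract" else "medium"
            findings.append((sev, "lnk_masquerade", fe.path))
    for le in load_events:
        if is_suspicious_unity_sideload(le):
            findings.append(("high", "unityplayer_sideload", le.dll_path))
    return findings


# Constructed sample telemetry; the paths are illustrative, not real IoCs.
SAMPLE_FILES = [
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\Rar$DIa\Agenda.pdf.lnk", "zip_extract"),
    FileEvent(r"C:\Users\alice\Downloads\Agenda.pdf", "download"),
    FileEvent(r"C:\Users\bob\Desktop\notes.lnk", "install"),
]
SAMPLE_LOADS = [
    ImageLoadEvent(r"C:\Users\alice\AppData\Roaming\Sync\RuntimeBroker_update.exe",
                   r"C:\Users\alice\AppData\Roaming\Sync\UnityPlayer.dll"),
    ImageLoadEvent(r"C:\Program Files\SomeGame\SomeGame.exe",
                   r"C:\Program Files\SomeGame\UnityPlayer.dll"),
    ImageLoadEvent(r"C:\Users\bob\Downloads\game.exe",
                   r"C:\Users\bob\Downloads\UnityPlayer.dll"),
]

if __name__ == "__main__":
    for sev, rule, where in triage(SAMPLE_FILES, SAMPLE_LOADS):
        print(f"[{sev}] {rule}: {where}")
```

The second UnityPlayer.dll check deliberately keys on location rather than on the loading process name, because a renamed dropper would evade a name-only rule while a DLL in a roaming profile or Downloads folder still stands out; expect some noise from portable Unity games and adjust EXPECTED_UNITY_DIRS accordingly.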

Affected products:

Microsoft Azure Blob Storage
Windows (LNK files, PowerShell, DLL side-loading)
AdaptixC2
Cobalt Strike
ShadowPad
COOLCLIENT
CurlyDoor
RudeGull
MKTDownloader
rshell C2 framework

Related links:

Related CVEs:

Related threat actors:

IOCs:

RuntimeBroker_update.exe, UnityPlayer.dll, RUSTCLOAK loader, AZUREVEIL AdaptixC2 agent, TencShell implant, PhiliKit backdoor

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
