A recent spearphishing campaign has emerged, targeting government officials, researchers, and technology professionals in the Czech Republic and Taiwan. Identified as ‘Operation Dragon Weave’, this attack originates from a China-linked threat actor, first detected in Taiwan in March 2026.
Operation Dragon Weave Unveiled
The campaign delivers a multi-layered attack that ends with a remote access tool communicating through trusted cloud infrastructure. The initial phase involves a ZIP archive sent via email, containing files that resemble official government documents. These files, written in Traditional Chinese, include a decoy document mimicking a Czech Social Security Administration appointment notice, showing the attackers’ attention to detail.
The sophistication of these lures indicates a well-resourced and targeted espionage operation, specifically aimed at these regions. Cybersecurity firm Seqrite, which uncovered the campaign, highlighted two separate attack paths within the archive. Both paths lead to the same malicious outcome, demonstrating the operation’s meticulous planning.
Technical Breakdown of the Attack
The infection chain concludes with a Rust-based loader, RUSTCLOAK, which unwraps the final payload through three layers: a modified RC4 cipher, Base64 encoding, and AES-CBC encryption. The loader also checks for analysis sandboxes by comparing the host’s machine name against an embedded list, so that it can avoid exposing the payload inside an analysis environment.
The ultimate payload, AZUREVEIL, is an Adaptix command-and-control agent that uses Microsoft Azure Blob Storage for communication, so its traffic is hard to distinguish from legitimate cloud usage. This is a dead-drop resolver approach: the attacker and the infected system never connect to each other directly but exchange data through the storage account, which complicates detection.
Implications and Recommendations
The campaign’s complexity is evident in its ability to execute 36 post-exploitation commands in memory without leaving traces on disk. AZUREVEIL’s use of a Shared Access Signature token, valid until March 2027, suggests the operators planned a long-running campaign.
Organizations are advised to monitor traffic to Azure endpoints for unusual activity, enforce strict PowerShell and VBScript policies, and disable LNK file execution from archives. Endpoint detection capable of identifying in-memory execution is essential, especially for entities in geopolitically sensitive regions.
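To make the Azure-monitoring advice concrete, here is an added example, written for this article and not taken from Seqrite’s report or from any tool mentioned in it, that applies three checks to proxy log lines: a Shared Access Signature whose expiry (the standard `se` query parameter, alongside `sig`) lies far beyond the observation date, metronomic request timing from one workstation to one storage account, and a mixed read/write pattern to the same account, which is what a dead-drop exchange looks like from the network. The log lines, hostnames and token values are constructed for the example; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (not real telemetry): "<timestamp> <source host> <method> <url>".
# ws-017 polls one storage account every 60 s with a SAS token that expires in 2027;
# ws-042 and ws-099 are ordinary one-off downloads.
SAMPLE_LOG = """\
2026-04-01T09:00:00Z ws-042 GET https://contoso.blob.core.windows.net/public/index.html
2026-04-01T09:00:05Z ws-017 GET https://acct1234.blob.core.windows.net/tasks/in.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:01:05Z ws-017 PUT https://acct1234.blob.core.windows.net/tasks/out.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:02:05Z ws-017 GET https://acct1234.blob.core.windows.net/tasks/in.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:03:05Z ws-017 PUT https://acct1234.blob.core.windows.net/tasks/out.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:04:05Z ws-017 GET https://acct1234.blob.core.windows.net/tasks/in.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:05:05Z ws-017 PUT https://acct1234.blob.core.windows.net/tasks/out.bin?sv=2022-11-02&sp=rw&se=2027-03-31T00:00:00Z&sr=c&sig=AAAA
2026-04-01T09:07:30Z ws-099 GET https://fabrikam.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02&sp=r&se=2026-04-01T10:00:00Z&sr=b&sig=BBBB
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST|HEAD) (\S+)$")


def parse_line(line):
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group(2), "method": m.group(3), "url": m.group(4)}


def sas_expiry(url):
    """Return the SAS expiry time if the URL carries a signed token, else None."""
    qs = parse_qs(urlparse(url).query)
    if "sig" not in qs or "se" not in qs:
        return None
    return datetime.strptime(qs["se"][0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(log_text, long_lived_days=180, min_requests=4, max_jitter=0.2):
    """Group Blob Storage requests per (source host, storage account) and flag dead-drop-like sessions."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        if not host.endswith(".blob.core.windows.net"):
            continue
        sessions[(rec["src"], host)].append(rec)

    findings = []
    for (src, host), recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # Check 1: a SAS token that stays valid far beyond the date it was observed.
        for r in recs:
            exp = sas_expiry(r["url"])
            if exp and exp - r["ts"] > timedelta(days=long_lived_days):
                reasons.append(f"long-lived SAS token (expires {exp.date()})")
                break
        # Check 2: near-constant gaps between requests, typical of an agent polling a drop.
        if len(recs) >= min_requests:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"beacon-like cadence (~{avg:.0f}s over {len(recs)} requests)")
        # Check 3: the same account is both read from and written to by the same host.
        methods = {r["method"] for r in recs}
        if "GET" in methods and methods & {"PUT", "POST"}:
            reasons.append("read/write pattern against the same storage account")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['src']} -> {f['host']}: " + "; ".join(f["reasons"]))
```

Each check alone produces false positives (backup agents poll on a schedule, many SAS tokens are long-lived by design), so the value is in the combination: a workstation that polls one storage account on a fixed interval, reads and writes to it, and does so with a token valid for a year is worth a look regardless of which malware family is behind it.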
Seqrite’s analysis revealed a potential operational oversight, with a Rust build path containing a username embedded in the RUSTCLOAK binary. This detail could aid future attribution efforts, underscoring the importance of thorough analysis.
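The build-path artefact described above is a general class of finding: compilers embed source paths in panic and debug strings, and a path under a user’s home directory carries that user’s account name. The following added example (written for this article, not Seqrite’s tooling, and run against a constructed byte blob rather than the real RUSTCLOAK sample) pulls printable ASCII and UTF-16LE strings out of a binary, keeps those that look like Rust source or Cargo registry paths, and reports any usernames they reveal. The hash in the crates.io directory name and the rustc commit string are placeholders.

```python
import re

# Constructed stand-in for a Rust binary whose build paths were not remapped.
# None of these paths or names come from the real sample.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\builder42\\.cargo\\registry\\src\\index.crates.io-PLACEHOLDER\\aes-0.8.3\\src\\lib.rs\x00"
    + b"\x00" * 8
    + b"/rustc/PLACEHOLDERCOMMIT/library/core/src/fmt/mod.rs\x00"
    + b"C:\\Users\\builder42\\projects\\loader\\src\\main.rs\x00"
    + b"/home/ci-runner/work/loader/src/net.rs\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
WIN_USER = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")
NIX_USER = re.compile(r"/home/([^/]+)/")


def extract_strings(blob):
    """Yield printable strings of 8+ characters, in both ASCII and UTF-16LE encodings."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def looks_like_rust_path(s):
    """Keep strings that point at Rust sources or the Cargo registry."""
    return s.endswith(".rs") or "\\.cargo\\" in s or "/.cargo/" in s or "/rustc/" in s


def build_path_artifacts(blob):
    """Map each embedded build path to the username it exposes (None if it exposes none)."""
    found = {}
    for s in extract_strings(blob):
        if not looks_like_rust_path(s):
            continue
        m = WIN_USER.search(s) or NIX_USER.search(s)
        found.setdefault(s, m.group(1) if m else None)
    return found


def embedded_usernames(blob):
    """Sorted, de-duplicated list of account names recovered from build paths."""
    return sorted({u for u in build_path_artifacts(blob).values() if u})


if __name__ == "__main__":
    for path, user in build_path_artifacts(SAMPLE_BINARY).items():
        print(f"{path}  ->  user: {user or '-'}")
    print("usernames:", embedded_usernames(SAMPLE_BINARY))
```

A recovered username is a pivot, not an attribution on its own: it should be compared across samples from the same cluster, against paths in other binaries, and with the crate names in the registry path, which also date the build environment.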
As cyber threats continue to evolve, vigilance and advanced security measures remain essential for protecting sensitive data and infrastructure.
