A recent cyber espionage initiative, known as Operation Dragon Weave, has been identified targeting individuals and entities in the Czech Republic and Taiwan. The campaign aims to deploy the AdaptixC2 agent, according to Seqrite Labs.
Targeted Sectors and Methods
Operation Dragon Weave is primarily focused on several sectors, including government, research, academia, technology, and financial services. The attackers use spear-phishing emails with ZIP attachments to initiate an infection chain. The chain relies on a Rust loader to execute the final payload, which enables data theft and remote control of the compromised system.
Security researcher Priya Patel explained that the ZIP archive contains files that appear legitimate but are part of a sophisticated infection mechanism. These files are designed to run malicious payloads covertly.
Infection Chains and Execution
The attack employs two distinct pathways to deploy the malware. One method involves opening a deceptive Windows Shortcut (LNK) file within the ZIP archive, disguised as a PDF document. This action triggers a PowerShell script that extracts and executes a file named “RuntimeBroker_update.exe” from a DAT file.
Alternatively, the victim may execute a binary directly from the archive, which acts as a Rust-based dropper, launching the same executable. Both paths eventually lead to the loading of a malicious DLL, “UnityPlayer.dll,” using DLL side-loading techniques, culminating in the deployment of a Rust-based loader known as RUSTCLOAK.
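The two chains above leave a recognizable trail in host telemetry: explorer.exe spawning PowerShell that unpacks an EXE from a DAT file, and that EXE loading UnityPlayer.dll from a user-writable directory. The following detection sketch is an added example, not code from Seqrite Labs or the article; the Sysmon-style event shape, the explorer.exe parent heuristic, the user-writable-path heuristic, and all paths and PIDs are constructed assumptions.

```python
import json
import ntpath

# Constructed Sysmon-style events (id 1 = process create, id 7 = image load),
# modelled on the reported chain. Paths, PIDs and the command line are made up.
SAMPLE_LOG = r"""
{"id":1,"pid":4100,"ppid":1200,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"id":1,"pid":4212,"ppid":4100,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -w hidden -c \"[IO.File]::WriteAllBytes('C:\\Users\\u\\AppData\\Local\\Temp\\RuntimeBroker_update.exe',[IO.File]::ReadAllBytes('C:\\Users\\u\\Downloads\\report.dat')); Start-Process 'C:\\Users\\u\\AppData\\Local\\Temp\\RuntimeBroker_update.exe'\""}
{"id":1,"pid":4388,"ppid":4212,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\RuntimeBroker_update.exe","cmd":"RuntimeBroker_update.exe"}
{"id":7,"pid":4388,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\RuntimeBroker_update.exe","loaded":"C:\\Users\\u\\AppData\\Local\\Temp\\UnityPlayer.dll"}
{"id":1,"pid":5000,"ppid":1200,"image":"C:\\Program Files\\Game\\Game.exe","cmd":"Game.exe"}
{"id":7,"pid":5000,"image":"C:\\Program Files\\Game\\Game.exe","loaded":"C:\\Program Files\\Game\\UnityPlayer.dll"}
"""

# Assumed heuristic: a legitimate Unity runtime is not installed under these paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def parse_events(log_text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def detect(events):
    """Return (rule, pid) findings. Rules are heuristics for triage, not vendor signatures."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        base = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e.get("ppid"))
        # Rule 1: LNK launched via explorer.exe spawns PowerShell that turns a .dat into an .exe.
        if (e["id"] == 1 and base == "powershell.exe" and parent is not None
                and ntpath.basename(parent["image"]).lower() == "explorer.exe"
                and ".dat" in e["cmd"].lower() and ".exe" in e["cmd"].lower()):
            findings.append(("ps_from_explorer_unpacks_dat", e["pid"]))
        # Rule 2: UnityPlayer.dll loaded from a user-writable directory (side-loading pattern).
        if (e["id"] == 7 and ntpath.basename(e["loaded"]).lower() == "unityplayer.dll"
                and any(m in e["loaded"].lower() for m in USER_WRITABLE)):
            findings.append(("unityplayer_sideload_user_writable", e["pid"]))
    return findings

def chain_pids(events):
    """PIDs where both rules line up across parent and child: high-confidence chain hits."""
    rules = {}
    for rule, pid in detect(events):
        rules.setdefault(pid, set()).add(rule)
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for pid, rs in rules.items():
        parent = by_pid.get(pid, {}).get("ppid")
        if ("unityplayer_sideload_user_writable" in rs
                and "ps_from_explorer_unpacks_dat" in rules.get(parent, set())):
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(detect(evts))
    print("chain:", chain_pids(evts))
```

The legitimate Game.exe loading UnityPlayer.dll from Program Files produces no finding, which is the false-positive case a rule on the DLL name alone would trip on.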
Advanced Malware Capabilities
The RUSTCLOAK loader decrypts and executes the main payload, the AdaptixC2 agent, referred to as AZUREVEIL. This agent uses Microsoft Azure Blob Storage for its command-and-control operations, employing a dead-drop approach in which tasking and results are exchanged through the storage service so that the attacker and the compromised system never communicate directly.
AZUREVEIL is capable of executing 36 different commands, enabling extensive post-compromise actions such as file management, shell command execution, and process control. Seqrite Labs notes that these capabilities give attackers comprehensive control over affected endpoints. The campaign is attributed to a China-aligned threat group.
Separately, Cato Networks reported intercepting an attack on an Indian branch of a global manufacturing company. The attack leveraged TencShell, a Go-based implant derived from rshell, further indicating a China nexus.
Ongoing research by ESET highlights continued activity by China-aligned threat actors globally, with a variety of tools and tactics observed. These include campaigns in France, Mongolia, and South America, using different malware and tooling over time. The evolving landscape underscores the persistent threat posed by state-sponsored cyber activity.
