
Dragon Weave Cyber Espionage Campaign Uses Cloud-Based Malware to Target Czech Republic and Taiwan


A newly identified cyber espionage operation, Operation Dragon Weave, has been linked to China-aligned threat actors targeting individuals and organizations in the Czech Republic and Taiwan. The campaign delivers an agent for AdaptixC2, an open-source command-and-control framework, giving the operators remote control over compromised systems.

Security researchers report that the attackers are focusing on government, academic, research, financial, and technology sectors, using highly targeted spear-phishing emails containing malicious ZIP archives to initiate infection chains.

Phishing-based infection chain

The attack begins with spear-phishing emails carrying ZIP attachments. The archive contains several files disguised to look legitimate; opening the decoy runs malicious code in the background.

Researchers identified two main infection paths:

  • In the first method, the victim opens a malicious Windows shortcut (LNK) file disguised as a PDF, which runs a PowerShell script. The script extracts a file named RuntimeBroker_update.exe from an embedded payload and executes it.
  • In the second method, the victim directly runs a Rust-based binary from the archive, which launches the same RuntimeBroker_update.exe.

Both chains converge on DLL side-loading: the executable loads a malicious UnityPlayer.dll placed in its own directory in place of the library it expects, and that DLL activates a Rust-based loader called RUSTCLOAK.
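The side-loading step above is the point in the chain that endpoint telemetry can catch regardless of which of the two delivery paths was used. The following is an added example, not code from the article or from the researchers it cites: it reads constructed Sysmon-style image-load events (Event ID 7; the field names Image, ImageLoaded and Signed are Sysmon's, the events themselves are made up) and flags a watched DLL that is loaded from the same user-writable directory as its host executable. The watchlist, the trusted-directory prefixes and the sample paths are assumptions for the example.

```python
"""Flag candidate DLL side-loading from Sysmon-style image-load events."""
from pathlib import PureWindowsPath

# DLL names commonly abused for side-loading. UnityPlayer.dll is the one the
# article names; keeping this a set lets you extend it (assumption: the
# watchlist is yours to tune, it is not a published list).
WATCHED_DLLS = {"unityplayer.dll"}

# Directories treated as trusted install locations (assumption for this
# example; adjust to your estate).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_trusted_path(path: str) -> bool:
    """True when the path sits under one of the trusted install prefixes."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def is_suspect_sideload(event: dict) -> bool:
    """Return True when an image-load event looks like DLL side-loading.

    All conditions must hold:
      - the loaded DLL is on the watchlist,
      - the DLL lives in the same directory as the executable that loaded it,
      - that directory is outside the trusted install locations,
      - the DLL is not signed (Sysmon 'Signed' field; missing means unsigned).
    """
    dll = PureWindowsPath(event["ImageLoaded"])
    host = PureWindowsPath(event["Image"])
    if dll.name.lower() not in WATCHED_DLLS:
        return False
    # PureWindowsPath compares case-insensitively, as Windows does.
    if dll.parent != host.parent:
        return False
    if is_trusted_path(str(dll)):
        return False
    if event.get("Signed", "false").lower() == "true":
        return False
    return True


def scan(events):
    """Return the subset of events that look like side-loading."""
    return [e for e in events if is_suspect_sideload(e)]


# Constructed sample events (not real telemetry). The first mirrors the chain
# in the article: a renamed host binary in a user-writable folder loads an
# unsigned UnityPlayer.dll from beside itself.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\UnityPlayer.dll",
     "Signed": "false"},
    # a legitimate Unity-built game loading its own signed player DLL
    {"Image": r"C:\Program Files\SomeGame\SomeGame.exe",
     "ImageLoaded": r"C:\Program Files\SomeGame\UnityPlayer.dll",
     "Signed": "true"},
    # unrelated runtime DLL from the same temp folder: not on the watchlist
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msvcp140.dll",
     "Signed": "true"},
    # watched DLL loaded from a different directory than the host
    {"Image": r"C:\Users\bob\Downloads\report.exe",
     "ImageLoaded": r"C:\Windows\System32\UnityPlayer.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("SUSPECT side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

The same-directory test is what distinguishes side-loading from an ordinary load of a renamed DLL: the attacker must place the malicious library where the host's search order finds it first, which is almost always next to the executable. Expect noise from portable Unity games run out of Downloads; the signature check removes most of it, and a hash allowlist handles the rest.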

Deployment of AdaptixC2 malware

RUSTCLOAK decrypts and executes the final payload, an AdaptixC2 agent codenamed AZUREVEIL. The malware uses Microsoft Azure Blob Storage as its command-and-control infrastructure.

Instead of connecting directly to an attacker-controlled server, AZUREVEIL uses a dead-drop C2 model: the agent and the operator never talk to each other, and each instead reads from and writes to a shared storage account. The agent's only network peer is therefore a legitimate Microsoft endpoint, and its traffic blends in with ordinary enterprise cloud-storage activity.

The malware also includes anti-analysis checks to ensure it runs only in environments that resemble real user systems rather than sandboxes.

Capabilities of AZUREVEIL

Once deployed, AZUREVEIL provides attackers with extensive control over infected systems. Its capabilities include:

  • File creation, modification, upload, and download
  • Remote shell command execution
  • Process listing and termination
  • Network port forwarding and SOCKS proxying
  • C2 management functions
  • In-memory execution of Beacon Object Files

These features allow complete system compromise and enable long-term espionage operations.

Broader China-aligned activity

The Dragon Weave campaign is part of a wider pattern of China-linked cyber activity observed globally.

Security firms also reported a separate intrusion attempt targeting the Indian branch of a manufacturing company, where attackers attempted to deploy a Go-based implant called TencShell, derived from the open-source rshell framework. The malware is capable of remote command execution, system profiling, pivoting, and proxying.

Researchers believe China-nexus actors are behind the attack based on infrastructure similarities and historical usage patterns, although the initial infection method remains unclear.

Continued global operations

Additional reports highlight ongoing activity from multiple China-aligned groups:

  • ESET observed sustained operations between late 2025 and early 2026, including a cluster known as SteppeDriver, which used tools such as ShadowPad and other custom malware to target organizations across multiple regions.
  • A toolkit called PhiliKit, linked to UNC5221, has been identified as a passive backdoor capable of executing shell, Python, and Perl scripts.
  • Another group, NegativeGlimmer, has been associated with large-scale intrusions targeting government and critical infrastructure across dozens of countries, sometimes using DLL side-loading chains and decoy documents to mask activity.

Researchers note that some campaigns have shifted malware families over time, including the use of Cobalt Strike in later-stage attacks, indicating continuous evolution of tactics and tooling.

Experts warn that the combination of spear-phishing, cloud-based command-and-control, and modular malware design reflects increasingly sophisticated espionage operations aligned with strategic geopolitical interests.
