China-Aligned Cyber Groups Intensify Attacks: Operation Dragon Weave Targets Czech Republic and Taiwan
A cyber espionage campaign, dubbed Operation Dragon Weave, has been identified targeting officials and citizens in the Czech Republic and Taiwan. The operation deploys an agent of the open-source AdaptixC2 command-and-control framework to gain a foothold in government, research, academic, technology, and financial organizations.
Seqrite Labs reports that the attackers utilize spear-phishing emails containing ZIP attachments to initiate the infection process. Upon extraction, these archives reveal multiple files that, while appearing legitimate, are designed to execute malicious payloads covertly. Security researcher Priya Patel notes that this structured infection chain is meticulously crafted to deploy harmful software in the background.
The attack unfolds through two primary pathways:
1. Shortcut File Execution: The recipient opens a Windows Shortcut (LNK) file disguised as a PDF document. The shortcut's target launches a PowerShell script that carves an executable named RuntimeBroker_update.exe out of an intermediate DAT file and runs it. The name mimics RuntimeBroker.exe, a legitimate Windows process that normally runs from System32.
2. Direct Binary Execution: The victim launches a binary from the archive directly; this binary is a Rust-based dropper whose only job is to write and execute RuntimeBroker_update.exe.
In both scenarios the executable relies on DLL side-loading: it expects to find UnityPlayer.dll, the Unity game-engine runtime, in its own directory, and Windows resolves that name from the application directory before the system paths, so the attacker's malicious UnityPlayer.dll placed beside the executable is loaded instead. That DLL is a Rust-based loader named RUSTCLOAK, which decrypts and executes the main payload, the AdaptixC2 agent. Seqrite Labs refers to this agent as AZUREVEIL because it uses Microsoft Azure Blob Storage for command-and-control (C2) communications.
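The chain above leaves four observable artefacts on the endpoint: PowerShell launched from Explorer that stages an executable from a .dat file, a process masquerading as RuntimeBroker, UnityPlayer.dll loaded from a user-writable directory, and an unexpected client of Azure Blob Storage. The following hunt logic is an added example, not Seqrite Labs' code or detection content; the event record layout, the allowlist of processes expected to reach Azure Blob Storage, and the sample telemetry are constructed for illustration. Only the artefact names (RuntimeBroker_update.exe, UnityPlayer.dll, blob.core.windows.net) come from the article.

```python
"""Hunt for the Operation Dragon Weave infection chain over process telemetry.

Added example, not from the report. Field names mirror Sysmon event types
(process create, image load, network connect) but the record layout and the
sample events are constructed; adapt the field mapping to your EDR.
"""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatch
import re


@dataclass
class Event:
    kind: str            # "process", "imageload" or "network"
    image: str           # full path of the acting process
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""    # command line (process events)
    loaded: str = ""     # DLL path (imageload events)
    dest: str = ""       # destination host (network events)


# Directories a standard user can write to. A side-loaded UnityPlayer.dll is
# dropped here; a genuine Unity game installs under Program Files / Steam.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# Processes with a business reason to talk to Azure Blob Storage (assumption;
# tune to your environment).
BLOB_ALLOWLIST = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe",
                  "onedrive.exe", "azcopy.exe", "teams.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(token in low for token in USER_WRITABLE)


def check(e: Event) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    name = _basename(e.image)
    if e.kind == "process":
        # Rule 1: LNK-as-PDF path. Explorer launches PowerShell whose command
        # line references a .dat staging file and an .exe to run from it.
        if name in ("powershell.exe", "pwsh.exe") and _basename(e.parent) == "explorer.exe":
            if re.search(r"\.dat\b", e.cmdline, re.I) and re.search(r"\.exe\b", e.cmdline, re.I):
                hits.append("lnk_powershell_dat_stager")
        # Rule 2: name masquerade. The real RuntimeBroker.exe lives in
        # System32; any RuntimeBroker* image elsewhere is suspect.
        if name.startswith("runtimebroker") and not e.image.lower().startswith("c:\\windows\\system32\\"):
            hits.append("runtimebroker_masquerade")
    elif e.kind == "imageload":
        # Rule 3: side-load. UnityPlayer.dll resolved from a user-writable dir.
        if _basename(e.loaded) == "unityplayer.dll" and _user_writable(e.loaded):
            hits.append("unityplayer_sideload")
    elif e.kind == "network":
        # Rule 4: dead-drop C2. Azure Blob endpoint reached by an unexpected process.
        if fnmatch(e.dest.lower(), "*.blob.core.windows.net") and name not in BLOB_ALLOWLIST:
            hits.append("unexpected_azure_blob_client")
    return hits


def hunt(events: list[Event]) -> list[tuple[str, str]]:
    """Run every rule over every event; returns (rule, image) pairs."""
    return [(h, e.image) for e in events for h in check(e)]


# Constructed sample telemetry: three benign events, then one infection chain.
SAMPLE = [
    Event("process", r"C:\Windows\System32\RuntimeBroker.exe", parent=r"C:\Windows\System32\svchost.exe"),
    Event("imageload", r"C:\Program Files\SomeGame\SomeGame.exe", loaded=r"C:\Program Files\SomeGame\UnityPlayer.dll"),
    Event("network", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", dest="corpfiles.blob.core.windows.net"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r'powershell.exe -WindowStyle Hidden -Command "Copy-Item $env:TEMP\stage.dat $env:TEMP\RuntimeBroker_update.exe; Start-Process $env:TEMP\RuntimeBroker_update.exe"'),
    Event("process", r"C:\Users\jan\AppData\Local\Temp\RuntimeBroker_update.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("imageload", r"C:\Users\jan\AppData\Local\Temp\RuntimeBroker_update.exe",
          loaded=r"C:\Users\jan\AppData\Local\Temp\UnityPlayer.dll"),
    Event("network", r"C:\Users\jan\AppData\Local\Temp\RuntimeBroker_update.exe", dest="xyz.blob.core.windows.net"),
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE):
        print(f"{rule:32s} {image}")
```

Rule 3 will fire on Unity games a user installs under their own profile, so in practice pair it with a check on the loading process (a genuine Unity game executable is the only expected importer of UnityPlayer.dll). Rule 4 is the one that survives a change of loader: the article notes the agent's only network traffic is to Azure Blob Storage, so any process outside the allowlist talking to blob.core.windows.net deserves a look regardless of what dropped it.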
AZUREVEIL performs anti-analysis checks and runs its payload only when it concludes it is not inside a sandbox. Seqrite Labs highlights that the malware's only network traffic goes to Azure Blob Storage, a service widely used by legitimate enterprises, so the traffic blends in with ordinary cloud usage. Instead of a traditional beacon-to-server C2 model, AZUREVEIL uses a dead drop: the attacker and the infected host each read from and write to the same Azure storage container, so tasks and results are exchanged through the container and neither side ever connects directly to the other.
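The dead-drop exchange, as an added illustration that is not the malware's code: the blob naming scheme (tasks/ and results/ prefixes keyed by agent ID and sequence number), the JSON task format and the toy SHA-256 counter keystream are all assumptions made for this example; the article does not describe AZUREVEIL's encoding. The container is an in-memory dict standing in for an Azure Blob Storage container so the script runs offline, and its access log shows the property that matters to a defender: every operation is one of two parties touching the container, and no operation involves the two parties talking to each other.

```python
"""Dead-drop C2 through a shared blob container (added example, not AZUREVEIL).

Operator drops encrypted tasks under tasks/<agent>/, the agent polls that
prefix, runs each task, drops the result under results/<agent>/ and deletes
the task. Neither side ever opens a connection to the other.
"""
import hashlib
import json


class Container:
    """In-memory stand-in for one Azure Blob Storage container (assumption:
    only put/get/list-by-prefix/delete are needed, which the Blob API offers)."""
    def __init__(self):
        self.blobs: dict[str, bytes] = {}
        self.log: list[str] = []     # "<actor> <op> <blob>" for every access

    def put(self, who, name, data):
        self.blobs[name] = bytes(data)
        self.log.append(f"{who} PUT {name}")

    def get(self, who, name):
        self.log.append(f"{who} GET {name}")
        return self.blobs.get(name)

    def list(self, who, prefix):
        self.log.append(f"{who} LIST {prefix}")
        return sorted(n for n in self.blobs if n.startswith(prefix))

    def delete(self, who, name):
        self.blobs.pop(name, None)
        self.log.append(f"{who} DEL {name}")


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XORed over the data (assumption; the
    real cipher is not in the article). Symmetric, so one function encrypts
    and decrypts. Unauthenticated: a real implant would use an AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _pack(key, obj): return xor_stream(key, json.dumps(obj).encode())
def _unpack(key, blob): return json.loads(xor_stream(key, blob).decode())


class Operator:
    """Attacker side: writes tasks, collects results. Never contacts the agent."""
    def __init__(self, c: Container, key: bytes):
        self.c, self.key, self.seq = c, key, 0

    def task(self, agent_id: str, cmd: str, arg: str = "") -> int:
        self.seq += 1
        body = {"seq": self.seq, "cmd": cmd, "arg": arg}
        self.c.put("operator", f"tasks/{agent_id}/{self.seq:08d}", _pack(self.key, body))
        return self.seq

    def collect(self, agent_id: str) -> list[dict]:
        results = []
        for name in self.c.list("operator", f"results/{agent_id}/"):
            results.append(_unpack(self.key, self.c.get("operator", name)))
            self.c.delete("operator", name)
        return results


class Agent:
    """Implant side: polls its own task prefix, executes, drops results."""
    def __init__(self, c: Container, key: bytes, agent_id: str, handlers: dict):
        self.c, self.key, self.id, self.handlers = c, key, agent_id, handlers

    def beacon(self) -> int:
        """One check-in: process every queued task. Returns how many were handled."""
        done = 0
        for name in self.c.list(self.id, f"tasks/{self.id}/"):
            task = _unpack(self.key, self.c.get(self.id, name))
            handler = self.handlers.get(task["cmd"])
            result = {"seq": task["seq"], "ok": handler is not None,
                      "out": handler(task["arg"]) if handler else f"unknown command {task['cmd']}"}
            self.c.put(self.id, f"results/{self.id}/{task['seq']:08d}", _pack(self.key, result))
            self.c.delete(self.id, name)
            done += 1
        return done


def demo():
    """Queue three tasks, let the agent beacon once, collect the results."""
    c, key, agent_id = Container(), b"shared-secret", "agent-7f3a"
    op = Operator(c, key)
    ag = Agent(c, key, agent_id, {"echo": lambda a: a, "upper": lambda a: a.upper()})
    op.task(agent_id, "echo", "hello")
    op.task(agent_id, "upper", "dragon")
    op.task(agent_id, "nope")                  # unsupported command path
    handled = ag.beacon()
    return handled, op.collect(agent_id), c


if __name__ == "__main__":
    handled, results, container = demo()
    print(handled, results)
    print("\n".join(container.log))
```

The access log is the defender's view: from the storage account's perspective the operator and the implant are just two clients of one container, which is why the article's point that the agent "communicates solely with Azure Blob Storage" matters. Network-layer detection has to key on which process on the endpoint is talking to blob.core.windows.net, or on storage-side logging of unusual client IPs and polling cadence, because there is no attacker server address to block.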
The malware supports 36 commands, enabling a range of post-compromise activities, including:
– File operations
– File uploads and downloads
– Shell command execution
– Process enumeration and termination
– Port forwarding
– SOCKS proxy control
– C2 server management
– In-memory execution of Beacon Object Files (BOFs)
These capabilities grant attackers full control over compromised systems. While the specific threat actor behind Operation Dragon Weave remains unidentified, assessments suggest alignment with Chinese interests.
In a related development, Cato Networks detected and thwarted an intrusion attempt targeting the Indian branch of an undisclosed global manufacturing company. The attackers aimed to deploy TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework. Indicators such as the historical use of rshell, Tencent-themed API impersonation, and infrastructure patterns point to China-nexus threat actors. The initial access vector for this intrusion remains unknown.
If successful, TencShell could have provided attackers with remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a pathway to deploy additional tools.
These incidents underscore the escalating cyber threats posed by China-aligned groups, emphasizing the need for robust cybersecurity measures and vigilance across all sectors.