Analysis of dual-method operations targeting Czech and Taiwanese organizations

An evaluation of Operation Dragon Weave, a spear-phishing campaign that deploys Rust-based loaders and utilizes Azure Blob Storage for command-and-control. This analysis details the deployment methods and provides actionable guidance to help security teams protect their environments.

Triage Security Media Team

China-aligned threat actors are currently directing targeted operations against specific organizations in the Czech Republic and Taiwan. The primary objective appears to be unauthorized data access, with operations focusing on well-defined sectors: government and the public sector, research and academia, technology and software, and financial services.

Security vendor Seqrite documented this activity under the name "Operation Dragon Weave." The campaign relies on a spear-phishing methodology that begins with an email containing a ZIP archive. The messages use social engineering, instructing the recipient to open the attached files under the guise of an upcoming business meeting. In one instance targeting the Czech Republic, the email referenced a fabricated appointment with the Czech Social Security Administration (ČSSZ).

Regional context and targeting methodology

Seqrite assesses with moderate confidence that the campaign aligns with Chinese state interests, though it has not attributed the activity to a specific advanced persistent threat (APT) group.

While the targeting of Taiwanese organizations aligns with established geopolitical patterns, the focus on the Czech Republic reflects a more complex international relationship. According to Alexis Rapin, a cyber threat analyst at ESET, the Czech Republic maintains close ties with Taiwan, which likely elevates its profile among China-aligned threat actors. The Czech government has also experienced diplomatic friction with China regarding international alliances and the war in Ukraine.

"Based on our telemetry, it appears that Chinese APTs' interest roughly aligns with this broad timeline: we saw them starting to target CZ rather frequently in 2023, with governmental organizations as the most common target. Academia and the non-profit sector come in second," Rapin explained. He noted that the Czech Republic appears to be a recurrent intelligence-collection priority for these groups in Europe.

Dual-path deployment sequence

The ZIP file distributed in the spear-phishing emails contains multiple components, including an executable file that spawns a decoy PDF. The decoy document contains plausible details, such as instructions for a purported ČSSZ appointment, to avoid raising the recipient's suspicion.

The operation uses two distinct methods for deployment on targeted systems:

  1. Shortcut execution: The primary deployment method involves an LNK shortcut file enclosed in the archive. When executed, this shortcut silently triggers a VBScript file (empty.vbs), which in turn launches a PowerShell script (Profile.ps1). The script decrypts a file named 1.dat and executes the decrypted content via a file named RuntimeBroker_update.exe.

  2. Direct executable deployment: If the recipient instead opens the primary executable file (_計畫申請審查結果通知單.exe), the binary functions as a self-contained, Rust-based extraction utility. It unpacks all necessary components independently and then launches the same RuntimeBroker_update.exe file.

Seqrite notes that this dual-method approach increases the likelihood of a successful deployment. In both scenarios, RuntimeBroker_update.exe uses DLL sideloading to run an unauthorized DLL (UnityPlayer.dll), which then executes a Rust-based loader identified as "Rustcloak."
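The two deployment paths above converge on the same observable telemetry: a script host running a .vbs that spawns PowerShell with a .ps1, and an executable in a user-writable directory loading UnityPlayer.dll. The following detection logic, an added example that is neither Seqrite's nor the article's code, runs those two checks over constructed Sysmon-style process-creation and image-load events; the user-writable-path heuristic and the sample paths are assumptions.

```python
import ntpath

# Heuristic (assumption): directories a phishing archive is typically unpacked into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def base(path):
    return ntpath.basename(path).lower()

def vbs_host_spawning_powershell(procs):
    """Stage 1: wscript/cscript running a .vbs spawns PowerShell with a .ps1 argument.
    procs: dicts with pid, ppid, image, cmdline (Sysmon Event ID 1 style)."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if not parent:
            continue
        parent_vbs = base(parent["image"]) in ("wscript.exe", "cscript.exe") and ".vbs" in parent["cmdline"].lower()
        child_ps = base(p["image"]) in ("powershell.exe", "pwsh.exe") and ".ps1" in p["cmdline"].lower()
        if parent_vbs and child_ps:
            hits.append((parent["cmdline"], p["cmdline"]))
    return hits

def unityplayer_sideload(loads):
    """Stage 2: UnityPlayer.dll loaded by an executable that lives in a user-writable path.
    loads: dicts with pid, image, loaded (Sysmon Event ID 7 style). A Unity game under
    Program Files loading its own UnityPlayer.dll is left alone by this heuristic."""
    return [l["image"] for l in loads
            if base(l["loaded"]) == "unityplayer.dll"
            and any(m in l["image"].lower() for m in USER_WRITABLE)]

# Constructed sample telemetry modelled on the chain the article describes.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'wscript.exe "{TMP}\\empty.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f'powershell.exe -File "{TMP}\\Profile.ps1"'},
    {"pid": 400, "ppid": 300, "image": f"{TMP}\\RuntimeBroker_update.exe", "cmdline": "RuntimeBroker_update.exe"},
]
SAMPLE_LOADS = [
    {"pid": 400, "image": f"{TMP}\\RuntimeBroker_update.exe", "loaded": f"{TMP}\\UnityPlayer.dll"},
    {"pid": 500, "image": r"C:\Program Files\SomeGame\Game.exe", "loaded": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
]

if __name__ == "__main__":
    print(vbs_host_spawning_powershell(SAMPLE_PROCS))
    print(unityplayer_sideload(SAMPLE_LOADS))
```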

Rustcloak loader and Azureveil command-and-control

The Rustcloak loader performs environmental checks to prevent execution within security analysis environments. It retrieves the system's computer name and checks it against a hardcoded list of over 100 known sandbox and security analyst machine names. If the system matches an entry on the list, the loader terminates the process, and the final component is not deployed.

If the environment passes these checks, Rustcloak decrypts and executes "Azureveil," an Adaptix command-and-control (C2) agent.

Azureveil's command-and-control infrastructure relies on Microsoft Azure Blob Storage, utilizing a "dead-drop" operational model rather than direct communication. Seqrite researchers identified that the agent and the threat actor share the same Azure storage container to exchange data.

The Azureveil agent periodically uploads a small encrypted blob (approximately 124 bytes) to signal that it is active. The threat actor places encrypted commands in the same container. The agent retrieves, decrypts, and executes these commands, then uploads the results back as encrypted blobs. This configuration allows the unauthorized party to execute instructions and extract files without maintaining a persistent, direct network connection to the targeted system.
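Because the dead-drop channel rides on legitimate Azure Blob Storage endpoints, the useful signal is not the destination but the rhythm: a host issuing small PUTs to one storage container at a near-constant interval. The following script, an added example rather than Seqrite's or the article's code, applies that heuristic to constructed proxy-log lines; the log format, the storage account names and the thresholds are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed proxy-log shape: "<iso-timestamp> <src-host> <method> <url> <bytes-sent>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                  r"https://(?P<account>[a-z0-9]+)\.blob\.core\.windows\.net/(?P<container>[^/?\s]+)\S* "
                  r"(?P<bytes_out>\d+)$")

def parse_blob_requests(lines):
    """Keep only requests to Azure Blob Storage; every other line is ignored."""
    recs = []
    for line in lines:
        m = LINE.match(line)
        if m:
            r = m.groupdict()
            r["ts"], r["bytes_out"] = datetime.fromisoformat(r["ts"]), int(r["bytes_out"])
            recs.append(r)
    return recs

def dead_drop_candidates(lines, min_puts=4, max_body=512, max_jitter=0.2):
    """Flag (src, account, container) tuples with at least min_puts small PUTs at
    near-constant intervals: the heartbeat pattern of a dead-drop agent.
    Thresholds are assumptions for illustration, not values from the report."""
    groups = {}
    for r in parse_blob_requests(lines):
        if r["method"] == "PUT":
            groups.setdefault((r["src"], r["account"], r["container"]), []).append(r)
    hits = []
    for (src, account, container), reqs in groups.items():
        reqs.sort(key=lambda r: r["ts"])
        if len(reqs) < min_puts or max(r["bytes_out"] for r in reqs) > max_body:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        med = median(gaps)
        if med > 0 and max(abs(g - med) for g in gaps) <= max_jitter * med:
            hits.append({"src": src, "account": account, "container": container,
                         "interval_s": med, "puts": len(reqs)})
    return hits

# Constructed sample: ws-017 uploads ~124-byte blobs every 5 minutes; fs-02 runs a backup job.
SAMPLE_LOG = [
    f"2024-05-01T10:{m:02d}:00 ws-017 PUT https://examplestore.blob.core.windows.net/drop/hb 124"
    for m in (0, 5, 10, 15, 20)
] + [
    "2024-05-01T10:07:00 ws-017 GET https://examplestore.blob.core.windows.net/drop/task 0",
    "2024-05-01T10:01:00 fs-02 PUT https://corpbackup.blob.core.windows.net/nightly/a.zip 73400320",
    "2024-05-01T10:09:00 fs-02 PUT https://corpbackup.blob.core.windows.net/nightly/b.zip 21000000",
    "2024-05-01T10:40:00 fs-02 PUT https://corpbackup.blob.core.windows.net/nightly/c.zip 900000",
    "2024-05-01T11:00:00 fs-02 PUT https://corpbackup.blob.core.windows.net/nightly/d.zip 500",
]
```

Running `dead_drop_candidates(SAMPLE_LOG)` reports only ws-017's container; the backup host is excluded by body size, and a real deployment would also suppress storage accounts the organization owns.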

Guidance and protective measures

Because Operation Dragon Weave relies on spear-phishing to initiate its deployment sequence, organizations have several defensive options to secure their environments. The Seqrite research team recommends implementing the following protective measures:

  • Conduct periodic security awareness assessments focused on relevant phishing methodologies, vulnerabilities, and potential operational impacts.

  • Monitor and centralize system and network logs using a security incident and event management (SIEM) solution.

  • Deploy endpoint detection and response (EDR), extended detection and response (XDR), and file integrity monitoring (FIM) tools.

  • Monitor process execution continuously to detect anomalies, such as unexpected PowerShell activity or DLL sideloading.

  • Employ email filtering configurations designed to quarantine messages containing unauthorized archive types or suspicious shortcut files.

Original reporting context: This analysis incorporates coverage by Dark Reading senior news writer Alexander Culafi.