Attack Chain and Delivery Method
A new cyber espionage campaign dubbed Operation Dragon Weave has been uncovered, specifically targeting government officials and citizens in the Czech Republic and Taiwan. The campaign, identified by Seqrite Labs, uses spear-phishing emails with ZIP attachments to initiate the infection process. The targeted sectors include government, research, academic, technology, and financial services, indicating a broad espionage focus.
Once a recipient opens the ZIP archive, the attack can proceed through one of two pathways. In the first, a malicious Windows Shortcut (LNK) file disguised as a PDF triggers a PowerShell script that extracts and runs a hidden executable. In the second, the victim directly launches a binary from the archive, which functions as a Rust-based dropper. Both routes ultimately lead to the deployment of the final payload.
Impact and Scope of the Espionage
The final stage of the attack deploys an AdaptixC2 agent named AZUREVEIL, which uses Microsoft Azure Blob Storage for command-and-control communication. The malware employs a dead-drop strategy, in which the agent and the operator exchange data through Azure's legitimate cloud service rather than a directly attacker-controlled server, which makes the traffic harder to distinguish from normal cloud use. The Rust-based loader, called RUSTCLOAK, performs anti-analysis checks to detect sandboxed and analysis environments before decrypting and executing the main payload.
Seqrite Labs noted that the malware’s reliance on Azure Blob Storage, a service widely used by legitimate enterprises, helps it blend in with normal traffic. The campaign is believed to be aligned with Chinese interests, as previous targeted activities have shown similar patterns. No direct attribution to a specific group has been provided, but the geopolitical significance of targeting both Czech and Taiwanese entities suggests a coordinated espionage effort with potential state backing.
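The two detection opportunities the article describes, the LNK-disguised-as-PDF delivery that launches PowerShell and the dead-drop traffic to Azure Blob Storage, can be expressed as simple host-telemetry checks. The following is an added example written for this page, not code from Seqrite Labs or from the campaign; the event records are constructed in a Sysmon-like shape, and the hostnames, paths, and the allowlist of processes expected to talk to Azure Blob Storage are assumptions for the illustration:

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (file creation, process creation, network
# connection) in a Sysmon-like shape. Illustrative records written for this
# example; not events from the campaign described in the article.
EVENTS = [
    {"id": 1, "type": "file", "pid": 3004, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\invitation\agenda.pdf.lnk"},
    {"id": 2, "type": "process", "pid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "..."'},
    {"id": 3, "type": "process", "pid": 4222,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 4, "type": "network", "pid": 5120,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_host": "contoso-drop.blob.core.windows.net", "dest_port": 443},
    {"id": 5, "type": "network", "pid": 2201,
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest_host": "onedrive-storage.blob.core.windows.net", "dest_port": 443},
    {"id": 6, "type": "file", "pid": 3004, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\report.pdf"},
]

# A document-looking extension immediately followed by .lnk (e.g. agenda.pdf.lnk).
DOUBLE_EXT_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Flags commonly placed in an LNK target to hide and unlock a PowerShell stage.
HIDDEN_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass"
    r"|e(?:ncodedcommand|nc)\b|nop(?:rofile)?\b)",
    re.IGNORECASE,
)
BLOB_SUFFIX = ".blob.core.windows.net"
# Assumed allowlist: processes expected to talk to Azure Blob Storage in this
# environment. Tune to the real baseline before deploying such a rule.
BLOB_ALLOWLIST = {"onedrive.exe", "azcopy.exe", "msedge.exe", "chrome.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_disguised_lnk(path: str) -> bool:
    """File-creation check: shortcut whose name pretends to be a document."""
    return DOUBLE_EXT_LNK.search(basename(path)) is not None


def is_lnk_style_powershell(ev: dict) -> bool:
    """Process check: explorer.exe (an LNK double-click) spawning hidden PowerShell."""
    return (basename(ev["image"]) in POWERSHELL_IMAGES
            and basename(ev["parent_image"]) == "explorer.exe"
            and HIDDEN_FLAGS.search(ev["cmdline"]) is not None)


def is_unexpected_blob_client(ev: dict, allowlist=BLOB_ALLOWLIST) -> bool:
    """Network check: a process outside the baseline reaching Azure Blob Storage."""
    return (ev["dest_host"].lower().endswith(BLOB_SUFFIX)
            and basename(ev["image"]) not in allowlist)


def detect(events):
    """Return (rule_name, event_id) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and is_disguised_lnk(ev["path"]):
            findings.append(("disguised_lnk", ev["id"]))
        elif ev["type"] == "process" and is_lnk_style_powershell(ev):
            findings.append(("explorer_hidden_powershell", ev["id"]))
        elif ev["type"] == "network" and is_unexpected_blob_client(ev):
            findings.append(("unexpected_blob_client", ev["id"]))
    return findings


if __name__ == "__main__":
    for rule, event_id in detect(EVENTS):
        print(f"{rule}: event {event_id}")
```

Run against the constructed events, the script flags the double-extension shortcut, the hidden PowerShell launched from explorer.exe, and the unsigned-looking binary in a temp directory talking to blob storage, while the legitimate OneDrive connection and the scripted backup job stay quiet. The blob rule is the weakest of the three on its own, since dead-drop traffic is by design indistinguishable from ordinary Azure use at the network layer; the useful signal is which process originates the connection, which is why a per-process baseline rather than a hostname blocklist is the lever here.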
Source: The Hacker News