Last updated: July 5, 2026 at 9:01 AM UTC
Tag: adaptixc2 (2 articles)

Operation Dragon Weave: China-aligned spear-phishing hits Czech and Taiwan officials with Rust RUSTCLOAK loader and Azure-hosted AdaptixC2

Seqrite Labs has documented Operation Dragon Weave, a China-aligned cyber-espionage campaign targeting government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan. Spear-phishing emails carry ZIP attachments that start one of two infection chains: a malicious LNK file masquerading as a PDF that launches PowerShell, or a self-contained Rust dropper that is run directly. Both chains extract RuntimeBroker_update.exe, which side-loads a malicious UnityPlayer.dll from its own directory to deploy a Rust loader called RUSTCLOAK. RUSTCLOAK decrypts and runs the final payload, an AdaptixC2 agent codenamed AZUREVEIL that uses Microsoft Azure Blob Storage for command-and-control. C2 over a legitimate cloud service blends into ordinary Azure traffic, and the Rust-compiled tooling resists signature matching and static analysis, both of which complicate detection.

Check
Hunt for LNK files masquerading as PDFs (double extensions such as .pdf.lnk, or Shell Link magic bytes under a document name), for RuntimeBroker_update.exe, and for UnityPlayer.dll loading from a directory that is not a Unity installation. Search egress for AdaptixC2 traffic to Azure Blob Storage endpoints (*.blob.core.windows.net) from processes with no business reason to reach Azure. Apply Seqrite's published IoCs.
Affected
Government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan, the sectors Seqrite names as Dragon Weave's targets. Spear-phishing with ZIP attachments is the delivery vector, so any user who can receive and open an external ZIP is in scope.
Fix
Block or quarantine ZIP attachments that contain LNK files at the mail gateway, judging entries by content rather than by extension alone. Restrict PowerShell for standard users (Constrained Language Mode and script block logging at minimum). Hunt for RUSTCLOAK and AZUREVEIL indicators. Alert on anomalous outbound Azure Blob Storage connections, especially from non-browser processes on hosts that do not normally use Azure.
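The gateway rule above is easy to state and easy to get wrong: a check on the file extension alone misses a .lnk renamed to .pdf, and a zip-in-zip hides the entry from a shallow scan. The following is an added example, not code from Seqrite or from the Dragon Weave write-up, that triages a ZIP attachment by magic bytes as well as by name. The entry names and bytes in SAMPLE_MALICIOUS are constructed to mirror the chain described above (an LNK posing as a PDF, a renamed LNK, a PE with the dropper's name); they are not real campaign artifacts, and the extension sets are assumptions you would tune to your environment.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) file header: HeaderSize 0x0000004C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}, both little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PE_MAGIC = b"MZ"            # coarse DOS-header check, adequate for a gateway triage rule
ZIP_MAGIC = b"PK\x03\x04"

# Assumed policy sets; tune to your environment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".lnk", ".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
BLOCK_REASONS = {"lnk_by_magic", "pe_by_magic", "document_masquerade", "extension_mismatch"}
MAX_NESTED_BYTES = 32 * 1024 * 1024


def inspect_zip_attachment(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> list[tuple[str, str]]:
    """Return (entry_name, reason) findings for a ZIP attachment.

    Entries are judged by magic bytes, not only by extension, so renaming a
    .lnk to .pdf does not evade the check; nested ZIPs are inspected too.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                head = fh.read(32)

            # Nested archive: recurse (bounded) so a zip-in-zip cannot hide the LNK.
            if head.startswith(ZIP_MAGIC) and depth < max_depth:
                if info.file_size > MAX_NESTED_BYTES:
                    findings.append((name, "oversize_nested_zip"))
                    continue
                with zf.open(info) as fh:
                    inner = fh.read()
                findings.extend((f"{name}/{n}", r)
                                for n, r in inspect_zip_attachment(inner, depth + 1, max_depth))
                continue

            is_lnk = head.startswith(LNK_MAGIC)
            is_pe = head.startswith(PE_MAGIC)
            if is_lnk:
                findings.append((name, "lnk_by_magic"))
            if is_pe:
                findings.append((name, "pe_by_magic"))
            if last in EXEC_EXTS:
                findings.append((name, "executable_extension"))
            # "Invoice.pdf.lnk": a document extension immediately before an executable one.
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and last in EXEC_EXTS:
                findings.append((name, "document_masquerade"))
            # "scan.pdf" whose bytes are a Shell Link or a PE: the extension lies.
            if last in DOCUMENT_EXTS and (is_lnk or is_pe):
                findings.append((name, "extension_mismatch"))
    return findings


def should_block(findings) -> bool:
    """Gateway verdict: block when any finding is one of the hard reasons."""
    return any(reason in BLOCK_REASONS for _, reason in findings)


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from a name -> bytes mapping (for samples and tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample modelled on the Dragon Weave chain; not real campaign artifacts.
SAMPLE_MALICIOUS = {
    "Invoice_2026.pdf.lnk": LNK_MAGIC + b"\x00" * 60,       # LNK posing as a PDF
    "scan.pdf": LNK_MAGIC + b"\x00" * 60,                   # LNK renamed to .pdf
    "RuntimeBroker_update.exe": PE_MAGIC + b"\x90" * 62,    # PE with the dropper's name
    "notes.txt": b"quarterly figures attached\n",           # benign
}
SAMPLE_BENIGN = {"report.pdf": b"%PDF-1.7\n...", "notes.txt": b"hello\n"}

if __name__ == "__main__":
    for entries in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        findings = inspect_zip_attachment(build_zip(entries))
        print("BLOCK" if should_block(findings) else "ALLOW", findings)
```

The two-byte "MZ" test is deliberately coarse; if you need fewer false positives on text files that happen to start with those letters, read 64 bytes and confirm the PE header offset at 0x3C points inside the file. Encrypted ZIPs defeat content inspection entirely, which is an argument for quarantining them rather than passing them through.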

Tropic Trooper ditches Cobalt Strike for AdaptixC2 - new campaign against Taiwan, South Korea, and Japan uses trojanized SumatraPDF, GitHub C2, and VS Code tunnels for remote access

Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda), a China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan as well as targets in South Korea and Japan, using AUKUS-themed lures. Two changes stand out: a custom AdaptixC2 Beacon listener in place of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and stages the AdaptixC2 agent in memory. Against high-value victims, operators push VS Code and configure a tunnel with the CLI command 'code tunnel user login --provider github', giving them full remote access through Microsoft's tunnel service.

Check
Hunt your fleet for unexpected VS Code tunnel sessions on non-developer endpoints, and block or alert on 'code tunnel user login' from anything other than approved developer accounts.
Affected
Organizations with operations or staff in Taiwan, South Korea, or Japan working on Indo-Pacific security, defense policy, or AUKUS-adjacent topics. Any environment where VS Code is broadly installed (including on non-developer roles) is exposed to the tunnel pivot. The trojanized SumatraPDF binary keeps the original signature structure intact in some samples, so a check for the mere presence of an Authenticode signature is not enough; verify that the signature actually validates and that the hash matches the vendor's published release.
Fix
Block executables masquerading as documents at email and web gateways. Alert on POSTs to the GitHub Issues API from non-developer endpoints; the payload is encrypted, so key on destination, method and volume rather than content. Detect the VS Code tunnel pivot by alerting on 'code tunnel user login' from any account without a documented developer workflow. Audit corporate GitHub OAuth grants. Consider removing VS Code from non-developer endpoints entirely.
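The two detections called out in the Check and Fix sections (the VS Code tunnel launch, and GitHub Issues writes from endpoints that have no business doing them) are shown below as rules run over endpoint process events and proxy records. This is an added example, not code from Zscaler ThreatLabz or from the campaign write-up. The event fields mimic Sysmon-style process creation and a generic TLS-terminating proxy log; the events themselves, the approved developer identities, the developer host names, and the VS Code image names the rule matches are all constructed assumptions for this illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumptions for the example: in production the approved set comes from an IdP group,
# and the image names should reflect what your own telemetry shows for the VS Code CLI.
APPROVED_DEV_USERS = {"corp\\jdoe"}
DEVELOPER_HOSTS = {"dev-ws-01"}
VSCODE_IMAGE_RE = re.compile(r"(^|[\\/])(code|code-insiders|code-tunnel)(\.exe|\.cmd)?$", re.I)
GITHUB_ISSUES_RE = re.compile(r"^/repos/[^/]+/[^/]+/issues(/\d+(/comments)?)?$")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    severity: str
    evidence: str


def _cli_args(command_line: str) -> list[str]:
    """Strip the (possibly quoted, space-containing) image path; return the rest lowercased."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        rest = cl.split(None, 1)[1] if " " in cl else ""
    return rest.lower().split()


def detect_vscode_tunnel(process_events, approved_dev_users=APPROVED_DEV_USERS) -> list[Alert]:
    """Alert on every 'code tunnel ...' launch; high severity outside approved developer accounts."""
    approved = {u.lower() for u in approved_dev_users}
    alerts = []
    for ev in process_events:
        if not VSCODE_IMAGE_RE.search(ev["Image"]):
            continue
        if "tunnel" not in _cli_args(ev["CommandLine"]):   # editor opening a file is not a tunnel
            continue
        severity = "medium" if ev["User"].lower() in approved else "high"
        alerts.append(Alert("vscode_tunnel", ev["Hostname"], ev["User"], severity, ev["CommandLine"]))
    return alerts


def detect_github_issues_c2(proxy_events, developer_hosts=DEVELOPER_HOSTS, beacon_threshold=3) -> list[Alert]:
    """Flag POST/PATCH to the GitHub Issues API from non-developer hosts.

    Repeated writes from one host to one issue path look like beaconing and are raised to high.
    """
    dev_hosts = {h.lower() for h in developer_hosts}
    writes: Counter = Counter()
    user_for: dict = {}
    for ev in proxy_events:
        if ev["host"].lower() != "api.github.com" or ev["method"].upper() not in {"POST", "PATCH"}:
            continue
        if not GITHUB_ISSUES_RE.match(ev["path"]) or ev["hostname"].lower() in dev_hosts:
            continue
        key = (ev["hostname"], ev["path"])
        writes[key] += 1
        user_for[key] = ev.get("user", "")
    return [
        Alert("github_issues_write_from_nondev", host, user_for[(host, path)],
              "high" if n >= beacon_threshold else "medium", f"{n} write(s) to {path}")
        for (host, path), n in sorted(writes.items())
    ]


# Constructed sample telemetry (not real campaign data).
PROCESS_EVENTS = [
    {"Hostname": "fin-ws-07", "User": "CORP\\alee",
     "Image": r"C:\Users\alee\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alee\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel user login --provider github'},
    {"Hostname": "dev-ws-01", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe" tunnel --accept-server-license-terms'},
    {"Hostname": "fin-ws-07", "User": "CORP\\alee",
     "Image": r"C:\Users\alee\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Users\alee\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\Users\alee\Documents\tunnel-notes.md'},
    {"Hostname": "fin-ws-07", "User": "CORP\\alee", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo tunnel"},
]
PROXY_EVENTS = [
    {"hostname": "fin-ws-07", "user": "CORP\\alee", "method": "POST", "host": "api.github.com",
     "path": "/repos/notes-sync/backup/issues/7/comments"},
] * 3 + [
    {"hostname": "fin-ws-07", "user": "CORP\\alee", "method": "GET", "host": "api.github.com",
     "path": "/repos/notes-sync/backup/issues/7/comments"},
    {"hostname": "dev-ws-01", "user": "CORP\\jdoe", "method": "POST", "host": "api.github.com",
     "path": "/repos/corp/app/issues"},
    {"hostname": "fin-ws-07", "user": "CORP\\alee", "method": "POST", "host": "api.github.com",
     "path": "/user/repos"},
]

if __name__ == "__main__":
    for alert in detect_vscode_tunnel(PROCESS_EVENTS) + detect_github_issues_c2(PROXY_EVENTS):
        print(alert)
```

The GitHub rule needs a proxy that terminates TLS, otherwise the path is invisible and the best you can do is key on the api.github.com destination, the client process, and request cadence from hosts outside the developer group. Approved developers still produce a medium alert for tunnel launches on purpose: the Fix section asks for a documented workflow, and a ticket reference is what turns that medium into a closed alert.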