Last updated: July 5, 2026 at 9:01 AM UTC

Operation Dragon Weave: China-aligned spear-phishing hits Czech and Taiwan officials with Rust RUSTCLOAK loader and Azure-hosted AdaptixC2

Seqrite Labs has documented Operation Dragon Weave, a China-aligned cyber-espionage campaign targeting government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan. Spear-phishing emails carry ZIP attachments that trigger one of two infection chains: a malicious LNK file masquerading as a PDF that runs PowerShell, or a self-contained Rust dropper launched directly. Both extract RuntimeBroker_update.exe, which DLL-sideloads a malicious UnityPlayer.dll to deploy a Rust loader called RUSTCLOAK. RUSTCLOAK decrypts and runs the final payload, an AdaptixC2 agent codenamed AZUREVEIL that uses Microsoft Azure Blob Storage for command-and-control. The use of legitimate cloud services for C2 and Rust tooling complicates detection.

Check
Hunt for LNK files masquerading as PDFs, RuntimeBroker_update.exe, and DLL side-loading of UnityPlayer.dll. Search egress for AdaptixC2 traffic to Azure Blob Storage endpoints. Apply Seqrite IoCs.
Affected
Dragon Weave's named targets are government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan. The delivery vector is spear-phishing email carrying ZIP attachments.
Fix
Block ZIP-with-LNK email attachments at the gateway. Restrict PowerShell for standard users. Hunt for RUSTCLOAK and AZUREVEIL indicators. Monitor anomalous outbound Azure Blob Storage connections.
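As an added example, not code from the Seqrite Labs write-up or from this page: a gateway-side triage routine for the ZIP attachments named in the Check and Fix sections. It decides by file content (the Windows shortcut header) rather than by file name, so an LNK named like a PDF is still flagged, and it also flags an executable dropped straight into the archive. The sample archive, its member names, and the function names `classify_member`, `triage_zip`, `should_block` and `build_sample` are constructed for this illustration.

```python
import io
import zipfile

# A genuine Windows shortcut starts with HeaderSize 0x4C (little-endian) followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK). Matching these
# bytes instead of the extension catches renamed and double-extension shortcuts.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"


def classify_member(name: str, data: bytes) -> str:
    """Verdict for one archive member, decided by content rather than extension."""
    lower = name.lower()
    if data.startswith(LNK_MAGIC):
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        # "agenda.pdf.lnk", or an LNK simply named "agenda.pdf", is a document-themed lure
        return "lnk-masquerading" if stem.endswith(".pdf") else "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"  # executable, e.g. a self-contained dropper shipped inside the ZIP
    return "other"


def triage_zip(blob: bytes) -> dict:
    """Map every file inside a ZIP attachment to its verdict."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                verdicts[info.filename] = classify_member(info.filename, zf.read(info))
    return verdicts


def should_block(verdicts: dict) -> bool:
    """Gateway decision: any shortcut or executable inside the archive is enough to hold it."""
    return any(v in ("lnk", "lnk-masquerading", "pe") for v in verdicts.values())


def build_sample() -> bytes:
    """Constructed test archive; names and bytes are illustrative, not campaign artefacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # shortcut posing as a PDF
        zf.writestr("notes.pdf", PDF_MAGIC + b"1.7\n")                   # harmless document
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)                   # stand-in for a dropper
    return buf.getvalue()


if __name__ == "__main__":
    verdicts = triage_zip(build_sample())
    for name, verdict in verdicts.items():
        print(f"{name:28s} {verdict}")
    print("block:", should_block(verdicts))
```

Pair this with the egress checks from the Check section; content-based attachment triage only covers the delivery stage, not the Azure Blob Storage command-and-control that follows.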