Seqrite Labs uncovered a new campaign, Operation Dragon Weave, that delivers a Rust‑based AdaptixC2 implant via sophisticated spear‑phishing ZIP files. The attack uses DLL side‑loading and Azure Blob “dead‑drop” C2, and is part of a broader surge of China‑aligned activity that also includes the TencShell implant and other toolkits such as SteppeDriver and PhiliKit.

A new espionage push hits Europe and East Asia
Security researchers at Seqrite Labs reported a fresh cyber‑espionage campaign they have dubbed Operation Dragon Weave. The group behind the operation, believed to be China‑aligned, has been sending spear‑phishing emails with malicious ZIP attachments to victims in the Czech Republic and Taiwan. Targeted sectors span government, research, academia, technology firms and financial services.
How the infection chain works
The ZIP payload is deceptively organized. When opened, it reveals two possible execution paths:
- Shortcut (LNK) route – The attacker disguises a Windows shortcut as a PDF. Clicking it launches a PowerShell script that extracts an executable named RuntimeBroker_update.exe from an embedded .dat file and runs it.
- Direct binary route – The victim runs a Rust‑compiled dropper directly from the archive, which in turn launches the same RuntimeBroker_update.exe.
Both routes converge on a DLL side‑loading technique. The dropper loads a legitimate‑looking UnityPlayer.dll, which actually pulls in a Rust loader called RUSTCLOAK. RUSTCLOAK performs sandbox checks, decrypts the final payload and starts the AdaptixC2 agent, internally codenamed AZUREVEIL.
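The two routes above share a recognisable archive layout: a shortcut carrying a document-like double extension, a PE image hidden under a harmless extension, and an EXE sitting next to a DLL it can side-load. The following triage script is an added example written for this article, not Seqrite's tooling; it identifies archive members by magic bytes rather than by extension, recurses into nested ZIPs, and flags those patterns. The sample archive it builds is constructed in memory with inert placeholder bytes, and the member names only echo the ones the article mentions.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass

# File-type magic bytes, checked regardless of the member's extension.
MZ_MAGIC = b"MZ"  # PE executables and DLLs
# Shell link header: HeaderSize (0x4C) followed by the LNK CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
ZIP_MAGIC = b"PK\x03\x04"
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
PE_EXTS = (".exe", ".dll", ".scr", ".cpl", ".sys")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate members larger than this (zip-bomb guard)


@dataclass(frozen=True)
class Finding:
    member: str   # path inside the archive; nested archives use the "outer.zip/inner" form
    reason: str


def _findings_for_member(path: str, data: bytes) -> list:
    """Classify one archive member by its content and its name."""
    found = []
    base = posixpath.basename(path.lower())
    stem, ext = posixpath.splitext(base)

    if data.startswith(LNK_MAGIC):
        if ext != ".lnk":
            found.append(Finding(path, "shell link (LNK) content with non-.lnk extension"))
        elif stem.endswith(DOC_EXTS):
            found.append(Finding(path, "shortcut disguised as a document (double extension)"))
        else:
            found.append(Finding(path, "Windows shortcut (LNK) inside archive"))
    elif ext == ".lnk":
        found.append(Finding(path, ".lnk extension but content is not a shell link"))

    if data.startswith(MZ_MAGIC):
        if ext in PE_EXTS:
            found.append(Finding(path, f"PE image ({ext})"))
        else:
            found.append(Finding(path, f"PE image hidden under non-executable extension {ext or '(none)'}"))
    return found


def triage_zip(zip_bytes: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> list:
    """Walk an archive (recursing into nested ZIPs) and return the suspicious members."""
    findings = []
    exe_dirs, dll_dirs = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(Finding(path, "member too large to inspect safely"))
                continue
            data = zf.read(info)
            findings.extend(_findings_for_member(path, data))
            ext = posixpath.splitext(path.lower())[1]
            if data.startswith(MZ_MAGIC):
                (dll_dirs if ext == ".dll" else exe_dirs).add(posixpath.dirname(path))
            if data.startswith(ZIP_MAGIC):
                if depth < max_depth:
                    findings.extend(triage_zip(data, path + "/", depth + 1, max_depth))
                else:
                    findings.append(Finding(path, "nested archive beyond inspection depth"))
    # A PE executable and a DLL in the same directory is the classic side-loading layout.
    for d in exe_dirs & dll_dirs:
        findings.append(Finding(d or "<root>", "EXE and DLL side by side: possible DLL side-loading layout"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout described in the article; every member is inert filler."""
    def pe_stub(tag: bytes) -> bytes:
        return MZ_MAGIC + b"\x90" * 62 + tag  # just enough of a header for the magic check

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update/UnityPlayer.dll", pe_stub(b"dll"))
        z.writestr("update/RuntimeBroker_update.exe", pe_stub(b"exe"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2024.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        z.writestr("payload.dat", pe_stub(b"dat"))
        z.writestr("README.txt", b"Please review the attached invoice.\n")
        z.writestr("update.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```

Content-based checks matter here because the chain relies on extensions lying about content: a .lnk named like a PDF and a PE image stored as .dat both pass an extension-only filter. Feed `triage_zip` the raw bytes of a real attachment from a sandbox or mail gateway hook to get the same findings.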
"When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background," said Priya Patel, senior researcher at Seqrite Labs.
Azure Blob dead‑drop C2
AZUREVEIL does not use a classic push‑based command‑and‑control channel. Instead, it writes data to a Microsoft Azure Blob Storage container that the attacker also monitors. This dead‑drop model means the infected host never directly contacts the attacker’s server, making network detection harder.
"The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide," the lab noted.
The implant supports 36 commands, including:
- File upload/download
- Shell command execution
- Process enumeration and termination
- Port forwarding and SOCKS proxy control
- In‑memory execution of Beacon Object Files (BOFs)
- Remote C2 server management
These capabilities give the adversary full control over the compromised endpoint.
Related China‑aligned activity
Seqrite’s findings appear alongside a wave of other China‑linked operations reported in the last six months:
| Campaign / Tool | Notable Traits | Recent Targets |
|---|---|---|
| TencShell (Cato Networks) | Go‑based implant derived from open‑source rshell; uses Tencent‑styled API impersonation | Indian branch of a global manufacturer |
| SteppeDriver (ESET) | Malware family using ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, MKTDownloader | France, Mongolia, South America |
| PhiliKit (UNC5221) | Passive backdoor for shell/Python/Perl execution; linked to SPAWN suite | Various European NGOs |
| NegativeGlimmer (linked to TGR‑STA‑1030) | DLL side‑loading chain delivering AdaptixC2 or Cobalt Strike; observed in Panama, Cambodia, South Korea | Government and critical‑infrastructure orgs |
ESET’s Jean‑Ian Boutin warned that the South Korean targeting aligns with Beijing’s strategic focus on technologies outlined in the Made in China 2025 policy.
Practical takeaways for defenders
- Inspect ZIP attachments carefully – Look for unexpected LNK files or executables hidden inside archives. Automated sandboxing should be configured to unpack nested files and flag side‑loading patterns.
- Monitor Azure Blob traffic – While Azure is a legitimate service, unusual outbound HTTPS requests to storage endpoints (especially with long, random container names) merit investigation.
- Enforce DLL loading hygiene – Use Windows Defender Application Control (WDAC) or similar policies to restrict which directories can host DLLs for privileged processes.
- Leverage threat‑intel feeds – Indicators of compromise (IOCs) for RuntimeBroker_update.exe, UnityPlayer.dll side‑loads, and the RUSTCLOAK loader are now shared by Seqrite Labs. Adding them to SIEM correlation rules can surface hidden infections.
- Apply layered email defenses – Combine URL‑reputation filtering, attachment sandboxing, and user training that emphasizes “don’t open unexpected ZIP files, even if they appear to contain PDFs.”
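The Azure Blob dead-drop model and the takeaway on monitoring storage traffic both come down to the same question: which hosts are talking to which storage accounts, how often, and do the names look generated. The script below is an added example for this article, not code from Seqrite or any vendor. It parses constructed proxy log lines, groups requests by source host, storage account and container, and raises one alert per group that hits any of four heuristics: an account outside a sanctioned allowlist (the `KNOWN_ACCOUNTS` names are made up), a long high-entropy container name, repeated polling of the same container, and PUT uploads. The thresholds are assumptions to tune against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import urlparse

BLOB_SUFFIX = ".blob.core.windows.net"
KNOWN_ACCOUNTS = {"corpbackup", "corpshare"}  # constructed allowlist of sanctioned storage accounts
LONG_NAME = 20          # container names at or above this length get an entropy check
HIGH_ENTROPY = 3.5      # bits per character; generated names usually sit well above this
POLL_THRESHOLD = 3      # requests from one host to one container within the analysed window

# Constructed proxy log format: timestamp src_ip method url status bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

# Constructed sample: one sanctioned backup job, ordinary web browsing, and a host that keeps
# polling a random-looking container on an unknown account and pushes a result back with PUT.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 10.1.2.3 GET https://corpbackup.blob.core.windows.net/backups/2024/05/db.bak 200 5120
2024-05-02T09:00:02Z 10.1.2.3 GET https://www.example.com/index.html 200 2048
2024-05-02T09:00:05Z 10.1.2.9 GET https://x7q2k9dm4.blob.core.windows.net/a8f3k2lq9z1mv7c4bt6xw0y5ne/tasks.bin 404 0
2024-05-02T09:01:05Z 10.1.2.9 GET https://x7q2k9dm4.blob.core.windows.net/a8f3k2lq9z1mv7c4bt6xw0y5ne/tasks.bin 200 412
2024-05-02T09:01:06Z 10.1.2.9 PUT https://x7q2k9dm4.blob.core.windows.net/a8f3k2lq9z1mv7c4bt6xw0y5ne/result.bin 201 9800
2024-05-02T09:02:05Z 10.1.2.9 GET https://x7q2k9dm4.blob.core.windows.net/a8f3k2lq9z1mv7c4bt6xw0y5ne/tasks.bin 404 0
2024-05-02T09:03:00Z 10.1.2.3 GET https://corpshare.blob.core.windows.net/public/logo.png 200 800
malformed line that should be skipped
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def blob_request(url: str) -> Optional[tuple]:
    """Return (storage_account, container) for an Azure Blob URL, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(BLOB_SUFFIX):
        return None
    account = host[: -len(BLOB_SUFFIX)]
    container = parsed.path.lstrip("/").split("/", 1)[0]
    return account, container


def analyze(lines) -> list:
    """Group blob requests per (source, account, container) and score each group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = blob_request(rec["url"])
        if target is None:
            continue
        groups[(rec["src"],) + target].append(rec)

    alerts = []
    for (src, account, container), recs in groups.items():
        reasons = []
        if account not in KNOWN_ACCOUNTS:
            reasons.append("unsanctioned storage account")
        if len(container) >= LONG_NAME and shannon_entropy(container) >= HIGH_ENTROPY:
            reasons.append("long high-entropy container name")
        if len(recs) >= POLL_THRESHOLD:
            reasons.append(f"repeated polling ({len(recs)} requests)")
        if any(r["method"] == "PUT" for r in recs):
            reasons.append("upload (PUT) to blob storage")
        if reasons:
            alerts.append({"src": src, "account": account, "container": container,
                           "requests": len(recs), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f'{a["src"]} -> {a["account"]}/{a["container"]} ({a["requests"]} req): {", ".join(a["reasons"])}')
```

The sanctioned backup job and the static-asset fetch produce no alert; the polling host does, on all four counts. In a dead-drop model the 404 responses are themselves a signal, since an agent checking an empty mailbox on a schedule will generate them regularly, so a production rule would usually add a periodicity check on the request timestamps per group.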
Where to find more information
- Full technical analysis from Seqrite Labs: Operation Dragon Weave Report
- Cato Networks blog on TencShell: TencShell – A New Go Implant
- ESET’s overview of SteppeDriver: SteppeDriver Threat Brief
- Palo Alto Networks Unit 42 on TGR‑STA‑1030: Unit 42 Report
Staying ahead of these campaigns requires a mix of technical controls, threat‑intel integration, and user awareness. By tightening email gateways, scrutinizing cloud‑storage traffic, and enforcing strict DLL loading policies, organizations can reduce the attack surface that groups like Dragon Weave rely on.
For continuous updates on emerging threats, follow our security newsletter and keep an eye on the Threat Intelligence section of our site.
