Executive Summary
In May 2026, a cyber espionage campaign named Operation Dragon Weave targeted government, research, academic, technology, and financial sectors in the Czech Republic and Taiwan. Attackers employed spear-phishing emails with ZIP attachments containing malicious files. Victims opening these files initiated an infection chain deploying the AdaptixC2 agent, enabling data exfiltration and remote control. The campaign utilized two infection methods: one involving a malicious Windows Shortcut (LNK) file disguised as a PDF, and another using a Rust-based dropper. Both methods led to the execution of a Rust-based loader called RUSTCLOAK, which decrypted and ran the final payload, AZUREVEIL. AZUREVEIL leveraged Microsoft Azure Blob Storage for command-and-control, facilitating stealthy communication between infected systems and attackers. (thehackernews.com)
This incident underscores the evolving sophistication of nation-state cyber threats, particularly those attributed to China. The use of legitimate cloud services like Azure for command-and-control highlights the challenges in detecting and mitigating such attacks. Organizations in targeted sectors should enhance their cybersecurity measures, including employee training on phishing tactics and implementing advanced threat detection systems. (thehackernews.com)
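As an added illustration of the lure described above (this is example code written for this page, not code from the cited reporting or from any vendor), the following Python triages a ZIP attachment in memory and flags entries that are Windows shortcuts named like a PDF, or that carry the Shell Link header behind a document extension. The sample archive, its file names and the surrounding checks are constructed for the example; only the LNK header constant comes from the public Shell Link (`.lnk`) file format.

```python
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian GUID) byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")

# Extensions that execute on double-click; a "document" attachment should never carry them.
EXEC_EXTENSIONS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Document-looking extensions that phishing lures borrow for double-extension names.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _suffixes(name: str) -> list:
    """All lowercase dotted suffixes of an entry name: 'a/Report.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data: bytes) -> list:
    """Inspect a ZIP attachment held in memory; return (entry_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = _suffixes(info.filename)
            last = suffixes[-1] if suffixes else ""
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed for the checks below
            if head == LNK_MAGIC and last != ".lnk":
                # Content says "shortcut" while the name says something else: extension spoofing.
                findings.append((info.filename, "LNK header behind a non-.lnk extension"))
            elif head == LNK_MAGIC and len(suffixes) > 1 and suffixes[-2] in DOC_EXTENSIONS:
                # The classic lure shape: Report.pdf.lnk, shown as "Report.pdf" when extensions are hidden.
                findings.append((info.filename, "Windows shortcut disguised as a document (double extension)"))
            elif last in EXEC_EXTENSIONS:
                findings.append((info.filename, f"executable content type {last} inside attachment"))
    return findings


def build_sample_attachment(include_lures: bool = True) -> bytes:
    """Constructed ZIP for the example: benign text plus (optionally) two shortcut-based lures.

    The lure entries contain only the LNK header plus padding; they are not functional shortcuts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"quarterly figures attached\n")
        if include_lures:
            zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # shortcut named like a PDF
            zf.writestr("brochure.pdf", LNK_MAGIC + b"\x00" * 60)    # PDF name, LNK bytes
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_attachment()):
        print(f"FLAG {name}: {reason}")
```

Running the module prints one finding per lure entry and nothing for the benign file; a mail gateway hook would call `triage_zip` on the decoded attachment bytes and quarantine on any non-empty result. Checking the magic bytes as well as the name matters because the name-based check alone misses an `.lnk` renamed to `.pdf`.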
Why This Matters Now
The Operation Dragon Weave campaign exemplifies the increasing sophistication of nation-state cyber threats, particularly those attributed to China. The use of legitimate cloud services like Azure for command-and-control highlights the challenges in detecting and mitigating such attacks. Organizations in targeted sectors should enhance their cybersecurity measures, including employee training on phishing tactics and implementing advanced threat detection systems.
Attack Path Analysis
The attack began with spear-phishing emails containing ZIP attachments, leading to the execution of a Rust-based loader that deployed the AZUREVEIL malware. This malware utilized Azure Blob Storage for command-and-control, enabling data exfiltration and remote control of compromised systems.
Kill Chain Progression
Initial Compromise
Description
Attackers sent spear-phishing emails with ZIP attachments to targets in the Czech Republic and Taiwan. Opening these attachments initiated the infection chain.
MITRE ATT&CK® Techniques
- Spearphishing Attachment
- Malicious File
- PowerShell
- Ingress Tool Transfer
- Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Anti-phishing mechanisms
Control ID: 5.2.2
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Chinese nation-state espionage directly targets Czech government organizations, using spear-phishing and the AZUREVEIL malware to exfiltrate sensitive data.
Higher Education/Academia
Research institutions face heightened risk from Operation Dragon Weave, which targets academia for intellectual property theft over encrypted command-and-control traffic.
Financial Services
The financial sector is targeted by the campaign's dual-method attack; organizations without east-west traffic controls and egress policy enforcement are the most exposed.
Information Technology/IT
Technology companies are vulnerable to the RUSTCLOAK loader and Azure-based command-and-control, which calls for zero trust segmentation and multicloud visibility controls.
Sources
- China Uses Dual-Method Cyberattack on Czech Orgs: https://www.darkreading.com/threat-intelligence/china-uses-dual-method-attack-czech-taiwan-orgs
- Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2: https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
- China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan: https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial execution of malicious attachments, it could limit the malware's ability to communicate with other workloads, reducing the potential for further compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the malware's ability to exploit elevated privileges by restricting its access to sensitive resources and services.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely constrain the malware's ability to propagate internally by enforcing strict controls on inter-workload communications.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and restrict unauthorized command and control communications, even when leveraging cloud services like Azure Blob Storage.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the malware's ability to exfiltrate data by enforcing strict egress policies and monitoring outbound traffic.
With Aviatrix Zero Trust CNSF, the overall impact of the attack would likely be reduced, as strict segmentation and control measures would limit the attacker's ability to access and exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Government Operations
- Research and Development
- Academic Administration
- Financial Services
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive government documents, research data, academic records, and financial information.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced email filtering to detect and block spear-phishing attempts.
- Deploy endpoint detection and response (EDR) solutions to identify and mitigate malicious loaders like RUSTCLOAK.
- Utilize network segmentation to limit lateral movement within the organization.
- Monitor and control outbound traffic to detect and prevent unauthorized data exfiltration.
- Conduct regular security awareness training to educate employees on recognizing phishing attacks.
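One concrete form of the outbound-traffic monitoring recommended above, added here as example code that is not part of the original report or of any vendor product: parse proxy log lines, map each destination to its Azure Blob storage account, and raise a finding when that account is not on an approved egress list, or when one host sends an unusually large volume to a single account. The log format, host names, process name, storage account names and the volume threshold are constructed assumptions for the example; only the `.blob.core.windows.net` suffix is the real Azure Blob Storage endpoint pattern.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed proxy log lines (not real captures): timestamp host process destination port bytes_out.
SAMPLE_EGRESS_LOG = """\
2026-05-12T09:14:02Z ws-042 outlook.exe corpfiles.blob.core.windows.net 443 18320
2026-05-12T09:15:47Z ws-042 winword.exe corpfiles.blob.core.windows.net 443 2210
2026-05-12T09:16:10Z ws-042 updater.exe b0c7a1e2.blob.core.windows.net 443 412
2026-05-12T09:16:41Z ws-042 updater.exe b0c7a1e2.blob.core.windows.net 443 26214400
2026-05-12T09:17:05Z ws-017 chrome.exe www.example.org 443 950
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dest>\S+) (?P<port>\d+) (?P<bytes_out>\d+)$"
)
BLOB_SUFFIX = ".blob.core.windows.net"  # public Azure Blob Storage endpoint suffix


def parse_egress_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["bytes_out"] = int(ev["bytes_out"])
        events.append(ev)
    return events


def storage_account(dest: str) -> Optional[str]:
    """Return the storage account name for an Azure Blob hostname, else None."""
    if dest.endswith(BLOB_SUFFIX):
        return dest[: -len(BLOB_SUFFIX)]
    return None


def find_unapproved_blob_egress(text: str, allowed_accounts: set,
                                volume_threshold: int = 10 * 1024 * 1024) -> list:
    """Return (host, account, process, reason) findings for Blob Storage egress.

    Two signals: a destination account outside the approved set (C2 hidden in a
    legitimate cloud service), and a large total sent from one host to one account
    (possible exfiltration). The 10 MiB threshold is an assumed tuning value.
    """
    findings = []
    seen = set()
    volume = defaultdict(int)  # (host, account) -> bytes sent
    for ev in parse_egress_log(text):
        acct = storage_account(ev["dest"])
        if acct is None:
            continue  # not Blob Storage; out of scope for this detector
        volume[(ev["host"], acct)] += ev["bytes_out"]
        key = (ev["host"], acct, ev["proc"])
        if acct not in allowed_accounts and key not in seen:
            seen.add(key)  # report each host/account/process triple once
            findings.append((ev["host"], acct, ev["proc"], "storage account not on egress allowlist"))
    for (host, acct), total in volume.items():
        if total >= volume_threshold:
            findings.append((host, acct, None, f"{total} bytes sent to a single storage account"))
    return findings


if __name__ == "__main__":
    for host, acct, proc, reason in find_unapproved_blob_egress(SAMPLE_EGRESS_LOG, {"corpfiles"}):
        print(f"ALERT host={host} account={acct} process={proc}: {reason}")
```

The allowlist is the point: blocking `*.blob.core.windows.net` outright is rarely an option, but an organization normally knows which storage accounts its workloads legitimately use, so egress to any other account is a small, reviewable set of events. The volume check adds a second signal for the approved accounts, where a compromised account or a misuse would otherwise blend in.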