Executive Summary
Operation Dragon Weave is a cyber espionage campaign identified in May 2026, targeting officials and citizens in the Czech Republic and Taiwan. The attackers employed spear-phishing emails with ZIP attachments to initiate an infection chain that utilized a Rust-based loader to deploy the AdaptixC2 agent, known as AZUREVEIL. This agent facilitated data exfiltration and remote control by leveraging Microsoft Azure Blob Storage for command-and-control communications, effectively blending malicious traffic with legitimate cloud activity. The campaign specifically targeted sectors such as government, research, academia, technology, and financial services, indicating a strategic focus on sensitive information.
The use of AdaptixC2 in this campaign underscores a growing trend where open-source penetration testing tools are repurposed by threat actors for malicious activities. This incident highlights the need for organizations to enhance their detection capabilities and adopt proactive defense measures to counter sophisticated attack vectors that exploit legitimate cloud services for covert operations.
Why This Matters Now
The exploitation of legitimate cloud services like Microsoft Azure for command-and-control communications in Operation Dragon Weave demonstrates an evolving threat landscape where attackers increasingly use trusted platforms to evade detection. Organizations must adapt their security strategies to monitor and analyze cloud traffic effectively, ensuring that malicious activities are identified and mitigated promptly.
Attack Path Analysis
Operation Dragon Weave targeted officials and citizens in the Czech Republic and Taiwan through spear-phishing emails containing ZIP attachments. Upon extraction, these archives deployed a Rust-based loader that executed the AdaptixC2 agent, granting attackers remote control and data exfiltration capabilities.
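The Azure Blob Storage C2 channel described above blends in with ordinary storage traffic, so detection has to rest on behaviour rather than destination reputation. The following Python script is an added example, not code from the original report or from any vendor named on this page. It assumes a simple whitespace-separated proxy log format, a hypothetical allowlist of the organisation's own storage accounts (KNOWN_STORAGE_ACCOUNTS) and illustrative thresholds, and flags per-process Blob traffic that either goes to an unknown storage account or shows the near-constant connection interval of a polling loop.

```python
"""Flag beacon-like egress to Azure Blob Storage endpoints in proxy logs.

Added example, not code from the original report. The log format, the
storage-account allowlist and the thresholds are assumptions chosen for
illustration; adapt parse_logs() to your proxy or firewall log schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real telemetry).
# Fields: timestamp  source_host  process  destination_host  bytes_sent
SAMPLE_LOGS = """\
2026-05-03T09:00:00Z ws-fin-07 updater.exe acctx7q.blob.core.windows.net 412
2026-05-03T09:01:00Z ws-fin-07 updater.exe acctx7q.blob.core.windows.net 398
2026-05-03T09:02:01Z ws-fin-07 updater.exe acctx7q.blob.core.windows.net 405
2026-05-03T09:03:00Z ws-fin-07 updater.exe acctx7q.blob.core.windows.net 420
2026-05-03T09:04:00Z ws-fin-07 updater.exe acctx7q.blob.core.windows.net 401
2026-05-03T09:00:12Z ws-fin-07 OneDrive.exe corpstorage01.blob.core.windows.net 1200
2026-05-03T09:17:45Z ws-fin-07 OneDrive.exe corpstorage01.blob.core.windows.net 88000
2026-05-03T10:42:03Z ws-fin-07 OneDrive.exe corpstorage01.blob.core.windows.net 5100
2026-05-03T09:05:00Z ws-fin-07 chrome.exe www.example.com 1500
"""

# Hypothetical allowlist of storage accounts the organisation actually uses.
KNOWN_STORAGE_ACCOUNTS = {"corpstorage01"}
BLOB_SUFFIX = ".blob.core.windows.net"


def azure_blob_account(host):
    """Return the storage-account name for a Blob endpoint, else None."""
    host = host.lower()
    if not host.endswith(BLOB_SUFFIX):
        return None
    account = host[: -len(BLOB_SUFFIX)]
    return account or None


def parse_logs(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, proc, dst, nbytes = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            size = int(nbytes)
        except ValueError:
            continue
        records.append({"time": when, "src": src, "process": proc,
                        "dst": dst, "bytes": size})
    return records


def find_suspicious_blob_traffic(records, min_events=4, max_cv=0.2):
    """Group Blob traffic by (source, process, account) and flag two signals:
    an account outside the allowlist, and near-constant connection intervals
    (coefficient of variation below max_cv), the shape of a beacon/polling loop."""
    groups = defaultdict(list)
    for r in records:
        account = azure_blob_account(r["dst"])
        if account:
            groups[(r["src"], r["process"], account)].append(r["time"])

    findings = []
    for (src, proc, account), times in groups.items():
        times.sort()
        known = account in KNOWN_STORAGE_ACCOUNTS
        periodic = False
        mean_gap = None
        if len(times) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean_gap = mean(gaps)
            if mean_gap > 0 and pstdev(gaps) / mean_gap < max_cv:
                periodic = True
        if not known or periodic:
            findings.append({"src": src, "process": proc, "account": account,
                             "known_account": known, "periodic": periodic,
                             "events": len(times), "mean_interval_s": mean_gap})
    return findings


def detect(text):
    """Parse the log text and return the list of flagged (source, process, account) groups."""
    return find_suspicious_blob_traffic(parse_logs(text))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

The two signals are deliberately independent: a first-seen storage account is worth a look before enough events exist to measure periodicity, and periodic traffic to an allowlisted account can still mean an abused credential. On the constructed sample, the updater.exe traffic to the unknown account is flagged with a mean interval of about 60 seconds, while the OneDrive.exe uploads to the allowlisted account are not.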
Kill Chain Progression
Initial Compromise
Description
Attackers sent spear-phishing emails with ZIP attachments to targets in the Czech Republic and Taiwan. When extracted, these archives contained files that appeared legitimate but initiated a structured infection chain.
MITRE ATT&CK® Techniques
Spearphishing Attachment
Obfuscated Files or Information
Ingress Tool Transfer
Command and Scripting Interpreter: Windows Command Shell
Application Layer Protocol: Web Protocols
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Czech Republic government officials were targeted by the Operation Dragon Weave spear-phishing campaign, which exploited unencrypted traffic; zero trust segmentation is required for protection.
Financial Services
The financial sector faces cyber espionage via AdaptixC2 agents delivered through ZIP attachments, which calls for egress security controls and encrypted-traffic monitoring capabilities.
Higher Education/Academia
Academic institutions are vulnerable to Dragon Weave attacks targeting research data, and need multicloud visibility and anomaly detection to prevent lateral movement.
Information Technology/IT
The technology sector is exposed to China-aligned espionage campaigns leveraging covert tools like AnyDesk, demanding comprehensive threat detection and policy enforcement solutions.
Sources
- China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan: https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html
- Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2: https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
- Backdoor:Win64/AdaptixC2.MKC!MTB threat description, Microsoft Security Intelligence: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor%3AWin64%2FAdaptixC2.MKC%21MTB&ThreatID=2147970599
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely limit the attacker's ability to establish initial footholds by enforcing strict segmentation and access controls.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict identity-based access controls.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the attacker's ability to move laterally by enforcing strict segmentation and monitoring of internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by monitoring and controlling cross-cloud communications.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict outbound traffic policies.
The CNSF would likely limit the overall impact of the attack by containing the threat within a segmented environment, reducing the blast radius and preventing further spread.
Impact at a Glance
Affected Business Functions
- Government Operations
- Research and Development
- Academic Administration
- Financial Services
Estimated downtime: 7 days
Estimated loss: $500,000
Sensitive government documents, proprietary research data, academic records, and financial information.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced email filtering to detect and block spear-phishing attempts.
- Enforce strict application control policies to prevent unauthorized execution of untrusted binaries.
- Deploy endpoint detection and response (EDR) solutions to monitor and respond to suspicious activities.
- Utilize network segmentation to limit lateral movement opportunities for attackers.
- Regularly update and patch systems to mitigate vulnerabilities exploited by malware loaders.