TL;DR
Operation Dragon Weave is a China-linked cyber espionage campaign targeting organizations in the Czech Republic and Taiwan. The attack uses spear-phishing emails, Rust-based malware, and Azure Blob Storage for command-and-control communications. By disguising malicious activity within trusted cloud services, the campaign makes detection more difficult, highlighting the need for strong email security, endpoint visibility, and proactive threat hunting.
Cybersecurity researchers have uncovered a sophisticated cyber espionage campaign known as Operation Dragon Weave, targeting organizations across the Czech Republic and Taiwan. The operation has been attributed to Chinese nation-state threat actors and demonstrates a combination of social engineering, cloud-native command-and-control techniques, and advanced malware delivery mechanisms.
Organizations in government, public services, research institutions, academia, technology, software development, and financial services sectors have been identified as primary targets. The campaign highlights how modern threat actors continue to evolve their tactics to evade traditional security controls while maintaining long-term access to compromised environments.
How Operation Dragon Weave works
Attackers rely on a carefully structured, multi-stage infection chain that combines social engineering, malware delivery, and stealthy command-and-control techniques. The campaign is designed to maximize execution success while minimizing the chances of detection.
Spear-phishing serves as the initial entry point
The attack begins with carefully crafted spear-phishing emails designed to appear legitimate. Victims receive messages containing ZIP file attachments accompanied by believable themes such as business meeting invitations or appointments related to the Czech Social Security Administration.
These lures increase the likelihood of user interaction and help attackers bypass initial suspicion.
Dual infection paths increase success rates
Once the ZIP archive is opened, victims are presented with multiple files that support two separate infection methods.
Path 1: Malicious LNK execution
One infection path relies on a malicious Windows shortcut (LNK) file. When opened, the shortcut launches PowerShell commands that decrypt and execute additional malicious components hidden within the archive.
Path 2: Rust-based dropper
The second path involves a self-contained executable that functions as a Rust-based dropper. This executable performs the malware deployment process directly without requiring additional user interaction.
Although the delivery mechanisms differ, both infection paths ultimately converge on the same execution chain.
RuntimeBroker_update.exe launches the attack chain
Regardless of the initial entry method, the infection process eventually executes RuntimeBroker_update.exe, which loads a malicious DLL file. This DLL acts as a bridge for launching Rustcloak, the campaign’s Rust-based malware loader.
Rustcloak enables stealthy execution
Rustcloak plays a critical role in the operation by preparing the environment before deploying the final payload.
One of its most notable capabilities is its extensive anti-analysis functionality. Researchers observed checks against more than 100 known sandbox environments and analyst machine names. If Rustcloak detects that it is running inside a security research environment, it can alter its behavior or terminate execution entirely.
These anti-analysis techniques significantly reduce the chances of automated malware detection and reverse engineering.
Why Rust-based malware is gaining popularity
Threat actors increasingly favor Rust for malware development because it offers several advantages:
- Cross-platform compatibility
- Strong memory safety features
- Smaller detection footprint
- More complex reverse-engineering challenges
- Efficient performance with low resource consumption
As Rust adoption grows among developers, security teams should expect to encounter more malware families built using the language.
Azureveil uses cloud infrastructure for command and control
After Rustcloak completes its execution phase, the final payload known as Azureveil is deployed.
Azureveil is an Adaptix command-and-control (C2) agent designed to maintain communication with attacker-controlled infrastructure while minimizing detection opportunities.
Microsoft Azure Blob Storage acts as a dead-drop channel
Unlike traditional malware that communicates directly with attacker-owned servers, Azureveil leverages Microsoft Azure Blob Storage as a dead-drop channel.
This approach allows malicious traffic to blend with legitimate cloud communications, making detection significantly more difficult for organizations that rely heavily on cloud services.
Azureveil can:
- Retrieve attacker commands
- Execute instructions on compromised devices
- Upload encrypted beacon data
- Transfer command results
- Exfiltrate sensitive files
Because communications occur through trusted cloud services, conventional network-based detection methods may struggle to identify malicious activity.
Why Operation Dragon Weave matters
Operation Dragon Weave demonstrates several trends commonly seen in modern Chinese cyber espionage campaigns.
Attackers are increasingly combining:
- Social engineering tactics
- Multi-stage malware delivery
- Anti-analysis mechanisms
- Cloud-hosted command-and-control infrastructure
- Stealthy data exfiltration techniques
The campaign also serves as a reminder that a successful cyberattack on Taiwan, or a government-focused espionage operation elsewhere, often begins with a single user interaction.
Security teams should pay particular attention to:
- Unexpected LNK file execution
- Suspicious PowerShell activity
- DLL sideloading behavior
- Cloud storage communications from endpoints
- Unusual outbound data transfers
- Indicators of persistence and credential access
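The watch list above, together with the earlier point that dead-drop traffic to Azure Blob Storage blends in with ordinary cloud usage, can be turned into a small hunting script. The following is an added example written for this article, not code from Hexnode or from the researchers who analysed the campaign. It runs four heuristic checks over constructed endpoint telemetry (process creation, image load and network events; the field names, the `BLOB_ALLOWLIST`, the `SYSTEM_NAMES` list and the sample paths are all assumptions): PowerShell launched from Explorer with hidden or encoded arguments, which is how a malicious LNK typically surfaces; an unsigned DLL loaded from the same user-writable folder as its host binary (sideloading); a binary named like a Windows system process but running outside the Windows directory, as `RuntimeBroker_update.exe` does; and Azure Blob Storage reached by a process that is not a known cloud client.

```python
"""Added example: heuristic hunt over constructed endpoint telemetry for the
behaviours listed in the article. Not the article's or any vendor's code."""
import re
from dataclasses import dataclass

# Assumed allowlist of processes that legitimately reach Azure Blob Storage; tune per environment.
BLOB_ALLOWLIST = {"msedge.exe", "chrome.exe", "firefox.exe", "onedrive.exe", "azcopy.exe", "outlook.exe"}
# Windows binaries whose names are often mimicked; genuine copies live under the Windows directory.
SYSTEM_NAMES = ("runtimebroker", "svchost", "dllhost", "lsass", "csrss")
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads|Users\\Public)\\", re.IGNORECASE)
# PowerShell switches that hide the window, skip policy or carry an encoded command.
PS_FLAGS = re.compile(
    r"(?:^|\s)-(?:enc(?:odedcommand)?|e|w(?:indowstyle)?\s+hidden|ep\s+bypass"
    r"|executionpolicy\s+bypass|nop(?:rofile)?|noni(?:nteractive)?)(?=\s|$)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_powershell(ev):
    """LNK lures usually show up as explorer.exe -> powershell.exe with hidden or encoded args."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    flags = [m.group(0).strip() for m in PS_FLAGS.finditer(ev["cmdline"])]
    if not flags:
        return None
    if basename(ev["parent_image"]) == "explorer.exe" or USER_WRITABLE.search(ev["cmdline"]):
        return Finding("suspicious_powershell", ev["host"], ev["pid"], "flags=" + ",".join(flags))
    return None


def check_sideload(ev):
    """An unsigned DLL loaded from the same user-writable folder as its host binary."""
    if USER_WRITABLE.search(ev["loaded"]) and USER_WRITABLE.search(ev["image"]) and not ev.get("signed", False):
        return Finding("possible_dll_sideload", ev["host"], ev["pid"],
                       f"{basename(ev['image'])} loaded {ev['loaded']}")
    return None


def check_lookalike(ev):
    """A system-process name running outside the Windows directory."""
    name = basename(ev["image"]).removesuffix(".exe")
    if name.startswith(SYSTEM_NAMES) and "\\windows\\" not in ev["image"].lower():
        return Finding("system_binary_lookalike", ev["host"], ev["pid"], ev["image"])
    return None


def check_blob_traffic(ev):
    """Azure Blob Storage reached by something other than a known cloud client."""
    if ev["dest_host"].lower().endswith(".blob.core.windows.net") and basename(ev["image"]) not in BLOB_ALLOWLIST:
        return Finding("cloud_storage_from_unusual_process", ev["host"], ev["pid"],
                       f"{basename(ev['image'])} -> {ev['dest_host']}")
    return None


CHECKS = {
    "process": (check_powershell, check_lookalike),
    "image_load": (check_sideload, check_lookalike),
    "network": (check_blob_traffic, check_lookalike),
}


def hunt(events):
    """Run every applicable check; emit at most one finding per (rule, host, pid)."""
    seen, findings = set(), []
    for ev in events:
        for check in CHECKS.get(ev["type"], ()):
            f = check(ev)
            if f and (f.rule, f.host, f.pid) not in seen:
                seen.add((f.rule, f.host, f.pid))
                findings.append(f)
    return findings


# Constructed sample telemetry (hypothetical paths, account name and pids; not real indicators).
TMP = r"C:\Users\alice\AppData\Local\Temp\invite"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0A"},
    {"type": "process", "host": "ws01", "pid": 4133, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign admin script
    {"type": "image_load", "host": "ws01", "pid": 5208, "image": TMP + r"\RuntimeBroker_update.exe",
     "loaded": TMP + r"\helper.dll", "signed": False},
    {"type": "image_load", "host": "ws01", "pid": 5300, "image": r"C:\Program Files\Acme\acme.exe",
     "loaded": r"C:\Program Files\Acme\acmecore.dll", "signed": True},  # benign
    {"type": "network", "host": "ws01", "pid": 5208, "image": TMP + r"\RuntimeBroker_update.exe",
     "dest_host": "exampleacct.blob.core.windows.net", "dest_port": 443},
    {"type": "network", "host": "ws01", "pid": 6012,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dest_host": "exampleacct.blob.core.windows.net", "dest_port": 443},  # browser, allowlisted
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:38} host={f.host} pid={f.pid} {f.detail}")
```

Against the sample data the script reports four findings, all tied to the two malicious events, and stays silent on the benign inventory script, the signed vendor DLL and the browser's blob traffic. Each check is deliberately a heuristic: the allowlist and the user-writable path pattern are the knobs an analyst would tune against their own baseline before relying on the output, and the dedupe key keeps a chatty process from flooding the list.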
How Hexnode helps defend against advanced threats
Organizations facing sophisticated nation-state threats require strong visibility into endpoint activity, user actions, process behavior, and incident patterns. Since campaigns like Operation Dragon Weave often begin with user interaction and progress through multi-stage execution chains, security teams need enough endpoint context to understand what happened, how the threat moved forward, and which systems may be affected.
Detect suspicious execution chains with Hexnode XDR
Hexnode XDR can help security teams identify suspicious endpoint activity associated with advanced attack campaigns like Operation Dragon Weave. This includes unusual process behavior, script execution patterns, and anomalies surfaced through incident data.
By analyzing process-level activity and correlating events within a device, Hexnode XDR enables security teams to investigate potential threats more effectively. This deeper endpoint context helps analysts understand how suspicious activity unfolds, validate incidents faster, and respond before threats escalate.
Strengthen endpoint security with Hexnode UEM
In addition to detection capabilities, Hexnode UEM helps organizations reduce attack surface exposure through centralized endpoint management.
Key capabilities include:
- Endpoint hardening policies
- Patch and update compliance
- Application control
- Script execution restrictions
- Security configuration enforcement
These controls can help prevent malicious payloads from executing and limit attacker movement within the environment.
Conclusion
Operation Dragon Weave highlights the growing sophistication of modern cyber espionage operations. By combining spear-phishing, Rust-based malware, anti-analysis techniques, and cloud-hosted command-and-control infrastructure, attackers can increase stealth while reducing the likelihood of detection.
Organizations should strengthen email security controls, improve endpoint visibility, and adopt cloud-aware detection strategies to defend against similar campaigns. As nation-state actors continue to evolve their techniques, proactive monitoring and rapid containment capabilities will remain essential components of enterprise security programs.
FAQs
Why do threat actors increasingly use legitimate cloud services in attacks?
Using trusted cloud platforms helps attackers blend malicious traffic with normal business activity, making it harder for security tools and analysts to distinguish harmful communications from legitimate ones.
What role does threat hunting play in defending against advanced cyber campaigns?
Threat hunting helps security teams proactively search for suspicious behaviors that may not trigger traditional alerts, enabling earlier detection of sophisticated threats before significant damage occurs.