
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent.
According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control.
“When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background,” security researcher Priya Patel said.
The attack chain uses two different pathways to launch the final-stage malware. One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document. This leads to the execution of a PowerShell script that’s responsible for extracting an executable (“RuntimeBroker_update.exe”) from an intermediate DAT file and running it.
In the second attack chain, the victim directly launches a binary from the same archive. The binary functions as a self-contained Rust-based dropper to launch “RuntimeBroker_update.exe.” Regardless of the path chosen, the executable loads a malicious DLL (“UnityPlayer.dll”) via DLL side-loading, resulting in the deployment of a Rust-based loader called RUSTCLOAK.
The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2). The loader is designed to perform anti-analysis checks to proceed only if the malware determines that it’s being run within a sandboxed environment.

“The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide,” Seqrite Labs said. “Instead of using a traditional pull-based C2 model, AZUREVEIL follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data.”
AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including file operations, file uploads and downloads, shell command execution, process enumeration and termination, port forwarding, SOCKS proxy control, C2 server management, and in-memory execution of Beacon Object Files (BOFs).
These capabilities grant the attacker complete control over the compromised endpoint. Although the activity has not been attributed to a known threat actor or group, it’s assessed to be China-aligned.
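The two infection paths above share the same set of lure artifacts: a ZIP attachment carrying an LNK named to look like a PDF, an intermediate DAT file, a dropper executable, and a side-loadable DLL (“UnityPlayer.dll”) next to it. The script below is an added example for mail-gateway or triage use and is not Seqrite’s tooling or code from the article: it lists a ZIP attachment, flags shortcut files whose inner extension mimics a document, checks file headers against the claimed extension, and reports EXE/DLL pairs that could be a side-loading bundle. The document-extension list, the single-entry DLL watchlist, and the sample archive it builds are all constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

LNK_MAGIC = b"L\x00\x00\x00"   # first four bytes of a Windows shortcut (header size 0x4C)
PE_MAGIC = b"MZ"               # DOS stub signature of a PE image
# Document extensions an LNK might imitate (assumption: list chosen for this example).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# DLL name cited in the report; a production watchlist would be far longer.
SIDELOAD_DLLS = {"unityplayer.dll"}


def inspect_archive(data: bytes) -> list[str]:
    """Return human-readable findings for a ZIP attachment held in memory."""
    findings: list[str] = []
    exes: set[str] = set()
    dlls: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name.lower()
            ext = PurePosixPath(name).suffix
            with zf.open(info) as fh:
                head = fh.read(4)          # enough bytes for both magic checks
            if ext == ".lnk":
                # "invoice.pdf.lnk" -> inner extension ".pdf": shortcut dressed as a document
                inner = PurePosixPath(name[:-4]).suffix
                if inner in DOC_EXTS:
                    findings.append(f"LNK masquerading as {inner} document: {name}")
                else:
                    findings.append(f"Windows shortcut inside mail attachment: {name}")
            elif head == LNK_MAGIC:
                findings.append(f"LNK header under non-.lnk name: {name}")
            if head[:2] == PE_MAGIC and ext not in {".exe", ".dll"}:
                findings.append(f"PE image under non-executable extension: {name}")
            if ext == ".exe":
                exes.add(name)
            elif ext == ".dll":
                dlls.add(name)
    if exes and dlls:
        findings.append(
            f"EXE shipped with DLL(s), possible side-loading pair: "
            f"{sorted(exes)} + {sorted(dlls)}"
        )
    for d in sorted(dlls & SIDELOAD_DLLS):
        findings.append(f"DLL name matching known side-loading target: {d}")
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any finding fires; callers can quarantine or hold the mail."""
    return bool(inspect_archive(data))


def build_sample_archive() -> bytes:
    """Constructed lure archive mirroring the artifact names from the report.
    Contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2026.pdf.lnk", LNK_MAGIC + b"\x00" * 12)
        zf.writestr("RuntimeBroker_update.exe", PE_MAGIC + b"\x90" * 14)
        zf.writestr("UnityPlayer.dll", PE_MAGIC + b"\x90" * 14)
        zf.writestr("update.dat", b"\x7f" * 16)   # opaque blob, no PE header
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a single PDF-looking file, nothing else."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.7\n%constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

The header checks matter because the extension-based rule alone is easy to evade by renaming; the MZ and LNK magic checks catch a PE stored under a DAT or image name, while the EXE-plus-DLL rule is deliberately loose and meant to raise a triage flag rather than a verdict.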
The disclosure comes as Cato Networks said it detected and blocked an attempted intrusion against the Indian branch of an unnamed global manufacturing customer to deliver TencShell, a previously undocumented Go-based implant derived from the open-source rshell C2 framework.
The attack is believed to be the work of China-nexus threat actors based on the historical use of rshell, Tencent-themed API impersonation, and infrastructure patterns. The initial access vector used in the intrusion is currently unknown.
“If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling,” researchers Idan Tarab, Dr. Guy Waizel, Zohar Buber, and Shani Kurtzberg said.

In a report published last week, ESET said China-aligned threat actors have remained “highly active” globally from October 2025 through March 2026. This includes a previously unreported cluster dubbed SteppeDriver that was first discovered in 2024 and has since targeted entities in France, Mongolia, and South America using tools like ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.
Also identified by the Slovakian cybersecurity vendor is a new toolkit linked to UNC5221 dubbed PhiliKit that acts as a passive backdoor for executing shell commands, Python scripts, and Perl scripts. It’s suspected that PhiliKit is deployed as part of the SPAWN malware suite used by the Chinese hacking group in the past.

A third China-affiliated threat group is NegativeGlimmer, which is believed to share some level of overlap with TGR-STA-1030, a cluster that Palo Alto Networks Unit 42 documented earlier this year as having breached at least 70 government and critical infrastructure organizations across 37 countries over the past year.
In at least one instance observed in December 2025, the threat actor has been found to target a governmental organization in Panama, using a DLL side-loading chain initiated via spear-phishing to deliver a downloader that then deploys AdaptixC2 and simultaneously displays a decoy document to the victim.
Subsequent iterations in January 2026 have swapped out AdaptixC2 in favor of Cobalt Strike, with infections also reported in Cambodia and South Korea.
“The latter targeting in South Korea aligns with Beijing’s enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy,” ESET’s Jean-Ian Boutin said.
