ctipilot.ch

Operation Dragon Weave

campaign · campaign:operation-dragon-weave

Operation Dragon Weave — China-nexus espionage (Czech/Taiwan) with Azure Blob dead-drop C2

Coverage timeline
1
first 2026-06-02 → last 2026-06-02
Peak priority
high
1 high
Sources cited
7
3 hosts
Sections touched
1
deep-dive
Co-occurring entities
1
see Related entities below
ATT&CK techniques
10
pinned v19.1 · see below

ATT&CK techniques

10 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1566Phishing×1

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1566.001Phishing: Spearphishing Attachment×1

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×1

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1574Hijack Execution Flow×1

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL×1

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

Stealth TA0005

T1574Hijack Execution Flow×1

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL×1

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1102Web Service×1

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1102.001Web Service: Dead Drop Resolver×1

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

Story timeline

  1. 2026-06-02Operation Dragon Weave: China-nexus espionage against Czech government with Azure Blob Storage dead-drop C2
    deep-dive

Where this entity is cited

  • deep-dive1

Source distribution

  • attack.mitre.org5 (71%)
  • seqrite.com1 (14%)
  • thehackernews.com1 (14%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Operation Dragon Weave (1)

2026-06-02 · view entry permalink →

HIGH

Operation Dragon Weave: China-nexus espionage against Czech government with Azure Blob Storage dead-drop C2

Seqrite Labs disclosed Operation Dragon Weave on 1 June 2026: a China-linked espionage campaign delivering spearphishing ZIP attachments to government, research, academic, technology and financial-services organisations in the Czech Republic and Taiwan (Seqrite Labs, 2026-06-01 · The Hacker News, 2026-06-01). A January 2026 iteration of the same activity used Cobalt Strike and additionally hit Cambodia and South Korea; the June reporting documents an evolved toolset and is the reason a Czech-government-targeting campaign warrants a Swiss/EU public-sector deep dive — the targeting set (a Central-European EU member's ministries and universities) is directly representative of the threat surface a Swiss federal SOC defends.

Infection chains. Two variants were observed, both arriving as ZIP attachments (T1566.001 Spearphishing Attachment). The first executes a malicious LNK disguised as a PDF, which launches PowerShell (T1059.001 PowerShell) to stage the next component; the second drops and runs a binary directly. In both cases a Rust-based dropper that Seqrite names RUSTCLOAK performs DLL side-loading (T1574.002 DLL Side-Loading) against a legitimate signed executable to load a malicious library, which deploys the final payload, AZUREVEIL.

AZUREVEIL and the dead-drop C2. AZUREVEIL is an agent built on AdaptixC2 — an open-source command-and-control framework increasingly adopted by both red teams and intrusion sets — compiled with 36 post-exploitation commands spanning file operations, shell execution, process management and beacon-object-file (BOF) injection. Its distinguishing feature is the C2 channel: operator commands are routed through Microsoft Azure Blob Storage as a dead-drop resolver (T1102.001 Dead Drop Resolver), with the agent polling and posting to blob endpoints over ordinary HTTPS (T1071.001 Web Protocols). Because traffic terminates at *.blob.core.windows.net, it blends with the legitimate Azure usage of almost any modern enterprise and is allowlisted by most egress proxies — the same "abuse a trusted cloud service for C2" pattern seen this run in the WordPress/Steam campaign (§3) and recurring across recent intrusion sets.

Attribution. Seqrite attributes the activity to a China-based cluster at moderate confidence and names no specific group. The Hacker News's broader China-nexus roundup covers SteppeDriver and UNC5221 as separate actor clusters reported in the same window — these are distinct from Dragon Weave, and neither Seqrite nor The Hacker News connects Dragon Weave to either cluster (The Hacker News, 2026-06-01). Treat the China nexus as the researcher's assessment rather than settled fact, and do not infer a group identity the sources do not assert.

Detection concepts (no IOCs). Hunt for: PowerShell spawned from non-standard parent processes immediately after archive extraction; LNK files masquerading as PDFs in mail-derived paths; signed-binary executions that side-load an unexpected DLL from a writable user-profile directory (Sysmon EID 7 image-load anomalies against a known-good binary); and — the highest-value network concept — outbound HTTPS to blob.core.windows.net from host processes with no legitimate Azure-SDK reason to talk to Blob Storage (browsers, Office, line-of-business apps that are not Azure-native). Baseline which of your hosts legitimately reach Azure Blob Storage and alert on the long tail.

Hardening. Enforce attachment policies that strip or detonate LNK-in-ZIP payloads at the mail gateway; apply WDAC/AppLocker rules that block user-writable-directory DLL side-loading against your signed-application inventory; and, where your environment does not legitimately use Azure Blob Storage, consider egress controls or monitoring that treat *.blob.core.windows.net as a named-service destination rather than blanket-allowlisting the Azure namespace. For estates that do use Azure, scope the allowlist to your own storage-account hostnames rather than the entire blob.core.windows.net wildcard.

threat02 Jun 05:00Zmulti-sourceOpen finding ↗