Operation Dragon Weave — China-nexus espionage (Czech/Taiwan) with Azure Blob dead-drop C2

On 2026-06-01 Switzerland's National Cyber Security Centre published a pre-event advisory warning that the G7 summit in Évian (France, 15–17 June) is a high-value target and that it "expects disruptive maneuvers in cyberspace again" (NCSC Switzerland, 2026-06-01). Although the summit sits on French soil, most delegations transit Geneva Airport and lodge on the Swiss side (Geneva, Vaud, Valais), putting Swiss federal and cantonal administrations, conference-linked suppliers, and Swiss telecom operators in the blast radius. An independently published threat map for the event frames the expected activity against the template of the 2024 Bürgenstock summit, when the pro-Russia hacktivist collective NoName057(16) ran DDoS waves against Swiss federal sites and conference-linked organisations on each summit day; the same map additionally flags state intelligence collection against hotel and telecom infrastructure, rogue-base-station cellular interception, and social-engineering against event staff as plausible vectors (ZENDATA Cybersecurity, 2026-05-03). The NCSC advisory itself recommends generic protective measures and DDoS preparedness for organisations linked to the event.

Why it matters to us: Organisations operating in the Geneva–Vaud corridor and Swiss federal/cantonal SOCs should pre-stage DDoS mitigation playbooks now, review MFA on customer-facing identity providers, rotate administrative credentials before the event window, and brief travelling staff on mobile-device physical security; hunt for anomalous authentication spikes from the summit region and unexpected reattachment events in MDM/MDM-adjacent telemetry around 15–17 June.

Seqrite Labs documented Operation XENOFISCAL, a SideCopy (Transparent Tribe / APT36, Pakistan-attributed) campaign against finance officials across Afghanistan's 34 provincial treasury directorates (Mustoufiats) (Seqrite Labs, 2026-05-29). The chain is the group's long-standing signature — a spear-phishing ZIP carrying a Pashto-language LNK that invokes mshta.exe to pull an obfuscated HTA/JavaScript stage from a compromised education domain, which stages .NET loaders in memory before dropping the publicly available XenoRAT (keylogging, screen capture, remote shell) (The Hacker News, 2026-06-02). Persistence uses a Registry Run key typosquatting Microsoft Edge ("Edgre") plus a Scheduled Task; C2 ran on an EU-hosted bulletproof AS (AS59711) previously tied to the group. ATT&CK: T1566.001, T1218.005 (mshta proxy execution), T1547.001, T1053.005.

Why it matters to us: The victimology is South-Central Asian, but the LNK→mshta.exe→HTA→RAT pattern and the typosquatted-product Run-key persistence are directly transferable hunt content for any public-sector treasury/finance environment: alert on mshta.exe spawning wscript.exe or making outbound HTTP, and on Run-key values that misspell legitimate Microsoft product names.

France's CNIL fined IQVIA Operations France €5 million on 26 May 2026 for systematic GDPR violations across two authorised health data warehouses, LRX (fed by ~14,000 pharmacies) and EMR (fed by thousands of GPs) (CNIL, 2026-05-28). The CNIL enumerated five control failures: (1) IQVIA operated the warehouses outside the scope of its CNIL authorizations — deliberations 2018-289 and 2021-015 approved specific study types, and IQVIA conducted studies beyond those terms (Art. 66 of the French Data Protection Act); (2) patients were not informed that IQVIA acted as a data controller for their prescription data, violating GDPR Art. 14 information obligations; (3) multi-factor authentication was absent from all warehouse access paths; (4) no automated connection-log monitoring or alerting was in place — IQVIA confirmed retrospective deployment only after the CNIL investigation commenced; (5) no network segmentation between the health data warehouse and other IQVIA corporate infrastructure. The fine magnitude reflects the scope — "several tens of millions" of individuals — and IQVIA's market position. A compliance order with a €10,000/day penalty period accompanies the fine. For defenders this ruling operationalises baseline controls now explicitly expected for health data warehouse operations: MFA on all warehouse access paths, automated log alerting, network segmentation between sensitive-data stores and corporate infrastructure, and strict compliance with CNIL authorization scope for each study type conducted.

Unit 42 documents (2026-05-22) systematic nation-state operationalisation of ROADtools — the open-source Python Entra ID attack/defence framework hosted at github.com/dirkjanm/ROADtools — by three named clusters: Cloaked Ursa / Midnight Blizzard / APT29 / NOBELIUM (Russia), Curious Serpens / Peach Sandstorm / APT33 (Iran) and UTA0355 (Russian state-affiliated) (Unit 42, 2026-05-22). The chain begins with credential compromise (password spray or OAuth device-code phishing — see § 1 Kali365), then uses roadtx to register attacker-controlled devices in the victim's Entra ID tenant, establishing persistence via a Primary Refresh Token bound to a registered device. The roadrecon module performs systematic directory enumeration via legacy Azure AD Graph API calls — now also ported to the msgraph branch — targeting users, groups, service principals, application permissions and OAuth token grants.

MITRE ATT&CK techniques mapped explicitly by Unit 42: T1098.005 (Account Manipulation: Device Registration), T1550 (Use Alternate Authentication Material), and T1087 (Account Discovery via Microsoft Graph API). The device-PRT-binding step functionally bypasses tenant MFA — the brief leaves the explicit T1556.006 framing off since Unit 42 does not map it that way; defenders running custom ATT&CK overlays may want to add it themselves. Volexity's April 2025 OAuth device-code paper is the historical background for the device-code half of the chain. Detection vantage: monitor Entra ID audit logs for Add device events from unfamiliar device names or from IPs not in expected employee geographies; alert on sign-in logs carrying the roadtx user-agent string or unexpected https://login.microsoftonline.com/common/oauth2/token device-code grant flows; review Microsoft Graph Activity Logs for bulk GET /users, GET /groups and GET /servicePrincipals calls clustered by time. Hardening: enforce Conditional Access token-protection (token binding renders stolen tokens non-transferable across devices); restrict device registration to compliant or hybrid-joined devices only; enforce Privileged Access Workstation policy for admin token issuance; block Azure AD Graph via blockLegacyAuthentication. Midnight Blizzard has a documented pattern of targeting EU diplomatic corps and government Microsoft 365 tenants, so the relevance to Swiss federal and EU institution Entra estates is direct.

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). Led by French and Dutch investigators through a Eurojust joint investigation team established in November 2023, the operation seized more than 33 servers distributed across 27 countries (server-host count); 16 nations participated through Europol's Joint Cybercrime Action Taskforce; 7 nations sat on the Eurojust-led JIT, including Switzerland, France, Netherlands, Luxembourg, Romania, Ukraine, and the UK — signalling fedpol/GovCERT.ch operational involvement. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users distributed to partner agencies; Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and broader ransomware, fraud, and data theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.

UPDATE (originally covered 2026-W21): West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion (SEC EDGAR 8-K/A, 2026-05-20). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.

Microsoft assigned CVE-2026-42822 (CVSS 3.1 = 10.0, CWE-287 Improper Authentication, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO) — Microsoft's solution for running Azure services in air-gapped or partially-disconnected infrastructure environments — that allows an unauthorised network attacker to elevate privileges over a network with no credentials and no prior foothold (Microsoft MSRC, 2026-05-18). MSRC rates "Exploitation More Likely"; no in-the-wild exploitation observed and no public PoC at advisory release. Cloud-managed Azure customers using Microsoft-operated Resource Manager environments are already protected — only manually-operated air-gapped Azure Local stacks need action. Remediation requires upgrading ALDO to version 2604 or later via the standard ALDO update channel. Defender takeaway: EU public-sector operators running Azure Local for data-sovereignty / federal data-residency compliance (a common pattern in Bundesverwaltung and German Bundesbehörden environments) should treat this as a Patch-Tuesday-class emergency on disconnected infrastructure where update cadence is typically slower than cloud-managed Azure. Restrict the ALDO management plane to admin-only OOB subnets until v2604 is installed.

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.

Microsoft assigned CVE-2026-42822 (CVSS 10.0, CWE-287 Improper Authentication, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO), rated "Exploitation More Likely." ALDO is the air-gapped/sovereign-cloud deployment mode that public-sector and regulated operators specifically choose for data-residency reasons — so this CVSS-10 bug lands squarely on the deployments most likely to hold sensitive workloads. No confirmed exploitation; treat as a high-priority patch given the "More Likely" rating and the sovereign-deployment exposure.

West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing facilities, with the data investigation still ongoing. Closing the loop on the W20 disclosure: the manufacturing-line continuity risk this audience was tracking has resolved; the residual is the data-scope determination.

Unit 42 documented systematic nation-state operationalisation of the open-source ROADtools Entra ID framework by Midnight Blizzard, Curious Serpens and UTA0355 for device registration, token theft and tenant enumeration (daily 2026-05-23). This is the most broadly relevant item in the section — every M365/Entra tenant is in scope. Hunt for unexpected device-registration events, anomalous service-principal token requests, and ROADtools-characteristic enumeration patterns; tighten conditional-access on device-registration and review legacy-auth exposure.

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers with the user database captured; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.

Following the 2026-05-04 Rocket backend DB leak (attributed to a breach of hosting provider 4VPS), administrator zeta88 / hastalamuerte announced a full communications-infrastructure overhaul — new NAS deployment and new locker upgrades — signalling no intent to cease operations. The operation maintained ~332 victims in H1 2026, ranking second in global RaaS activity per Check Point Research. Check Point documented initial access via CVE-2024-55591 (FortiOS management interface auth bypass, ITW since November 2024) and CVE-2025-32433 (Erlang SSH in Cisco context); post-access chain includes RelayKing-based NTLM relay (CVE-2025-33073), AD enumeration, EDR disablement, and GPO-deployed locker (Check Point Research; Check Point blog; daily 2026-05-14 UPDATE).

Bedrock Safeguard (Canadian security firm) published a working decryptor on 2026-05-14 exploiting Go's failure to zero XChaCha20 / X25519 ephemeral private-key material from goroutine stacks post-use; 35/35 files decrypted in testing. The operator claims to have patched the binary, so the decryptor capability is best-case retrospective; affiliates show no evidence of forking, and the core nine-person structure remains intact per leaked chats (Bedrock Safeguard decryptor). Defender takeaway: for any Gentlemen-impacted Go-binary host, attempt process-memory dump capture for ephemeral key recovery before reimaging; verify FortiOS patch state on CVE-2024-55591 across every Swiss / EU public-sector Fortinet deployment (the FortiOS bug is the documented initial-access primary, and the W19 long-running record already lists this CVE).

West Pharmaceutical Services Inc. (NYSE: WST), a US-headquartered global manufacturer of drug-delivery and packaging components, filed a Form 8-K on 2026-05-11 disclosing a material cybersecurity incident under Item 1.05 (SEC EDGAR — WST 8-K, 2026-05-11). The filing states that detection occurred on May 4 2026, materiality was determined May 7, and that "certain data was exfiltrated by an unauthorized party and certain systems were encrypted" — terminology consistent with a T1486 Data Encrypted for Impact plus T1041 Exfiltration Over C2 Channel double-extortion ransomware pattern. The company took global systems offline, activated incident response, notified law enforcement and engaged external forensics; core enterprise systems are restored, shipping/receiving/manufacturing are partially restarted at some facilities, and full restoration timeline and material financial impact remain undetermined. No threat actor has claimed responsibility publicly at time of filing.

Defender takeaway: A double-extortion event against an OT-adjacent pharmaceutical packaging manufacturer is a high-supply-chain-risk template — West Pharma's elastomeric closures, vials and drug-delivery devices feed European biopharma packaging lines including those of national-formulary suppliers. EU public-sector procurement teams handling pharmaceutical resilience plans should validate continuity-of-supply with downstream vendors that source closures or delivery devices from West. Detection pivot for analogous targets: large-volume SMB enumeration, VSSAdmin / WBEM shadow-copy deletion (T1490 Inhibit System Recovery), and abnormal DLP egress volume in the days preceding encryption — the encryption event is rarely the first indicator if logs are retained.

For any NIS2 / KRITIS-DachG / CER essential-entity SOC: measure SIEM / XDR coverage by hostname inventory rather than by sensor-licence count. The South Staffordshire 5% finding is what the ICO judged as inadequate for a water OES; with NIS2 transposition in force across the EU and KRITIS-DachG live in Germany, regulators are now armed with a concrete UK precedent for what "proportionate technical measures" failure looks like in court. Practical first step: pull a list of every Active Directory–joined host from AD; cross-reference against the EDR / SIEM source list; flag the delta. The delta is what the ICO would call the gap.

W1 horizon research identified an in-window operator gap the daily briefs missed. "The Gentlemen" emerged in August 2025 and per ZeroFox surged to the second- or third-most-active ransomware operation globally in Q1 2026 — 192 attacks that quarter, a approximately 448% QoQ increase, 32% of Q1 2026 victims in Europe (up from 2% in Q4 2025) (ZeroFox Q1 2026 Wrap-Up, 2026-04-17). Check Point Research's DFIR report on the operator confirms the post-compromise tradecraft observed during a single incident-response engagement: Cobalt Strike delivered via RPC from a Domain Controller; Mimikatz for credential harvesting; GPO abuse to inject a scheduled task into Group Policy that propagates the encryptor to all domain-joined systems near-simultaneously (compressing time-to-encryption to minimise IR response window); SystemBC SOCKS5 C2 tunnelling and covert payload staging; encryption using X25519 Diffie–Hellman key exchange per file combined with XChaCha20 stream cipher, per-file ephemeral key pair with a random 32-byte private key (Check Point Research DFIR Report, 2026-04-20 · BleepingComputer — The Gentlemen + SystemBC, 2026-04-20). CPR explicitly states the precise initial-access vector could not be conclusively determined for the engagement it analysed; broader reporting attributes initial access to a FortiOS / FortiProxy attack surface that includes CVE-2024-55591 (authentication bypass, CVSS 9.8 — patched January 2025), with secondary reporting describing an operator database of pre-exploited devices and brute-forced VPN credentials primed for deployment — defenders should treat patch-state-alone as insufficient if the device was unpatched against CVE-2024-55591 at any point during the exposure window.

European victims surfaced in BleepingComputer's SystemBC coverage and in quarterly leak-site aggregation include Oltenia Energy Complex (Romania — described as a significant portion of national electricity supply, December 2025) and The Adaptavist Group; Comparitech's Q1 2026 healthcare roundup attributes 10 healthcare-sector claims to the operator in the quarter; the operator's leak-site footprint and the absence of an "off-limits" sector convention make hospitals, water utilities, and similar critical-infrastructure targets in-scope. The cross-finding with this week's other concerns: GPO-injected scheduled-task propagation defeats backup-isolation defences if the AD environment is in the encryption path; if the operator's initial-access funnel includes unpatched FortiGate devices, that surface intersects directly with the Polish water-OT NIS2 coverage-gap framing (§ 4, § 6) since small municipal CI operators are over-represented in the unpatched-FortiGate population. Defender priorities for 2026-W20: hunt scheduled tasks in SYSVOL pointing to UNC paths or temp directories; profile SystemBC SOCKS5 beacons; add XChaCha20 file-header pattern detection at backup / DLP tier; re-verify FortiGate patch state against CVE-2024-55591 and any later FortiOS / FortiProxy auth-bypass advisories.

A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.

The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors, they are graduates of a structured technical-intelligence training stream with measurable annual throughput.