Flash Briefing · high · Finance, Critical Infrastructure, Communications

Operation Dragon Weave: China-Linked APT Abuses Azure Blob Storage as C2 to Target European Governments and Finance

Seqrite researchers have published analysis of Operation Dragon Weave, a targeted espionage campaign assessed with moderate confidence to be linked to a China-based threat actor. The campaign has been active since at least January 2026 and targets government officials, research institutions, financial services organisations, and technology sector entities in the Czech Republic and Taiwan. The campaign’s primary objective is data exfiltration and persistent remote access, delivered via a custom C2 agent that uses Microsoft Azure Blob Storage as its command channel — a technique designed to make adversary traffic indistinguishable from routine enterprise cloud activity.

Technical Profile

The initial access vector is spear-phishing: targets receive ZIP-compressed emails containing a malicious Windows Shortcut (LNK) file disguised as a PDF document. Opening the LNK triggers a Rust-based loader that retrieves and executes the final payload in memory, minimising artefacts on disk.
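The delivery chain described above (a ZIP attachment carrying a Windows Shortcut that masquerades as a PDF) is the point where a mail gateway or endpoint policy can intervene. The following Python is an added example written for this briefing, not code from Seqrite's report: it inspects every member of a ZIP attachment and flags high-risk extensions, "document.pdf.lnk"-style decoy names, and, independently of the file name, content that begins with the LNK header (the fixed 0x4C header size followed by the shortcut CLSID 00021401-0000-0000-C000-000000000046). The archive it scans is constructed in memory for demonstration; the extension sets are illustrative choices for this example.

```python
import io
import zipfile

# Bytes every Windows Shortcut starts with: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions that execute by association and have no place in a "document" archive
# (illustrative set chosen for this example).
HIGH_RISK_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat"}

# Document extensions that attackers imitate with a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_entry(name: str, data: bytes) -> list[str]:
    """Return the reasons (possibly none) an archive member should be treated as high-risk."""
    reasons = []
    lowered = name.lower().rsplit("/", 1)[-1]  # ignore any directory prefix inside the ZIP
    parts = lowered.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in HIGH_RISK_EXTENSIONS:
        reasons.append(f"high-risk extension {ext}")
    # "Invoice.pdf.lnk": a document extension sits directly before the real one.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append("document extension used as a decoy")
    # Content check catches a shortcut even when the name does not end in .lnk.
    if data.startswith(LNK_MAGIC):
        reasons.append("LNK header magic present")
    return reasons


def scan_zip(archive: bytes) -> dict[str, list[str]]:
    """Scan every member of a ZIP attachment; returns {member_name: reasons} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first 20 bytes are needed for the header check.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample ZIP standing in for a phishing attachment (not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Meeting_Agenda.pdf", b"%PDF-1.7\n% harmless placeholder document\n")
        # Decoy name plus a genuine LNK header; the remainder is zero-filled filler.
        zf.writestr("Meeting_Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # Shortcut renamed to hide its type: only the content check catches this one.
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_attachment()).items():
        print(f"FLAG {member}: {', '.join(reasons)}")
```

Reading only the first 20 bytes of each member keeps the check cheap enough to run inline at a gateway, and the content test is what matters: a shortcut renamed to `readme.txt` still opens as a shortcut on Windows once extracted.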

The primary payload — designated AZUREVEIL by Seqrite — is a fully featured AdaptixC2 agent compiled with 36 post-exploitation commands including in-memory execution of Beacon Object Files (BOFs). The defining characteristic of AZUREVEIL is its C2 architecture: both the attacker and the infected host communicate via the same Azure Blob Storage container, with neither side maintaining a direct connection to the other. The malware polls a controlled Azure container for instructions and deposits output to the same location, generating network traffic that is structurally identical to legitimate Microsoft 365 and Azure activity — and thus invisible to perimeter controls that trust cloud provider traffic by default.

More recent iterations of the campaign observed from January 2026 onwards have substituted AdaptixC2 with Cobalt Strike, and have extended targeting to Cambodia and South Korea, suggesting the operation is broadening geographically. The shift to Cobalt Strike may reflect operational flexibility — using commercially available tooling to complicate attribution — while AZUREVEIL remains in active use against primary targets.

Context and Attribution

The targeting pattern — European government and research institutions alongside Taiwan-based financial and technology entities — is consistent with China-affiliated collection priorities. The Czech Republic has been a recurring target of Chinese state-sponsored cyber activity, reflecting Prague’s policy alignment with democratic partners and its role in European defence coordination. Taiwan’s financial and technology sectors are standing priority targets for China-linked actors.

The use of legitimate cloud infrastructure as a C2 layer is a documented evasion technique increasingly adopted across APT groups. Microsoft Azure, Google Cloud, and GitHub have all been abused as C2 channels in separate campaigns. Defenders relying on domain or IP blocklists will not detect this pattern without behavioural analysis of outbound cloud storage access.

Sector Implications

Financial services: Targeted directly. Organisations with operations or partnerships in the Czech Republic or Taiwan should review their spear-phishing exposure and treat LNK-bearing email attachments as high-risk delivery mechanisms.

Government and critical infrastructure: Czech and Taiwanese government entities are primary targets. Broader European government organisations should note that campaign scope has expanded previously and may do so again.

Research and academia: Targeted alongside commercial entities, consistent with Chinese intelligence collection of scientific and strategic research.

  • Block LNK execution from archive attachments at the email gateway and endpoint policy level — Group Policy can prevent LNK execution from temporary or archive extraction paths
  • Audit Azure Blob Storage access patterns from endpoints: legitimate applications connect to known, consistent containers; AZUREVEIL access will appear as connections to unfamiliar container endpoints from unexpected processes
  • Enable process-level cloud storage monitoring: identify which processes are initiating Azure Blob API calls, and alert on calls from processes outside the expected application set
  • Review spear-phishing training to specifically cover LNK files disguised as documents — a recurring technique that remains highly effective against unaware users
  • Check for AdaptixC2 indicators: Seqrite’s report includes YARA rules and IOCs; threat hunting teams should run these against EDR telemetry
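The second and third recommendations above, together with the note in Context and Attribution that blocklists cannot catch this pattern, call for a behavioural check: which processes reach Azure Blob Storage, which storage accounts they reach, and whether the traffic looks like a dead drop (the same process both reading from and writing to one container on a steady cadence, as the briefing describes for AZUREVEIL). The Python below is an added example for this briefing, not Seqrite's code or a vendor rule. It runs over constructed endpoint telemetry (one JSON object per outbound HTTPS request) against an illustrative per-process baseline; the process paths, storage account names and container names are placeholders, not indicators from the campaign.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hostname shape of an Azure Blob Storage endpoint: <storage account>.blob.core.windows.net
BLOB_HOST = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")

# Illustrative baseline (constructed for this example): process image name -> storage accounts
# it is expected to reach. A real baseline is derived from the organisation's own telemetry.
ALLOWLIST = {
    "onedrive.exe": {"contosofiles"},
    "backupagent.exe": {"contosobackup01"},
}

# Constructed endpoint telemetry. Account names, paths and the temp-path process are placeholders.
SAMPLE_EVENTS = r"""
{"ts":"2026-02-03T10:00:05Z","host":"WS-014","process":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","method":"GET","dest":"contosofiles.blob.core.windows.net","path":"/userdata/doc1.docx"}
{"ts":"2026-02-03T10:07:40Z","host":"WS-014","process":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","method":"PUT","dest":"contosofiles.blob.core.windows.net","path":"/userdata/doc2.xlsx"}
{"ts":"2026-02-03T10:25:12Z","host":"WS-014","process":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","method":"GET","dest":"contosofiles.blob.core.windows.net","path":"/userdata/doc3.pptx"}
{"ts":"2026-02-03T10:30:00Z","host":"WS-014","process":"C:\\Program Files\\BackupAgent\\backupagent.exe","method":"PUT","dest":"contosobackup01.blob.core.windows.net","path":"/backups/ws-014.bak"}
{"ts":"2026-02-03T10:31:00Z","host":"WS-014","process":"C:\\Program Files\\BackupAgent\\backupagent.exe","method":"PUT","dest":"contosoarchive.blob.core.windows.net","path":"/backups/ws-014.bak"}
{"ts":"2026-02-03T10:12:00Z","host":"WS-014","process":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","method":"POST","dest":"login.microsoftonline.com","path":"/common/oauth2/v2.0/token"}
{"ts":"2026-02-03T10:00:00Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"GET","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.bin"}
{"ts":"2026-02-03T10:01:00Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"GET","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.bin"}
{"ts":"2026-02-03T10:02:01Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"GET","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.bin"}
{"ts":"2026-02-03T10:02:30Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"PUT","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.out"}
{"ts":"2026-02-03T10:03:00Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"GET","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.bin"}
{"ts":"2026-02-03T10:04:01Z","host":"WS-014","process":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\7zO4F2A\\update.exe","method":"GET","dest":"placeholderacct.blob.core.windows.net","path":"/tasks/WS-014.bin"}
"""


def parse_events(raw: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def to_epoch(ts: str) -> float:
    """ISO-8601 timestamp with a trailing Z -> seconds since the epoch."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def analyse(events: list[dict], allowlist: dict = ALLOWLIST, min_polls: int = 4, max_jitter: float = 0.2) -> list[dict]:
    """Group Blob requests by (host, process, account, container) and report groups outside the baseline.

    For each unexpected group, also note dead-drop behaviour (GET and PUT against the same container)
    and regular polling (at least min_polls GETs whose interval jitter, stdev/mean, is <= max_jitter).
    """
    groups = defaultdict(list)
    for ev in events:
        match = BLOB_HOST.match(ev["dest"].lower())
        if not match:
            continue  # not Azure Blob traffic; out of scope for this check
        account = match.group("account")
        container = ev["path"].strip("/").split("/", 1)[0] or "$root"
        image = re.split(r"[\\/]", ev["process"])[-1].lower()
        groups[(ev["host"], image, account, container)].append(ev)

    findings = []
    for (host, image, account, container), reqs in sorted(groups.items(), key=lambda kv: kv[0]):
        expected = allowlist.get(image)
        if expected is not None and account in expected:
            continue  # baseline traffic: known process talking to one of its known accounts
        reasons = ["unexpected process" if expected is None else "unfamiliar storage account"]
        methods = {r["method"].upper() for r in reqs}
        if {"GET", "PUT"} <= methods:
            reasons.append("reads and writes the same container (dead-drop pattern)")
        polls = sorted(to_epoch(r["ts"]) for r in reqs if r["method"].upper() == "GET")
        if len(polls) >= min_polls:
            gaps = [b - a for a, b in zip(polls, polls[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"regular polling every ~{round(mean)}s")
        findings.append({"host": host, "process": image, "account": account, "container": container, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']} {f['process']} -> {f['account']}/{f['container']}: {'; '.join(f['reasons'])}")
```

The baseline is the expensive part in practice: the allowlist has to be built from the organisation's own telemetry before the unexpected-process and unfamiliar-account signals mean anything, and a new storage account reached by a sanctioned backup agent (the `contosoarchive` case above) is a change-control question rather than an incident. The dead-drop and cadence signals are what separate a misconfigured sync client from the polling behaviour the briefing attributes to AZUREVEIL.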