Operation Dragon Weave Tunnels C2 Through Azure Storage
Key insights
- AZUREVEIL routes all command-and-control through Microsoft Azure Blob Storage, disguising malicious traffic as legitimate enterprise cloud activity.
- The infection chain uses two pathways, a malicious LNK file and a Rust-based dropper, both converging on DLL side-loading via UnityPlayer.dll.
- Related implant TencShell, targeting an Indian manufacturing facility, extends China-nexus APT activity beyond the Czech Republic and Taiwan targets.
Why this matters
Security teams that allowlist Microsoft Azure egress traffic as inherently trusted have no native signal that AZUREVEIL's dead-drop C2 is present, meaning standard perimeter and network defenses fail against this technique without behavioral monitoring layered on top. The simultaneous targeting of Czech Republic and Taiwan's government, research, and financial sectors points to active strategic intelligence collection in two geopolitically contested regions, with direct implications for NATO allies and Indo-Pacific partners tracking Chinese espionage priorities. ESET's concurrent documentation of SteppeDriver, UNC5221, and NegativeGlimmer operations across Panama, Cambodia, and South Korea reveals that Chinese APT activity has scaled to simultaneous multi-continent campaigns, stretching defenders across more theaters than most individual organizations can cover.
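The behavioural signal described above (trusted-cloud egress that no allowlist can distinguish from a dead drop) can be surfaced from ordinary proxy logs. The script below is an added illustration, not Seqrite's or ESET's tooling: it parses constructed proxy log lines, reports Azure Blob Storage accounts that are absent from an assumed organisational inventory (`KNOWN_ACCOUNTS`), and flags client/account pairs whose GET polling cadence is near-constant, which is what an agent fetching a tasking blob on a timer looks like. The storage account names, client addresses and paths are constructed sample values.

```python
"""Hunt for dead-drop style C2 hidden in Azure Blob Storage traffic.

Added example (not from the Seqrite or ESET reporting). It scans constructed
proxy log lines for hosts talking to *.blob.core.windows.net accounts that are
not in the organisation's inventory, and flags clients that poll such an
account at a near-fixed interval, the behavioural signal a plain "Azure is
trusted" allowlist never produces.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Storage accounts the organisation actually owns or uses (assumed inventory).
KNOWN_ACCOUNTS = {"corpbackup01", "hrdocsprod"}

# Constructed proxy log lines: timestamp, client, method, host, path, status.
SAMPLE_LOGS = """\
2024-05-02T09:00:00 10.1.4.23 GET corpbackup01.blob.core.windows.net /backups/2024-05-01.tar 200
2024-05-02T09:00:10 10.1.4.57 GET zq7kx2tasks.blob.core.windows.net /tasks/agent-01.bin 200
2024-05-02T09:01:10 10.1.4.57 GET zq7kx2tasks.blob.core.windows.net /tasks/agent-01.bin 404
2024-05-02T09:02:10 10.1.4.57 GET zq7kx2tasks.blob.core.windows.net /tasks/agent-01.bin 200
2024-05-02T09:02:15 10.1.4.57 PUT zq7kx2tasks.blob.core.windows.net /results/agent-01.bin 201
2024-05-02T09:03:10 10.1.4.57 GET zq7kx2tasks.blob.core.windows.net /tasks/agent-01.bin 200
2024-05-02T09:04:10 10.1.4.57 GET zq7kx2tasks.blob.core.windows.net /tasks/agent-01.bin 404
2024-05-02T09:30:00 10.1.4.23 GET hrdocsprod.blob.core.windows.net /policies/leave.pdf 200
2024-05-02T11:12:33 10.1.4.88 GET vendorshare9.blob.core.windows.net /pub/brochure.pdf 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[a-z0-9]+)\.blob\.core\.windows\.net (?P<path>\S+) (?P<status>\d{3})$"
)


def parse(lines):
    """Yield one dict per line that targets Azure Blob Storage; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d


def unknown_accounts(events, known=KNOWN_ACCOUNTS):
    """Map each storage account missing from inventory to the clients using it."""
    out = defaultdict(set)
    for e in events:
        if e["host"] not in known:
            out[e["host"]].add(e["client"])
    return dict(out)


def beaconing(events, min_events=4, max_jitter_ratio=0.15):
    """Return (client, account, avg_gap_s) for near-constant GET polling.

    A dead-drop agent fetches its tasking blob whether or not a task is waiting
    (hence the 404s in the sample), so the spacing between requests is tight.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "GET":
            by_pair[(e["client"], e["host"])].append(e["ts"])
    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((client, host, round(avg, 1)))
    return hits


def analyse(log_text=SAMPLE_LOGS):
    """Run both checks over a log text and return the findings."""
    events = list(parse(log_text))
    return {
        "unknown_accounts": unknown_accounts(events),
        "beaconing": beaconing(events),
    }


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(name, finding)
```

Run on the sample, the inventory check isolates two accounts nobody owns, and only one of them also shows a fixed 60-second polling rhythm from a single client; that intersection is the host to pull for triage, while the one-off download from the second account is ordinary vendor traffic and stays below the threshold.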
Summary
Seqrite Labs has uncovered Operation Dragon Weave, a China-linked espionage campaign targeting government, research, and technology sectors in the Czech Republic and Taiwan.
Attackers deliver spear-phishing ZIPs along two paths: a malicious Windows Shortcut file disguised as a PDF that triggers a PowerShell chain, and a direct Rust-based dropper binary. Both routes converge on RUSTCLOAK, a Rust-based loader deployed via DLL side-loading of UnityPlayer.dll, ultimately installing AZUREVEIL.
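The first delivery path above hinges on a Windows Shortcut that is named to look like a PDF inside a ZIP. The triage script below is an added example, not code from Seqrite or from the campaign: it identifies LNK entries in an attachment by the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID `00021401-0000-0000-C000-000000000046`) rather than by filename, so a shortcut renamed to `readme.txt` is caught as readily as `Invoice_Q2.pdf.lnk`. The ZIP and its entries are constructed in memory; the file names are sample values.

```python
"""Triage a ZIP attachment for Windows Shortcut (.lnk) files posing as documents.

Added example, not Seqrite's tooling. It builds a constructed ZIP in memory and
flags entries that are LNK files by header, regardless of what the name claims.
"""
import io
import zipfile

# Every Shell Link file starts with HeaderSize 0x4C (little-endian) followed by
# the LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a phishing lure typically borrows for a double-extension name.
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with the Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes):
    """Return [(name, reason)] for every entry that is really a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if not is_lnk(head):
                continue
            if lower.endswith(".lnk"):
                if lower[:-4].endswith(DOCUMENT_EXTS):
                    reason = "LNK with a document double extension"
                else:
                    reason = "LNK inside a mail attachment"
            else:
                reason = "LNK content under a non-.lnk name"
            findings.append((name, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a PDF-looking file, a decoy LNK and a renamed LNK."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # header only; no real shortcut payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Q2.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("Invoice_Q2.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()):
        print(f"{entry}: {why}")
```

Checking the header rather than the extension matters because Windows Explorer hides the `.lnk` suffix by default, so a name-only rule mirrors exactly the blind spot the lure relies on. A mail gateway or sandbox pre-filter can run this before any content is handed to a user.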
In short: Seqrite Labs and ESET are tracking Chinese APT clusters that hide command-and-control inside Microsoft Azure Blob Storage using a dead-drop technique.
- AZUREVEIL is an AdaptixC2 agent supporting 36 commands: shell execution, port forwarding, SOCKS proxy control, and in-memory execution of Beacon Object Files.
- All C2 traffic routes through Azure Blob Storage, blending malicious communications into legitimate enterprise cloud activity.
- A related Go-based implant, TencShell, targets an Indian manufacturing facility and is separately attributed to China-nexus actors.
ESET concurrently documents Chinese groups SteppeDriver, UNC5221, and NegativeGlimmer conducting operations across Panama, Cambodia, and South Korea, placing Dragon Weave within a broader multi-theater Chinese APT expansion.
Potential risks and opportunities
Risks
- Czech Republic and Taiwanese government and research agencies face ongoing exfiltration risk if AZUREVEIL implants remain undetected inside environments that allowlist Azure Blob Storage traffic.
- Organizations globally that permit Microsoft Azure egress without behavioral anomaly detection remain exposed to identical dead-drop C2 techniques from copycat actors who replicate this publicly documented method.
- The Indian manufacturing facility targeted by TencShell faces unquantified intellectual property exposure — no remediation timeline, affected firm name, or stolen data scope has been disclosed.
Opportunities
- Security vendors with Azure-native behavioral monitoring (Microsoft Defender for Cloud, Vectra AI) can position dead-drop C2 detection as an immediate high-priority product differentiator following this public disclosure.
- Managed detection and response providers serving Czech Republic, Taiwan, and Indian manufacturing clients can market specialized response playbooks built directly from Operation Dragon Weave's documented TTPs.
- Threat intelligence firms tracking China-nexus actors gain corroborating datasets by cross-referencing AZUREVEIL indicators with ESET's SteppeDriver, UNC5221, and NegativeGlimmer reporting across Panama, Cambodia, and South Korea.
What we don't know yet
- Whether Microsoft has been notified about specific Azure Blob Storage endpoints used for AZUREVEIL C2 and whether those endpoints have been taken down or suspended.
- The full victim scope beyond Czech Republic and Taiwan — no infection count, named organizations, or confirmed data exfiltration volumes were disclosed in the reporting.
- Whether TencShell relies on the same Azure Blob dead-drop C2 infrastructure as AZUREVEIL or uses entirely separate command-and-control channels.
Originally reported by thehackernews.com
Original headline: Seqrite Uncovers Operation Dragon Weave: China-Linked APT Tunnels C2 Through Azure Blob Storage to Hit Czech Republic and Taiwan Tech and Government Sectors