Figure: Infection Chain (Image: The Seqrite APT Team)
Security researchers have discovered a highly targeted international cyber espionage campaign hitting public institutions. The Seqrite APT Team uncovered the activity while monitoring public threat databases. The campaign, known as Operation Dragon Weave, targets high-profile victims with deceptive phishing lures: the threat actors mimic official government records to trick users into running compromised files. Targeted organizations in the Czech Republic and Taiwan consequently face immediate data exposure, and perimeter defenders must adapt their threat models to account for the campaign's cloud-hosted infrastructure.
Multi-Path Infection Tactics
The campaign begins when a user downloads a malicious compressed archive. The archive bundles several supporting files designed to execute the payload silently. Notably, it supports two independent execution paths, depending on which file the user opens.
Path A and Path B Variants
In Path A, the victim double-clicks a deceptive shortcut file masquerading as an ordinary PDF document. This triggers a hidden script that unpacks the core components from an encrypted data container. Alternatively, Path B relies on a standalone dropper written in Rust, which handles all extraction internally and therefore needs no external helper files.
Reaching the Sideloading Stage
Both paths ultimately converge on a single malicious executable named RuntimeBroker_update.exe, which runs in the background. The program then uses classic DLL sideloading, in which a legitimate executable is tricked into loading an attacker-supplied library in place of the one it expects. This step drops an intermediate loader called RUSTCLOAK onto the target device.
RUSTCLOAK Evasion and Decryption Layers
The intermediate loader employs extensive anti-analysis measures to protect its core logic. Before executing any malicious function, it performs exhaustive environment checks: it queries the host configuration for the machine name and cross-references it against an embedded list of more than 100 sandbox indicators. If it recognises a sandbox environment, the malware terminates immediately, which keeps the infection hidden from automated endpoint scanners.
The Unpacking Mechanism
The loader also implements a three-layer decryption routine to recover the final payload, combining a custom RC4 variant, Base64 decoding, and SM4-CBC. Once unpacking completes, it allocates memory through the standard Windows virtual-memory APIs. Rather than creating a new thread, an event that endpoint monitors commonly flag, the loader uses Windows fibers to transfer execution to the decrypted shellcode. This places a fully functional remote-control agent directly in memory without writing it to disk.
Weaponizing Cloud Storage via Dead-Drop C2 Channels
The primary payload, known as AZUREVEIL, is an Adaptix agent and represents a mature step in modern malware architecture. Crucially, the operators did not stand up a conventional external C2 server. Instead, Operation Dragon Weave relies entirely on a customised dead-drop C2 channel built on a legitimate cloud platform, using public storage containers to pass encrypted commands and exfiltrated files.
Blending with Corporate Traffic
This infrastructure choice makes it very difficult for network defenders to block the connections, because the traffic looks like ordinary enterprise web communication with Microsoft servers. According to the Seqrite analysis, “One of the unique aspects of this campaign is its use of Microsoft Azure Blob Storage as a dead-drop C2 channel.” The report adds that “Instead of talking to a normal C2 server, the malware blends its traffic with regular cloud activity, which makes it much harder to notice.”
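Because the dead-drop traffic is ordinary HTTPS to blob.core.windows.net, one practical detection angle is the polling rhythm rather than the destination. The following added example (not code from the Seqrite report) scans constructed proxy-log lines for clients that fetch the same storage container at near-fixed intervals; the log format, hostnames and container names are assumptions made up for the illustration.

```python
"""Flag beacon-like polling of Azure Blob Storage in proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<iso-timestamp> <client-ip> <method> <url>" per line.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 GET https://acme-files.blob.core.windows.net/backups/report.pdf
2024-05-01T09:00:05Z 10.0.0.7 GET https://example-dead-drop.blob.core.windows.net/tasks/host-7
2024-05-01T09:01:05Z 10.0.0.7 GET https://example-dead-drop.blob.core.windows.net/tasks/host-7
2024-05-01T09:02:04Z 10.0.0.7 PUT https://example-dead-drop.blob.core.windows.net/results/host-7
2024-05-01T09:02:05Z 10.0.0.7 GET https://example-dead-drop.blob.core.windows.net/tasks/host-7
2024-05-01T09:03:05Z 10.0.0.7 GET https://example-dead-drop.blob.core.windows.net/tasks/host-7
2024-05-01T09:04:06Z 10.0.0.7 GET https://example-dead-drop.blob.core.windows.net/tasks/host-7
2024-05-01T09:13:00Z 10.0.0.5 PUT https://acme-files.blob.core.windows.net/backups/report2.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/]+)/([^/]+)/\S*$")


def parse_blob_requests(log):
    """Yield (timestamp, client, method, host, container) for Azure Blob requests only."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, method, host, container = m.groups()
        if host.endswith(".blob.core.windows.net"):
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, host, container


def find_beacons(log, min_requests=4, max_jitter_ratio=0.1):
    """Return {(client, host, container): interval_seconds} for GET series whose
    inter-request gaps vary by at most max_jitter_ratio of their mean."""
    series = defaultdict(list)
    for ts, client, method, host, container in parse_blob_requests(log):
        if method == "GET":  # task polling; PUTs are result uploads and are less regular
            series[(client, host, container)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    for (client, host, container), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host}/{container} every ~{interval}s")
```

Legitimate backup or sync jobs also poll storage on a schedule, so treat a hit as a lead to correlate with the requesting process and with the unusual PUT/GET pairing to a container the organisation does not own.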
Comprehensive Post-Exploitation Capabilities
Once the dead-drop channel is established, the threat actor gains wide-ranging control over the host. Security analysts verified 36 individual command handlers hardcoded inside the central DLL agent. These let the attacker modify the filesystem, manipulate running processes, and forward ports; for instance, operators can pull down secondary files or exfiltrate sensitive local documents. The agent also contains a Beacon Object File (BOF) parsing engine, which runs compiled C object files in the host's memory without touching disk.
Attribution and Defense Protocols
Structural evidence connects these attacks to sophisticated threat groups operating out of East Asia: the technical artifacts, the languages used in filenames, and the targeted victimology support a China-linked origin profile. To secure networks, administrators must block all traffic to the rogue storage container address. Additionally, monitoring unusual Windows fiber transitions will help reveal active memory injection attempts. Organizations should enforce strict multi-layered visibility across cloud endpoints to stop these intrusions early.