01 — Summary
Operation Dragon Weave — espionage through Microsoft Azure
Operation Dragon Weave is a targeted cyber-espionage campaign aimed at government officials and citizens in the Czech Republic and Taiwan. It begins with a spear-phishing email carrying a ZIP attachment whose contents masquerade as official government correspondence. The archive delivers malware through one of two interchangeable infection paths — a malicious LNK shortcut or a self-contained Rust-based executable dropper — both converging on DLL sideloading of a malicious UnityPlayer.dll.
That DLL is a Rust loader (RUSTCLOAK) which decrypts and executes the final payload, AZUREVEIL — a 64-bit AdaptixC2 agent notable for using Microsoft Azure Blob Storage as a dead-drop command-and-control channel, blending its encrypted traffic with legitimate cloud activity. AZUREVEIL supports 36 post-exploitation commands including in-memory Beacon Object File (BOF) execution. A hardcoded Shared Access Signature (SAS) token valid through March 2027 indicates the infrastructure was built for long-term persistent access.
02 — Attack details
How the attack unfolded
Operation Dragon Weave demonstrates sophisticated tradecraft: dual infection paths, anti-analysis checks, Azure cloud C2 blending, and infrastructure designed to sustain access for a full year.
Operation Dragon Weave targets government officials and citizens in Taiwan and the Czech Republic using spear-phishing emails disguised as legitimate government communications — such as project review notices or appointment notifications. Victims receive a ZIP archive delivering malware through one of two methods: a malicious Windows shortcut (LNK) disguised as a PDF document, or a Rust-based dropper that extracts the required components onto the system. The use of Traditional Chinese filenames and Czech-language decoy documents underscores the campaign's precision targeting. The earliest known sample was uploaded from Taiwan in March 2026.
In the script-based infection chain, a VBScript launches a hidden PowerShell script that decrypts and reconstructs a malicious executable named RuntimeBroker_update.exe while displaying a decoy document to distract the victim. Both infection methods — the LNK path and the Rust dropper path — ultimately execute RuntimeBroker_update.exe, which uses DLL sideloading to load a malicious library called UnityPlayer.dll, also known as RUSTCLOAK. Before running its payload, RUSTCLOAK performs sandbox and analysis-environment detection checks. A developer oversight also exposed a Rust build path and the username dell2 within the malware binary.
RUSTCLOAK decrypts and launches its final payload, AZUREVEIL, using multiple encryption and evasion techniques. AZUREVEIL is a fully featured AdaptixC2 agent supporting file operations, command execution, shell access, network tunneling, and in-memory execution of additional tools including Beacon Object Files (BOFs). These 36 post-exploitation capabilities give the attacker flexibility for espionage, lateral movement, and sustained access within compromised environments.
Rather than traditional command-and-control servers, AZUREVEIL uses Microsoft Azure Blob Storage (note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net) as a dead-drop C2 channel. HTTPS traffic blends the malware's communications with legitimate cloud activity. The implant periodically uploads encrypted beacons, retrieves encrypted commands, and returns encrypted results through the same storage container. Researchers identified a hardcoded Shared Access Signature (SAS) token with broad permissions to the Azure storage account, valid from March 2026 through March 2027 — indicating the infrastructure was deliberately designed to support long-term espionage operations and persistent victim network access.
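The SAS token is the detail a defender can act on: a token that grants read, write and list access for a year is an unusual thing to see in egress traffic, whatever the storage account. The following is an added example, not code from the original advisory, that parses the documented SAS query fields (sp for permissions, st and se for the validity window, sig for the signature) out of blob URLs seen in proxy logs and flags the combination the campaign relies on. The storage account name, signatures and the 90-day policy threshold are constructed assumptions; the real token's values are not on the page.

```python
"""Assess Azure Blob SAS tokens observed in egress or proxy logs.

Added example, not from the original advisory. The query parameters it reads
(sp = permissions, st = start, se = expiry, sig = signature) are Azure's
documented SAS fields; the sample URLs, storage account name and signature
below are constructed, and the 90-day threshold is a hypothetical
organisational policy limit.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Permission letters that together let a client both drop and collect files
# in a container, which is all a dead-drop C2 channel needs.
DEAD_DROP_PERMS = set("rwl")       # read, write, list
MAX_VALIDITY = timedelta(days=90)  # hypothetical policy threshold


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an Azure SAS timestamp (ISO-8601, UTC, e.g. 2026-03-01T00:00:00Z)."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sas(url: str) -> dict:
    """Extract the SAS fields from a blob URL; 'signed' is False for plain URLs."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": (parts.hostname or "").lower(),
        "perms": set(q.get("sp", "")),
        "start": _ts(q.get("st")),
        "expiry": _ts(q.get("se")),
        "signed": "sig" in q,
    }


def assess_sas(url: str, observed_at: Optional[datetime] = None) -> List[str]:
    """Return findings for a SAS URL; an empty list means nothing notable."""
    sas = parse_sas(url)
    findings: List[str] = []
    if not sas["signed"] or not sas["host"].endswith(".blob.core.windows.net"):
        return findings
    if DEAD_DROP_PERMS <= sas["perms"]:
        findings.append("read/write/list permissions: sp=" + "".join(sorted(sas["perms"])))
    # 'st' is optional: without it the token is valid from the moment it was
    # signed, so fall back to the time the URL was observed in the logs.
    start = sas["start"] or observed_at
    if start and sas["expiry"]:
        validity = sas["expiry"] - start
        if validity > MAX_VALIDITY:
            findings.append(f"valid for {validity.days} days, over the {MAX_VALIDITY.days}-day limit")
    return findings


# Constructed samples: a long-lived, broadly scoped token with the window the
# advisory describes (March 2026 to March 2027), and a short-lived read-only one.
SUSPECT_URL = ("https://examplestorageacct.blob.core.windows.net/drop/beacon.bin"
               "?sv=2022-11-02&st=2026-03-01T00:00:00Z&se=2027-03-01T00:00:00Z"
               "&sp=racwdl&sig=CONSTRUCTED_SIGNATURE")
BENIGN_URL = ("https://examplestorageacct.blob.core.windows.net/public/report.pdf"
              "?sv=2022-11-02&st=2026-03-01T00:00:00Z&se=2026-03-01T01:00:00Z"
              "&sp=r&sig=CONSTRUCTED_SIGNATURE")

if __name__ == "__main__":
    for url in (SUSPECT_URL, BENIGN_URL):
        print(url.split("?")[0], assess_sas(url) or "no findings")
```

Run on its own the script reports two findings for the suspect URL (broad permissions and a 365-day validity window) and none for the benign one. Because SAS tokens travel in the query string, this check only works where TLS inspection or the application's own request logging exposes full URLs; on plain DNS or NetFlow data, fall back to the storage-account hostname.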
03 — Recommendations
What to do now
Six prioritised response actions for security and operations teams. Action 1 should be deployed immediately across all network egress controls.
1. Block and alert on all outbound connections to the identified dead-drop storage account note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net. Treat all listed file hashes as high-priority detections across endpoint and network tooling, and configure SIEM alerts for any connection attempts to this domain.
2. Block execution of unexpected LNK shortcut files and unsigned binaries delivered via email. Constrain wscript.exe and PowerShell so that script-based dropper chains cannot run silently from user-writable directories. Apply WDAC or AppLocker policies to enforce these restrictions.
3. Restrict or closely monitor PowerShell invocations that use execution-policy bypass and hidden-window flags (-ExecutionPolicy Bypass, -WindowStyle Hidden). This pattern is the campaign's primary mechanism for running its decryption stage without user visibility and is the earliest scriptable detection point.
4. Hunt across endpoints for RuntimeBroker_update.exe and BrowserViewUtility.exe loading a UnityPlayer.dll from non-standard, user-writable paths. This DLL sideloading pattern is the convergence point for both the LNK and Rust dropper infection chains and represents a high-confidence detection indicator for RUSTCLOAK.
5. Detect creation of campaign-staged artifacts — 1.dat, Com.dat, RuntimeBroker_update.exe, and related components — in %LOCALAPPDATA%\WebViewFixUtility and %TEMP%. Isolate hosts where these patterns appear and treat them as confirmed compromises pending investigation.
6. Reinforce email filtering to block ZIP attachments containing LNK or executable files. Deliver targeted user-awareness training for government, research, technology, and financial-services staff in the affected regions on double-extension lures and fake official-document themes consistent with Operation Dragon Weave's delivery methodology.
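Actions 1 through 5 above are all expressible as host-telemetry rules, and they are more useful chained than in isolation: a script host spawning hidden PowerShell, staging files appearing under WebViewFixUtility, UnityPlayer.dll loading from that directory and a connection to the storage account are four links of one chain. The following is an added example, not code from the original advisory, that implements those rules over Sysmon-style events. The field names follow Sysmon (EventID 1 process create, 3 network connect, 7 image load, 11 file create); the events, the victim profile path, and the script name in them are constructed, and the dead-drop hostname is the advisory's defanged indicator refanged at runtime.

```python
"""Host-based hunt logic for the Operation Dragon Weave chain, run over
constructed Sysmon-style events (EventID 1 process create, 3 network connect,
7 image load, 11 file create). Added example, not from the original advisory:
the field names follow Sysmon, the events, user name and script name are
made up, and the dead-drop host is the advisory's defanged indicator.
"""
import re
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Tuple

DEAD_DROP_HOST = "note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net".replace("[.]", ".")
SIDELOAD_HOSTS = {"runtimebroker_update.exe", "browserviewutility.exe"}
STAGED_ARTIFACTS = {"1.dat", "com.dat", "runtimebroker_update.exe"}
STAGING_DIRS = ("\\appdata\\local\\webviewfixutility\\", "\\appdata\\local\\temp\\")
# Locations a standard user can write to. A UnityPlayer.dll under one of these
# loaded by RuntimeBroker_update.exe is the RUSTCLOAK sideload, not a Unity game.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# PowerShell accepts unambiguous parameter prefixes, so match the short forms too.
PS_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
PS_HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _name(path: str) -> str:
    return PureWindowsPath(_norm(path)).name


def check_process(ev: dict) -> List[str]:
    """EventID 1: hidden/bypass PowerShell, and script hosts spawning it (actions 2-3)."""
    findings = []
    if _name(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}:
        parent = _name(ev.get("ParentImage", ""))
        if parent in {"wscript.exe", "cscript.exe"}:
            findings.append(f"{parent} spawned PowerShell")
        cmd = ev.get("CommandLine", "")
        if PS_BYPASS.search(cmd) and PS_HIDDEN.search(cmd):
            findings.append("hidden-window PowerShell with execution-policy bypass")
    return findings


def check_image_load(ev: dict) -> List[str]:
    """EventID 7: UnityPlayer.dll loaded by a sideload host from a user-writable path (action 4)."""
    loaded = _norm(ev.get("ImageLoaded", ""))
    if (PureWindowsPath(loaded).name == "unityplayer.dll"
            and _name(ev.get("Image", "")) in SIDELOAD_HOSTS
            and any(d in loaded for d in USER_WRITABLE)):
        return [f"UnityPlayer.dll sideloaded by {_name(ev['Image'])} from {loaded}"]
    return []


def check_file_create(ev: dict) -> List[str]:
    """EventID 11: staged artifacts written to the WebViewFixUtility or Temp directory (action 5)."""
    target = _norm(ev.get("TargetFilename", ""))
    if (PureWindowsPath(target).name in STAGED_ARTIFACTS
            and any(d in target for d in STAGING_DIRS)):
        return [f"campaign staging artifact written: {target}"]
    return []


def check_network(ev: dict) -> List[str]:
    """EventID 3: any connection to the dead-drop storage account (action 1)."""
    if ev.get("DestinationHostname", "").lower() == DEAD_DROP_HOST:
        return ["connection to dead-drop storage account " + DEAD_DROP_HOST]
    return []


CHECKS: Dict[int, Callable[[dict], List[str]]] = {
    1: check_process, 3: check_network, 7: check_image_load, 11: check_file_create,
}


def hunt(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (EventID, finding) pairs for every event that matches a check."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        for finding in (check(ev) if check else []):
            hits.append((ev["EventID"], finding))
    return hits


USER_DIR = r"C:\Users\alice\AppData\Local"  # constructed victim profile
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, in chain order, followed by two benign events
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": rf"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File {USER_DIR}\Temp\stage.ps1"},
    {"EventID": 11, "Image": PS_EXE, "TargetFilename": rf"{USER_DIR}\WebViewFixUtility\RuntimeBroker_update.exe"},
    {"EventID": 11, "Image": PS_EXE, "TargetFilename": rf"{USER_DIR}\WebViewFixUtility\1.dat"},
    {"EventID": 7, "Image": rf"{USER_DIR}\WebViewFixUtility\RuntimeBroker_update.exe",
     "ImageLoaded": rf"{USER_DIR}\WebViewFixUtility\UnityPlayer.dll"},
    {"EventID": 3, "Image": rf"{USER_DIR}\WebViewFixUtility\RuntimeBroker_update.exe",
     "DestinationHostname": DEAD_DROP_HOST, "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Program Files\SomeGame\SomeGame.exe",
     "ImageLoaded": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"[EventID {event_id}] {finding}")
```

The two benign events at the end matter as much as the hits: a legitimate Unity game under Program Files loading its own UnityPlayer.dll produces nothing, and so does an interactive PowerShell session, which keeps the UnityPlayer.dll rule usable on endpoints where Unity titles are installed. Per-event matches are worth alerting on individually, but correlating them by host over a short window (several distinct EventIDs from the same machine) is what turns this into a high-confidence RUSTCLOAK detection rather than a noisy rule.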
04 — Indicators of compromise
IoCs — Operation Dragon Weave / AZUREVEIL / RUSTCLOAK
Block or monitor all indicators below across network controls, endpoint detection, and SIEM pipelines. The file hashes are SHA-256; the Azure domain is defanged.
- 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447
- 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4
- 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192
- 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1
- 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15
- 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4
- 02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e
- 8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9
- 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574
- a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a
- 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de
- 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0
- note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net
05 — MITRE ATT&CK TTPs
Tactics, techniques & sub-techniques
Full MITRE ATT&CK mapping for Operation Dragon Weave / AZUREVEIL / RUSTCLOAK campaign.

