Skip to main content
Emerging ThreatsMalware & Ransomware

China-Aligned Hackers Target Czech Republic, Taiwan in Cyber Espionage Push

Government building with subtle cyber activity hints in bright daylight.

"The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide," Seqrite Labs said.

That observation sits at the center of a cross‑regional surge in activity attributed to China‑aligned threat actors. Security vendors report a newly tracked campaign, Operation Dragon Weave, aimed at officials and citizens in the Czech Republic and Taiwan that ultimately delivers an AdaptixC2 agent; investigators link a parallel cluster of intrusions and tooling to the same actor set or related groups operating with similar tradecraft.

Operation Dragon Weave: targets, lures, and the infection chain

Seqrite Labs says Dragon Weave is tailored toward government, research, academic, technology, and financial services targets. The initial vector is spear‑phishing: ZIP attachments that, when opened, reveal multiple files that "appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background," security researcher Priya Patel said.

The chain offers two distinct pathways to the same end. In one, a malicious Windows Shortcut (LNK) file masquerading as a PDF triggers a PowerShell script that extracts an executable ("RuntimeBroker_update.exe") from an intermediate DAT file and runs it. In the alternate path, victims launch a binary contained in the archive; that binary is a Rust‑based dropper that launches the same "RuntimeBroker_update.exe."

Both routes rely on DLL side‑loading: the executable loads a malicious "UnityPlayer.dll," which then permits deployment of a Rust‑based loader called RUSTCLOAK. Seqrite Labs reports the loader performs anti‑analysis checks and proceeds only if it does not detect a sandboxed environment.

AZUREVEIL: AdaptixC2 and a dead‑drop on Azure Blob Storage

The final payload deployed by RUSTCLOAK is an AdaptixC2 agent codenamed AZUREVEIL — a name the researchers say reflects its use of Microsoft Azure Blob Storage for command‑and‑control. Rather than a traditional pull model, AZUREVEIL "follows a dead drop approach. The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data," Seqrite Labs said.

AZUREVEIL exposes a broad feature set: Seqrite Labs documents 36 commands that enable file operations, uploads and downloads, shell command execution, process enumeration and termination, port forwarding, SOCKS proxy control, management of C2 server configuration, and in‑memory execution of Beacon Object Files (BOFs). The combination of a cloud dead‑drop and in‑memory execution capabilities gives operators extensive remote control while blending C2 traffic with legitimate cloud service usage.

Parallel activity: TencShell, SteppeDriver, PhiliKit, and NegativeGlimmer

Cato Networks reported an attempted intrusion against the Indian branch of an unnamed global manufacturing customer intended to deliver TencShell, a previously undocumented Go‑based implant derived from the open‑source rshell C2 framework. The intrusion is believed to be the work of "China‑nexus" actors based on rshell history, Tencent‑themed API impersonation, and infrastructure patterns; the initial access vector remains currently unknown.

"If successful, TencShell could have given the attacker remote command execution, in‑memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling," researchers Idan Tarab, Dr. Guy Waizel, Zohar Buber, and Shani Kurtzberg said.

Vendor reporting over the past six months shows multiple China‑aligned clusters active across regions. ESET said China‑aligned threat actors remained "highly active" globally from October 2025 through March 2026 and described an unreported cluster dubbed SteppeDriver with activity in France, Mongolia, and South America using tools such as ShadowPad, COOLCLIENT, CurlyDoor, RudeGull, and MKTDownloader.

Also identified by the Slovakian cybersecurity vendor is a toolkit linked to UNC5221 dubbed PhiliKit, a passive backdoor that can execute shell commands, Python scripts, and Perl scripts and is suspected to be part of the SPAWN malware suite. A third China‑affiliated group called NegativeGlimmer is reported to share overlap with TGR‑STA‑1030; Palo Alto Networks Unit 42 documented TGR‑STA‑1030 earlier this year as having breached at least 70 government and critical infrastructure organizations across 37 countries.

ESET also notes a December 2025 instance in which a threat actor used a DLL side‑loading chain via spear‑phishing to deliver a downloader that deployed AdaptixC2 while showing a decoy document to the victim. In January 2026, some iterations replaced AdaptixC2 with Cobalt Strike, with infections reported in Cambodia and South Korea. "The latter targeting in South Korea aligns with Beijing's enduring interest in strategic technologies prioritized under the Made in China 2025 industrial development policy," ESET's Jean‑Ian Boutin said.

What this means for the Czech Republic, Taiwan, and global enterprises

  • Czech Republic and Taiwan: Both are named targets of Operation Dragon Weave; public‑sector and academic actors in those countries should expect spear‑phishing campaigns that include ZIP attachments, LNK‑as‑PDF lures, and artifacts such as RuntimeBroker_update.exe and UnityPlayer.dll tied to DLL side‑loading.
  • Global enterprises and manufacturers: The attempted delivery of TencShell to an Indian branch of a global manufacturer demonstrates how tooling derived from open‑source C2 frameworks can be retooled into stealthy implants; organizations with multinational footprints should coordinate telemetry sharing when suspected intrusions appear.
  • Security teams and defenders: The use of Azure Blob Storage as a dead‑drop C2 and in‑memory BOF execution complicates detection because C2 traffic may blend with legitimate cloud storage access and traditional endpoint prevention may be evaded by loaders that perform sandbox checks.

Conclusion

Taken together, the incidents documented by Seqrite Labs, Cato Networks, and ESET depict a pattern: China‑aligned actors employing modular toolsets, cloud dead‑drop C2 methods, and tried‑and‑tested social engineering to target governments, research institutions, and enterprises across multiple regions. The specific artifacts — RuntimeBroker_update.exe, UnityPlayer.dll, RUSTCLOAK, AZUREVEIL, and newly observed implants such as TencShell — give defenders concrete indicators to track even as operators adapt and reuse public cloud infrastructure to mask their command channels.

Read the original report: https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html