China-linked cyber espionage campaign targets Czech Republic and Taiwan

A new cyber espionage campaign, dubbed “Operation Dragon Weave” by Seqrite Labs, is targeting government officials and citizens in the Czech Republic and Taiwan.

The campaign mainly targets organizations in government, research, education, technology, and financial services. Attackers send spear-phishing emails containing ZIP file attachments. When opened, the files start an infection process that installs malware on the victim's computer.

The attack relies on decoy files that appear legitimate. In one chain, the victim opens a shortcut file disguised as a PDF document, which runs a PowerShell script and installs the malicious software. In the other, the victim directly launches a malicious program contained in the ZIP archive.
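A mail-gateway triage check for the two lure variants described above (a shortcut carrying a document-style name, or a bare executable inside the ZIP), added here as an illustration; this is not code from Seqrite Labs or from the campaign report, and the sample archive it builds is constructed for the demonstration.

```python
import io
import zipfile

# Entry types a document attachment should never need: an .lnk in a ZIP is the
# first lure variant, a bare executable the second.
SUSPECT_EXTENSIONS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP entry that looks like a disguised launcher."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = [p.strip() for p in name.lower().split(".")]
            if len(parts) < 2:
                continue
            ext = "." + parts[-1]
            if ext not in SUSPECT_EXTENSIONS:
                continue
            # "Agenda.pdf.lnk": a document extension placed before the real one
            inner = "." + parts[-2] if len(parts) >= 3 else ""
            findings.append({
                "entry": info.filename,
                "extension": ext,
                "disguised_as": inner if inner in DOCUMENT_EXTENSIONS else None,
                "size": info.file_size,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: both lure variants plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)  # shortcut named like a PDF
        zf.writestr("Setup/Viewer.exe", b"MZ" + b"\x00" * 100)         # directly launched program
        zf.writestr("Readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```

The extension lists are a starting point for a quarantine rule; tune them to what your users legitimately exchange.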

Both attack chains eventually install a Rust-based malware loader known as RUSTCLOAK, which then deploys a remote access tool called AZUREVEIL. The malware uses Microsoft Azure Blob Storage as its command-and-control system, allowing attackers to communicate with infected devices while blending in with normal internet traffic.

Researchers said AZUREVEIL supports 36 different commands, enabling attackers to steal files, execute commands, manage processes, and maintain full control of compromised systems.

While the campaign has not been officially linked to a specific threat group, researchers believe it is likely connected to a China-aligned espionage operation.