SOC Prime Bias: Critical

02 Jun 2026 19:44 UTC

Operation Dragon Weave Uses Azure Cloud C2 to Target Czech Republic and Taiwan

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A targeted espionage operation tracked as Operation Dragon Weave uses malicious LNK shortcut files together with a Rust-based executable to launch a multi-stage loader that eventually deploys the Adaptix AZUREVEIL command-and-control agent. The operators abuse Microsoft Azure Blob Storage as a dead-drop mechanism for C2 communications. The campaign is focused on government personnel and researchers in the Czech Republic and Taiwan.

Investigation

The investigation followed the full infection chain from the initial ZIP archive through VBScript execution, PowerShell-based decryption, DLL sideloading, and a custom Rust loader that used RC4, Base64, and SM4 to decrypt the final payload. The last-stage malware, AZUREVEIL, was identified as a 64-bit Adaptix DLL that communicates only through Azure Blob Storage and supports in-memory Beacon Object File execution.

Mitigation

Defenders should block execution of unexpected LNK files and unsigned binaries, enforce strict controls over script and macro execution, and monitor for unusual Azure Blob Storage traffic. PowerShell usage with execution-policy bypass should be restricted or closely watched, and security teams should detect suspicious file creation in %LOCALAPPDATA% and %TEMP%. Strong credential hygiene for Azure accounts and regular rotation of SAS tokens are also recommended.

Response

Security teams should detect and isolate affected hosts, collect volatile memory to recover any in-memory payloads, block the identified Azure storage domain, and hunt for the reported file artifacts and process patterns. A full forensic investigation should also be performed to identify any additional dropped components and remove persistence mechanisms.
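The mitigation and response guidance above translates into a handful of concrete detections. The block below is an added example, not SOC Prime's or the original report's code: it runs five rules over constructed Sysmon-style events (ProcessCreate, ImageLoad, FileCreate and DNS-query records, all synthetic) and then correlates hits per host, so that a single benign blob-storage lookup does not by itself put a machine on the isolation list. The event field names, the allow-list of processes expected to talk to Azure Blob Storage, and the watch-list of side-loaded DLL names are assumptions to tune for your environment.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed Sysmon-style events (synthetic, not real telemetry). "id" follows Sysmon:
# 1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate, 22 = DNSEvent.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\a\AppData\Local\Temp\evil.vbs"'},
    {"id": 1, "host": "ws01", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\a\AppData\Local\Temp\Profile.ps1"},
    {"id": 11, "host": "ws01", "image": PS, "target": r"C:\Users\a\AppData\Local\Temp\1.dat"},
    {"id": 11, "host": "ws01", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\a\Desktop\計畫申請審查結果通知單.pdf.lnk"},
    {"id": 7, "host": "ws01", "image": STAGE + r"\RuntimeBroker_update.exe",
     "loaded": STAGE + r"\UnityPlayer.dll", "signed": False},
    {"id": 22, "host": "ws01", "image": STAGE + r"\RuntimeBroker_update.exe",
     "query": "example123.blob.core.windows.net"},
    # Benign controls: the rules must stay quiet on these.
    {"id": 1, "host": "ws02", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"id": 7, "host": "ws02", "image": r"C:\Program Files\Unity Hub\Unity Hub.exe",
     "loaded": r"C:\Program Files\Unity Hub\UnityPlayer.dll", "signed": True},
    {"id": 22, "host": "ws02", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "query": "contoso.blob.core.windows.net"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumption: processes that legitimately reach *.blob.core.windows.net in this environment.
EXPECTED_BLOB_CLIENTS = {"msedge.exe", "chrome.exe", "firefox.exe", "azcopy.exe", "onedrive.exe", "outlook.exe"}
# Assumption: DLL names known to be side-loaded; extend with others seen in your telemetry.
SIDELOAD_DLLS = {"unityplayer.dll"}
# powershell.exe accepts abbreviated switches, so match -ep / -ex / -exec / -executionpolicy.
BYPASS_RE = re.compile(r"-(?:ep|ex|exec|executionpolicy)[\s:]+bypass", re.IGNORECASE)
DOUBLE_EXT_LNK_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)  # covers %LOCALAPPDATA% and %TEMP%
STAGED_EXTS = (".dat", ".exe", ".dll", ".vbs", ".ps1")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def base(path):
    return ntpath.basename(path).lower()


def folder(path):
    return ntpath.dirname(path).lower()


def rule_script_host_spawns_powershell_bypass(ev):
    if ev["id"] == 1 and base(ev["parent"]) in SCRIPT_HOSTS and base(ev["image"]) in POWERSHELL \
            and BYPASS_RE.search(ev["cmdline"]):
        return Finding("script_host_spawns_powershell_bypass", ev["host"], ev["cmdline"])


def rule_double_extension_lnk(ev):
    if ev["id"] == 11 and DOUBLE_EXT_LNK_RE.search(ev["target"]):
        return Finding("double_extension_lnk_written", ev["host"], ev["target"])


def rule_script_engine_stages_file(ev):
    # PowerShell or a script host writing binaries/containers under %LOCALAPPDATA% / %TEMP%.
    if ev["id"] == 11 and base(ev["image"]) in POWERSHELL | SCRIPT_HOSTS \
            and LOCALAPPDATA_RE.search(ev["target"]) and ev["target"].lower().endswith(STAGED_EXTS):
        return Finding("script_engine_staged_file_in_localappdata", ev["host"], ev["target"])


def rule_unsigned_sideload_from_user_dir(ev):
    # A watched DLL, unsigned, loaded from a user-writable directory next to its host binary.
    if ev["id"] == 7 and base(ev["loaded"]) in SIDELOAD_DLLS and USER_WRITABLE_RE.search(ev["loaded"]) \
            and not ev.get("signed", False) and folder(ev["loaded"]) == folder(ev["image"]):
        return Finding("unsigned_sideload_dll_from_user_dir", ev["host"], ev["loaded"])


def rule_blob_lookup_from_unexpected_process(ev):
    if ev["id"] == 22 and ev["query"].lower().endswith(".blob.core.windows.net") \
            and base(ev["image"]) not in EXPECTED_BLOB_CLIENTS:
        return Finding("azure_blob_lookup_from_unexpected_process", ev["host"], f'{ev["image"]} -> {ev["query"]}')


RULES = [rule_script_host_spawns_powershell_bypass, rule_double_extension_lnk,
         rule_script_engine_stages_file, rule_unsigned_sideload_from_user_dir,
         rule_blob_lookup_from_unexpected_process]


def detect(events):
    return [f for ev in events for f in (rule(ev) for rule in RULES) if f is not None]


def hosts_to_isolate(findings, min_rules=3):
    # Correlation: a host that trips several distinct rules is a probable infection, not noise.
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.host}] {f.rule}: {f.detail}")
    print("isolate:", hosts_to_isolate(hits))
```

The blob-storage rule is the noisiest of the five in practice: administrators using PowerShell or the Azure CLI against storage accounts will trip it, which is why the example keys isolation on the number of distinct rules a host hits rather than on any single rule. The DNS-based rule also only sees the storage account host name; add the SAS-token and container path from proxy or TLS inspection logs when you have them, since the page reports the dead drop living in a single container.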

Attack Flow

graph TB
  %% Class Definitions Section
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef file fill:#ddffdd
  classDef process fill:#ffeb99
  classDef operator fill:#ff9900

  %% Nodes
  attack_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>The adversary emails a malicious ZIP archive to victims."]
  class attack_phishing action
  file_zip["<b>File</b> – malicious.zip<br/>Contains a .lnk shortcut and a Rust compiled .exe dropper."]
  class file_zip file
  action_user_exec["<b>Action</b> – <b>T1204.001 User Execution</b><br/>Victim opens the .lnk or runs the .exe, starting the dropper chain."]
  class action_user_exec action
  file_lnk["<b>File</b> – payload.pdf.lnk<br/>Shortcut uses double extension and Edge icon to appear benign."]
  class file_lnk file
  tool_wscript["<b>Tool</b> – wscript.exe<br/>Executes the VBScript payload."]
  class tool_wscript tool
  file_vbs["<b>File</b> – empty.vbs<br/>Minimal VBScript that launches PowerShell."]
  class file_vbs file
  action_vbscript["<b>Action</b> – <b>T1059.005 Visual Basic</b><br/>VBScript runs via wscript to start PowerShell."]
  class action_vbscript action
  action_powershell["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Profile.ps1 runs with execution-policy bypass and decrypts the next stage."]
  class action_powershell action
  file_dat["<b>File</b> – 1.dat<br/>XOR-encrypted container that holds RuntimeBroker_update.exe."]
  class file_dat file
  process_runtime["<b>Process</b> – RuntimeBroker_update.exe<br/>Decrypted from 1.dat; loads malicious UnityPlayer.dll via DLL side-loading."]
  class process_runtime process
  file_dll["<b>File</b> – UnityPlayer.dll<br/>Malicious DLL placed alongside RuntimeBroker_update.exe."]
  class file_dll file
  action_dll_sideload["<b>Action</b> – <b>T1574.002 DLL Side-Loading</b><br/>DLL side-loading provides code execution."]
  class action_dll_sideload action
  tool_rustloader["<b>Tool</b> – Rust loader (RUSTCLOAK)<br/>Allocates memory, writes decrypted AZUREVEIL PE, executes via Windows fibers."]
  class tool_rustloader tool
  action_process_injection["<b>Action</b> – <b>T1055.002 Process Injection</b><br/>PE injection using Windows fibers."]
  class action_process_injection action
  file_azureveil["<b>File</b> – AZUREVEIL.exe<br/>Decrypted payload executed after injection."]
  class file_azureveil file
  action_discovery["<b>Action</b> – <b>T1083 File and Directory Discovery</b><br/>Loader enumerates files and moves them to %TEMP%."]
  class action_discovery action
  action_network_discovery["<b>Action</b> – <b>T1016 System Network Configuration Discovery</b><br/>Collects MAC and IP information for proxy and lateral movement."]
  class action_network_discovery action
  action_c2["<b>Action</b> – <b>T1102 Web Service</b><br/>Communicates with Azure Blob Storage over HTTPS."]
  class action_c2 action
  action_dead_drop["<b>Action</b> – <b>T1102.003 One-Way Communication</b><br/>Uploads beacon blob and retrieves commands from the same container."]
  class action_dead_drop action
  action_encrypted_channel["<b>Action</b> – <b>T1573.001 Encrypted Channel</b><br/>Beacon and command data encrypted with custom RC4 and SM4-CBC."]
  class action_encrypted_channel action
  action_exfil["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service</b><br/>Uploads encrypted data to Azure Blob endpoint."]
  class action_exfil action
  action_persistence["<b>Action</b> – <b>T1547.009 Shortcut Modification</b><br/>Places malicious .lnk in startup locations for persistence."]
  class action_persistence action

  %% Edges
  attack_phishing -->|delivers| file_zip
  file_zip -->|triggers| action_user_exec
  action_user_exec -->|opens| file_lnk
  file_lnk -->|executes| tool_wscript
  tool_wscript -->|runs| file_vbs
  file_vbs -->|launches| action_vbscript
  action_vbscript -->|starts| action_powershell
  action_powershell -->|decrypts| file_dat
  file_dat -->|produces| process_runtime
  process_runtime -->|loads| file_dll
  file_dll -->|used by| action_dll_sideload
  process_runtime -->|performs| action_process_injection
  action_process_injection -->|uses| tool_rustloader
  tool_rustloader -->|loads| file_azureveil
  file_azureveil -->|performs| action_discovery
  action_discovery -->|also does| action_network_discovery
  action_network_discovery -->|sends data to| action_c2
  action_c2 -->|uses| action_dead_drop
  action_dead_drop -->|relies on| action_encrypted_channel
  action_encrypted_channel -->|enables| action_exfil
  action_exfil -->|may trigger| action_persistence
  file_lnk -->|establishes| action_persistence

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Attack Narrative & Commands

  1. Delivery: The attacker sends a phishing email with an attachment named 計畫申請審查結果通知單.pdf.lnk ("project application review result notification"). The double extension hides the shortcut nature. The LNK launches wscript.exe with %TEMP%\evil.vbs as its argument.
  2. Execution (VBScript): When the victim double-clicks the LNK, wscript.exe runs evil.vbs. The script drops RuntimeBroker_update.exe to %APPDATA%\Microsoft\Windows\Start Menu\Programs\RuntimeBroker_update.exe and copies a malicious UnityPlayer.dll (containing the Rust-based loader) into the same directory.
  3. DLL Sideloading: The script then runs RuntimeBroker_update.exe. Because the executable imports UnityPlayer.dll by name and the Windows loader searches the application's own directory before the system directories, it loads the neighboring malicious UnityPlayer.dll, which executes the embedded Rust loader (RUSTCLOAK) and establishes a C2 channel to Azure Blob Storage. A valid code signature on the host executable does not prevent this; a legitimately signed binary is the usual host for a sideload, which is exactly why allow-listing by signer alone is insufficient.
  4. Post-execution: The payload performs system discovery (T1016, T1082) and begins exfiltration (T1041) over an encrypted channel (T1573).

Regression Test Script

<#
  Simulation script for the Malicious LNK + DLL sideloading detection.
  Prerequisites:
  - Sysmon with ProcessCreate (ID 1), ImageLoad (ID 7) and FileCreate (ID 11) enabled.
  - Write permission to $env:APPDATA\Microsoft\Windows\Start Menu\Programs
  Caveat: the helper binary is a renamed copy of RuntimeBroker.exe, which does not
  import UnityPlayer.dll, so the placeholder DLL is staged but never actually loaded.
  Expect the LNK -> wscript.exe -> RuntimeBroker_update.exe process chain and the
  file-creation events; the ImageLoad signal only appears with a host binary that
  really imports UnityPlayer.dll.
#>

$stageDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'

# 1. Prepare malicious VBScript. The here-string is single-quoted, so PowerShell
#    does not expand variables inside it; the script resolves %APPDATA% itself at run time.
$vbPath = Join-Path $env:TEMP 'evil.vbs'
@'
Set objShell = CreateObject("WScript.Shell")
exePath = objShell.ExpandEnvironmentStrings("%APPDATA%") & "\Microsoft\Windows\Start Menu\Programs\RuntimeBroker_update.exe"
objShell.Run """" & exePath & """", 0, False
'@ | Set-Content -Path $vbPath -Encoding Unicode

# 2. Deploy a fake UnityPlayer.dll (binary placeholder)
$dllPath = Join-Path $stageDir 'UnityPlayer.dll'
# For demo, just copy any existing DLL (e.g., version.dll) and rename it
Copy-Item (Join-Path $env:SystemRoot 'System32\version.dll') $dllPath -Force

# 3. Deploy the helper executable (a copy of a legit binary for realism)
$exePath = Join-Path $stageDir 'RuntimeBroker_update.exe'
Copy-Item (Join-Path $env:SystemRoot 'System32\RuntimeBroker.exe') $exePath -Force

# 4. Create the malicious LNK with double extension on the user's real Desktop
#    (GetFolderPath honours known-folder redirection, e.g. OneDrive-backed desktops)
$lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) '計畫申請審查結果通知單.pdf.lnk'
$ws = New-Object -ComObject WScript.Shell
$shortcut = $ws.CreateShortcut($lnkPath)
$shortcut.TargetPath = Join-Path $env:SystemRoot 'System32\wscript.exe'
$shortcut.Arguments = "`"$vbPath`""
$shortcut.Save()

Write-Host "Malicious LNK created at $lnkPath"
Write-Host "Executing the LNK to trigger the chain..."
# Launching the .lnk goes through ShellExecute, so the parent/child chain looks like a user double-click.
Start-Process -FilePath $lnkPath -Wait

Cleanup Commands

# Remove artifacts (stop the renamed helper first in case it is still running)
$stageDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
Get-Process -Name 'RuntimeBroker_update' -ErrorAction SilentlyContinue | Stop-Process -Force
Remove-Item (Join-Path $env:TEMP 'evil.vbs') -Force -ErrorAction SilentlyContinue
Remove-Item (Join-Path $stageDir 'UnityPlayer.dll') -Force -ErrorAction SilentlyContinue
Remove-Item (Join-Path $stageDir 'RuntimeBroker_update.exe') -Force -ErrorAction SilentlyContinue
Remove-Item (Join-Path ([Environment]::GetFolderPath('Desktop')) '計畫申請審查結果通知單.pdf.lnk') -Force -ErrorAction SilentlyContinue
Write-Host "Cleanup complete."