China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan

https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html

Publish Date: 2026-06-01 07:54:00

Source Domain: thehackernews.com

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent.

According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments to trigger an infection chain that uses a Rust loader to drop the final payload for data exfiltration and remote control.

“When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background,” security researcher Priya Patel said.

The attack chain uses two different pathways to launch the final-stage malware. One infection sequence begins when the recipient of the ZIP archive opens a malicious Windows Shortcut (LNK) file that masquerades as a PDF document. This leads to the execution of a PowerShell script that’s responsible for extracting an executable (“RuntimeBroker_update.exe”) from an intermediate DAT file and running it.

In the second attack chain, the victim directly launches a binary from the same archive. The binary functions as a self-contained Rust-based dropper to launch “RuntimeBroker_update.exe.” Regardless of the path chosen, the executable loads a malicious DLL (“UnityPlayer.dll”) via DLL side-loading, resulting in the deployment of a Rust-based loader called RUSTCLOAK.

The loader then decrypts and runs the main payload, an AdaptixC2 agent codenamed AZUREVEIL owing to the use of Microsoft Azure Blob Storage for command-and-control (C2). The loader is designed to perform anti-analysis checks to proceed only if the malware determines that it’s being run within a sandboxed environment.
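The chain described above (a ZIP-delivered LNK posing as a PDF, PowerShell carving RuntimeBroker_update.exe out of a .dat file, UnityPlayer.dll side-loaded by that executable, and beaconing to Azure Blob Storage) maps onto a handful of endpoint detection rules. The following is an added example written for this page, not Seqrite Labs tooling or code from the article: the indicator names come from the text, while the event schema, the rule thresholds and every sample record are constructed assumptions.

```python
"""Added detection example for the Dragon Weave infection chain described above.

The indicator names (LNK posing as a PDF inside a ZIP, PowerShell reading a .dat
file to produce RuntimeBroker_update.exe, UnityPlayer.dll side-loaded by that
executable, C2 over Azure Blob Storage) are taken from the article. The event
schema and every sample record below are constructed for this example and are
not real telemetry or Seqrite Labs tooling.
"""
import io
import zipfile

SUSPECT_EXE = "runtimebroker_update.exe"   # executable name from the article
SIDELOADED_DLL = "unityplayer.dll"         # side-loaded DLL name from the article
BLOB_SUFFIX = ".blob.core.windows.net"     # Azure Blob Storage hostname suffix
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # assumed user-writable dirs


def flag_archive_members(names):
    """Rule 1: a shortcut inside a mail attachment whose name reads like a PDF.
    Explorer hides the trailing ".lnk", so "report.pdf.lnk" displays as "report.pdf"."""
    return [f"lnk_posing_as_pdf:{n}" for n in names
            if n.lower().endswith(".lnk") and ".pdf" in n.lower()[:-4]]


def flag_event(event):
    """Rules 2-5 over one constructed endpoint event (a dict)."""
    findings = []
    kind = event.get("type")
    image = event.get("image", "").lower()
    in_user_dir = any(p in image for p in USER_WRITABLE)
    if kind == "process_create":
        parent = event.get("parent_image", "").lower()
        cmd = event.get("command_line", "").lower()
        # Rule 2: Explorer (which launches LNK files) spawning PowerShell that touches a .dat file.
        if image.endswith("powershell.exe") and parent.endswith("explorer.exe") and ".dat" in cmd:
            findings.append("powershell_reading_dat_from_explorer")
        # Rule 3: the dropper executable name reported in the article.
        if image.endswith(SUSPECT_EXE):
            findings.append("suspect_executable_name")
    elif kind == "image_load":
        dll = event.get("image_loaded", "").lower()
        # Rule 4: a Unity runtime DLL loaded by the suspect executable or from a
        # user-writable directory, i.e. the side-loading step rather than a real game.
        if dll.endswith(SIDELOADED_DLL) and (image.endswith(SUSPECT_EXE) or in_user_dir):
            findings.append("unityplayer_sideload")
    elif kind == "network_connect":
        host = event.get("dest_host", "").lower()
        # Rule 5: a process from a user-writable directory talking to Azure Blob Storage.
        if host.endswith(BLOB_SUFFIX) and (image.endswith(SUSPECT_EXE) or in_user_dir):
            findings.append("azure_blob_beacon_from_user_dir")
    return findings


def build_sample_zip():
    """Constructed attachment mimicking the archive layout described in the article.
    Every member is an inert placeholder; only the file names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Meeting_Notes.pdf.lnk", b"placeholder")
        zf.writestr("assets.dat", b"placeholder")
        zf.writestr("RuntimeBroker_update.exe", b"placeholder")
    buf.seek(0)
    return buf


# Constructed events, in the order the chain would produce them, plus one benign control.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -c <reads assets.dat, writes RuntimeBroker_update.exe>"},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ""},
    {"type": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\UnityPlayer.dll"},
    {"type": "network_connect",
     "image": r"C:\Users\alice\AppData\Local\Temp\RuntimeBroker_update.exe",
     "dest_host": "example-tenant.blob.core.windows.net"},
    # Benign control: a genuine Unity game loading its own UnityPlayer.dll from Program Files.
    {"type": "image_load",
     "image": r"C:\Program Files\SomeGame\SomeGame.exe",
     "image_loaded": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
]


def run_detection():
    """Apply all rules to the constructed attachment and events; return sorted unique findings."""
    with zipfile.ZipFile(build_sample_zip()) as zf:
        findings = flag_archive_members(zf.namelist())
    for ev in SAMPLE_EVENTS:
        findings.extend(flag_event(ev))
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

Rule 1 is worth applying at the mail gateway before the archive reaches a user; rules 2 to 5 assume process-creation, image-load and network telemetry of the kind an EDR or Sysmon produces. The Azure Blob rule is deliberately scoped to processes running from user-writable paths, because blocking or alerting on the hostname alone would drown in legitimate enterprise traffic, which is exactly why the attackers chose it.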

“The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide,” Seqrite Labs said. “Instead of…
