China's Invisible Thread: How Operation Dragon Weave Turns Microsoft's Cloud Against Its Targets
A newly uncovered Chinese espionage campaign exploiting Azure Blob Storage as a covert command channel is not just a technical milestone — it is the operational signature of a carefully calibrated geopolitical intelligence programme targeting Europe's most Taiwan-aligned state.
The phishing email arrives in a Czech civil servant's inbox with a familiar subject line: an upcoming appointment with the Czech Social Security Administration (ČSSZ). The attached zip file contains what appears to be a scheduling document. It is not. Opening the archive triggers a four-stage infection chain so carefully engineered to avoid detection that its final payload — a fully featured remote-access tool — runs entirely in memory, communicates exclusively through Microsoft's own Azure cloud infrastructure, and leaves almost nothing on disk for investigators to find. This is Operation Dragon Weave.
Discovered by Indian security vendor Seqrite and published in late May 2026, Operation Dragon Weave represents the current state of the art in Chinese nation-state cyber espionage — not for any single technical innovation, but for the integration of multiple evasion and persistence techniques into a campaign that is simultaneously broad in geographic ambition and narrow in target selection. The targets are specific, the lures are localised, and the infrastructure is borrowed from the victim's own trusted cloud ecosystem.
TECHNICAL ANALYSIS
A Four-Stage Kill Chain With Two Entry Points
What sets Operation Dragon Weave apart from simpler spear-phishing campaigns is its redundancy. The infection is designed to succeed even if the primary delivery mechanism fails, giving attackers two independent paths to the same destination.
PATH A — LNK-BASED (PRIMARY)
Victim clicks an LNK shortcut file disguised as a PDF. A PowerShell script runs, decrypts components, and launches RuntimeBroker_update.exe — a filename chosen to mimic a legitimate Windows process.
PATH B — EXECUTABLE-BASED (FALLBACK)
If the victim instead runs the initial executable, it acts as a self-contained Rust-based dropper, extracting all required components independently and launching the same RuntimeBroker_update.exe endpoint.
Both paths converge at the same DLL sideloading stage, where a legitimate executable loads a malicious file named UnityPlayer.dll — borrowing the name of a genuine Unity game engine component to evade casual scrutiny. That DLL contains RUSTCLOAK, the Rust-based loader that forms the campaign's third stage.
// INFECTION CHAIN — ALL STAGES
Stage 01, initial access: spear-phishing email. ZIP attachment with a localised decoy lure (Czech: ČSSZ appointment notice; Taiwan: business meeting).
Stage 02, execution: dual dropper. LNK → PowerShell, or a Rust executable dropper. Both launch RuntimeBroker_update.exe, which sideloads UnityPlayer.dll.
Stage 03, defense evasion: RUSTCLOAK. Rust-based loader; sandbox detection against 100+ machine names; three-layer decryption (RC4 → Base64 → SM4-CBC); Windows fibers to avoid creating new threads.
Stage 04, C2 and exfiltration: AZUREVEIL. Adaptix C2 agent; 36 post-exploitation commands; Azure Blob Storage dead-drop C2; memory-only execution.
RUSTCLOAK: The Anti-Analysis Engine
RUSTCLOAK's most notable feature is its sandbox detection. Before executing any payload, the loader reads the computer name of the host it is running on and compares it against a hardcoded list of more than 100 known sandbox and analyst machine names. On a match it exits silently: no payload, no error message, no forensic trace, so the automated analysis platforms that are most enterprise security teams' first line of detection see nothing. The check is cheap for defenders to sidestep, however: a sandbox or analyst VM whose computer name is not on the list, or has been changed to a plausible corporate one, receives the full payload, and the hardcoded list is itself a useful string indicator when hunting for the loader.
When RUSTCLOAK concludes it is on a genuine victim machine, it decrypts the payload in three layers: a custom RC4 pass, Base64 decoding, and SM4-CBC decryption. The decrypted payload is then mapped and run entirely in memory using Windows fibers, which execute on an existing thread rather than creating a new one and so avoid the thread-creation events that endpoint detection tools commonly monitor. The final payload never touches the disk.
AZUREVEIL: The Cloud-Camouflaged C2
The campaign's most strategically significant innovation is AZUREVEIL's command-and-control architecture. Rather than communicating with an attacker-controlled server — a pattern that network defenders have decades of experience detecting — AZUREVEIL uses Microsoft Azure Blob Storage as a shared communication channel in what researchers call a "dead-drop" model.
// HOW THE DEAD-DROP C2 WORKS
The infected system and the attacker never communicate directly. Both interact with the same container in an Azure storage account: the account is provisioned by the attacker, but the service, the IP space and the TLS certificates belong to Microsoft.
The compromised system periodically uploads a small encrypted beacon (approximately 124 bytes) to signal that it is active. The attacker polls the container for beacons and places encrypted command blobs in it; the malware retrieves, decrypts and executes those commands, then uploads the results as encrypted blobs for the attacker to collect.
From a network monitoring perspective, all of this is HTTPS to Azure Blob Storage, one of the most trusted and ubiquitous cloud services on the internet. The one artefact that survives at the network layer is the storage account name, which appears in the hostname (<account>.blob.core.windows.net) and therefore in the TLS SNI: defenders cannot block Azure, but they can inventory which storage accounts their hosts talk to and flag any that no business process explains.
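The exchange just described, as an added example that is not part of the Seqrite analysis or of the campaign's own code: both sides of a dead-drop C2 in Python, with a dictionary standing in for the Azure container. The blob naming scheme, the JSON message layout, the two-command handler set and the SHA-256-keystream-plus-HMAC encryption are all assumptions for illustration (the page does not say which cipher AZUREVEIL uses); the point is that agent and operator only ever read and write blobs, never each other.

```python
import hashlib
import hmac
import json
import os
import time


class BlobContainer(dict):
    """Dict standing in for an Azure Blob Storage container (constructed for this
    example; the real campaign uses Microsoft's service). Keys are blob names."""

    def list(self, prefix=""):
        return sorted(n for n in self if n.startswith(prefix))


def _keystream(key, nonce, length):
    """SHA-256 in counter mode. Illustrative only: the page does not say which
    cipher AZUREVEIL uses, so this scheme is an assumption, not the malware's."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || truncated HMAC-SHA256 tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()[:16]


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()[:16]):
        raise ValueError("blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Agent:
    """Implant side: talks only to the container, never to the operator."""

    def __init__(self, container, key, agent_id, hostname):
        self.c, self.key, self.id, self.host = container, key, agent_id, hostname
        # Hypothetical command set; AZUREVEIL's 36 real commands are not on the page.
        self.handlers = {"echo": lambda arg: arg, "hostname": lambda arg: self.host}

    def beacon(self):
        """Small encrypted 'I am alive' blob that the operator polls for."""
        msg = json.dumps({"id": self.id, "host": self.host, "ts": int(time.time())})
        self.c[f"{self.id}/beacon"] = seal(self.key, msg.encode())

    def poll(self):
        """Fetch queued command blobs, run them, write result blobs, delete the commands."""
        done = []
        for name in self.c.list(f"{self.id}/cmd/"):
            task = json.loads(unseal(self.key, self.c.pop(name)))
            handler = self.handlers.get(task["cmd"], lambda arg: "unknown command")
            result = {"task": task["task_id"], "output": handler(task.get("arg", ""))}
            self.c[f"{self.id}/res/{task['task_id']}"] = seal(self.key, json.dumps(result).encode())
            done.append(task["task_id"])
        return done


class Operator:
    """Attacker side: reads beacons, queues commands, collects results."""

    def __init__(self, container, key):
        self.c, self.key, self._n = container, key, 0

    def live_agents(self):
        beacons = (json.loads(unseal(self.key, self.c[n])) for n in self.c.list() if n.endswith("/beacon"))
        return {b["id"]: b["host"] for b in beacons}

    def task(self, agent_id, cmd, arg=""):
        self._n += 1
        task_id = f"{self._n:04d}"
        msg = json.dumps({"task_id": task_id, "cmd": cmd, "arg": arg}).encode()
        self.c[f"{agent_id}/cmd/{task_id}"] = seal(self.key, msg)
        return task_id

    def collect(self, agent_id):
        results = {}
        for name in self.c.list(f"{agent_id}/res/"):
            r = json.loads(unseal(self.key, self.c.pop(name)))
            results[r["task"]] = r["output"]
        return results


def run_exchange():
    """One full round trip. Returns (beacon blob size, agents seen, collected results)."""
    store = BlobContainer()
    key = hashlib.sha256(b"example pre-shared key").digest()  # assumed, not from the page
    agent = Agent(store, key, "a1", "WS-PRG-042")  # constructed victim hostname
    op = Operator(store, key)
    agent.beacon()
    seen = op.live_agents()
    op.task("a1", "echo", "ping")
    op.task("a1", "hostname")
    agent.poll()
    return len(store["a1/beacon"]), seen, op.collect("a1")


if __name__ == "__main__":
    print(run_exchange())
```

Against the real service every one of these dictionary operations would be a plain HTTPS PUT, GET or LIST against <account>.blob.core.windows.net, which is exactly why the traffic blends in. The implant's beacon blob here is under 100 bytes, in the same range as the 124-byte beacon the report describes.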
AZUREVEIL supports 36 post-exploitation commands covering file system operations, process manipulation, lateral movement and the in-memory execution of Beacon Object Files (BOFs). Once it is running, the operator's reach on the host is effectively unlimited.
100+: sandbox and analyst machine names in RUSTCLOAK's evasion list
36: post-exploitation commands available to AZUREVEIL operators
3 layers: encryption (RC4 + Base64 + SM4-CBC) protecting the AZUREVEIL payload
0 bytes: final payload written to disk; memory-only execution throughout
TARGET SELECTION
Why These Four Sectors — and Why These Two Countries
Government & Public Sector: policy positions, diplomatic communications, intelligence on bilateral Czech-Taiwan dealings and Prague's stance on Ukraine.
Research & Academia: pre-publication scientific data; Taiwan semiconductor research; Czech defence technology partnerships with NATO allies.
Technology & Software: Foxconn operations in the Czech Republic; Taiwan's semiconductor supply chain; Made in China 2025 technology acquisition targets.
Financial Services: investment flows between Taiwan and the Czech Republic; intelligence on economic partnerships that bypass China's trade influence.
Seqrite also documented an evolution of the campaign: later waves observed in January 2026 replaced the AZUREVEIL Adaptix C2 framework with Cobalt Strike, and expanded targeting to Cambodia and South Korea. Researchers note that South Korean targeting aligns specifically with China's interest in technologies associated with the Made in China 2025 industrial development initiative — suggesting the Dragon Weave infrastructure is being repurposed for a broader economic intelligence collection programme.
DIPLOMATIC CONTEXT
The Czech-China-Taiwan Triangle
To understand why the Czech Republic appears alongside Taiwan as a primary target of a Chinese espionage campaign, one must understand a diplomatic relationship that has deteriorated sharply and in multiple dimensions over the past four years — and that has become the most contentious chapter in China-EU bilateral relations.
Alexis Rapin, cyber threat analyst at ESET, frames the selection directly: "The Czech Republic is probably the European country with the closest ties to Taiwan currently, which makes it a 'natural' target for China-aligned threat actors." His assessment is grounded in observable intelligence collection patterns: "Based on our telemetry, it appears that Chinese APTs' interest roughly aligns with this broad timeline — we saw them starting to target CZ rather frequently in 2023, with governmental organisations as the most common target. Academia and the non-profit sector come in second."
2020 - Pressure campaign against Czech Senate president
Senate President Jaroslav Kubera dies before a planned visit to Taiwan. Chinese embassy correspondence later revealed that Beijing had pressured the Czech government to prevent the trip, triggering significant domestic controversy.
2020 - Senate President Vystrčil visits Taiwan
Despite Beijing's objections, Senate President Miloš Vystrčil leads a delegation to Taipei in late August 2020, the highest-level European parliamentary visit to Taiwan in two decades. China issues a formal diplomatic protest.
2022–2024 - APT31 attacks Czech Foreign Ministry
In May 2025 the Czech government formally attributes a cyber espionage campaign against its Foreign Affairs Ministry's communications network, running since 2022, to APT31, a group publicly associated with China's Ministry of State Security. Foreign Minister Jan Lipavský summons the Chinese ambassador; China dismisses the move as "microphone diplomacy."
2023 - Czech President Pavel breaks protocol on Taiwan call
Newly elected President Petr Pavel takes a congratulatory phone call from Taiwanese President Tsai Ing-wen in January 2023, breaking decades of diplomatic protocol. Beijing lodges a formal protest; in 2025 its Foreign Ministry goes further and announces it will cease all engagement with President Pavel.
March 2024 - Chinese intelligence operation against Taiwanese VP in Prague
Czech Military Intelligence confirms that Chinese diplomatic staff in Prague ran an active intelligence operation against Taiwanese Vice-President Hsiao Bi-khim during her three-day visit, including physical surveillance, schedule monitoring and a reportedly planned staged vehicle collision, which Czech intelligence describes as "unprecedented on European soil." China denies the account.
2025 - Government change: partial diplomatic reset begins
Populist ANO party wins Czech parliamentary elections. Leader Andrej Babiš, perceived as more pro-China, begins a rhetorical "reset" with Beijing. Analysts note, however, that trade imbalance (Czech exports €3bn vs. imports from China €36.7bn in 2024) and established people-to-people ties with Taiwan constrain any meaningful reversal.
2026 - Operation Dragon Weave disclosed
Seqrite publishes evidence of a coordinated, ongoing espionage campaign targeting Czech government, academia, and technology sectors alongside Taiwanese organisations. Attribution: China, moderate confidence.
The pattern is coherent: China's cyber operations against Czech organisations have escalated in parallel with, and apparently in direct response to, Prague's political choices regarding Taiwan. The targeting of academia and non-profit organisations — not just government — suggests an intelligence collection programme that extends beyond immediate policy positions to include the civil society networks and research communities that shape long-term policy orientation.
"By the look of it, and taking the broader context into account, it seems likely that the Czech Republic is among the recurrent intelligence-collection priorities of China-aligned APTs in Europe."
The Diplomatic Paradox: Trade and Surveillance in Parallel
What makes the Czech-China relationship particularly instructive — and what makes the cyber campaign so strategically revealing — is that espionage and economic interdependence are proceeding simultaneously. Czech exports to China rose from €2.5 billion in 2021 to €3 billion in 2024, while imports from China remain enormous at €36.7 billion. The two countries are significant trading partners. They are also, apparently, active adversaries in the information domain.
This is not a contradiction unique to the Czech-China relationship — it characterises China's relationships with most of Western Europe and with countries across Asia. But the Czech case is particularly concentrated: Taiwan has invested $200 million in the Czech Republic, creating 50,000 jobs. Taiwanese companies including Foxconn operate there. A Taiwanese airline is launching direct Prague-Taipei flights. The economic and people-to-people ties with Taiwan are deep, institutionalised, and growing — which means Beijing's interest in understanding, and potentially disrupting, those ties is correspondingly intense.
The political reset attempt by the Babiš government is, in this light, largely cosmetic. As analysts at the Sinopsis think tank note, the structural reality of the relationship — a €33 billion trade imbalance and deeply rooted civil society ties with Taiwan — does not change because the government adopts less "ideological" language about democratic values. Beijing presumably understands this. The intelligence collection continues regardless of who is in office in Prague.
THE BROADER PATTERN: CLOUD INFRASTRUCTURE AS GEOPOLITICAL TOOL
Why Abusing Azure Is a Strategic Choice, Not Just a Technical One
The use of Microsoft Azure Blob Storage as a C2 channel is worth examining beyond its immediate technical significance. Azure is deeply embedded in enterprise IT infrastructure across Europe and Taiwan. Traffic to Azure from a government ministry, a university, or a financial services firm is not merely routine — it is expected, trusted, and difficult to block without disrupting legitimate operations. By routing its command infrastructure through Azure, Operation Dragon Weave has placed defenders in a position where the cure — blocking Azure — is potentially worse than the disease.
⚠ STRATEGIC IMPLICATION: THE TRUSTED CLOUD PROBLEM
A growing number of nation-state campaigns — not limited to China — are pivoting toward legitimate cloud platforms (Azure, AWS, Google Cloud, OneDrive, Dropbox) for C2 communication. The logic is straightforward: network defenders cannot blacklist Microsoft's infrastructure without collateral damage to their own operations.
This represents a systemic vulnerability in the current enterprise security model, which relies heavily on reputation-based filtering and known-malicious-IP blocklists. Both controls are ineffective against adversaries whose traffic is indistinguishable from legitimate enterprise cloud activity at the network layer.
Detection of AZUREVEIL-style campaigns therefore requires behavioural analytics, anomalous beacon pattern analysis, and endpoint-level telemetry — not perimeter controls alone.
The dead-drop architecture specifically exploits the asymmetry between attacker cost and defender cost. For the attacker, creating a new Azure storage container is trivial and costs pennies. For the defender, monitoring all Azure traffic for anomalous patterns requires significant investment in behavioural analytics and is far from foolproof. Infrastructure takedowns — the traditional response to identified C2 servers — are also complicated when the infrastructure belongs to a major cloud provider whose services thousands of legitimate organisations depend on simultaneously.
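The anomalous-beacon analysis the callout above calls for, as an added example rather than anything from the page or from Seqrite: a small Python detector over constructed proxy log lines (the storage account names, client addresses and timestamps are invented). It groups uploads by (client, storage account) and flags pairs whose uploads are all tiny and evenly spaced, which is what a dead-drop check-in looks like, while leaving a backup job with large, irregular uploads alone. The thresholds are assumptions to tune, not values from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines, not real telemetry. Fields:
# timestamp  client-ip  method  url  request-bytes  status
# Storage account names are invented; the page gives none.
SAMPLE_LOG = """\
2026-05-20T09:00:00Z 10.20.1.17 GET https://x9f3kq.blob.core.windows.net/sync?restype=container&comp=list 0 200
2026-05-20T09:00:00Z 10.20.1.17 PUT https://x9f3kq.blob.core.windows.net/sync/a1/beacon 124 201
2026-05-20T09:05:01Z 10.20.1.17 PUT https://x9f3kq.blob.core.windows.net/sync/a1/beacon 124 201
2026-05-20T09:10:00Z 10.20.1.17 PUT https://x9f3kq.blob.core.windows.net/sync/a1/beacon 124 201
2026-05-20T09:15:02Z 10.20.1.17 PUT https://x9f3kq.blob.core.windows.net/sync/a1/beacon 124 201
2026-05-20T09:20:00Z 10.20.1.17 PUT https://x9f3kq.blob.core.windows.net/sync/a1/beacon 124 201
2026-05-20T09:03:11Z 10.20.1.44 PUT https://corpbackup01.blob.core.windows.net/vol/disk.vhdx 73400320 201
2026-05-20T09:41:52Z 10.20.1.44 PUT https://corpbackup01.blob.core.windows.net/vol/disk.vhdx 52428800 201
2026-05-20T10:02:07Z 10.20.1.44 PUT https://corpbackup01.blob.core.windows.net/docs/q2.docx 48211 201
2026-05-20T11:07:30Z 10.20.1.44 PUT https://corpbackup01.blob.core.windows.net/docs/q2.pptx 910466 201
2026-05-20T09:30:00Z 10.20.1.91 GET https://www.example.com/ 0 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
BLOB_HOST_RE = re.compile(r"^https?://([a-z0-9]+\.blob\.core\.windows\.net)/", re.I)


def parse(log_text):
    """Keep only requests to Azure Blob endpoints, as dicts with epoch timestamps."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, size, _status = m.groups()
        host = BLOB_HOST_RE.match(url)
        if not host:
            continue
        epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append({"ts": epoch, "src": src, "method": method,
                       "account": host.group(1).lower(), "bytes": int(size)})
    return events


def find_beacons(events, min_count=4, max_bytes=512, max_jitter=0.10):
    """Flag (client, storage account) pairs whose uploads are all tiny and evenly
    spaced. Thresholds are starting points to tune, not values from the page."""
    flows = defaultdict(list)
    for e in events:
        if e["method"] in ("PUT", "POST"):
            flows[(e["src"], e["account"])].append(e)
    hits = []
    for (src, account), ups in flows.items():
        if len(ups) < min_count:
            continue
        ups.sort(key=lambda e: e["ts"])
        sizes = [e["bytes"] for e in ups]
        gaps = [b["ts"] - a["ts"] for a, b in zip(ups, ups[1:])]
        period = statistics.median(gaps)
        # Jitter as a fraction of the period: near zero means a timer, not a human.
        jitter = statistics.pstdev(gaps) / period if period else float("inf")
        if max(sizes) <= max_bytes and jitter <= max_jitter:
            hits.append({"src": src, "account": account, "uploads": len(ups),
                         "max_bytes": max(sizes), "period_s": round(period),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG)):
        print(hit)
```

The grouping key is deliberately the storage account rather than the IP: Azure front ends are shared, so the account name in the hostname is the only stable attacker-specific handle the proxy sees. A real deployment would add an allowlist of accounts the organisation owns and treat any other account receiving timer-regular uploads as a hunting lead.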
DEFENSE RECOMMENDATIONS
Endpoint (stages 2–3: dropper and RUSTCLOAK execution). EDR with memory-scanning capability; detect Windows fiber abuse and DLL sideloading patterns; alert on execution of RuntimeBroker_update.exe, a name chosen to mimic the genuine RuntimeBroker.exe.
Behavioural / SIEM (stage 1 delivery and stage 4 AZUREVEIL C2). Alert on small, periodic, beacon-sized uploads to Azure Blob Storage endpoints from unexpected processes; monitor process lineage from LNK and PowerShell execution.
File integrity / DLL sideloading detection (stage 2). FIM on system directories; alert on creation of files that borrow the names of legitimate components, such as UnityPlayer.dll in unexpected locations.
Threat intel / hunting (ongoing; the campaign is active). Hunt for Adaptix C2 and Cobalt Strike IOCs on networks with Czech or Taiwan government, academic or technology sector exposure.
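As an added example (not code from Seqrite or from the campaign), the endpoint and file-integrity recommendations above turned into three rules and run over constructed Sysmon-style events: a process whose name is derived from a Windows binary but runs outside C:\Windows, an executable in a user-writable path whose lineage is Explorer → PowerShell → executable (the LNK path from the technical analysis), and UnityPlayer.dll loaded from the loading process's own user-writable directory. PIDs, paths and the benign-game events are invented, and the list of imitated Windows names beyond RuntimeBroker.exe is an assumption.

```python
import ntpath

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load).
# Paths, PIDs and directory names are invented for the example, not from the page.
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5208, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 5610, "ppid": 5208,
     "image": r"C:\Users\jn\AppData\Local\Temp\cssz\RuntimeBroker_update.exe"},
    {"id": 7, "pid": 5610, "image": r"C:\Users\jn\AppData\Local\Temp\cssz\RuntimeBroker_update.exe",
     "loaded": r"C:\Users\jn\AppData\Local\Temp\cssz\UnityPlayer.dll"},
    # Benign: a real Unity-built game loading its own UnityPlayer.dll from Program Files.
    {"id": 1, "pid": 6002, "ppid": 4120, "image": r"C:\Program Files\SomeGame\SomeGame.exe"},
    {"id": 7, "pid": 6002, "image": r"C:\Program Files\SomeGame\SomeGame.exe",
     "loaded": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
    # Benign: the genuine RuntimeBroker.exe started by a service host.
    {"id": 1, "pid": 6100, "ppid": 800, "image": r"C:\Windows\System32\RuntimeBroker.exe"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SIDELOAD_DLLS = {"unityplayer.dll"}  # DLL name the campaign borrows
# Windows binary names that droppers imitate; the page names only RuntimeBroker.
WINDOWS_NAMES = {"runtimebroker.exe", "svchost.exe", "dllhost.exe", "taskhostw.exe"}


def user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def masquerade_of(image):
    """Return the Windows binary an image name imitates, or None if it is the real one."""
    name = ntpath.basename(image).lower()
    stem = name.rsplit(".", 1)[0]
    for win in WINDOWS_NAMES:
        wstem = win.rsplit(".", 1)[0]
        if stem.startswith(wstem):
            genuine = stem == wstem and image.lower().startswith("c:\\windows\\")
            return None if genuine else win
    return None


def lineage(procs, pid, depth=4):
    """Walk parent links: [self, parent, grandparent, ...] as lowercase image names."""
    chain = []
    while pid in procs and len(chain) < depth:
        chain.append(ntpath.basename(procs[pid]["image"]).lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        if e["id"] == 1:
            target = masquerade_of(e["image"])
            if target:
                alerts.append({"rule": "masquerade", "pid": e["pid"],
                               "detail": f"{ntpath.basename(e['image'])} imitates {target}"})
            chain = lineage(procs, e["pid"])
            # Executable in a user-writable path spawned by PowerShell under Explorer:
            # the LNK -> PowerShell -> dropper path from the technical analysis.
            if user_writable(e["image"]) and chain[1:3] == ["powershell.exe", "explorer.exe"]:
                alerts.append({"rule": "lineage", "pid": e["pid"], "detail": " <- ".join(chain)})
        elif e["id"] == 7:
            dll = ntpath.basename(e["loaded"]).lower()
            same_dir = ntpath.dirname(e["loaded"]).lower() == ntpath.dirname(e["image"]).lower()
            if dll in SIDELOAD_DLLS and same_dir and user_writable(e["loaded"]):
                alerts.append({"rule": "sideload", "pid": e["pid"],
                               "detail": f"{dll} loaded from {ntpath.dirname(e['loaded'])}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

All three rules fire on the same PID, which is the useful property: any one of them alone is noisy (games do ship UnityPlayer.dll, admins do run PowerShell from Explorer), but a masqueraded name, a dropper lineage and a same-directory sideload converging on one process is a strong signal worth escalating.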
ASSESSMENT
What Operation Dragon Weave Tells Us About China's Intelligence Posture in Europe
Operation Dragon Weave is best understood not as an isolated technical campaign but as one operational expression of a sustained and multi-instrument intelligence programme targeting countries that have developed meaningful ties with Taiwan. The Czech Republic, having become the EU's most Taiwan-aligned member state, has attracted a level of Chinese intelligence attention that is — as ESET's Rapin puts it — structurally predictable.
Three things distinguish this campaign from background noise. First, the target selection is exceptionally precise. The four targeted verticals — government, academia, technology, and financial services — map directly onto the specific domains of Czech-Taiwan cooperation that Beijing has the strongest interest in monitoring: policy decision-making, research that informs technology partnerships, the Foxconn/Taiwan semiconductor presence in Czech industry, and the financial flows that underpin and sustain the bilateral relationship.
Second, the technical sophistication is calibrated to the threat environment. RUSTCLOAK's list of more than 100 sandbox and analyst machine names suggests adversaries who have studied defensive tooling and update their evasion in step with the detection landscape. Dead-drop C2 over Azure is not a novel concept, but its implementation here, with the 124-byte beacon, the encrypted blob exchange and the memory-only payload, reflects a professional and well-resourced operation.
Third, and most significantly for analysts: the campaign has already evolved. The January 2026 pivot to Cobalt Strike and the addition of South Korean targets suggests that Dragon Weave is not a static operation but an ongoing programme with its own development roadmap. The infrastructure and tradecraft are being refined between operations, and the geographic scope is expanding.
"Operation Dragon Weave demonstrates how modern cyber espionage campaigns increasingly leverage legitimate cloud services to conceal malicious activity. By abusing Microsoft Azure infrastructure, employing sophisticated Rust-based loaders, and deploying feature-rich malware, attackers can maintain stealth while gaining extensive control."
For European governments navigating the increasingly fraught geometry of US-China competition, the Czech case offers a clear lesson: diplomatic positioning on Taiwan does not merely affect bilateral relations with Beijing — it directly shapes the cyber threat environment. Intelligence collection and diplomatic pressure are two instruments of the same policy, and the organisations bearing the technical burden of the former are often the same civil servants, researchers, and industry partners who are the direct stakeholders in the latter. The firewall between geopolitics and cybersecurity, to the extent it ever existed, is gone.
SOURCES
Technical analysis: Seqrite Labs "Operation Dragon Weave" research (May 2026); Dark Reading (June 2, 2026); CyberSecurityNews; GBHackers; Actipace; Red Secure Tech; Arabian Post; FYSelf News; Cyberpress. Diplomatic / geopolitical: Radio Prague International — Chinese intelligence operation against Taiwanese VP, June 2025; Reuters — Czech Foreign Ministry APT31 attribution; GlobalSecurity / RFE/RL — Czech government China reset, January 2026; Sinopsis — Czech-Taiwan relations under Babiš, June 2026; Domino Theory — Czech-Taiwan relations, March 2026; CyberSecTaiwan — Czech-Taiwan cybersecurity cooperation, May 2024. ESET attribution context: Alexis Rapin quote via Dark Reading / Seqrite research citation, June 2026.