A China-aligned threat actor has weaponised Microsoft Azure Blob Storage as a covert command-and-control relay, conducting coordinated spear-phishing operations against government, research, academic, technology, and financial institutions in the Czech Republic and Taiwan.
Intelligence Lead
A China-aligned threat actor has weaponised Microsoft Azure Blob Storage as a command-and-control relay to conduct simultaneous spear-phishing operations against government, academic, and financial targets in the Czech Republic and Taiwan. The campaign, designated Operation Dragon Weave by researchers at Seqrite, exploits the legitimacy of Microsoft cloud infrastructure to camouflage malicious traffic within routine enterprise network activity — a technique that severely degrades conventional detection methods. The dual targeting of a NATO member state and Taiwan reflects a calculated effort to harvest intelligence relevant to European policy positions on the Taiwan Strait and to monitor Taiwanese institutional communications.
Situation Report
Researchers at Indian cybersecurity firm Seqrite published technical findings on 1 June 2026 confirming an active espionage campaign assessed with moderate confidence as China-linked. The operation delivers an AdaptixC2 remote access agent via spear-phishing emails containing ZIP file attachments. Within the archive, a Windows Shortcut (LNK) file is disguised as a PDF document. When executed, the LNK file triggers a Rust-based loader that deploys the final payload, establishing persistent remote access and enabling data exfiltration.
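The LNK-inside-ZIP step described above is one a mail gateway or sandbox can screen for before a user ever sees the archive. The following is an added example, not Seqrite's tooling or a file from the campaign: it reads the first bytes of each ZIP member and flags Windows Shell Link headers hiding behind document-style names. The archive, its filenames and its contents are constructed for the example.

```python
import io
import zipfile

# First 8 bytes of a Windows Shell Link file: HeaderSize (0x4C) followed by
# the start of the fixed LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

def classify_member(name, head):
    """Return a reason if the member's bytes are a LNK hiding behind a document-like name, else None."""
    if head[:8] != LNK_MAGIC:
        return None
    stem, _, ext = name.lower().rstrip().rpartition(".")
    if ext != "lnk":
        return "LNK content under a non-.lnk extension"
    if stem.endswith(DOC_EXTS):
        return "double extension: document name ending in .lnk"
    return "LNK file delivered in archive"

def scan_zip(zip_bytes):
    """Return {member_name: reason} for every suspicious member of the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reason = classify_member(info.filename, head)
            if reason:
                findings[info.filename] = reason
    return findings

def build_sample_zip():
    """Constructed test archive (not a campaign sample): a fake-PDF LNK, a real PDF header, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Appointment.pdf.lnk", LNK_MAGIC + b"\x00" * 68)  # header-only stub, inert
        zf.writestr("Appointment.pdf", b"%PDF-1.4 constructed benign placeholder")
        zf.writestr("notes.txt", b"benign text")
    return buf.getvalue()
```

Explorer hides the trailing `.lnk` of a known file type, so the double-extension case is the one that looks like a PDF to the recipient; the content check catches it regardless of the name.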
A defining technical characteristic of Dragon Weave is the use of Microsoft Azure Blob Storage as a dead-drop command-and-control channel. The malware communicates with attacker-controlled Azure instances, blending its traffic with legitimate cloud service activity. This renders conventional network monitoring — which relies on flagging connections to known-malicious IP ranges or domains — largely ineffective against the campaign.
Decoy documents used in the Czech Republic strand of the operation impersonate correspondence from the Czech Social Security Administration (ČSSZ), referencing a scheduled appointment for an individual named Zuzana Košková on 16 March 2026. The specificity of the social engineering lure — including a plausible Czech name and a government body recognisable to the target demographic — suggests prior reconnaissance of Czech administrative workflows. Separately confirmed infection sequences in Taiwan employed filenames written in Traditional Chinese, consistent with targeting of Taiwanese rather than mainland Chinese-speaking users.
Subsequent activity observed in January 2026 indicates a tooling evolution: AdaptixC2 has been replaced in certain infection chains by Cobalt Strike, a commercial penetration testing framework extensively repurposed by state-aligned threat actors. Infections have additionally been reported in Cambodia and South Korea, indicating possible infrastructure expansion or a related but distinct sub-operation sharing Dragon Weave tradecraft.
Background & Context
The Czech Republic has been a persistent target of Chinese and Russian cyber operations given its membership of NATO and its vocal institutional positions on Taiwan. Czech intelligence services (BIS) have repeatedly flagged China-linked intrusion attempts against government networks and academic institutions. The concurrent targeting of Czech and Taiwanese entities in a single coordinated campaign is consistent with reported People's Liberation Army Strategic Support Force (PLASSF) and Ministry of State Security (MSS) priorities: monitoring allied coordination on Taiwan policy and mapping the external diplomatic and intelligence relationships of Taipei's government.
The exploitation of legitimate cloud infrastructure for C2 purposes — variously termed "living off trusted sites" or cloud-relay C2 — is an established and escalating trend among China-linked advanced persistent threat groups. Actors including APT40 and APT41 have previously abused Google Drive, OneDrive, and Dropbox as relay mechanisms. The shift to Azure Blob Storage represents a logical evolution: enterprise defenders are rarely in a position to block traffic to a major cloud provider without significant operational disruption, and anomaly-based detection within those traffic streams requires mature and resource-intensive tooling.
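Because blocking blob.core.windows.net outright is rarely viable, detection of the dead-drop channel described in the Situation Report and above has to work inside that traffic. This added example (not from Seqrite or the report) parses constructed proxy log lines and flags Azure Blob requests to storage accounts outside an assumed organisational allowlist, and hosts that poll one account at a fixed interval. The log format, IPs, account names and allowlist are all assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log format for this example: "<ISO8601> <src_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
BLOB_RE = re.compile(r"^https?://([a-z0-9]+)\.blob\.core\.windows\.net/", re.I)
# Assumed allowlist of the storage accounts the organisation actually uses.
APPROVED_ACCOUNTS = {"corpbackup01", "hrdocs"}

def parse_blob_requests(lines):
    """Yield (timestamp, src_ip, storage_account) for each request to Azure Blob Storage."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url, _status = m.groups()
        b = BLOB_RE.match(url)
        if b:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, b.group(1).lower()

def find_suspicious(lines, min_hits=4, max_cv=0.15):
    """Return {(src_ip, account): [reasons]} for unapproved accounts and beacon-like polling."""
    hits = defaultdict(list)
    for ts, src, account in parse_blob_requests(lines):
        hits[(src, account)].append(ts)
    findings = {}
    for (src, account), stamps in hits.items():
        reasons = []
        if account not in APPROVED_ACCOUNTS:
            reasons.append("storage account not in allowlist")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low coefficient of variation in request spacing = fixed-interval polling of a dead drop.
        if len(stamps) >= min_hits and statistics.mean(gaps) > 0 \
                and statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            reasons.append("beacon-like polling interval")
        if reasons:
            findings[(src, account)] = reasons
    return findings

# Constructed sample: one host polls an unknown account every 60 s; another uses an approved one.
SAMPLE_LOG = [
    f"2026-03-16T08:{m:02d}:00Z 10.0.0.5 GET https://x7k2qpstore.blob.core.windows.net/c/t 200"
    for m in range(0, 5)
] + [
    "2026-03-16T09:00:00Z 10.0.0.9 GET https://hrdocs.blob.core.windows.net/forms/a.pdf 200",
    "2026-03-16T09:07:13Z 10.0.0.9 GET https://hrdocs.blob.core.windows.net/forms/b.pdf 200",
    "2026-03-16T09:31:02Z 10.0.0.9 PUT https://hrdocs.blob.core.windows.net/forms/c.pdf 201",
    "2026-03-16T09:32:00Z 10.0.0.9 GET https://www.example.com/ 200",
]
```

Real agents add jitter, so tune `max_cv` against a baseline of your own Azure traffic and treat the allowlist miss as the stronger of the two signals.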
The Rust loader used in Dragon Weave is a further indicator of deliberate operational security. Rust-compiled malware is comparatively rare, reducing the probability of signature-based detection. Cobalt Strike — employed in January 2026 iterations — is a commercial tool that generates high volumes of detections globally, and its appearance alongside a Rust loader suggests the actor is willing to trade some stealth for operational capability as the campaign matures.
Analysis & Assessment
Operation Dragon Weave is assessed as an intelligence collection operation rather than a destructive or pre-positioning campaign. The targeting of government, research, academic, technology, and financial sectors in both the Czech Republic and Taiwan is consistent with a broad-collection mandate: harvesting policy documents, diplomatic correspondence, and technology transfer data with relevance to PRC strategic priorities in Europe and the Taiwan Strait. There is no current indication of destructive payloads or pre-positioned malware designed for infrastructure sabotage.
The expansion of observed infections into Cambodia and South Korea warrants monitoring. Cambodia has historically served as a permissive operating environment for China-linked cyber actors. South Korea's inclusion may indicate separate targeting priorities — potentially related to semiconductor supply chains or alliance coordination with the United States — or may reflect infrastructure reuse rather than deliberate targeting. Attribution to a specific named APT group remains unconfirmed; Seqrite assessed the campaign as China-linked with moderate confidence, and full attribution will likely require additional forensic analysis.
The dual-target architecture of Dragon Weave — a NATO member and Taiwan simultaneously — suggests a level of operational coordination and resource investment consistent with a state-sponsored actor operating under clear strategic tasking rather than an opportunistic criminal group. Western intelligence services should be expected to leverage the Seqrite disclosure to hunt for related indicators within their own networks and those of allies.