Dark ReadingArchived Jun 03, 2026✓ Full text saved
China is stealing data from high-value targets via a sneaky, double-layer spear-phishing campaign that includes the Azureveil malware.
Full text archived locally
✦ AI Summary· Claude Sonnet
THREAT INTELLIGENCE
DATA PRIVACY
СLOUD SECURITY
ENDPOINT SECURITY
NEWS
Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
China Uses Dual-Method Cyberattack on Czech Orgs
China is stealing data from high-value targets via a sneaky, double-layer spear-phishing campaign that includes the Azureveil malware.
Alexander Culafi,Senior News Writer,Dark Reading
June 2, 2026
4 Min Read
SOURCE: GARYSANDYWALES VIA GETTY IMAGES
Chinese nation-state threat actors are targeting specific organizations in the Czech Republic and Taiwan for data exfiltration, with a focus on well-defined verticals: government and the public sector; research and academia; technology and software; and financial services.
That's according to security vendor Seqrite, which published research last week regarding "Operation Dragon Weave," a spear-phishing campaign that starts with sending email to a target with an attached zip file and instructions to open it, under the guise of something like an upcoming business meeting or, in the case of one Czech Republic-themed instance, an appointment with the Czech Social Security Administration (ČSSZ).
The Czech Connection: In China's Cyberattack Crosshairs
Seqrite attributed the campaign to China with moderate confidence, though the vendor stopped short of connecting it to a specific advanced persistent threat (APT) group.
Related:Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks
The contentious connection between China and Taiwan is well established, so a campaign like this would come as no surprise. Less well known is China's complex relationship to the Czech Republic. While they are significant trading partners, the Czech government and China have butted heads over the former's allyship to Taiwan and the latter's support of Russia in the invasion of Ukraine. This would perhaps explain China's interest in the Czech Republic as a potential cyber target, according to Alexis Rapin, cyber threat analyst at ESET.
"The Czech Republic (CZ) is probably the European country with the closest ties to Taiwan currently, which makes it a 'natural' target for China-aligned threat actors," he explains. "Based on our telemetry, it appears that Chinese APTs' interest roughly aligns with this broad timeline: we saw them starting to target CZ rather frequently in 2023, with governmental organizations as the most common target. Academia and the non-profit sector come in second."
He adds, "By the look of it, and taking the broader context into account, it seems likely that the Czech Republic is among the recurrent intelligence-collection priorities of China-aligned APTs in Europe.”
How China's 2-Pronged Attack Works
The zip file attached to the spear-phishing email contains multiple files, including an executable that opens a decoy PDF containing plausible information, such as instructions on what to do during the day of the purported ČSSZ appointment. The primary way the infection starts is through clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components; it then executes them through a file named RuntimeBroker_update.exe.
Related:Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets
However, if the victim opens up that initial aforementioned executable, the file also "acts as a self-contained Rust-based dropper that extracts all required components on its own and then launches the same RuntimeBroker_update.exe," according to the Seqrite blog post. This gives the malware two different means of deployment.
RuntimeBroker_update.exe loads a malicious DLL which executes a Rust-based loader tracked as "Rustcloak." The loader decrypts and runs the ultimate payload, tracked as "Azureveil," which is an Adaptix command-and-control (C2) agent.
Double Whammy: Rustcloak & Azureveil Malware
In addition to continuing the infection chain, Rustcloak is notable in that it includes anti-detection and anti-analysis functionality. The function retrieves the system's computer name and compares it against a list of more than 100 known sandbox and analyst machine names; if there's a match, the loader exits the process and no payload is activated.
Azureveil, meanwhile, is notable for its C2 component, which relies on Microsoft Azure Blob Storage.
"Instead of using a traditional pull-based C2 model, Azureveil follows a dead-drop approach," according to the research. "The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data."
Related:Africa Relinquishes Cyberattack Lead to Latin America — For Now
It added, "The agent periodically uploads a small encrypted beacon (around 124 bytes) to signal that it is active. The attacker then places commands in the same container. Azureveil retrieves these commands, decrypts them, executes them, and uploads the results back as encrypted blobs."
Once the attacker is at this point, they can execute commands and exfiltrate files from the target system to their heart's content.
So what should organizations do? The Seqrite research team tells Dark Reading that because Operation Dragon Weave begins with spear-phishing and leads into conventional malware, organizations that want to protect themselves against these threats have a few technology options beyond anti-phishing user awareness training. They should conduct periodic security awareness assessments on relevant threats, vulnerabilities, risks, and impact; monitor and centralize logs using a security incident and event management (SIEM) solution; deploy EDR, XDR, and a file integrity monitor (FIM) defenses; monitor process execution to detect anomalies; and employ email filtering to protect against malicious messages like those described here.
Read more about:
Europe
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
THREAT INTELLIGENCE
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish
by Jai Vijayan
MAR 17, 2026
THREAT INTELLIGENCE
Iran's Cyber-Kinetic War Doctrine Takes Shape
by Alexander Culafi
MAR 06, 2026
THREAT INTELLIGENCE
React2Shell Exploits Flood the Internet as Attacks Continue
by Rob Wright
DEC 12, 2025
THREAT INTELLIGENCE
Chinese Gov't Fronts Trick the West to Obtain Cyber Tech
by Nate Nelson, Contributing Writer
OCT 06, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS