{
  "actor_id": "unknown",
  "attack_annotations": [
    {
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access",
      "technique_id": "T1566.001"
    },
    {
      "name": "Malicious File - User Execution",
      "tactic": "Execution",
      "technique_id": "T1204.002"
    },
    {
      "name": "PowerShell",
      "tactic": "Execution",
      "technique_id": "T1059.001"
    },
    {
      "name": "Visual Basic",
      "tactic": "Execution",
      "technique_id": "T1059.005"
    },
    {
      "name": "DLL Side-Loading",
      "tactic": "Defense Evasion",
      "technique_id": "T1574.002"
    },
    {
      "name": "Web Service - Dead Drop Resolver",
      "tactic": "Command and Control",
      "technique_id": "T1102.001"
    },
    {
      "name": "Encrypted Channel",
      "tactic": "Command and Control",
      "technique_id": "T1573"
    },
    {
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "technique_id": "T1105"
    },
    {
      "name": "Exfiltration Over C2 Channel",
      "tactic": "Exfiltration",
      "technique_id": "T1041"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e003",
      "role": "entry",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e008",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e011",
      "role": "payload",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e014",
      "review_notes": "Configuration artifact used for C2 authentication; token value redacted.",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    }
  ],
  "chain_id": "seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2",
  "confidence": "confirmed",
  "description": "IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.",
  "entities": [
    {
      "evidence": [
        "Seqrite states that the attack begins with a ZIP attachment and that extracted contents include multiple files forming a structured infection chain.",
        "The report identifies geographic targeting of Czech Republic and Taiwan and shows region-specific lure material."
      ],
      "id": "e001",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "spearphishing ZIP attachment containing Taiwan/Czech lure artifacts",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite identifies this shortcut file inside the extracted ZIP and states that it masquerades as a PDF document.",
        "SHA-256: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447"
      ],
      "id": "e002",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "計畫申請審查結果通知單.pdf.lnk",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes this Rust-compiled executable as the alternate self-contained dropper path; it extracts required components and launches RuntimeBroker_update.exe.",
        "SHA-256: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4"
      ],
      "id": "e003",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "_計畫申請審查結果通知單.exe",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "The LNK path passes .\\data\\empty.vbs to wscript.exe; Seqrite describes the VBS as a small bridge to launch Profile.ps1.",
        "SHA-256: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a"
      ],
      "id": "e004",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\empty.vbs",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that Profile.ps1 reads 1.dat, decrypts it with hardcoded key P@ssw0rd_am_2026, writes RuntimeBroker_update.exe, moves UnityPlayer.dll and Com.dat, then executes RuntimeBroker_update.exe.",
        "SHA-256: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de"
      ],
      "id": "e005",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\Profile.ps1",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes 1.dat as an XOR-encrypted container that becomes RuntimeBroker_update.exe after Profile.ps1 decryption.",
        "SHA-256: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574"
      ],
      "id": "e006",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\1.dat encrypted RuntimeBroker_update.exe container",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states both execution paths converge when RuntimeBroker_update.exe runs and causes Windows to load UnityPlayer.dll from the same folder.",
        "SHA-256: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15"
      ],
      "id": "e007",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "RuntimeBroker_update.exe sideload trigger executable",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that the executable-based path drops BrowserViewUtility.exe as a legitimate executable used for sideloading.",
        "SHA-256: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1"
      ],
      "id": "e008",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "BrowserViewUtility.exe legitimate sideload host",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite names the malicious UnityPlayer.dll as RUSTCLOAK, a Rust-based loader responsible for continuing the execution chain and preparing the final payload.",
        "SHA-256: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192"
      ],
      "id": "e009",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "UnityPlayer.dll / RUSTCLOAK Rust loader",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that RUSTCLOAK reads Com.dat and processes it through custom RC4, Base64 decoding, and SM4-CBC decryption before in-memory execution.",
        "SHA-256: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4"
      ],
      "id": "e010",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "Com.dat encrypted AZUREVEIL payload container",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite identifies the final payload as AZUREVEIL, a 64-bit DLL and fully featured Adaptix C2 agent.",
        "SHA-256: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe"
      ],
      "id": "e011",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "AZUREVEIL Adaptix C2 agent",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite publishes note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net as the Azure Blob Storage C2 endpoint.",
        "The report states that AZUREVEIL communicates entirely through Microsoft Azure Blob Storage rather than a traditional C2 server."
      ],
      "id": "e012",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "domain",
      "value": "note1ggbbhggdwa1.blob.core.windows.net",
      "x_defanged": "note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes the Azure storage setup as container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin with Agent ID 345831bc.",
        "AZUREVEIL uploads beacons, retrieves commands, and uploads encrypted results through this Azure Blob path pattern."
      ],
      "id": "e013",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "url",
      "value": "https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin",
      "x_contains_template_variables": true,
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite reports that encrypted_blob contains a hardcoded Shared Access Signature token used to authenticate operations on the Azure storage account.",
        "The token is intentionally redacted from this public IIM chain because the source states it remains valid from 2026-03-19 to 2027-03-19."
      ],
      "id": "e014",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)",
      "x_redaction_reason": "Public chain avoids republishing an operational cloud SAS token even though the original report includes it.",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-29T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "references",
      "x_evidence": "Seqrite lists the LNK inside the ZIP contents."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 2,
      "to": "e003",
      "type": "references",
      "x_evidence": "Seqrite lists the Rust executable inside the ZIP contents as an alternate execution path."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 3,
      "to": "e004",
      "type": "references",
      "x_evidence": "Seqrite lists empty.vbs inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 4,
      "to": "e005",
      "type": "references",
      "x_evidence": "Seqrite lists Profile.ps1 inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 5,
      "to": "e006",
      "type": "references",
      "x_evidence": "Seqrite lists 1.dat inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 6,
      "to": "e010",
      "type": "references",
      "x_evidence": "Seqrite lists Com.dat inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 7,
      "to": "e004",
      "type": "execute",
      "x_evidence": "LNK executes wscript.exe with .\\data\\empty.vbs as argument."
    },
    {
      "confidence": "confirmed",
      "from": "e004",
      "sequence_order": 8,
      "to": "e005",
      "type": "execute",
      "x_evidence": "empty.vbs launches Profile.ps1 using PowerShell with execution policy bypass."
    },
    {
      "confidence": "confirmed",
      "from": "e005",
      "sequence_order": 9,
      "to": "e006",
      "type": "references",
      "x_evidence": "Profile.ps1 reads and decrypts 1.dat."
    },
    {
      "confidence": "confirmed",
      "from": "e005",
      "sequence_order": 10,
      "to": "e007",
      "type": "drops",
      "x_evidence": "Profile.ps1 writes decrypted 1.dat to RuntimeBroker_update.exe and executes it."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 11,
      "to": "e008",
      "type": "drops",
      "x_evidence": "The Rust executable drops BrowserViewUtility.exe as a sideload host."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 12,
      "to": "e009",
      "type": "drops",
      "x_evidence": "The Rust executable drops malicious UnityPlayer.dll / RUSTCLOAK."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 13,
      "to": "e014",
      "type": "drops",
      "x_evidence": "Seqrite states the executable drops encrypted_blob containing the Azure SAS token."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 14,
      "to": "e007",
      "type": "drops",
      "x_evidence": "The Rust executable drops and launches RuntimeBroker_update.exe."
    },
    {
      "confidence": "confirmed",
      "from": "e007",
      "sequence_order": 15,
      "to": "e009",
      "type": "execute",
      "x_evidence": "RuntimeBroker_update.exe loads malicious UnityPlayer.dll from the same folder."
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "sequence_order": 16,
      "to": "e010",
      "type": "references",
      "x_evidence": "RUSTCLOAK reads encrypted payload Com.dat for layered decryption."
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "sequence_order": 17,
      "to": "e011",
      "type": "execute",
      "x_evidence": "RUSTCLOAK decrypts the in-memory PE that Seqrite identifies as AZUREVEIL and transfers execution to it."
    },
    {
      "confidence": "confirmed",
      "from": "e014",
      "sequence_order": 18,
      "to": "e012",
      "type": "references",
      "x_evidence": "encrypted_blob contains the SAS token used to authenticate operations on the Azure Blob storage account."
    },
    {
      "confidence": "confirmed",
      "from": "e011",
      "sequence_order": 19,
      "to": "e012",
      "type": "communicates-with",
      "x_evidence": "Seqrite observed AZUREVEIL using note1ggbbhggdwa1.blob.core.windows.net for C2."
    },
    {
      "confidence": "confirmed",
      "from": "e012",
      "sequence_order": 20,
      "to": "e013",
      "type": "references",
      "x_evidence": "Seqrite publishes the container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin."
    }
  ],
  "title": "Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2",
  "x_iocs": {
    "domains": [
      "note1ggbbhggdwa1.blob.core.windows.net"
    ],
    "sha256": [
      "096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447",
      "1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4",
      "080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192",
      "5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1",
      "61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15",
      "24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4",
      "02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e",
      "8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9",
      "047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574",
      "a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a",
      "823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de",
      "783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0"
    ],
    "url_patterns": [
      "https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin"
    ]
  },
  "x_limitations": [
    "Seqrite does not publish the original spearphishing sender, mail headers, or exact ZIP filename in text; these are not modeled as concrete IoCs.",
    "The Azure SAS token is redacted in this IIM chain because the report states it remains valid until 2027-03-19.",
    "Endpoint-only behaviors such as sandbox checks, Windows fibers, process discovery, and BOF execution are captured as ATT&CK annotations/evidence, not as IIM techniques."
  ],
  "x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting; operational SAS token not republished.",
  "x_resource_links_verified": true,
  "x_selection_reason": "Strong IIM fit: region-specific spearphishing, archive delivery, dual-path staging, loader chain, and trusted-cloud Azure Blob Storage dead-drop C2.",
  "x_source": "Seqrite APT Team",
  "x_source_title": "Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2",
  "x_source_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/",
  "x_source_urls": [
    "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
  ]
}