← feed

seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2

Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2

IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.

confirmed IIM v1.1 unknown
Raw JSON
entities14
relations20
techniques5
published2026-05-29 20:05:53

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

file

spearphishing ZIP attachment containing Taiwan/Czech lure artifacts

IIM-T024
2
entry

file

計畫申請審查結果通知單.pdf.lnk

3
entry

file

_計畫申請審查結果通知單.exe

4
staging

file

data\empty.vbs

5
staging

file

data\Profile.ps1

6
staging

file

data\1.dat encrypted RuntimeBroker_update.exe container

7
staging

file

RuntimeBroker_update.exe sideload trigger executable

8
staging

file

BrowserViewUtility.exe legitimate sideload host

9
payload

file

UnityPlayer.dll / RUSTCLOAK Rust loader

10
staging

file

Com.dat encrypted AZUREVEIL payload container

11
payload

file

AZUREVEIL Adaptix C2 agent

12
c2

domain

note1ggbbhggdwa1.blob.core.windows.net

IIM-T002IIM-T006IIM-T013IIM-T018
13
c2

url

https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin

IIM-T002IIM-T018
14
staging

file

encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)

Relations

directed infrastructure edges
e001referencese002 confirmed
e001referencese003 confirmed
e001referencese004 confirmed
e001referencese005 confirmed
e001referencese006 confirmed
e001referencese010 confirmed
e002executee004 confirmed
e004executee005 confirmed
e005referencese006 confirmed
e005dropse007 confirmed
e003dropse008 confirmed
e003dropse009 confirmed
e003dropse014 confirmed
e003dropse007 confirmed
e007executee009 confirmed
e009referencese010 confirmed
e009executee011 confirmed
e014referencese012 confirmed
e011communicates-withe012 confirmed
e012referencese013 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 file spearphishing ZIP attachment containing Taiwan/Czech lure artifacts
Seqrite states that the attack begins with a ZIP attachment and that extracted contents include multiple files forming a structured infection chain.
The report identifies geographic targeting of Czech Republic and Taiwan and shows region-specific lure material.
e002 file 計畫申請審查結果通知單.pdf.lnk
Seqrite identifies this shortcut file inside the extracted ZIP and states that it masquerades as a PDF document.
SHA-256: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447
e003 file _計畫申請審查結果通知單.exe
Seqrite describes this Rust-compiled executable as the alternate self-contained dropper path; it extracts required components and launches RuntimeBroker_update.exe.
SHA-256: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4
e004 file data\empty.vbs
The LNK path passes .\data\empty.vbs to wscript.exe; Seqrite describes the VBS as a small bridge to launch Profile.ps1.
SHA-256: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a
e005 file data\Profile.ps1
Seqrite states that Profile.ps1 reads 1.dat, decrypts it with hardcoded key P@ssw0rd_am_2026, writes RuntimeBroker_update.exe, moves UnityPlayer.dll and Com.dat, then executes RuntimeBroker_update.exe.
SHA-256: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de
e006 file data\1.dat encrypted RuntimeBroker_update.exe container
Seqrite describes 1.dat as an XOR-encrypted container that becomes RuntimeBroker_update.exe after Profile.ps1 decryption.
SHA-256: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574
e007 file RuntimeBroker_update.exe sideload trigger executable
Seqrite states both execution paths converge when RuntimeBroker_update.exe runs and causes Windows to load UnityPlayer.dll from the same folder.
SHA-256: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15
e008 file BrowserViewUtility.exe legitimate sideload host
Seqrite states that the executable-based path drops BrowserViewUtility.exe as a legitimate executable used for sideloading.
SHA-256: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1
e009 file UnityPlayer.dll / RUSTCLOAK Rust loader
Seqrite names the malicious UnityPlayer.dll as RUSTCLOAK, a Rust-based loader responsible for continuing the execution chain and preparing the final payload.
SHA-256: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192
e010 file Com.dat encrypted AZUREVEIL payload container
Seqrite states that RUSTCLOAK reads Com.dat and processes it through custom RC4, Base64 decoding, and SM4-CBC decryption before in-memory execution.
SHA-256: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4
e011 file AZUREVEIL Adaptix C2 agent
Seqrite identifies the final payload as AZUREVEIL, a 64-bit DLL and fully featured Adaptix C2 agent.
SHA-256: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe
e012 domain note1ggbbhggdwa1.blob.core.windows.net
Seqrite publishes note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net as the Azure Blob Storage C2 endpoint.
The report states that AZUREVEIL communicates entirely through Microsoft Azure Blob Storage rather than a traditional C2 server.
e013 url https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin
Seqrite describes the Azure storage setup as container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin with Agent ID 345831bc.
AZUREVEIL uploads beacons, retrieves commands, and uploads encrypted results through this Azure Blob path pattern.
e014 file encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)
Seqrite reports that encrypted_blob contains a hardcoded Shared Access Signature token used to authenticate operations on the Azure storage account.
The token is intentionally redacted from this public IIM chain because the source states it remains valid from 2026-03-19 to 2027-03-19.

ATT&CK annotations

optional complementary mapping
T1566.001Spearphishing Attachment

T1204.002Malicious File - User Execution

T1059.001PowerShell

T1059.005Visual Basic

T1574.002DLL Side-Loading

T1102.001Web Service - Dead Drop Resolver

T1573Encrypted Channel

T1105Ingress Tool Transfer

T1041Exfiltration Over C2 Channel

Raw IIM JSON canonical body from MANTIS expand
{
  "actor_id": "unknown",
  "attack_annotations": [
    {
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access",
      "technique_id": "T1566.001"
    },
    {
      "name": "Malicious File - User Execution",
      "tactic": "Execution",
      "technique_id": "T1204.002"
    },
    {
      "name": "PowerShell",
      "tactic": "Execution",
      "technique_id": "T1059.001"
    },
    {
      "name": "Visual Basic",
      "tactic": "Execution",
      "technique_id": "T1059.005"
    },
    {
      "name": "DLL Side-Loading",
      "tactic": "Defense Evasion",
      "technique_id": "T1574.002"
    },
    {
      "name": "Web Service - Dead Drop Resolver",
      "tactic": "Command and Control",
      "technique_id": "T1102.001"
    },
    {
      "name": "Encrypted Channel",
      "tactic": "Command and Control",
      "technique_id": "T1573"
    },
    {
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "technique_id": "T1105"
    },
    {
      "name": "Exfiltration Over C2 Channel",
      "tactic": "Exfiltration",
      "technique_id": "T1041"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T024"
      ]
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e003",
      "role": "entry",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e007",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e008",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e011",
      "role": "payload",
      "role_confidence": "confirmed",
      "techniques": []
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T006",
        "IIM-T013",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "techniques": [
        "IIM-T002",
        "IIM-T018"
      ]
    },
    {
      "entity_id": "e014",
      "review_notes": "Configuration artifact used for C2 authentication; token value redacted.",
      "role": "staging",
      "role_confidence": "confirmed",
      "techniques": []
    }
  ],
  "chain_id": "seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2",
  "confidence": "confirmed",
  "description": "IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.",
  "entities": [
    {
      "evidence": [
        "Seqrite states that the attack begins with a ZIP attachment and that extracted contents include multiple files forming a structured infection chain.",
        "The report identifies geographic targeting of Czech Republic and Taiwan and shows region-specific lure material."
      ],
      "id": "e001",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "spearphishing ZIP attachment containing Taiwan/Czech lure artifacts",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite identifies this shortcut file inside the extracted ZIP and states that it masquerades as a PDF document.",
        "SHA-256: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447"
      ],
      "id": "e002",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "計畫申請審查結果通知單.pdf.lnk",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes this Rust-compiled executable as the alternate self-contained dropper path; it extracts required components and launches RuntimeBroker_update.exe.",
        "SHA-256: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4"
      ],
      "id": "e003",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "_計畫申請審查結果通知單.exe",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "The LNK path passes .\\data\\empty.vbs to wscript.exe; Seqrite describes the VBS as a small bridge to launch Profile.ps1.",
        "SHA-256: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a"
      ],
      "id": "e004",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\empty.vbs",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that Profile.ps1 reads 1.dat, decrypts it with hardcoded key P@ssw0rd_am_2026, writes RuntimeBroker_update.exe, moves UnityPlayer.dll and Com.dat, then executes RuntimeBroker_update.exe.",
        "SHA-256: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de"
      ],
      "id": "e005",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\Profile.ps1",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes 1.dat as an XOR-encrypted container that becomes RuntimeBroker_update.exe after Profile.ps1 decryption.",
        "SHA-256: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574"
      ],
      "id": "e006",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "data\\1.dat encrypted RuntimeBroker_update.exe container",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states both execution paths converge when RuntimeBroker_update.exe runs and causes Windows to load UnityPlayer.dll from the same folder.",
        "SHA-256: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15"
      ],
      "id": "e007",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "RuntimeBroker_update.exe sideload trigger executable",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that the executable-based path drops BrowserViewUtility.exe as a legitimate executable used for sideloading.",
        "SHA-256: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1"
      ],
      "id": "e008",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "BrowserViewUtility.exe legitimate sideload host",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite names the malicious UnityPlayer.dll as RUSTCLOAK, a Rust-based loader responsible for continuing the execution chain and preparing the final payload.",
        "SHA-256: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192"
      ],
      "id": "e009",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "UnityPlayer.dll / RUSTCLOAK Rust loader",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite states that RUSTCLOAK reads Com.dat and processes it through custom RC4, Base64 decoding, and SM4-CBC decryption before in-memory execution.",
        "SHA-256: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4"
      ],
      "id": "e010",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "Com.dat encrypted AZUREVEIL payload container",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite identifies the final payload as AZUREVEIL, a 64-bit DLL and fully featured Adaptix C2 agent.",
        "SHA-256: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe"
      ],
      "id": "e011",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "AZUREVEIL Adaptix C2 agent",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite publishes note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net as the Azure Blob Storage C2 endpoint.",
        "The report states that AZUREVEIL communicates entirely through Microsoft Azure Blob Storage rather than a traditional C2 server."
      ],
      "id": "e012",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "domain",
      "value": "note1ggbbhggdwa1.blob.core.windows.net",
      "x_defanged": "note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite describes the Azure storage setup as container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin with Agent ID 345831bc.",
        "AZUREVEIL uploads beacons, retrieves commands, and uploads encrypted results through this Azure Blob path pattern."
      ],
      "id": "e013",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "url",
      "value": "https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin",
      "x_contains_template_variables": true,
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    },
    {
      "evidence": [
        "Seqrite reports that encrypted_blob contains a hardcoded Shared Access Signature token used to authenticate operations on the Azure storage account.",
        "The token is intentionally redacted from this public IIM chain because the source states it remains valid from 2026-03-19 to 2027-03-19."
      ],
      "id": "e014",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Seqrite: Operation Dragon Weave, 2026-05-29",
      "type": "file",
      "value": "encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)",
      "x_redaction_reason": "Public chain avoids republishing an operational cloud SAS token even though the original report includes it.",
      "x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
    }
  ],
  "iim_version": "1.1",
  "import_source": "manual-osint-report-to-iim-conversion",
  "needs_review": false,
  "observed_at": "2026-05-29T00:00:00Z",
  "relations": [
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 1,
      "to": "e002",
      "type": "references",
      "x_evidence": "Seqrite lists the LNK inside the ZIP contents."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 2,
      "to": "e003",
      "type": "references",
      "x_evidence": "Seqrite lists the Rust executable inside the ZIP contents as an alternate execution path."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 3,
      "to": "e004",
      "type": "references",
      "x_evidence": "Seqrite lists empty.vbs inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 4,
      "to": "e005",
      "type": "references",
      "x_evidence": "Seqrite lists Profile.ps1 inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 5,
      "to": "e006",
      "type": "references",
      "x_evidence": "Seqrite lists 1.dat inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e001",
      "sequence_order": 6,
      "to": "e010",
      "type": "references",
      "x_evidence": "Seqrite lists Com.dat inside the data folder."
    },
    {
      "confidence": "confirmed",
      "from": "e002",
      "sequence_order": 7,
      "to": "e004",
      "type": "execute",
      "x_evidence": "LNK executes wscript.exe with .\\data\\empty.vbs as argument."
    },
    {
      "confidence": "confirmed",
      "from": "e004",
      "sequence_order": 8,
      "to": "e005",
      "type": "execute",
      "x_evidence": "empty.vbs launches Profile.ps1 using PowerShell with execution policy bypass."
    },
    {
      "confidence": "confirmed",
      "from": "e005",
      "sequence_order": 9,
      "to": "e006",
      "type": "references",
      "x_evidence": "Profile.ps1 reads and decrypts 1.dat."
    },
    {
      "confidence": "confirmed",
      "from": "e005",
      "sequence_order": 10,
      "to": "e007",
      "type": "drops",
      "x_evidence": "Profile.ps1 writes decrypted 1.dat to RuntimeBroker_update.exe and executes it."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 11,
      "to": "e008",
      "type": "drops",
      "x_evidence": "The Rust executable drops BrowserViewUtility.exe as a sideload host."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 12,
      "to": "e009",
      "type": "drops",
      "x_evidence": "The Rust executable drops malicious UnityPlayer.dll / RUSTCLOAK."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 13,
      "to": "e014",
      "type": "drops",
      "x_evidence": "Seqrite states the executable drops encrypted_blob containing the Azure SAS token."
    },
    {
      "confidence": "confirmed",
      "from": "e003",
      "sequence_order": 14,
      "to": "e007",
      "type": "drops",
      "x_evidence": "The Rust executable drops and launches RuntimeBroker_update.exe."
    },
    {
      "confidence": "confirmed",
      "from": "e007",
      "sequence_order": 15,
      "to": "e009",
      "type": "execute",
      "x_evidence": "RuntimeBroker_update.exe loads malicious UnityPlayer.dll from the same folder."
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "sequence_order": 16,
      "to": "e010",
      "type": "references",
      "x_evidence": "RUSTCLOAK reads encrypted payload Com.dat for layered decryption."
    },
    {
      "confidence": "confirmed",
      "from": "e009",
      "sequence_order": 17,
      "to": "e011",
      "type": "execute",
      "x_evidence": "RUSTCLOAK decrypts the in-memory PE that Seqrite identifies as AZUREVEIL and transfers execution to it."
    },
    {
      "confidence": "confirmed",
      "from": "e014",
      "sequence_order": 18,
      "to": "e012",
      "type": "references",
      "x_evidence": "encrypted_blob contains the SAS token used to authenticate operations on the Azure Blob storage account."
    },
    {
      "confidence": "confirmed",
      "from": "e011",
      "sequence_order": 19,
      "to": "e012",
      "type": "communicates-with",
      "x_evidence": "Seqrite observed AZUREVEIL using note1ggbbhggdwa1.blob.core.windows.net for C2."
    },
    {
      "confidence": "confirmed",
      "from": "e012",
      "sequence_order": 20,
      "to": "e013",
      "type": "references",
      "x_evidence": "Seqrite publishes the container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin."
    }
  ],
  "title": "Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2",
  "x_iocs": {
    "domains": [
      "note1ggbbhggdwa1.blob.core.windows.net"
    ],
    "sha256": [
      "096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447",
      "1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4",
      "080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192",
      "5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1",
      "61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15",
      "24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4",
      "02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e",
      "8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9",
      "047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574",
      "a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a",
      "823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de",
      "783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0"
    ],
    "url_patterns": [
      "https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin"
    ]
  },
  "x_limitations": [
    "Seqrite does not publish the original spearphishing sender, mail headers, or exact ZIP filename in text; these are not modeled as concrete IoCs.",
    "The Azure SAS token is redacted in this IIM chain because the report states it remains valid until 2027-03-19.",
    "Endpoint-only behaviors such as sandbox checks, Windows fibers, process discovery, and BOF execution are captured as ATT&CK annotations/evidence, not as IIM techniques."
  ],
  "x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting; operational SAS token not republished.",
  "x_resource_links_verified": true,
  "x_selection_reason": "Strong IIM fit: region-specific spearphishing, archive delivery, dual-path staging, loader chain, and trusted-cloud Azure Blob Storage dead-drop C2.",
  "x_source": "Seqrite APT Team",
  "x_source_title": "Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2",
  "x_source_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/",
  "x_source_urls": [
    "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
  ]
}