seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2
Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2
IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
spearphishing ZIP attachment containing Taiwan/Czech lure artifacts
file
計畫申請審查結果通知單.pdf.lnk
file
_計畫申請審查結果通知單.exe
file
data\empty.vbs
file
data\Profile.ps1
file
data\1.dat encrypted RuntimeBroker_update.exe container
file
RuntimeBroker_update.exe sideload trigger executable
file
BrowserViewUtility.exe legitimate sideload host
file
UnityPlayer.dll / RUSTCLOAK Rust loader
file
Com.dat encrypted AZUREVEIL payload container
file
AZUREVEIL Adaptix C2 agent
domain
note1ggbbhggdwa1.blob.core.windows.net
url
https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin
file
encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)
Relations
directed infrastructure edgese001referencese002
confirmed
e001referencese003
confirmed
e001referencese004
confirmed
e001referencese005
confirmed
e001referencese006
confirmed
e001referencese010
confirmed
e002executee004
confirmed
e004executee005
confirmed
e005referencese006
confirmed
e005dropse007
confirmed
e003dropse008
confirmed
e003dropse009
confirmed
e003dropse014
confirmed
e003dropse007
confirmed
e007executee009
confirmed
e009referencese010
confirmed
e009executee011
confirmed
e014referencese012
confirmed
e011communicates-withe012
confirmed
e012referencese013
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
file | spearphishing ZIP attachment containing Taiwan/Czech lure artifacts |
Seqrite states that the attack begins with a ZIP attachment and that extracted contents include multiple files forming a structured infection chain. The report identifies geographic targeting of Czech Republic and Taiwan and shows region-specific lure material. |
e002 |
file | 計畫申請審查結果通知單.pdf.lnk |
Seqrite identifies this shortcut file inside the extracted ZIP and states that it masquerades as a PDF document. SHA-256: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447 |
e003 |
file | _計畫申請審查結果通知單.exe |
Seqrite describes this Rust-compiled executable as the alternate self-contained dropper path; it extracts required components and launches RuntimeBroker_update.exe. SHA-256: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4 |
e004 |
file | data\empty.vbs |
The LNK path passes .\data\empty.vbs to wscript.exe; Seqrite describes the VBS as a small bridge to launch Profile.ps1. SHA-256: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a |
e005 |
file | data\Profile.ps1 |
Seqrite states that Profile.ps1 reads 1.dat, decrypts it with hardcoded key P@ssw0rd_am_2026, writes RuntimeBroker_update.exe, moves UnityPlayer.dll and Com.dat, then executes RuntimeBroker_update.exe. SHA-256: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de |
e006 |
file | data\1.dat encrypted RuntimeBroker_update.exe container |
Seqrite describes 1.dat as an XOR-encrypted container that becomes RuntimeBroker_update.exe after Profile.ps1 decryption. SHA-256: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574 |
e007 |
file | RuntimeBroker_update.exe sideload trigger executable |
Seqrite states both execution paths converge when RuntimeBroker_update.exe runs and causes Windows to load UnityPlayer.dll from the same folder. SHA-256: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15 |
e008 |
file | BrowserViewUtility.exe legitimate sideload host |
Seqrite states that the executable-based path drops BrowserViewUtility.exe as a legitimate executable used for sideloading. SHA-256: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1 |
e009 |
file | UnityPlayer.dll / RUSTCLOAK Rust loader |
Seqrite names the malicious UnityPlayer.dll as RUSTCLOAK, a Rust-based loader responsible for continuing the execution chain and preparing the final payload. SHA-256: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192 |
e010 |
file | Com.dat encrypted AZUREVEIL payload container |
Seqrite states that RUSTCLOAK reads Com.dat and processes it through custom RC4, Base64 decoding, and SM4-CBC decryption before in-memory execution. SHA-256: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4 |
e011 |
file | AZUREVEIL Adaptix C2 agent |
Seqrite identifies the final payload as AZUREVEIL, a 64-bit DLL and fully featured Adaptix C2 agent. SHA-256: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe |
e012 |
domain | note1ggbbhggdwa1.blob.core.windows.net |
Seqrite publishes note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net as the Azure Blob Storage C2 endpoint. The report states that AZUREVEIL communicates entirely through Microsoft Azure Blob Storage rather than a traditional C2 server. |
e013 |
url | https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin |
Seqrite describes the Azure storage setup as container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin with Agent ID 345831bc. AZUREVEIL uploads beacons, retrieves commands, and uploads encrypted results through this Azure Blob path pattern. |
e014 |
file | encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain) |
Seqrite reports that encrypted_blob contains a hardcoded Shared Access Signature token used to authenticate operations on the Azure storage account. The token is intentionally redacted from this public IIM chain because the source states it remains valid from 2026-03-19 to 2027-03-19. |
ATT&CK annotations
optional complementary mappingRaw IIM JSON canonical body from MANTIS expand
{
"actor_id": "unknown",
"attack_annotations": [
{
"name": "Spearphishing Attachment",
"tactic": "Initial Access",
"technique_id": "T1566.001"
},
{
"name": "Malicious File - User Execution",
"tactic": "Execution",
"technique_id": "T1204.002"
},
{
"name": "PowerShell",
"tactic": "Execution",
"technique_id": "T1059.001"
},
{
"name": "Visual Basic",
"tactic": "Execution",
"technique_id": "T1059.005"
},
{
"name": "DLL Side-Loading",
"tactic": "Defense Evasion",
"technique_id": "T1574.002"
},
{
"name": "Web Service - Dead Drop Resolver",
"tactic": "Command and Control",
"technique_id": "T1102.001"
},
{
"name": "Encrypted Channel",
"tactic": "Command and Control",
"technique_id": "T1573"
},
{
"name": "Ingress Tool Transfer",
"tactic": "Command and Control",
"technique_id": "T1105"
},
{
"name": "Exfiltration Over C2 Channel",
"tactic": "Exfiltration",
"technique_id": "T1041"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T024"
]
},
{
"entity_id": "e002",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e003",
"role": "entry",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e004",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e005",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e006",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e007",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e008",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e009",
"role": "payload",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e010",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e011",
"role": "payload",
"role_confidence": "confirmed",
"techniques": []
},
{
"entity_id": "e012",
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T002",
"IIM-T006",
"IIM-T013",
"IIM-T018"
]
},
{
"entity_id": "e013",
"role": "c2",
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"techniques": [
"IIM-T002",
"IIM-T018"
]
},
{
"entity_id": "e014",
"review_notes": "Configuration artifact used for C2 authentication; token value redacted.",
"role": "staging",
"role_confidence": "confirmed",
"techniques": []
}
],
"chain_id": "seqrite.2026.operation-dragon-weave-azureveil-azure-blob-c2",
"confidence": "confirmed",
"description": "IIM chain for Seqrite Operation Dragon Weave, published 2026-05-29. The campaign targets Czech Republic and Taiwan using a spearphishing ZIP with two delivery paths. Path A uses a PDF-masquerading LNK to launch empty.vbs and Profile.ps1, which decrypts 1.dat into RuntimeBroker_update.exe and prepares UnityPlayer.dll plus Com.dat. Path B uses a Rust executable dropper to extract the same sideloading components. Both paths converge on RuntimeBroker_update.exe loading malicious UnityPlayer.dll (RUSTCLOAK), which decrypts Com.dat and executes AZUREVEIL, an Adaptix C2 agent. AZUREVEIL uses Microsoft Azure Blob Storage as dead-drop style C2 through note1ggbbhggdwa1.blob.core.windows.net and the /note/ats/ blob path pattern.",
"entities": [
{
"evidence": [
"Seqrite states that the attack begins with a ZIP attachment and that extracted contents include multiple files forming a structured infection chain.",
"The report identifies geographic targeting of Czech Republic and Taiwan and shows region-specific lure material."
],
"id": "e001",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "spearphishing ZIP attachment containing Taiwan/Czech lure artifacts",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite identifies this shortcut file inside the extracted ZIP and states that it masquerades as a PDF document.",
"SHA-256: 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447"
],
"id": "e002",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "計畫申請審查結果通知單.pdf.lnk",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite describes this Rust-compiled executable as the alternate self-contained dropper path; it extracts required components and launches RuntimeBroker_update.exe.",
"SHA-256: 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4"
],
"id": "e003",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "_計畫申請審查結果通知單.exe",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"The LNK path passes .\\data\\empty.vbs to wscript.exe; Seqrite describes the VBS as a small bridge to launch Profile.ps1.",
"SHA-256: a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a"
],
"id": "e004",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "data\\empty.vbs",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite states that Profile.ps1 reads 1.dat, decrypts it with hardcoded key P@ssw0rd_am_2026, writes RuntimeBroker_update.exe, moves UnityPlayer.dll and Com.dat, then executes RuntimeBroker_update.exe.",
"SHA-256: 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de"
],
"id": "e005",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "data\\Profile.ps1",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite describes 1.dat as an XOR-encrypted container that becomes RuntimeBroker_update.exe after Profile.ps1 decryption.",
"SHA-256: 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574"
],
"id": "e006",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "data\\1.dat encrypted RuntimeBroker_update.exe container",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite states both execution paths converge when RuntimeBroker_update.exe runs and causes Windows to load UnityPlayer.dll from the same folder.",
"SHA-256: 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15"
],
"id": "e007",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "RuntimeBroker_update.exe sideload trigger executable",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite states that the executable-based path drops BrowserViewUtility.exe as a legitimate executable used for sideloading.",
"SHA-256: 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1"
],
"id": "e008",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "BrowserViewUtility.exe legitimate sideload host",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite names the malicious UnityPlayer.dll as RUSTCLOAK, a Rust-based loader responsible for continuing the execution chain and preparing the final payload.",
"SHA-256: 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192"
],
"id": "e009",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "UnityPlayer.dll / RUSTCLOAK Rust loader",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite states that RUSTCLOAK reads Com.dat and processes it through custom RC4, Base64 decoding, and SM4-CBC decryption before in-memory execution.",
"SHA-256: 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4"
],
"id": "e010",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "Com.dat encrypted AZUREVEIL payload container",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite identifies the final payload as AZUREVEIL, a 64-bit DLL and fully featured Adaptix C2 agent.",
"SHA-256: 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe"
],
"id": "e011",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "AZUREVEIL Adaptix C2 agent",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite publishes note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net as the Azure Blob Storage C2 endpoint.",
"The report states that AZUREVEIL communicates entirely through Microsoft Azure Blob Storage rather than a traditional C2 server."
],
"id": "e012",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "domain",
"value": "note1ggbbhggdwa1.blob.core.windows.net",
"x_defanged": "note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite describes the Azure storage setup as container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin with Agent ID 345831bc.",
"AZUREVEIL uploads beacons, retrieves commands, and uploads encrypted results through this Azure Blob path pattern."
],
"id": "e013",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "url",
"value": "https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin",
"x_contains_template_variables": true,
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
},
{
"evidence": [
"Seqrite reports that encrypted_blob contains a hardcoded Shared Access Signature token used to authenticate operations on the Azure storage account.",
"The token is intentionally redacted from this public IIM chain because the source states it remains valid from 2026-03-19 to 2027-03-19."
],
"id": "e014",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Seqrite: Operation Dragon Weave, 2026-05-29",
"type": "file",
"value": "encrypted_blob configuration with hardcoded Azure SAS token (redacted in this IIM chain)",
"x_redaction_reason": "Public chain avoids republishing an operational cloud SAS token even though the original report includes it.",
"x_reference_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
}
],
"iim_version": "1.1",
"import_source": "manual-osint-report-to-iim-conversion",
"needs_review": false,
"observed_at": "2026-05-29T00:00:00Z",
"relations": [
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 1,
"to": "e002",
"type": "references",
"x_evidence": "Seqrite lists the LNK inside the ZIP contents."
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 2,
"to": "e003",
"type": "references",
"x_evidence": "Seqrite lists the Rust executable inside the ZIP contents as an alternate execution path."
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 3,
"to": "e004",
"type": "references",
"x_evidence": "Seqrite lists empty.vbs inside the data folder."
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 4,
"to": "e005",
"type": "references",
"x_evidence": "Seqrite lists Profile.ps1 inside the data folder."
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 5,
"to": "e006",
"type": "references",
"x_evidence": "Seqrite lists 1.dat inside the data folder."
},
{
"confidence": "confirmed",
"from": "e001",
"sequence_order": 6,
"to": "e010",
"type": "references",
"x_evidence": "Seqrite lists Com.dat inside the data folder."
},
{
"confidence": "confirmed",
"from": "e002",
"sequence_order": 7,
"to": "e004",
"type": "execute",
"x_evidence": "LNK executes wscript.exe with .\\data\\empty.vbs as argument."
},
{
"confidence": "confirmed",
"from": "e004",
"sequence_order": 8,
"to": "e005",
"type": "execute",
"x_evidence": "empty.vbs launches Profile.ps1 using PowerShell with execution policy bypass."
},
{
"confidence": "confirmed",
"from": "e005",
"sequence_order": 9,
"to": "e006",
"type": "references",
"x_evidence": "Profile.ps1 reads and decrypts 1.dat."
},
{
"confidence": "confirmed",
"from": "e005",
"sequence_order": 10,
"to": "e007",
"type": "drops",
"x_evidence": "Profile.ps1 writes decrypted 1.dat to RuntimeBroker_update.exe and executes it."
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 11,
"to": "e008",
"type": "drops",
"x_evidence": "The Rust executable drops BrowserViewUtility.exe as a sideload host."
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 12,
"to": "e009",
"type": "drops",
"x_evidence": "The Rust executable drops malicious UnityPlayer.dll / RUSTCLOAK."
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 13,
"to": "e014",
"type": "drops",
"x_evidence": "Seqrite states the executable drops encrypted_blob containing the Azure SAS token."
},
{
"confidence": "confirmed",
"from": "e003",
"sequence_order": 14,
"to": "e007",
"type": "drops",
"x_evidence": "The Rust executable drops and launches RuntimeBroker_update.exe."
},
{
"confidence": "confirmed",
"from": "e007",
"sequence_order": 15,
"to": "e009",
"type": "execute",
"x_evidence": "RuntimeBroker_update.exe loads malicious UnityPlayer.dll from the same folder."
},
{
"confidence": "confirmed",
"from": "e009",
"sequence_order": 16,
"to": "e010",
"type": "references",
"x_evidence": "RUSTCLOAK reads encrypted payload Com.dat for layered decryption."
},
{
"confidence": "confirmed",
"from": "e009",
"sequence_order": 17,
"to": "e011",
"type": "execute",
"x_evidence": "RUSTCLOAK decrypts the in-memory PE that Seqrite identifies as AZUREVEIL and transfers execution to it."
},
{
"confidence": "confirmed",
"from": "e014",
"sequence_order": 18,
"to": "e012",
"type": "references",
"x_evidence": "encrypted_blob contains the SAS token used to authenticate operations on the Azure Blob storage account."
},
{
"confidence": "confirmed",
"from": "e011",
"sequence_order": 19,
"to": "e012",
"type": "communicates-with",
"x_evidence": "Seqrite observed AZUREVEIL using note1ggbbhggdwa1.blob.core.windows.net for C2."
},
{
"confidence": "confirmed",
"from": "e012",
"sequence_order": 20,
"to": "e013",
"type": "references",
"x_evidence": "Seqrite publishes the container /note/ats/ and blob format {agent_id}/{timestamp1}_{timestamp2}.bin."
}
],
"title": "Operation Dragon Weave: ZIP/LNK or Rust dropper to RUSTCLOAK, AZUREVEIL, and Azure Blob Storage C2",
"x_iocs": {
"domains": [
"note1ggbbhggdwa1.blob.core.windows.net"
],
"sha256": [
"096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447",
"1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4",
"080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192",
"5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1",
"61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15",
"24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4",
"02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e",
"8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9",
"047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574",
"a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a",
"823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de",
"783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0"
],
"url_patterns": [
"https://note1ggbbhggdwa1.blob.core.windows.net/note/ats/{agent_id}/{timestamp1}_{timestamp2}.bin"
]
},
"x_limitations": [
"Seqrite does not publish the original spearphishing sender, mail headers, or exact ZIP filename in text; these are not modeled as concrete IoCs.",
"The Azure SAS token is redacted in this IIM chain because the report states it remains valid until 2027-03-19.",
"Endpoint-only behaviors such as sandbox checks, Windows fibers, process discovery, and BOF execution are captured as ATT&CK annotations/evidence, not as IIM techniques."
],
"x_publication_safety": "Published as TLP:CLEAR-style OSINT chain derived only from public Seqrite reporting; operational SAS token not republished.",
"x_resource_links_verified": true,
"x_selection_reason": "Strong IIM fit: region-specific spearphishing, archive delivery, dual-path staging, loader chain, and trusted-cloud Azure Blob Storage dead-drop C2.",
"x_source": "Seqrite APT Team",
"x_source_title": "Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2",
"x_source_url": "https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/",
"x_source_urls": [
"https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/"
]
}