
Tags: security, espionage, azure, europe, malware, threat-intelligence

Operation Dragon Weave: China-Linked Espionage Campaign Hits Czech Republic Using Azure Blob Storage as Covert Command-and-Control

Source: Seqrite

A new threat intelligence report published by Seqrite on June 1, 2026 documents a China-linked espionage campaign that has been actively targeting organisations in the Czech Republic and Taiwan. Researchers named the campaign Operation Dragon Weave based on the threat actor’s infrastructure and tradecraft. The campaign is notable for two reasons: its targeting of an EU member state’s government and research sectors, and its novel use of Microsoft Azure Blob Storage as a command-and-control channel designed to evade network-level detection.

Who is being targeted

The campaign’s targets span several sectors in the Czech Republic: government bodies, research institutions, academic organisations, technology companies, and financial services firms. Taiwan is targeted across a similar profile, with an emphasis on technology and government organisations.

The Czech Republic is a NATO member and EU member state with significant defence and aerospace research capacity. It has been a documented target for Chinese state-aligned espionage operations in previous years, and NUKIB – the Czech national cybersecurity authority – has issued warnings about Chinese cyber activity directed at the country’s research and critical infrastructure sectors.

How the attack unfolds

The infection chain begins with spear-phishing emails containing ZIP attachments. The files inside the archive are crafted to closely mimic official communications specific to Czech and Taiwanese government contexts – a level of customisation that indicates the threat actors have researched their targets carefully and are operating with prior knowledge of the documents and formats those organisations use internally.

Opening the attachment triggers a Rust-based loader component. Rust has become increasingly favoured among sophisticated threat actors because compiled Rust binaries are difficult to reverse-engineer and tend to generate fewer signature matches against common malware detection tools than C or C++ equivalents.

The Rust loader’s primary function is to install AZUREVEIL – the campaign’s custom backdoor and the component that makes Operation Dragon Weave technically distinctive.

AZUREVEIL: using Azure Blob Storage as a dead drop

AZUREVEIL is built on the open-source AdaptixC2 framework and has 36 documented post-exploitation commands covering data exfiltration, file operations, process injection, credential harvesting, and remote control. What sets it apart from conventional C2 implementations is how it communicates with the attacker.

Rather than establishing direct network connections from the infected machine to attacker-controlled servers – a pattern that perimeter firewalls and network detection tools are designed to catch – AZUREVEIL uses Microsoft Azure Blob Storage as a shared dead drop. The infected machine and the attacker never communicate directly with each other. Instead, both sides read from and write to the same Azure storage container. The attacker deposits commands into a blob object; the implant reads the blob, executes the command, writes the result back into another blob; the attacker retrieves the output.

From the perspective of the victim organisation’s network monitoring tools, all of this traffic looks like legitimate Azure Blob Storage API calls, using valid Azure endpoints over HTTPS. There is no unusual domain, no suspicious IP address, and no anomalous protocol. The traffic is indistinguishable from an employee or application using Azure storage in the normal course of operations.

This is a sophisticated application of a technique sometimes called “living off trusted sites” – using legitimate, high-reputation cloud infrastructure as the communication channel rather than building dedicated C2 infrastructure. It is considerably harder to block than traditional C2 because blocking Azure Blob Storage entirely would break legitimate business processes for most organisations.

The broader pattern: cloud services as C2 infrastructure

Operation Dragon Weave is the latest in a series of campaigns that have used major cloud platforms’ storage or messaging services as C2 infrastructure. Previous examples have used Google Docs, Dropbox, OneDrive, and Slack as C2 channels through similar dead-drop techniques.

The implication for detection and response is that blocking known-malicious IP addresses and relying on domain reputation feeds – the foundation of most network-based threat detection – is insufficient against this class of attack. Detection requires behavioural analysis: identifying anomalous patterns of Azure Blob Storage access, unusual outbound call frequency, access from processes that should not be making cloud storage calls, or access to storage accounts and containers that do not match the organisation’s known infrastructure.

This is exactly the kind of threat that ENISA’s NIS360 2026 report identified as an emerging capability gap: organisations with perimeter-focused detection that have not invested in behavioural analytics and endpoint-based telemetry are effectively blind to this technique.

What organisations in Europe should do

Several detection and hardening measures are relevant for European organisations concerned about this threat class:

Audit Azure Blob Storage access from endpoints. If endpoints in your organisation are accessing Azure Blob Storage directly, particularly processes that have no business reason to do so, that is an indicator worth investigating. Microsoft Defender for Endpoint and Sentinel can be configured to alert on unusual storage access patterns.
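The behavioural checks described above (unexpected processes, unknown storage accounts, regular polling) can be prototyped against endpoint or proxy telemetry before they are turned into SIEM rules. The following script is an added example written for this article; it is not code from Seqrite, from the AZUREVEIL analysis or from any detection product. The telemetry lines, storage account names, process names and thresholds are all constructed for illustration and the inventory of known accounts and allowed processes is assumed to come from your own asset records.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry (NOT real indicators): one line per outbound
# HTTPS request, in the shape an EDR or proxy export might take.
# Storage account names below are made up for this example.
SAMPLE_TELEMETRY = """\
2026-06-02T09:00:00Z host=ws-17 proc=OneDrive.exe url=https://contosofiles.blob.core.windows.net/sync/q2.xlsx
2026-06-02T09:03:12Z host=ws-17 proc=OneDrive.exe url=https://contosofiles.blob.core.windows.net/sync/notes.docx
2026-06-02T09:00:05Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/in.bin
2026-06-02T09:01:05Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/in.bin
2026-06-02T09:02:06Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/out.bin
2026-06-02T09:03:05Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/in.bin
2026-06-02T09:04:04Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/in.bin
2026-06-02T09:05:05Z host=ws-42 proc=updater.exe url=https://x9k3q2ppf7.blob.core.windows.net/tasks/in.bin
2026-06-02T09:10:00Z host=srv-03 proc=backup-agent.exe url=https://contosobackup.blob.core.windows.net/nightly/db.bak
"""

# Assumed organisational inventory: storage accounts the business actually owns
# and the processes that are expected to talk to Blob Storage at all.
KNOWN_STORAGE_ACCOUNTS = {"contosofiles", "contosobackup"}
ALLOWED_BLOB_PROCESSES = {"onedrive.exe", "backup-agent.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")
# Only Azure Blob endpoints are of interest here: <account>.blob.core.windows.net/<container>/...
BLOB_URL_RE = re.compile(r"^https://(?P<account>[a-z0-9]+)\.blob\.core\.windows\.net/(?P<container>[^/?]+)")


def parse_line(line):
    """Return a dict for one Azure Blob request, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    b = BLOB_URL_RE.match(m["url"])
    if not b:
        return None  # not Blob Storage traffic; out of scope for this check
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "proc": m["proc"],
            "account": b["account"], "container": b["container"]}


def analyse(telemetry, known_accounts=KNOWN_STORAGE_ACCOUNTS,
            allowed_processes=ALLOWED_BLOB_PROCESSES, min_polls=5, max_jitter_s=5):
    """Group Blob requests by (host, process, account) and apply three checks:
    unknown account, unexpected process, and evenly spaced repeated requests
    (the polling rhythm a dead-drop client needs to pick up new commands)."""
    groups = defaultdict(list)
    for line in telemetry.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["host"], ev["proc"], ev["account"])].append(ev["ts"])

    findings = []
    for (host, proc, account), stamps in groups.items():
        reasons = []
        if account not in known_accounts:
            reasons.append("unknown storage account")
        if proc.lower() not in allowed_processes:
            reasons.append("process not expected to use blob storage")
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular polling: enough requests, and the spacing barely varies.
        if len(stamps) >= min_polls and gaps and (max(gaps) - min(gaps)) <= max_jitter_s:
            reasons.append(f"regular polling (~{int(sum(gaps) / len(gaps))}s interval)")
        if reasons:
            findings.append({"host": host, "process": proc, "account": account,
                             "requests": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_TELEMETRY):
        print(f"{f['host']} {f['process']} -> {f['account']} ({f['requests']} requests): "
              + "; ".join(f["reasons"]))
```

On the constructed data only the ws-42/updater.exe group is reported, on all three grounds; the OneDrive and backup-agent traffic to inventoried accounts passes. In production the account inventory would be generated from your Azure subscriptions rather than typed in, and the polling check should be tuned to your legitimate sync clients, which also poll but usually from known processes against known accounts.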

Monitor for Rust-compiled process execution. AZUREVEIL’s loader is Rust-compiled. Endpoint detection platforms that perform process telemetry can identify binaries carrying Rust toolchain artefacts that execute from temporary directories or spawn suspicious child processes.
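A simple way to see what “Rust toolchain artefacts” means in practice is a strings-based triage pass. The script below is an added example written for this article, not code from Seqrite or from any EDR product. It looks for byte sequences that the Rust compiler and standard library routinely leave in unstripped binaries (panic-location source paths and runtime messages) and combines that with the execution path. The file contents and paths are constructed stand-ins, the commit hash in the sample path is a placeholder, and the marker list and temp-directory hints are assumptions to be extended from your own sample set; a match means “built with Rust”, which is a triage signal, not a verdict.

```python
# Byte sequences commonly embedded by the Rust toolchain: panic locations
# reference source files under /rustc/<commit>/library/..., and unwrap()
# failures carry a fixed message. Stripped or obfuscated builds may omit them.
RUST_MARKERS = [
    b"/rustc/",
    b"library/core/src/",
    b"library/std/src/",
    b"called `Option::unwrap()` on a `None` value",
]

# Locations from which legitimate long-running software rarely executes
# (assumed list; compare with your own baseline of normal process paths).
TEMP_DIR_HINTS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\", "/tmp/",
)

# Constructed fake "file contents" (NOT real malware): only the printable
# strings a scanner would pick up, with a placeholder rustc commit hash.
SAMPLES = {
    "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe":
        b"MZ\x90\x00\x00/rustc/0000000000000000000000000000000000000000/library/core/src/slice/index.rs"
        b"\x00called `Option::unwrap()` on a `None` value\x00",
    "C:\\Program Files\\Vendor\\tool.exe":
        b"MZ\x90\x00\x00library/std/src/io/stdio.rs\x00",
    "C:\\Windows\\System32\\notepad.exe":
        b"MZ\x90\x00\x00This program cannot be run in DOS mode\x00",
}


def rust_markers_in(data: bytes) -> list:
    """Return the Rust toolchain markers present in the binary's bytes."""
    return [m.decode() for m in RUST_MARKERS if m in data]


def triage(path: str, data: bytes) -> dict:
    """Combine the Rust heuristic with the execution location into a priority."""
    markers = rust_markers_in(data)
    from_temp = any(hint in path.lower() for hint in TEMP_DIR_HINTS)
    if markers and from_temp:
        priority = "high"      # Rust build running from a scratch location
    elif markers:
        priority = "medium"    # Rust build from a normal install path: verify vendor
    else:
        priority = "low"
    return {"path": path, "rust_markers": markers,
            "from_temp_dir": from_temp, "priority": priority}


def triage_all(samples=SAMPLES) -> list:
    return [triage(path, data) for path, data in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(f"[{r['priority']:6}] {r['path']} markers={r['rust_markers']}")
```

The point of the exercise is the combination: Rust markers alone will match plenty of legitimate tooling, so an alert should key on the marker plus a context signal the article already names, such as a temporary execution directory or an unexpected child process, rather than on the compiler fingerprint by itself.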

Review your spear-phishing defences. Operation Dragon Weave enters through email. Attachment sandboxing, macro and script execution controls, and user awareness training for ZIP-based phishing remain the most effective early controls in the kill chain.

Apply Zero Trust network segmentation to cloud service access. Consider which workstations and servers actually need direct internet access to cloud storage APIs. Routing outbound cloud API calls through a proxy with inspection and logging removes the transparency advantage the dead-drop technique depends on.

Report to NUKIB or your national CSIRT. If you are a Czech organisation and observe indicators consistent with this campaign, NUKIB has a dedicated reporting channel for incidents of this type. Early reporting supports the collective intelligence picture and may provide access to campaign-specific indicators not yet public.

The Seqrite report includes technical indicators of compromise including file hashes, blob container naming patterns, and AZUREVEIL behavioural signatures. Network defenders should import these into their detection tooling immediately.

If you want to assess whether your organisation’s current detection capabilities would identify Azure Blob Storage dead-drop C2 activity, review your endpoint telemetry coverage, or design a Zero Trust architecture that removes the network visibility blind spots this technique exploits, contact Excello Digital. We help European organisations build security programmes designed for the adversary techniques being used against them today – not the ones from five years ago.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.
