Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2

Seqrite tracked Operation Dragon Weave, a spearphishing campaign targeting officials and citizens in the Czech Republic and Taiwan with lure documents, ZIP attachments, and a multi-stage infection chain leading to AZUREVEIL. The final payload is an Adaptix C2 agent that abuses Microsoft Azure Blob Storage for dead-drop command-and-control, and the campaign is assessed to be linked with moderate confidence to a China-based threat actor. #OperationDragonWeave #AZUREVEIL #Adaptix #MicrosoftAzureBlobStorage #CzechRepublic #Taiwan

Key points

  • The campaign targeted government and public sector, research and academia, technology and software, and financial services organizations.
  • Victims were primarily in the Czech Republic and Taiwan, using region-specific lure documents written in Traditional Chinese and Czech.
  • The infection began with a ZIP archive containing a malicious LNK or a Rust-compiled executable, both leading to the same payload chain.
  • Path A used empty.vbs and Profile.ps1 to decrypt 1.dat and drop RuntimeBroker_update.exe; Path B extracted the components directly from the executable.
  • RuntimeBroker_update.exe sideloaded a malicious UnityPlayer.dll, which loaded the Rust-based loader RUSTCLOAK.
  • RUSTCLOAK used sandbox checks and multi-layer decryption before loading AZUREVEIL in memory.
  • AZUREVEIL is an Adaptix C2 agent that communicates through Microsoft Azure Blob Storage, supports 36 commands, and can exfiltrate data and execute BOFs in memory.
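The chain summarised above leaves two host-observable traces that a defender can hunt for without any sample in hand: a watchlisted DLL (UnityPlayer.dll) being loaded by an executable from a user-writable directory, and HTTPS requests to a `*.blob.core.windows.net` host carrying a SAS token with broad permissions and a long validity window from a process that is not a known Azure client. The Python below is an added example written for this summary, not Seqrite's tooling or anything from the report: the event records, the Azure-client allowlist, the user-writable path markers and the 90-day threshold are constructed assumptions, the `sig` value is a placeholder, and the SAS permission-letter mapping follows Azure's account SAS documentation as I recall it, so check it against the current docs before relying on it.

```python
"""Detection sketch for the Dragon Weave chain: DLL side-loading plus Azure Blob SAS dead-drop.
Added example; all events, thresholds and allowlists below are constructed assumptions."""
import ntpath
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# DLL names abused by side-loading in this chain (UnityPlayer.dll is named in the report).
SIDELOAD_WATCHLIST = {"unityplayer.dll"}
# Path fragments that mark user-writable locations (assumed list; tune to your estate).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Processes expected to use SAS URLs against Blob Storage (hypothetical allowlist).
BLOB_CLIENT_ALLOWLIST = {"azcopy.exe", "storageexplorer.exe"}
LONG_VALIDITY_DAYS = 90  # assumed threshold for "unusually long-lived" SAS tokens

# Permission letters of an account SAS (sp=...), mapped from Azure's documentation as recalled.
SAS_PERMISSIONS = {
    "r": "read", "w": "write", "d": "delete", "y": "permanent-delete", "l": "list",
    "a": "add", "c": "create", "u": "update", "p": "process", "t": "tag",
    "f": "filter", "i": "set-immutability-policy", "x": "delete-version",
}

# Constructed telemetry: one dict per event (image loads and outbound connections).
SAMPLE_EVENTS = [
    {"type": "image_load", "proc": r"C:\Users\victim\Downloads\RuntimeBroker_update.exe",
     "image": r"C:\Users\victim\Downloads\UnityPlayer.dll"},
    {"type": "image_load", "proc": r"C:\Program Files\SomeGame\Game.exe",  # legitimate Unity title
     "image": r"C:\Program Files\SomeGame\UnityPlayer.dll"},
    {"type": "net_conn", "proc": r"C:\Users\victim\Downloads\RuntimeBroker_update.exe",
     "url": "https://note1ggbbhggdwa1.blob.core.windows.net/c/beacon?sv=2024-11-04&ss=b&srt=sco"
            "&sp=rwdlaciytfx&st=2026-03-19T09:20:44Z&se=2027-03-19T17:35:44Z&spr=https&sig=REDACTED"},
    {"type": "net_conn", "proc": r"C:\Program Files\AzCopy\azcopy.exe",  # allowlisted backup tool
     "url": "https://corpdata.blob.core.windows.net/backups/x?sv=2024-11-04&sp=rwdl"
            "&st=2026-01-01T00:00:00Z&se=2027-01-01T00:00:00Z&sig=REDACTED"},
    {"type": "net_conn", "proc": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://reports.blob.core.windows.net/share/q1.pdf?sv=2024-11-04&sp=r"
            "&st=2026-03-19T09:00:00Z&se=2026-03-19T10:00:00Z&sig=REDACTED"},  # short read-only link
]


def _parse_ts(value):
    """SAS timestamps are ISO 8601 in UTC; the date-only form is also accepted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def parse_sas(url):
    """Return decoded SAS attributes for a URL, or None if it carries no SAS token."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q or "sv" not in q:
        return None
    start = _parse_ts(q["st"]) if "st" in q else None
    expiry = _parse_ts(q["se"]) if "se" in q else None
    return {
        "host": parts.hostname,
        "version": q["sv"],
        "permissions": [SAS_PERMISSIONS.get(ch, f"unknown({ch})") for ch in q.get("sp", "")],
        "validity_days": (expiry - start).days if start and expiry else None,
    }


def detect_sideload(ev):
    """Watchlisted DLL loaded from the loader's own directory in a user-writable path."""
    if ev["type"] != "image_load":
        return None
    proc_dir, proc_name = ntpath.split(ev["proc"])
    dll_dir, dll_name = ntpath.split(ev["image"])
    if dll_name.lower() not in SIDELOAD_WATCHLIST:
        return None
    same_dir = proc_dir.lower() == dll_dir.lower()
    writable = any(m in dll_dir.lower() + "\\" for m in USER_WRITABLE_MARKERS)
    if same_dir and writable:
        return f"sideload: {proc_name} loaded {dll_name} from {dll_dir}"
    return None


def detect_blob_dead_drop(ev):
    """Non-allowlisted process using a broad or long-lived SAS token against Blob Storage."""
    if ev["type"] != "net_conn":
        return None
    sas = parse_sas(ev["url"])
    if not sas or not (sas["host"] or "").endswith(".blob.core.windows.net"):
        return None
    proc_name = ntpath.basename(ev["proc"]).lower()
    if proc_name in BLOB_CLIENT_ALLOWLIST:
        return None
    reasons = []
    if {"write", "delete"} <= set(sas["permissions"]):
        reasons.append("write+delete permissions")
    if sas["validity_days"] is not None and sas["validity_days"] > LONG_VALIDITY_DAYS:
        reasons.append(f"{sas['validity_days']}-day validity")
    if not reasons:
        return None
    return f"blob-dead-drop: {proc_name} -> {sas['host']} ({', '.join(reasons)})"


def run_detections(events):
    """Apply both rules in order and return the alert strings raised."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_blob_dead_drop):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, only the two Dragon Weave-style records alert: the legitimate Unity game loading its own UnityPlayer.dll from Program Files is ignored because the directory is not user-writable, the allowlisted backup tool is ignored despite its write permissions, and the short-lived read-only download link raises nothing. The SAS parser is useful on its own for triage of a recovered token, since it exposes the permission set and the validity window (here a full year) that make an account SAS such a convenient dead-drop credential.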

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The campaign began with a ZIP attachment used to deliver malicious files and lure documents (‘spearphishing campaign targeting officials and citizens’).
  • [T1204.002] Malicious File – User Execution – The infection required the victim to click the LNK or run the executable to start the chain (‘depending on which file the victim interacted with first’).
  • [T1059.001] PowerShell – Profile.ps1 was launched through PowerShell to decrypt and drop the next-stage executable (‘launch Profile.ps1 using PowerShell’).
  • [T1059.005] Visual Basic – empty.vbs acted as a small VBScript bridge to start the PowerShell stage (‘a very small VBScript with a single purpose’).
  • [T1574.002] DLL Side-Loading – RuntimeBroker_update.exe loaded malicious UnityPlayer.dll from the same folder instead of the legitimate DLL (‘Windows loads the attacker’s DLL instead of the legitimate one’).
  • [T1027] Obfuscated Files or Information – The campaign used XOR, RC4, Base64, and SM4 layers to hide payloads (‘multi-layer encryption used to protect the payload’).
  • [T1497.001] Virtualization/Sandbox Evasion – RUSTCLOAK checked machine names against a list of sandbox and analyst systems before proceeding (‘checks whether it is running in a sandbox’).
  • [T1083] File and Directory Discovery – AZUREVEIL can list directory contents and logical drives (‘List directory contents and logical drives’).
  • [T1057] Process Discovery – AZUREVEIL can list running processes and named pipes (‘List running processes and named pipes’).
  • [T1016] System Network Configuration Discovery – AZUREVEIL can enumerate network adapters and related details (‘Network adapter enumeration (MAC, IP, type)’).
  • [T1082] System Information Discovery – The agent can retrieve system uptime and other host details (‘Retrieve system uptime’).
  • [T1102.001] Web Service – Dead Drop Resolver – AZUREVEIL used Azure Blob Storage as a dead-drop C2 channel instead of a direct server (‘both sides use the same Azure storage container’).
  • [T1573] Encrypted Channel – The agent exchanged encrypted beacons, commands, and results over HTTPS (‘uploads a small encrypted beacon’).
  • [T1090] Proxy – The agent supported SOCKS proxy and port forwarding for pivoting (‘Port forwarding and SOCKS proxy control’).
  • [T1105] Ingress Tool Transfer – The agent could drop files from C2 and queue file downloads to the victim (‘Drop files from C2 to the victim system’).
  • [T1041] Exfiltration Over C2 Channel – Files and execution results were uploaded back through Azure Blob Storage (‘uploads the results back as encrypted blobs’).
  • [T1055] Process Injection – Process injection appears in the report's MITRE mapping for the agent (‘Process injection’).
  • [T1620] Reflective Code Loading – The in-memory loading of the final payload and BOF execution aligns with reflective loading behavior (‘loads a full executable in memory’).

Indicators of Compromise

  • [Domains] Azure Blob Storage C2 infrastructure – note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net
  • [File names] Initial delivery and payload chain – 計畫申請審查結果通知單.pdf.lnk, _計畫申請審查結果通知單.exe
  • [File names] Dropper and loader components – RuntimeBroker_update.exe, UnityPlayer.dll, BrowserViewUtility.exe
  • [File names] Script and encrypted data files – empty.vbs, Profile.ps1, 1.dat, Com.dat
  • [File names] Lure documents and decoy content – 000b67d70f3876965bb09fd37164b7ccrezervaci.pdf, 000b67d70f3876965bb09fd37164b7.pdf
  • [SHA-256 hashes] Referenced samples and artifacts – 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447, 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4, and 10 more hashes
  • [SAS token] Azure storage authentication token embedded in encrypted_blob – sv=2024-11-04&ss=b&srt=sco&sp=rwdlaciytfx&st=2026-03-19T09:20:44Z&se=2027-03-19T17:35:44Z&spr=https&sig=ECJjJIIE9Ou75dwiHhliC4fWccdBpLX9u580AX9TGwY=
  • [Computer names] Sandbox/analysis evasion targets checked by RUSTCLOAK – DESKTOP-NAKFFMT, JULIA-PC, and ARCHIBALD-PC
Read more: https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/