China-linked actors use Azure Blob to target Czech, Taiwan
China-aligned actors used spear-phishing to deliver an AdaptixC2 implant called AZUREVEIL via Microsoft Azure Blob Storage to targets in Czechia and Taiwan.
China-aligned actors used Operation Dragon Weave spear-phishing to deliver an AdaptixC2 implant identified as AZUREVEIL via Microsoft Azure Blob Storage. Targets included government, research, academic, technology and financial-sector users in Czechia and Taiwan.
Seqrite Labs, which discovered the campaign, reported the actors sent spear-phishing emails with ZIP attachments that contained files designed to start a multi-stage infection chain. One infection path used a Windows shortcut (LNK) disguised as a PDF to run a PowerShell script that extracted and launched an executable. In the other path a binary inside the archive ran directly. Both routes produced a Windows binary named RuntimeBroker_update.exe and loaded a malicious UnityPlayer.dll by DLL side-loading to deploy a Rust-based loader called RUSTCLOAK.
Priya Patel at Seqrite Labs described the archive contents as deceptive: “When extracted, the archive contains multiple files that appear legitimate but are actually part of a structured infection chain designed to execute malicious payloads in the background.” The loader performs anti-analysis checks and proceeds only when it determines it is not running in a sandbox. After those checks, RUSTCLOAK decrypts and launches the main payload, the AdaptixC2 implant dubbed AZUREVEIL because it uses Azure Blob Storage for command-and-control.
Seqrite Labs noted AZUREVEIL uses a dead-drop technique: the compromised host and the operator read and write data in the same Azure storage container rather than communicating directly. “The malware just talks to Azure Blob Storage, the same service used by thousands of legitimate enterprises worldwide,” Seqrite Labs explained. The implant supports 36 commands for file operations and transfers, shell command execution, process enumeration and termination, port forwarding and SOCKS proxy control, management of C2 servers, and in-memory execution of Beacon Object Files.
Attribution to China-aligned actors is based on tooling and infrastructure patterns. Cato Networks detected and blocked a related intrusion attempt aimed at an Indian branch of a global manufacturer that would have delivered TencShell, a previously undocumented Go-based implant derived from the open-source rshell framework. Researchers Idan Tarab, Dr. Guy Waizel, Zohar Buber and Shani Kurtzberg noted TencShell could enable remote command execution, in-memory payload execution, proxying and pivoting, system profiling, and staging of additional tools.
ESET reported sustained activity by China-aligned groups between October 2025 and March 2026, documenting clusters including SteppeDriver and a toolkit called PhiliKit linked to UNC5221, and describing NegativeGlimmer as overlapping with a group tracked as TGR-STA-1030. Earlier cases involved DLL side-loading via spear-phishing to deliver AdaptixC2 alongside decoy documents; later campaigns swapped in Cobalt Strike and affected victims in Panama, Cambodia and South Korea.
Security teams are advised to monitor unusual access patterns to Azure storage containers, watch for unexpected executable activity after opening archive contents, and detect or block malicious loaders and DLL side-loading techniques.
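The following triage script is an added example for the second and third of those recommendations; it is not code from Seqrite Labs or the article. It inspects a ZIP attachment for the archive-layout traits the article describes (a Windows shortcut carrying a document-style double extension, an executable packaged next to UnityPlayer.dll, and the reported dropper file name); the indicator lists and the sample archive are constructed for the example and are not a complete signature.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed indicator lists, drawn only from the traits reported above.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
SIDELOAD_DLLS = {"unityplayer.dll"}
KNOWN_DROPPER_NAMES = {"runtimebroker_update.exe"}


def triage_archive(zip_bytes: bytes) -> list[str]:
    """Return findings for a ZIP attachment: LNK disguised as a document,
    an executable alongside a side-loadable DLL, and a known dropper name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    # Map original entry name -> lower-cased path for case-insensitive matching.
    lowered = {n: PurePosixPath(n.lower()) for n in names}

    # 1. Shortcut whose name ends in a document extension (e.g. report.pdf.lnk).
    for name, p in lowered.items():
        if p.suffix == ".lnk":
            inner = PurePosixPath(p.stem).suffix
            kind = "lnk-disguised-as-document" if inner in DOCUMENT_EXTS else "lnk-in-archive"
            findings.append(f"{kind}: {name}")

    # 2. Executable packaged with a DLL commonly abused for side-loading.
    exes = sorted(n for n, p in lowered.items() if p.suffix == ".exe")
    dlls = sorted(n for n, p in lowered.items() if p.name in SIDELOAD_DLLS)
    if exes and dlls:
        findings.append(f"sideload-candidate: {exes} with {dlls}")

    # 3. Executable file name reported for this campaign.
    for name, p in lowered.items():
        if p.name in KNOWN_DROPPER_NAMES:
            findings.append(f"known-dropper-name: {name}")
    return findings


def build_sample_archive(clean: bool = False) -> bytes:
    """Constructed in-memory ZIP mimicking the described layout (placeholder bytes, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if not clean:
            zf.writestr("Invitation.pdf.lnk", b"placeholder shortcut bytes")
            zf.writestr("data/RuntimeBroker_update.exe", b"placeholder exe bytes")
            zf.writestr("data/UnityPlayer.dll", b"placeholder dll bytes")
        zf.writestr("data/readme.txt", b"decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_sample_archive()):
        print(line)
```

The same checks can be run on real attachments by passing the archive bytes to `triage_archive`; a non-empty result should route the message to analyst review rather than be treated as a verdict on its own.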