Hackers Deploy AZUREVEIL Adaptix Agent Spearphishing
A new spearphishing campaign has emerged, operating with notable stealth. Its targets include government officials, researchers, and technology workers across the Czech Republic and Taiwan.
Threat researchers traced the operation to a China-linked threat actor, with the earliest known sample surfacing from Taiwan in March 2026.
The campaign, named Operation Dragon Weave, delivers a sophisticated multi-stage attack chain that ultimately drops a powerful remote access tool designed to blend seamlessly into trusted cloud infrastructure.
The attack begins with a ZIP archive delivered via email, containing files carefully engineered to look like legitimate government communications.
File names are written in Traditional Chinese, and one decoy document closely mimics an official appointment notice from the Czech Social Security Administration, complete with a scheduled date and a reference to the official government website.
The level of detail embedded in these lures points strongly to a well-resourced, targeted, and highly deliberate espionage operation against specific regions.
Analysts at Seqrite, the cybersecurity firm that identified and investigated this campaign, noted the use of two separate delivery paths contained within a single archive.
Either path a victim takes, a malicious shortcut file or a Rust-compiled executable, ultimately leads to the very same final payload.
Seqrite said in a report shared with Cyber Security News (CSN) that the attack is structured so that each component quietly passes control to the next without raising any visible alerts on the victim’s screen.
Once the infection chain completes, a Rust-based loader known as RUSTCLOAK takes over and decrypts the final payload through a three-layer process: a modified RC4 stage, Base64 decoding, and AES-CBC decryption.

RUSTCLOAK also checks whether it is running inside a sandbox environment by comparing the machine name against a hardcoded list of over 100 known analysis system names, exiting silently if a match is found.
The final payload, AZUREVEIL, is a fully functional Adaptix command-and-control agent compiled as a 64-bit DLL.
Rather than communicating with a traditional C2 server, it routes all activity through Microsoft Azure Blob Storage, making its traffic nearly indistinguishable from normal enterprise cloud usage.
Hackers Deploy AZUREVEIL Adaptix C2 Agent
AZUREVEIL uses what researchers call a dead-drop resolver approach, meaning the attacker and the infected system never communicate directly with each other.
Both sides interact with the same Azure storage container, where the attacker places commands as encrypted blobs and collects results from that shared location.

This approach makes network-level detection significantly harder, since all traffic appears as routine Azure cloud activity to security monitoring tools.
The agent supports 36 post-exploitation commands covering file operations, shell execution, process listing, port forwarding, and running Beacon Object Files entirely in memory without touching disk. AZUREVEIL resolves around 87 Windows APIs at runtime using a djb2-based hashing method.
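An analyst-side helper, added here and not part of Seqrite's report: it precomputes djb2 hashes for a list of export names so that hash constants pulled from a sample can be mapped back to API names. The standard djb2 parameters and the short export list are assumptions; the page only says "djb2-based", so the exact variant has to be confirmed in the disassembly.

```python
def djb2(name: str) -> int:
    """Classic djb2 (Bernstein) hash, 32-bit: h = h*33 + c, seeded with 5381.
    Assumption: the report only says 'djb2-based', so the loader's real
    seed, case folding or width may differ; confirm against the binary."""
    h = 5381
    for c in name.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def build_table(export_names):
    """Precompute hash -> API name for a list of DLL export names."""
    return {djb2(n): n for n in export_names}


def resolve(table, hashes):
    """Map hash constants recovered from a sample back to API names;
    unresolved values stay as None so the analyst can try another variant."""
    return {h: table.get(h) for h in hashes}


# Constructed sample export list; in practice feed in every export name
# from kernel32.dll, ntdll.dll and the other DLLs the sample references.
SAMPLE_EXPORTS = ["CreateFileW", "VirtualAlloc", "VirtualProtect",
                  "LoadLibraryA", "GetProcAddress", "WriteProcessMemory"]

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    wanted = [djb2("VirtualAlloc"), djb2("LoadLibraryA"), 0xDEADBEEF]
    for h, name in resolve(table, wanted).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```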
A hardcoded Shared Access Signature token found inside the configuration grants full read, write, and delete access, valid from March 2026 to March 2027, suggesting the attacker planned for extended access.
Multi-Stage Infection Chain and Infrastructure Abuse
The infection runs through four stages, each silently handing control to the next. Stage one uses either a malicious LNK shortcut or a Rust-based dropper. Stage two involves a VBScript and PowerShell chain that decrypts and drops the RuntimeBroker_update.exe binary.

Stage three activates RUSTCLOAK through DLL sideloading using a file called UnityPlayer.dll. Stage four launches AZUREVEIL directly in memory, leaving almost nothing behind on disk for investigators to find.
A notable operational slip was also uncovered during analysis. A Rust build path containing the Windows username “dell2” was left embedded inside the RUSTCLOAK binary as plaintext, which could assist future attribution efforts.

Organizations should monitor outbound HTTPS traffic to blob.core.windows.net for unusual patterns, enforce strict execution policies for PowerShell and VBScript, and disable LNK file execution from within compressed archives.
Deploying endpoint detection tools capable of identifying in-memory code execution is also strongly recommended. Government bodies and research institutions located in geopolitically sensitive regions should apply extra scrutiny to any unexpected file attachments received via email.
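A hunting script that follows the monitoring advice above and targets the dead-drop polling pattern described earlier, added as an example here and not taken from the Seqrite report. The log format, the allowlisted storage account, the process names and the cadence thresholds are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse, parse_qs

BLOB_HOST = re.compile(r"^([a-z0-9]+)\.blob\.core\.windows\.net$", re.I)
ALLOWED_ACCOUNTS = {"corpbackup01"}    # assumption: storage accounts the org actually uses
SAS_MARKERS = {"sp", "se", "sig"}      # query keys carried by a SAS-signed blob URL

def parse_line(line):
    """Constructed log format: '<epoch> <src_host> <process> <url>'.
    Returns None for anything that is not an Azure Blob Storage request."""
    ts, host, proc, url = line.split(maxsplit=3)
    u = urlparse(url)
    m = BLOB_HOST.match(u.hostname or "")
    if not m:
        return None
    return {"ts": int(ts), "host": host, "proc": proc, "account": m.group(1).lower(),
            "sas": SAS_MARKERS <= set(parse_qs(u.query))}

def hunt(lines, min_polls=4, max_jitter=0.2):
    """Flag (host, process, account) triples that hit a non-allowlisted account
    with SAS-signed URLs at a regular cadence, the shape of dead-drop polling."""
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sas"] and rec["account"] not in ALLOWED_ACCOUNTS:
            series[(rec["host"], rec["proc"], rec["account"])].append(rec["ts"])
    alerts = []
    for (host, proc, account), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_polls:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):   # low jitter => beacon-like
            alerts.append({"host": host, "process": proc, "account": account,
                           "polls": len(stamps), "interval_s": round(mean(gaps), 1)})
    return alerts

# Constructed sample: a sideloaded process polling an unknown account roughly
# every 60 s, next to legitimate backup traffic to an allowlisted account.
C2 = "https://examplestore001.blob.core.windows.net/c/tasks?sp=rwd&se=2027-03-01&sig=AAA"
BK = "https://corpbackup01.blob.core.windows.net/vol?sp=rw&se=2026-12-31&sig=BBB"
SAMPLE_LOG = [
    f"1000 WS01 RuntimeBroker_update.exe {C2}",
    f"1060 WS01 RuntimeBroker_update.exe {C2}",
    f"1121 WS01 RuntimeBroker_update.exe {C2}",
    f"1179 WS01 RuntimeBroker_update.exe {C2}",
    f"1200 WS02 backupagent.exe {BK}",
    f"1300 WS02 backupagent.exe {BK}",
]
```

Tune the allowlist and thresholds to the environment; legitimate SDK clients also poll blob storage, so the account allowlist does most of the filtering.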
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Network Indicator | note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net | Azure Blob Storage C2 endpoint used by AZUREVEIL |
| File Name | RuntimeBroker_update.exe | Legitimate-looking executable used for DLL sideloading |
| File Name | UnityPlayer.dll | Malicious DLL containing RUSTCLOAK loader |
| File Name | Profile.ps1 | PowerShell script responsible for XOR decryption and payload execution |
| File Name | empty.vbs | VBScript launcher triggering PowerShell execution chain |
| File Name | 1.dat | XOR-encrypted container holding RuntimeBroker_update.exe |
| File Name | Com.dat | Encrypted payload container holding AZUREVEIL |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.