top of page

Chinese APT Group's Cloud Storage Exploitation: Inside Operation Dragon Weave's Financial Sector Espionage

  • Jun 4
  • 4 min read

Key Findings


  • Two major cyber espionage campaigns have targeted high-profile victims using cloud infrastructure and legitimate services to avoid detection

  • Operation Dragon Weave uses multi-stage infection tactics with dual execution pathways to deploy AZUREVEIL, an advanced remote access agent

  • A separate campaign compromised a stock exchange executive's Outlook account for 150 days, stealing complete mailbox contents through incremental exfiltration

  • Both operations weaponize legitimate cloud platforms (Azure Blob Storage, Dropbox, OneDrive) as command-and-control channels to blend malicious traffic with normal enterprise communications

  • Target organizations span international locations including Czech Republic, Taiwan, and unnamed financial institutions

  • Attribution remains difficult due to use of public tools, infrastructure reuse avoidance, and operational discipline suggesting state-level actors


Background


Security researchers have uncovered two distinct but similarly sophisticated cyber espionage operations targeting high-profile institutions. The Seqrite APT Team discovered Operation Dragon Weave while monitoring public threat databases, revealing a campaign that combines technical sophistication with operational patience. Meanwhile, Broadcom's Symantec and Carbon Black teams investigated a separate incident at a major global stock exchange. Both campaigns demonstrate how modern threat actors prioritize stealth and persistence over rapid exploitation, using legitimate cloud services to mask their activities within normal network traffic.


Operation Dragon Weave: Multi-Path Infection Tactics


The campaign begins when victims download a malicious compressed archive containing various supportive files. The attackers designed two independent execution pathways to accommodate different user behaviors. This redundancy increases success rates while maintaining operational flexibility.


Path A involves a deceptive shortcut file masquerading as a standard PDF document. When users double-click the file, a hidden script unpacks core components from an encrypted data container. Path B takes a different approach using a standalone dropper built with Rust programming language, which handles all extraction internally to eliminate external file dependencies and reduce detection surface.


Both pathways ultimately converge on a malicious executable named RuntimeBroker_update.exe that runs automatically in the system background. The operating system's normal processes provide cover for the malware's execution.


Sideloading and RUSTCLOAK Deployment


Once active, RuntimeBroker_update.exe leverages classic DLL sideloading to hijack legitimate system processes. This technique successfully drops an intermediate loader called RUSTCLOAK onto the target device. The malware hides in plain sight by using legitimate Windows binaries as containers for malicious code.


RUSTCLOAK implements severe defensive scripts to protect its core binary logic before executing any malicious functions. The loader performs exhaustive environment verification checks, querying the local host system configuration to harvest active machine names. It cross-references these findings against an embedded database containing over 100 sandbox indicators. If the malware detects an automated sandbox network, it terminates immediately, keeping the infection hidden from automated endpoint scanners.


Complex Decryption and Payload Delivery


The loader implements a triple-layer decryption routine to extract the final payload, combining custom RC4 operations, Base64 decoding, and advanced SM4-CBC algorithms. Once unpacking concludes, the tool allocates memory via standard Windows virtual memory APIs while avoiding noisy tracking threads that might trigger endpoint alerts.


Instead of creating suspicious threads, the loader deploys unique Windows fibers to transfer execution to the decrypted shellcode. This method injects a fully functional remote control agent directly into system RAM, leaving minimal forensic evidence on disk.


AZUREVEIL: Dead-Drop C2 Channel Architecture


The primary payload deployed by Operation Dragon Weave is AZUREVEIL, a mature advanced management agent. Rather than establishing conventional external servers, the operators built a customized dead-drop C2 channel entirely within legitimate cloud platforms. The system uses public storage spaces to pass encrypted commands and exfiltrated files safely.


This infrastructure selection makes blocking incredibly difficult for network defenders because the traffic looks exactly like regular enterprise web communications traveling to Microsoft servers. According to Seqrite analysis, the malware blends its traffic with regular cloud activity, making detection substantially harder.


Post-Exploitation Capabilities


Once the dead-drop channel establishes a connection, threat actors gain wide-ranging operational authority. Security analysts verified 36 individual command handlers hardcoded inside the central DLL agent. These features allow attackers to execute filesystem changes, manipulate running processes, and forward ports. Operators can pull down secondary files or exfiltrate sensitive local documents seamlessly.


The agent contains a specialized Beacon Object File parsing engine that runs compiled C scripts inside local host memory without touching physical disks, further reducing detection opportunities.


Stock Exchange Executive Account Compromise


In a separate campaign, attackers spent approximately 150 days silently stealing emails from a senior executive's Outlook account at a major global stock exchange, operating from October 2025 through March 2026. The attackers gained SYSTEM-level privileges on the host machine before active operations began, disguising malicious binaries as Adobe Acrobat and OneDrive processes.


By quietly monitoring the mailbox, attackers collected sensitive information on negotiations, internal discussions, calendars, contacts, and travel plans. A senior executive's mailbox provides detailed intelligence on external negotiations, internal deliberations, and potentially market-moving events without requiring lateral movement across the network.


Incremental Mailbox Extraction


The operation centered on a wrapper built around Aspose, a legitimate commercial .NET library that parses Outlook mailbox files. The attacker converted the executive's OST file into PST archives and pushed them out in dated chunks, each covering a few weeks.


Eight extraction runs occurred at roughly two-to-four-week intervals through February 17, 2026. Each operation adjoined the previous window, creating a complete, near-continuous theft of the user's Outlook mailbox broken into incremental archives small enough to avoid triggering security software alerts.


Exfiltration Through Legitimate Services


Data moved through Dropbox and OneDrive Personal accounts to avoid suspicion, as both services appear in normal corporate traffic daily. The attacker hardcoded Microsoft IP addresses instead of hostnames for OneDrive calls, neatly bypassing DNS-based logging. This level of operational detail suggests experienced threat actors familiar with enterprise security monitoring.


Persistence Through Scheduled Task Rotation


The attackers maintained constant persistence by re-registering scheduled tasks every few weeks under names mimicking Adobe, Lenovo, and OneDrive services. Task intervals rotated between 5-minute, 5-hour, 15-hour, and 24-hour windows, with each new registration overwriting the previous one to keep the footprint minimal.


On February 27, a new binary appeared masquerading as the OneDrive sync service, followed by another disguised as an Adobe driver component on March 19. The attacker refreshed their operational grip continuously until the campaign's conclusion.


Attribution Challenges


The identity of actors behind these campaigns remains unknown. The use of public tools, cloud infrastructure for both command-and-control and exfiltration, and deliberate avoidance of infrastructure tied to known threat groups make attribution extremely difficult. However, the technical sophistication, operational discipline, tight scope, and extreme patience involved suggest state-level involvement, particularly given the high-value targets involved.


Sources


  • https://securityonline.info/operation-dragon-weave-c2/

  • https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page