Canadian Cyber Security Journal

Operation Dragon Weave: China-Linked APT Targets Government and Research Sectors Using Azure Cloud C2 — What Canadian Organizations Need to Know

What Happened

Researchers at Seqrite disclosed Operation Dragon Weave, a China-aligned cyber espionage campaign targeting government officials, citizens, and institutions in the Czech Republic and Taiwan. The campaign delivers AZUREVEIL, a fully featured AdaptixC2 post-exploitation agent with 36 commands, via spear-phishing emails with ZIP attachments. A Rust loader handles initial execution, drops the C2 agent, and establishes persistence.

The campaign’s defining technical feature is its use of Microsoft Azure Blob Storage as a dead-drop resolver for C2 communications. The implant does not connect to attacker-controlled infrastructure directly — it retrieves its actual C2 server address from a file hosted on a legitimate Azure URL. This approach bypasses network-layer controls that block connections to known malicious infrastructure and abuses a trusted cloud platform to hide the campaign’s actual footprint. Targeted sectors include government, research institutions, academic organizations, technology companies, and financial services. The earliest known sample surfaced from Taiwan in March 2026. Source: The Hacker News.

Why This Matters for Canadian Organizations

Canada is a Five Eyes member, a NATO partner, and maintains deep research and diplomatic ties with both the Czech Republic and Taiwan. China-aligned APT campaigns targeting NATO and Five Eyes-adjacent governments consistently extend to Canadian federal departments, Crown corporations, and defence contractors. The Canadian Security Intelligence Service (CSIS) and the Canadian Centre for Cyber Security (CCCS) have documented China-linked threat actors targeting Canadian government networks, universities, and research institutions on multiple occasions.

The tactic of using Azure Blob Storage as a C2 relay is particularly relevant for Canadian defenders because Microsoft Azure is widely used across Canadian government and enterprise. Network monitoring rules and firewall policies that block generic cloud storage traffic are unlikely to flag Azure-hosted content, especially when the initial connection looks like legitimate document retrieval. Security teams need detection logic built on behavioral indicators, such as a process retrieving a file from an Azure Blob URL and then initiating an outbound connection to an address it has never contacted before, rather than relying solely on domain blocklists.

Canadian universities and research institutions, particularly those working on sensitive technology sectors, represent a high-value target for China-aligned espionage. Intellectual property theft, credential harvesting, and long-term persistent access for strategic intelligence collection are consistent objectives across campaigns of this type.

What to Do

Review spear-phishing defenses, including email gateway controls for ZIP attachments and sandboxing of unknown executables. Implement behavioral detection for processes retrieving remote configuration files from Azure Blob Storage or other cloud object storage services before initiating new outbound network connections. Audit logs for any AdaptixC2 indicators of compromise published alongside the Seqrite research. Canadian federal departments and defence contractors should cross-reference threat intelligence with CCCS advisories on China-linked actors. Treat any spear-phishing email using region-specific lures targeting government or research personnel as a high-priority incident for investigation.
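One way to turn the behavioral indicator described above (a process reading from Azure Blob Storage and shortly afterwards connecting to a destination it has never contacted) into detection logic, covering both the point made under Why This Matters and the second recommendation under What to Do. This is an added example, not code from the article or from Seqrite. The Sysmon-style network-connection events, process names and IP addresses below are constructed for illustration, and the 300-second correlation window is an assumed tuning value.

```python
"""
Correlate per-process network events: alert when a process contacts an
Azure Blob Storage endpoint and then, within a short window, opens an
outbound connection to an IP it has not previously contacted.

Added example; events are modelled loosely on Sysmon Event ID 3 fields
and are entirely constructed (hypothetical hosts, pids and IPs).
"""
from datetime import datetime

# Azure Blob Storage endpoints end in this suffix.
BLOB_SUFFIXES = (".blob.core.windows.net",)


def is_blob_host(host):
    """True if the destination hostname is an Azure Blob Storage endpoint."""
    h = (host or "").lower().rstrip(".")
    return any(h.endswith(s) for s in BLOB_SUFFIXES)


def detect_dead_drop_pattern(events, window_seconds=300):
    """Return one alert per (process) that fetched from Blob Storage and then
    connected to a never-before-seen IP within window_seconds (assumed value)."""
    alerts = []
    last_blob = {}   # (pid, image) -> (timestamp, blob host) of most recent blob fetch
    seen = {}        # (pid, image) -> set of destination IPs contacted so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["image"].lower())
        ts = datetime.fromisoformat(ev["ts"])
        history = seen.setdefault(key, set())
        if is_blob_host(ev["dest_host"]):
            last_blob[key] = (ts, ev["dest_host"])
        elif ev["dest_ip"] not in history and key in last_blob:
            blob_ts, blob_host = last_blob[key]
            delta = (ts - blob_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "blob_host": blob_host,
                    "dest_ip": ev["dest_ip"],
                    "dest_port": ev["dest_port"],
                    "delta_seconds": delta,
                })
        history.add(ev["dest_ip"])
    return alerts


# Constructed sample events (hypothetical; not from any real incident).
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
DROPPED = "C:\\Users\\analyst\\AppData\\Local\\Temp\\invoice.exe"
BROWSER = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"

SAMPLE_EVENTS = [
    # Benign: Outlook already knows this endpoint from earlier in the day...
    {"ts": "2026-03-10T08:00:00", "pid": 3100, "image": OUTLOOK,
     "dest_host": "outlook.office365.com", "dest_ip": "192.0.2.10", "dest_port": 443},
    # ...later reads an attachment preview from Blob Storage...
    {"ts": "2026-03-10T09:01:00", "pid": 3100, "image": OUTLOOK,
     "dest_host": "contosofiles.blob.core.windows.net", "dest_ip": "192.0.2.20", "dest_port": 443},
    # ...and returns to the endpoint it already contacted: no alert.
    {"ts": "2026-03-10T09:01:05", "pid": 3100, "image": OUTLOOK,
     "dest_host": "outlook.office365.com", "dest_ip": "192.0.2.10", "dest_port": 443},
    # Suspicious: a binary in %TEMP% reads a blob (the dead drop)...
    {"ts": "2026-03-10T09:00:01", "pid": 4120, "image": DROPPED,
     "dest_host": "deaddropstore.blob.core.windows.net", "dest_ip": "192.0.2.21", "dest_port": 443},
    # ...then, three seconds later, connects by bare IP to an address it never used before.
    {"ts": "2026-03-10T09:00:04", "pid": 4120, "image": DROPPED,
     "dest_host": "", "dest_ip": "203.0.113.25", "dest_port": 443},
    # Browser: blob fetch, then a new destination 90 minutes later (outside the window).
    {"ts": "2026-03-10T08:10:00", "pid": 7000, "image": BROWSER,
     "dest_host": "cdnassets.blob.core.windows.net", "dest_ip": "192.0.2.22", "dest_port": 443},
    {"ts": "2026-03-10T09:40:00", "pid": 7000, "image": BROWSER,
     "dest_host": "news.example", "dest_ip": "198.51.100.7", "dest_port": 443},
]


if __name__ == "__main__":
    for a in detect_dead_drop_pattern(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} fetched {a['blob_host']} "
              f"then connected to {a['dest_ip']}:{a['dest_port']} after {a['delta_seconds']:.0f}s")
```

Only the dropped binary trips the rule: Outlook's second connection goes to an address it had already used, and the browser's new destination falls outside the window. In production the per-process history would be seeded from a longer baseline than a single log file, and the window tuned against the organisation's own telemetry.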
