DEV Community

Deepak Sharma


China-Linked Cyber Espionage Campaign Targets Taiwan and Czech Republic

Cybersecurity researchers report a new cyber espionage campaign, tracked as Operation Dragon Weave, that targets government agencies, research institutions, technology organizations, financial entities and academic groups in Taiwan and the Czech Republic. The activity is assessed as likely tied to China-aligned threat actors, and its goals are intelligence gathering and long-term, quiet persistence inside victim networks.

The researchers report that the campaign starts with carefully crafted spear-phishing emails carrying ZIP attachments. Opening the ZIP kicks off a multi-step infection chain designed to install malicious code under the radar while still looking normal to the recipient.

In one path, a malicious Windows shortcut (LNK) file disguised as a PDF runs hidden scripts when opened; those scripts extract additional malware components and launch them. In a second, simpler path, the victim directly runs a malicious file that sits inside the archive. Both routes lead to the same outcome: deployment of an advanced malware framework built for remote control and data theft.
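As an added illustration of the defender-side check this paragraph implies, the following Python script (not code from the report or from the researchers) triages a ZIP attachment before anyone opens it: it flags entries with script or executable extensions, decoy double extensions such as `.pdf.lnk`, and content whose header identifies a Windows shell link or a PE file regardless of the name. The sample archive, the file names and the helper names are all constructed for this example; the LNK header bytes are the standard shell-link header size and CLSID.

```python
import io
import zipfile

# A Windows shell link (.lnk) begins with a 0x4C header size followed by the
# shell-link CLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
MZ_MAGIC = b"MZ"  # PE executables (exe/dll/scr) start with the DOS "MZ" stub

# Document-like extensions attackers put in front of the real extension as a decoy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions Explorer will execute (or hand to a script host) on double-click.
EXEC_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs",
             ".hta", ".ps1", ".dll", ".msi"}


def triage_zip(zip_bytes: bytes) -> list:
    """Return a list of {"name", "reasons"} findings for suspicious archive entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look at the base name only; a path like docs/report.pdf.lnk is still a decoy.
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            head = zf.open(info).read(64)  # only the header is needed for magic checks
            reasons = []
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append(f"executable extension {exts[-1]}")
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXEC_EXTS:
                reasons.append("decoy double extension")
            if head.startswith(LNK_MAGIC):
                reasons.append("shell link (LNK) header")
                if not exts or exts[-1] != ".lnk":
                    reasons.append("LNK content under a non-.lnk name")
            if head.startswith(MZ_MAGIC):
                reasons.append("PE (MZ) header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake LNK dressed as a PDF, a fake PE, a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quarterly_Report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("setup.exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("README.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The content-based checks matter because Explorer never displays the `.lnk` extension even when "hide extensions for known file types" is turned off, so a file named `Quarterly_Report.pdf.lnk` is shown to the user as `Quarterly_Report.pdf` with a shortcut icon. Run this on the mail gateway or a sandbox before the attachment reaches a mailbox, and quarantine anything that produces findings.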

For the final stage, the team says the payload is an AdaptixC2-based implant. The implant lets attackers take control of compromised systems, gather sensitive information and maintain persistence inside the targeted environments. The malware also uses cloud-based infrastructure to talk to its command-and-control servers, which makes the traffic harder for defenders to spot.

The campaign also folds in advanced evasion techniques, including anti-analysis checks that try to determine whether the malware is running inside a sandbox or another security testing environment. If analysis is detected, the malware can alter its behavior to reduce exposure.

The discovery arrives as broader reporting indicates that China-linked threat groups stayed active through late 2025 and early 2026. Researchers say they have seen several campaigns aimed at government entities, critical infrastructure, defense organizations and technology companies across Europe, Asia and South America.

Security experts point out that today's cyber espionage efforts increasingly lean on legitimate cloud services, DLL side-loading and custom-built malware loaders. The combination is meant to slip past older security controls, so both attribution and detection get much harder for defenders.

Organizations are advised to improve email security, watch for unusual file execution behavior, roll out endpoint detection tools and keep running phishing awareness training for staff. Early detection still matters a great deal, since espionage-oriented intrusions can otherwise gain a foothold inside corporate and government networks.

Cybersecurity-focused groups like IntelligenceX keep stressing threat intelligence, proactive monitoring and stronger detection capabilities, especially as state-sponsored cyber operations become more discreet, more complex and harder to catch.
