China Uses Dual-Method Cyberattack on Czech Orgs
2026-06-02 19:50 | CRITICAL | LOW
Executive Summary (AI-generated)
The Czech Republic's political support for Taiwan is a point of friction with China, and ESET analyst Alexis Rapin suggests this helps explain why Czech organizations are in China's cyber crosshairs. Seqrite's "Operation Dragon Weave" research describes a spear-phishing campaign, attributed to China with moderate confidence and to no specific APT group, that lures targets with a zip attachment (in one case themed as an appointment with the Czech Social Security Administration, ČSSZ) and infects them by either of two paths: an LNK shortcut that runs a PowerShell script, or an executable that is itself a Rust-based dropper. Both paths launch RuntimeBroker_update.exe, which loads a DLL carrying the "Rustcloak" loader, which in turn runs "Azureveil," an Adaptix C2 agent that beacons through Microsoft Azure Blob Storage. Targeted sectors: government and public sector, and technology.
Technical Mitigations (AI-generated)
* Implement secure email practices: treat archive attachments that contain LNK shortcuts or executables as malicious, and verify the authenticity of attachments and links before opening them.
* Use anti-malware software with real-time protection and behavioral detection, and monitor process execution for a shortcut or dropper spawning PowerShell that in turn launches a binary named after a Windows component (here RuntimeBroker_update.exe, a look-alike of the legitimate RuntimeBroker.exe).
* Regularly update operating systems, applications, and firmware so that known vulnerabilities are patched.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Campaign: Operation Dragon Weave (Seqrite's name for the operation)
* Actor: attributed by Seqrite to China with moderate confidence; no specific APT group named (the Tropic Trooper link on this page is a related article, not an attribution)
* Malware: Rustcloak (Rust-based loader), Azureveil (Adaptix C2 agent)
* CVEs: none listed; initial access is spear-phishing, not exploitation
Target & Sectors
* Region: Europe (Czechia)
* Sectors: government, technology
Incident Timeline
2026/05/26
Spear-phishing campaign, attributed to China, targeting Czech organizations with an email carrying a zip attachment and instructions to open it.
That's according to security vendor Seqrite, which published research last week regarding "Operation Dragon Weave," a spear-phishing campaign that starts with sending email to a target with an attached zip file and instructions to open it, under the guise of something like an upcoming business meeting or, in the case of one Czech Republic-themed instance, an appointment with the Czech Social Security Administration (ČSSZ).
2026/06/02
Dark Reading reports on the campaign: spear-phishing against Czech government, public-sector and technology organizations, with two parallel infection paths (an LNK shortcut that runs a PowerShell script, and an executable that is itself a Rust-based dropper) converging on the same RuntimeBroker_update.exe.
The Czech Connection: In China's Cyberattack Crosshairs
Seqrite attributed the campaign to China with moderate confidence, though the vendor stopped short of connecting it to a specific advanced persistent threat (APT) group.
The contentious relationship between China and Taiwan is well established, and the Czech Republic's support for Taiwan would perhaps explain China's interest in the country as a cyber target, according to Alexis Rapin, cyber threat analyst at ESET; a campaign like this would come as no surprise.
How China's 2-Pronged Attack Works
The zip file attached to the spear-phishing email contains multiple files, including an executable that opens a decoy PDF containing plausible information, such as instructions on what to do on the day of the purported ČSSZ appointment.
The primary infection path is the enclosed LNK shortcut file: opening it runs a PowerShell script (MITRE ATT&CK T1059.001) that decrypts the necessary components and then executes them through a file named RuntimeBroker_update.exe, a name chosen to resemble the legitimate Windows RuntimeBroker.exe.
However, if the victim opens the executable instead, that file also "acts as a self-contained Rust-based dropper that extracts all required components on its own and then launches the same RuntimeBroker_update.exe," according to the Seqrite blog post. Either path converges on the same next stage.
RuntimeBroker_update.exe loads a malicious DLL which executes a Rust-based loader tracked as "Rustcloak."
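As an added example (not code from Seqrite, Dark Reading or the campaign's operators), the following Python hunts for this execution chain in process-creation telemetry. The Sysmon-style events are constructed; the drop path under the user's Temp directory and the PowerShell flags are assumptions, since the page does not give them. What the page does support is the shape: a shortcut opened by the user launches PowerShell, which launches RuntimeBroker_update.exe, a look-alike of the RuntimeBroker.exe that lives in System32.

```python
"""Hunt for the Operation Dragon Weave execution chain in process-creation
telemetry: a double-clicked shortcut launches PowerShell, which launches a
binary named after the legitimate Windows RuntimeBroker.exe from outside
the Windows directory. Added example; the events below are constructed."""
import re

# Constructed Sysmon-style Event ID 1 records. The Temp drop path and the
# PowerShell flags are assumptions; the page does not give them.
EVENTS = [
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -ep bypass -File C:\Users\jan\AppData\Local\Temp\inv\stage.ps1"},
    {"pid": 4200, "ppid": 4100,
     "image": r"C:\Users\jan\AppData\Local\Temp\inv\RuntimeBroker_update.exe",
     "cmd": "RuntimeBroker_update.exe"},
    # Benign: the real RuntimeBroker.exe lives in System32 and is started by svchost.
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmd": "RuntimeBroker.exe -Embedding"},
    # Benign: an admin running an ordinary script from the desktop.
    {"pid": 5100, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# RuntimeBroker.exe should only run from the Windows directory; the campaign's
# binary is RuntimeBroker_update.exe, so match the name plus any suffix.
MASQUERADE = re.compile(r"^runtimebroker(?:[_\-. ].*)?\.exe$", re.I)
# Flags typical of script-launching shortcuts: hidden window, policy bypass, encoded command.
SUSPICIOUS_PS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|e(?:nc|ncodedcommand)\b)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(by_pid, pid, depth=5):
    """Image basenames of the process and its ancestors, nearest first."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        event = by_pid[pid]
        chain.append(basename(event["image"]).lower())
        pid = event["ppid"]
    return chain


def find_chain(events):
    """Return [(pid, reason)] for processes matching the lure's execution chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        if MASQUERADE.match(name) and not WINDOWS_DIR.match(e["image"]):
            chain = ancestry(by_pid, e["pid"])
            if "powershell.exe" in chain[1:]:
                hits.append((e["pid"], "RuntimeBroker look-alike launched via PowerShell: "
                             + " <- ".join(chain)))
            else:
                hits.append((e["pid"], "RuntimeBroker look-alike outside the Windows directory"))
        elif name.lower() == "powershell.exe" and SUSPICIOUS_PS.search(e["cmd"]):
            parent = by_pid.get(e["ppid"], {}).get("image", "")
            if basename(parent).lower() == "explorer.exe":
                hits.append((e["pid"], "hidden/bypass PowerShell spawned by explorer.exe "
                             "(shortcut double-click pattern)"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_chain(EVENTS):
        print(pid, reason)
```

The two rules are deliberately independent: the PowerShell rule fires on the shortcut path even if the dropper is renamed, and the look-alike rule fires on the self-contained dropper path even when no PowerShell is involved, because it keys on a RuntimeBroker-named image running from anywhere other than the Windows directory. The real RuntimeBroker.exe is excluded by path, not by name, so a copy of the genuine binary dropped into a user directory would still be flagged.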
Rustcloak decrypts and runs the ultimate payload, tracked as "Azureveil," which is an Adaptix command-and-control (C2) agent.
Double Whammy: Rustcloak & Azureveil Malware
Azureveil is notable for its C2 component, which relies on Microsoft Azure Blob Storage, so its traffic goes to a widely used Microsoft domain rather than to attacker-owned infrastructure that domain reputation could block.
Seqrite added, "The agent periodically uploads a small encrypted beacon (around 124 bytes) to signal that it is active."
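As an added example (not from the page or from Seqrite), the Python below looks for Azureveil's traffic shape in proxy logs: small uploads of nearly identical size to a *.blob.core.windows.net host at a steady interval. The log lines, the storage-account name cz-stor7, the five-minute period and the PUT method are all constructed; the page only states that the beacon is encrypted, about 124 bytes and periodic.

```python
"""Spot periodic, fixed-size uploads to Azure Blob Storage in proxy logs, the
traffic shape of a small C2 heartbeat such as Azureveil's ~124-byte beacon.
Added example; the log below is constructed, including the account name."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log: 10.0.0.12 beacons every ~5 minutes with a 124-byte
# body; 10.0.0.33 is an ordinary user syncing documents to a corporate account.
LOG = """\
2026-06-03T08:00:00Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:05:02Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:10:01Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:14:59Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:20:00Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:25:01Z 10.0.0.12 PUT cz-stor7.blob.core.windows.net /c1/a.bin out=124
2026-06-03T08:01:10Z 10.0.0.33 PUT corpfiles.blob.core.windows.net /docs/q2.xlsx out=410233
2026-06-03T08:02:45Z 10.0.0.33 PUT corpfiles.blob.core.windows.net /docs/slides.pptx out=2918877
2026-06-03T08:31:05Z 10.0.0.33 PUT corpfiles.blob.core.windows.net /docs/notes.docx out=18122
2026-06-03T09:12:40Z 10.0.0.33 PUT corpfiles.blob.core.windows.net /docs/img.png out=77201
2026-06-03T08:03:00Z 10.0.0.12 GET www.example.org / out=0
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) out=(\d+)$")


def parse(text):
    """Parse the constructed log format into (ts, src, method, host, path, bytes_out)."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        recs.append((ts, m[2], m[3], m[4], m[5], int(m[6])))
    return recs


def find_beacons(recs, min_hits=5, max_jitter=0.15, max_size=512, size_spread=16):
    """Return [(src, host, median_interval_s, median_size)] for (src, host) pairs
    whose uploads to *.blob.core.windows.net are small, nearly equal in size and
    nearly evenly spaced. Jitter is the population stdev of the inter-arrival
    gaps divided by their mean, so a strict timer scores close to zero."""
    groups = defaultdict(list)
    for ts, src, method, host, _path, out in recs:
        if method == "PUT" and host.endswith(".blob.core.windows.net"):
            groups[(src, host)].append((ts, out))
    found = []
    for (src, host), items in groups.items():
        if len(items) < min_hits:
            continue
        items.sort()
        sizes = [size for _, size in items]
        if max(sizes) > max_size or max(sizes) - min(sizes) > size_spread:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0 or statistics.pstdev(gaps) / mean > max_jitter:
            continue
        found.append((src, host, statistics.median(gaps), statistics.median(sizes)))
    return found


if __name__ == "__main__":
    for src, host, interval, size in find_beacons(parse(LOG)):
        print(f"{src} -> {host}: every ~{interval:.0f}s, ~{size:.0f} bytes")
```

The size and jitter thresholds are tuning knobs: an agent that randomizes its sleep will push the jitter up, so raise max_jitter and lengthen the window rather than lowering min_hits. Legitimate Azure clients (OneDrive, backup agents, SDK telemetry) upload to the same domain family, which is why the rule keys on uniform tiny bodies from one source to one storage account and not on the domain alone; a storage account no other host in the estate talks to is a strong secondary signal.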
Organizations should conduct periodic security awareness assessments on relevant threats, vulnerabilities, risks, and impact; monitor and centralize logs using a security information and event management (SIEM) solution; deploy EDR, XDR, and file integrity monitoring (FIM); monitor process execution to detect anomalies (here, a shortcut or dropper launching PowerShell and then RuntimeBroker_update.exe); and employ email filtering to protect against malicious messages like those described here.
Sandbox operators should also note Rustcloak's anti-analysis check: the loader retrieves the system's computer name and compares it against a list of more than 100 known sandbox and analyst machine names; if there's a match, it exits the process and no payload is activated, so a dynamic-analysis run on a default-named sandbox may report the sample as benign.
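Two of the recommendations above (email filtering, and the earlier advice to verify attachments before opening them) come down to one check at the mail gateway: open the zip and look at what is inside. The Python below is an added example, not Seqrite's tooling; the archive it triages is built in memory with invented file names modelled on the ČSSZ lure (a shortcut with a document-looking name, a dropper executable, a decoy PDF and an encrypted-component blob), since the page does not list the real member names.

```python
"""Triage a mail-attachment zip for the lure pattern described on this page:
shortcut (.lnk) files, executables, double extensions and nested or encrypted
archives. Added example; the sample archives are constructed in memory."""
import io
import zipfile

# Extensions that run code when double-clicked on Windows. This is a starting
# point for the example, not an exhaustive gateway policy.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
            "wsf", "hta", "dll", "msi"}
SHORTCUT_EXT = {"lnk", "url"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
ARCHIVE_EXT = {"zip"}
MAX_DEPTH = 3


def classify(name):
    """Return the reasons a member name is suspicious (empty list if none)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in SHORTCUT_EXT:
        reasons.append("shortcut file")
    if ext in EXEC_EXT:
        reasons.append("executable content")
    # invoice.pdf.lnk, photo.jpg.exe: a document-looking inner extension.
    if len(parts) >= 3 and parts[-2] in DOC_EXT and (ext in EXEC_EXT or ext in SHORTCUT_EXT):
        reasons.append("double extension")
    return reasons


def triage(data, depth=0, prefix=""):
    """Return {member_path: [reasons]} for every suspicious member, recursing into
    nested zips; '!/' separates an archive from the members inside it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            reasons = classify(info.filename)
            if info.flag_bits & 0x1:  # password-protected member: cannot be inspected
                findings[path] = reasons + ["encrypted member"]
                continue
            if reasons:
                findings[path] = reasons
            if info.filename.rsplit(".", 1)[-1].lower() in ARCHIVE_EXT:
                if depth >= MAX_DEPTH:
                    findings[path] = reasons + ["nested archive deeper than %d" % MAX_DEPTH]
                else:
                    findings.update(triage(zf.read(info), depth + 1, path + "!/"))
    return findings


def verdict(findings):
    return "quarantine" if findings else "deliver"


def build_sample():
    """Constructed lure archive with invented names modelled on the ČSSZ-themed zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pozvanka/Pozvanka_CSSZ.pdf.lnk", b"L\x00\x00\x00")  # shortcut, document-looking name
        zf.writestr("Pozvanka/Pozvanka_CSSZ.exe", b"MZ")               # dropper
        zf.writestr("Pozvanka/pokyny.pdf", b"%PDF-1.4")                # decoy
        zf.writestr("Pozvanka/data.bin", b"\x00" * 16)                 # encrypted components, bland name
    return buf.getvalue()


def build_nested_sample():
    """Constructed archive-in-archive variant with an executable one level down."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.exe", b"MZ")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs/attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for sample in (build_sample(), build_nested_sample()):
        result = triage(sample)
        print(verdict(result), result)
```

The check is on names only, which is enough for this lure (both infection paths start from a member whose extension gives it away) but is not a substitute for content inspection: the encrypted-components blob passes because its extension is bland, and a gateway that wants to catch it needs entropy or magic-byte checks on the remaining members. Encrypted members are quarantined outright, since the password in the email body is exactly how attackers get archives past a scanner that only inspects what it can open.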
Intelligence Sources
Dark Reading, 2026-06-02, "China Uses Dual-Method Cyberattack on Czech Orgs"
Incident Version History
Current version, last updated 2026-06-29T06:07
Comprehensive Tactical Telemetry
Campaign: Operation Dragon Weave
Origin country: China (Seqrite attribution, moderate confidence; no APT group named)
Target country: Czechia (region: Europe)
Targeted sectors: government, technology
Malware: Rustcloak (Rust-based loader), Azureveil (Adaptix C2 agent)
Infection paths: 2 (an LNK shortcut running a PowerShell script; an executable acting as a self-contained Rust-based dropper), both launching RuntimeBroker_update.exe
MITRE ATT&CK technique: T1059.001 (PowerShell)
C2 infrastructure: Microsoft Azure Blob Storage
Temporal references: 2026/05/26 (spear-phishing campaign reported); 2026/06/02 (Dark Reading article)
Metric: ~124 bytes (size of the encrypted beacon the agent periodically uploads)
Metric: 100+ known machine names (sandbox and analyst hostnames the loader checks before activating the payload)