AZUREVEIL

"Operation Dragon Weave," a spear-phishing campaign that starts with sending email to a target with an attached zip file and instructions to open it, under the guise of something like an upcoming business meeting or ... an appointment with the Czech Social Security Administration (ČSSZ).

Azureveil retrieves these commands, decrypts them, executes them, and uploads the results back as encrypted blobs.

...clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components; it then executes them through a file named RuntimeBroker_update.exe.

the agent contains a specialized Beacon Object File (BOF) parsing engine. This engine runs compiled C scripts inside the local host memory without touching physical disks.

The primary way the infection starts is through clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components...

The primary way the infection starts is through clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components...

the loader deploys unique Windows fibers to transfer execution over to the decrypted shellcode. This method injects a fully functional remote control agent directly into system RAM.

The primary way the infection starts is through clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components...

AZUREVEIL resolves around 87 Windows APIs at runtime using a djb2-based hashing method.

the loader deploys unique Windows fibers to transfer execution over to the decrypted shellcode. This method injects a fully functional remote control agent directly into system RAM.

Once the infection chain completes, a Rust-based loader known as RUSTCLOAK takes over and decrypts the final payload through a triple-layer process involving modified RC4, Base64 decoding, and AES-CBC encryption.

Stage four launches AZUREVEIL directly in memory, leaving almost nothing behind on disk for investigators to find... running Beacon Object Files entirely in memory without touching disk.

AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including file operations, file uploads and downloads...

These features allow the attacker to execute filesystem changes, manipulate running processes, and forward ports.

C2 Management Reconfigure C2 settings at runtime Control file transfer state Retrieve system uptime

These features allow the attacker to execute filesystem changes... For instance, operators can pull down secondary files or exfiltrate sensitive local documents seamlessly.

The zip file attached to the spear-phishing email contains multiple files, including an executable that opens a decoy PDF...

The attack begins with a ZIP archive delivered via email... Analysts at Seqrite... noted the use of two separate delivery paths contained within a single archive.

Instead of talking to a normal C2 server, the malware blends its traffic with regular cloud activity, which makes it much harder to notice.

AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including ... port forwarding, SOCKS proxy control...

These features allow the attacker to execute filesystem changes, manipulate running processes, and forward ports.

Rather than communicating with a traditional C2 server, it routes all activity through Microsoft Azure Blob Storage, making its traffic nearly indistinguishable from normal enterprise cloud usage.

"Instead of using a traditional pull-based C2 model, Azureveil follows a dead-drop approach," ... "The attacker and the infected system never communicate directly. Instead, both sides use the same Azure storage container to exchange data."

These features allow the attacker to execute filesystem changes, manipulate running processes, and forward ports. For instance, operators can pull down secondary files or exfiltrate sensitive local documents seamlessly.

Azureveil retrieves these commands, decrypts them, executes them, and uploads the results back as encrypted blobs... they can execute commands and exfiltrate files from the target system...

Operation Dragon Weave relies entirely on a customized dead-drop C2 channel built inside legitimate cloud platforms. The system uses public storage spaces to pass encrypted commands and exfiltrated files safely.

One of the unique aspects of this campaign is its use of Microsoft Azure Blob Storage as a dead-drop C2 channel.