COSMICBYTEZLABS
China-Aligned Groups Ramp Up Attacks: Operation Dragon Weave Hits Czech Republic and Taiwan

Security researchers at Seqrite Labs have uncovered Operation Dragon Weave, a new China-aligned cyber espionage campaign targeting government, research, academic, and financial organizations in the Czech Republic and Taiwan using the AdaptixC2 post-exploitation framework.

Dylan H.

News Desk

June 1, 2026
6 min read

Overview

Cybersecurity researchers at Seqrite Labs have disclosed details of a new China-aligned cyber espionage campaign dubbed Operation Dragon Weave. The campaign is targeting officials and citizens in the Czech Republic and Taiwan, delivering the AdaptixC2 post-exploitation agent to establish persistent access within high-value organizations across government, research, academic, technology, and financial sectors.

The campaign represents a notable escalation in Chinese-aligned threat actor operations against European and Asia-Pacific targets, with researchers observing overlaps with previously documented China-nexus APT groups including Tropic Trooper (APT23/Earth Centaur).


Campaign Details

Attribution

Operation Dragon Weave is attributed to multiple China-aligned threat actor groups, suggesting a coordinated operation rather than a single actor. The simultaneous targeting of both the Czech Republic (a European Union member state) and Taiwan (geopolitically sensitive vis-à-vis China) indicates a strategic intelligence-gathering mandate spanning multiple Chinese intelligence priorities.

Targeted Sectors

Country | Targeted Sectors
Czech Republic | Government agencies, Research institutions, Academic organizations, Technology companies, Financial services
Taiwan | Government entities, Financial services, Academic institutions, Technology sector, Defense-adjacent organizations

The breadth of targeting suggests the campaign aims to collect intelligence across multiple domains simultaneously — political, scientific, financial, and technological — consistent with Chinese state-sponsored intelligence priorities in 2026.


Technical Analysis: AdaptixC2

What Is AdaptixC2?

AdaptixC2 is a modular command and control (C2) framework that has been increasingly observed in campaigns attributed to China-aligned threat actors throughout 2025–2026. Once deployed on a compromised system, AdaptixC2 provides attackers with:

  • Persistent remote access — survives reboots via multiple persistence mechanisms including scheduled tasks, registry run keys, and service installation
  • Lateral movement capabilities — enables propagation throughout the target network using credential harvesting and pass-the-hash techniques
  • Data exfiltration — facilitates extraction of sensitive documents, credentials, and intelligence data
  • Modular architecture — allows attackers to load additional capability modules as needed without re-infection
  • Encrypted C2 communications — blends with legitimate HTTPS traffic to evade detection

Delivery Mechanism

The campaign uses spear-phishing emails containing weaponized documents as the initial infection vector. Targets receive carefully crafted emails relevant to their professional roles (government officials receive policy documents, researchers receive academic papers, financial professionals receive market analyses). When opened, the attached document executes malicious code that silently installs the AdaptixC2 agent.

Spear-Phishing Email (targeted, role-relevant lure)
        ↓
Weaponized Document (exploits Office vulnerability or macro)
        ↓
AdaptixC2 Agent Installation (silent, background execution)
        ↓
Persistent Remote Access Established
        ↓
Lateral Movement + Intelligence Collection
        ↓
Long-Term Espionage + Exfiltration

Geopolitical Context

The targeting of the Czech Republic and Taiwan reflects specific Chinese strategic intelligence interests:

Czech Republic:

  • EU member state with access to European political and policy intelligence
  • Home to significant defense research and technology institutions
  • The Czech government has previously taken positions critical of Chinese intelligence practices, making it a target of retaliatory intelligence collection efforts
  • Czech academic institutions hold valuable research data in semiconductor technology and physics

Taiwan:

  • The highest-priority geopolitical target for Chinese intelligence given Beijing's claims on Taiwan's sovereignty
  • Advanced semiconductor and technology sector — significant economic and industrial intelligence value (TSMC ecosystem, supply chain data)
  • Government communications, military planning, and foreign policy discussions are extremely high-value targets
  • Taiwan's international relationships and US defense cooperation make it a persistent collection priority

The coordinated targeting of both geographies suggests this campaign serves broad PRC strategic intelligence objectives: European intelligence from the Czech Republic, and Asia-Pacific and semiconductor intelligence from Taiwan.


Connection to Known APT Groups

Seqrite Labs researchers identified overlaps with previously documented China-nexus APT groups:

  • Tropic Trooper (APT23/Earth Centaur) — A well-documented Chinese APT with a history of targeting Taiwan's government and defense sectors. The use of AdaptixC2 in recent Tropic Trooper campaigns is documented.
  • GopherWhisper — A China-linked group recently observed abusing legitimate services in government attacks across Asia-Pacific (April 2026)

This convergence of tooling and targeting patterns suggests either direct coordination between Chinese intelligence-aligned groups or shared tooling distribution within the Chinese APT ecosystem.


Indicators of Compromise

Organizations should monitor for:

  • Spear-phishing emails with document attachments referencing Czech or Taiwan government, defense, or academic topics
  • Suspicious macro execution from Word, Excel, or PowerPoint documents originating from external senders
  • AdaptixC2 network traffic signatures — beacon patterns to unfamiliar external IPs over HTTPS
  • Unexpected PowerShell, cmd.exe, or mshta.exe processes spawned from Office applications
  • Anomalous scheduled task or service creation on workstations and servers
  • Lateral movement indicators: unusual SMB connections between workstations, pass-the-hash patterns
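
The process-based indicators in the list above can be hunted in process-creation telemetry. The following is an added example, not code from Seqrite Labs or from this article: it flags Office applications spawning PowerShell, cmd.exe, or mshta.exe and then follows the process ancestry to any scheduled task or service creation. The Sysmon Event ID 1 style field names, the sample events, the `hunt` helper, and the use of `schtasks.exe`/`sc.exe` as markers of task or service creation are assumptions made for illustration.

```python
import ntpath

# Process names from the monitoring list above. PERSISTENCE_TOOLS is an assumption:
# the built-in Windows utilities that create scheduled tasks and services.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe", "sc.exe"}

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"

def _ev(time, host, guid, parent_guid, parent, image):
    return {"UtcTime": "2026-06-01 " + time, "Computer": host, "ProcessGuid": guid,
            "ParentProcessGuid": parent_guid, "ParentImage": parent, "Image": image}

# Constructed process-creation records; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    _ev("08:14:02", "WS-014", "g2", "g1", OFFICE + r"\WINWORD.EXE", SYS32 + r"\cmd.exe"),
    _ev("08:14:03", "WS-014", "g3", "g2", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe"),
    _ev("08:15:40", "WS-014", "g4", "g1", OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe"),
    _ev("09:02:11", "WS-027", "g6", "g5", r"C:\Windows\explorer.exe", SYS32 + r"\cmd.exe"),
    _ev("09:02:30", "WS-027", "g7", "g6", SYS32 + r"\cmd.exe", SYS32 + r"\schtasks.exe"),
    _ev("09:30:55", "WS-031", "g9", "g8", '"' + OFFICE + r'\EXCEL.EXE"', SYS32 + r"\mshta.exe"),
]

def exe_name(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()

def hunt(events):
    """Return (rule, time, host, parent, child) alerts, following process ancestry."""
    tainted, alerts = set(), []  # tainted: (host, ProcessGuid) descended from an Office spawn
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        host = ev["Computer"]
        parent, child = exe_name(ev["ParentImage"]), exe_name(ev["Image"])
        me, mom = (host, ev["ProcessGuid"]), (host, ev["ParentProcessGuid"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            tainted.add(me)
            alerts.append(("office_spawn", ev["UtcTime"], host, parent, child))
        elif mom in tainted:
            tainted.add(me)  # keep following the chain through intermediate processes
            if child in PERSISTENCE_TOOLS:
                alerts.append(("persistence_after_office_spawn", ev["UtcTime"], host, parent, child))
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print("ALERT %s %s %s: %s spawned %s" % alert)
```

The user-launched cmd.exe and schtasks.exe chain on WS-027 and the Word print helper are not flagged, which keeps the rule focused on ancestry that starts at an Office document.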

Recommendations

  1. Email gateway filtering — Enable advanced threat protection for document attachments from external senders; sandbox all Office documents before delivery
  2. Macro policy hardening — Disable Office macros from internet-sourced documents via Group Policy (MOTW enforcement)
  3. Threat hunting — Search for AdaptixC2 IOCs published by Seqrite Labs in endpoint and network telemetry
  4. Patch management — Ensure all systems are current — spear-phishing campaigns often pair with client-side exploits for unpatched applications
  5. Privileged access hardening — Implement least-privilege and just-in-time access for high-value accounts that would be targets for lateral movement
  6. Security awareness training — Brief staff in government, research, and financial sectors on targeted spear-phishing risks specific to their roles
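
One way to verify recommendation 2 on an endpoint, as an added example that is not part of the original article: it audits a registry export for the `blockcontentexecutionfrominternet` policy value, which backs the "Block macros from running in Office files from the Internet" Group Policy setting. The Office version (16.0), the helper names, and the export text are assumptions constructed for illustration.

```python
import re

# Registry value written by the "Block macros from running in Office files
# from the Internet" user policy (1 = enforced).
POLICY_VALUE = "blockcontentexecutionfrominternet"
APPS = ("word", "excel", "powerpoint")

# Constructed `reg export` text for HKCU\Software\Policies\Microsoft\Office\16.0.
# Word is hardened, Excel is explicitly disabled, PowerPoint has no policy key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"blockcontentexecutionfrominternet"=dword:00000000
"""

def parse_reg_export(text):
    """Map lower-cased key path -> {lower-cased value name: int} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def audit_macro_policy(text, version="16.0"):
    """Return {app: 'enforced' | 'disabled' | 'not configured'}."""
    keys = parse_reg_export(text)
    base = r"hkey_current_user\software\policies\microsoft\office" + "\\" + version
    report = {}
    for app in APPS:
        values = keys.get(base + "\\" + app + r"\security", {})
        setting = values.get(POLICY_VALUE)
        report[app] = ("not configured" if setting is None
                       else "enforced" if setting == 1 else "disabled")
    return report

if __name__ == "__main__":
    for app, state in audit_macro_policy(SAMPLE_EXPORT).items():
        print(app, state)
```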

Key Takeaways

  1. Operation Dragon Weave is a China-aligned APT campaign targeting the Czech Republic and Taiwan via the AdaptixC2 post-exploitation framework
  2. Targeted sectors span government, research, academia, technology, and finance — indicating a broad intelligence collection mandate
  3. Delivery is via spear-phishing with weaponized documents; email security controls and Office macro policy are the primary defensive levers
  4. The campaign shows overlaps with known China-nexus groups including Tropic Trooper, suggesting coordinated PRC-affiliated operations
  5. Simultaneous European and Asia-Pacific targeting reflects multi-region Chinese strategic intelligence collection priorities

Sources

  • The Hacker News — China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan
  • Seqrite Labs — Operation Dragon Weave Research Report
