RUSTCLOAK
RUSTCLOAK is a Rust-based intermediate loader used in the Operation Dragon Weave cyber-espionage campaign identified by Seqrite. It is delivered through a spear-phishing infection chain built on ZIP archives with government-themed lures and two execution paths: a malicious LNK that launches VBScript and PowerShell, or a Rust-based dropper executable. Both paths converge on RuntimeBroker_update.exe, which sideloads a malicious UnityPlayer.dll that in turn executes RUSTCLOAK.
RUSTCLOAK performs anti-analysis checks before payload execution, including retrieving the local computer name and comparing it against a hardcoded list of more than 100 known sandbox and analyst machine names; it terminates if a match is found. It decrypts the next-stage payload through a triple-layer routine described in the reporting as modified/custom RC4, Base64 decoding, and either SM4-CBC or AES-CBC, depending on the source summary. One detailed extraction reports decryption of Com.dat using RC4 with key F8 83 40 17 1D 66 AA C2 B0 25 A8 6C A0 DD C4 5A, followed by SM4-CBC with key CD CE 4F DB 3E 6A F2 44 AC 62 8C F4 96 1F 6B FB and IV FA 70 B1 81 A0 BA 5D 46 7A 5D 40 DD 99 B6 9B 42. After decryption, RUSTCLOAK allocates memory and transfers execution to shellcode in memory using Windows APIs including VirtualAlloc, VirtualProtect, CreateFiberEx, and SwitchToFiber, notably using Windows fibers instead of creating a new thread.
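The triple-layer unpacking described above, reconstructed as an added example (this is not Seqrite's tooling and not the sample's own routine). It uses the RC4 key, SM4 key and IV published for Com.dat, but the layer order (RC4, then Base64, then SM4-CBC), PKCS#7 padding and textbook RC4 are assumptions; the reporting calls the RC4 "modified", so expect to adjust that function against the real sample. SM4 is implemented from GB/T 32907-2016 so nothing outside the standard library is needed, and the constructed stand-in for Com.dat is produced by running the same layers in reverse, so the script runs offline.

```python
"""Layered unpacker modelled on the RUSTCLOAK Com.dat routine (added example).
Assumptions: layer order RC4 -> Base64 -> SM4-CBC, PKCS#7 padding, textbook RC4.
Keys and IV are the values published for Com.dat."""
import base64
import struct

RC4_KEY = bytes.fromhex("F88340171D66AAC2B025A86CA0DDC45A")  # reported RC4 key
SM4_KEY = bytes.fromhex("CDCE4FDB3E6AF244AC628CF4961F6BFB")  # reported SM4 key
SM4_IV = bytes.fromhex("FA70B181A0BA5D467A5D40DD99B69B42")   # reported SM4 IV

# SM4 constants (GB/T 32907-2016). CK[i] is the word whose bytes are (4i+j)*7 mod 256.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big")
           for i in range(32))

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(x):
    """Byte-wise S-box substitution on a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def _t(x):  # round function: linear layer L over tau
    b = _tau(x)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_prime(x):  # key-schedule variant with L'
    b = _tau(x)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key):
    k = [mk ^ fk for mk, fk in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_prime(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def sm4_block(block, rks):
    """One 16-byte block; pass the round keys reversed to decrypt."""
    x = list(struct.unpack(">4I", block))
    for i in range(32):
        x.append(x[i] ^ _t(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rks[i]))
    return struct.pack(">4I", x[35], x[34], x[33], x[32])

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def sm4_cbc_encrypt(data, key, iv):
    rks, prev, out = sm4_round_keys(key), iv, bytearray()
    for i in range(0, len(data), 16):
        prev = sm4_block(_xor(data[i:i + 16], prev), rks)
        out += prev
    return bytes(out)

def sm4_cbc_decrypt(data, key, iv):
    rks, prev, out = sm4_round_keys(key)[::-1], iv, bytearray()
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out += _xor(sm4_block(blk, rks), prev)
        prev = blk
    return bytes(out)

def rc4(key, data):
    """Textbook RC4 (KSA + PRGA). The sample's variant is reported as modified: adjust here."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if len(data) % 16 or not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key/IV or a different layer order")
    return data[:-n]

def unpack_layers(blob, rc4_key=RC4_KEY, sm4_key=SM4_KEY, iv=SM4_IV):
    """Com.dat-style blob -> plaintext payload: RC4, then Base64, then SM4-CBC."""
    stage1 = rc4(rc4_key, blob)
    stage2 = base64.b64decode(stage1, validate=True)  # raises if the RC4 layer is wrong
    return pkcs7_unpad(sm4_cbc_decrypt(stage2, sm4_key, iv))

def pack_layers(payload, rc4_key=RC4_KEY, sm4_key=SM4_KEY, iv=SM4_IV):
    """Inverse of unpack_layers; only used to build the constructed test blob."""
    n = 16 - len(payload) % 16
    wrapped = base64.b64encode(sm4_cbc_encrypt(payload + bytes([n]) * n, sm4_key, iv))
    return rc4(rc4_key, wrapped)

def looks_like_pe(buf):
    """Triage check: the reporting says the unpacked stage is a full PE, not raw shellcode."""
    return buf[:2] == b"MZ" and len(buf) > 0x40

# Constructed stand-in for Com.dat: a fake DOS header pushed through the same layers.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_BLOB = pack_layers(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    payload = unpack_layers(SAMPLE_BLOB)
    print(f"unpacked {len(payload)} bytes, PE header present: {looks_like_pe(payload)}")
```

Before pointing this at a real Com.dat, check the SM4 core against the GB/T 32907 test vector (key and plaintext 0123456789abcdeffedcba9876543210 encrypt to 681edf34d206965e86b3e94f536e4246); a padding error on real input means the layer order or the RC4 variant differs from the assumptions above, not that the published keys are wrong.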
The loader’s final payload is AZUREVEIL, a 64-bit Adaptix C2 agent compiled as a DLL. AZUREVEIL uses Microsoft Azure Blob Storage as a dead-drop command-and-control channel, allowing encrypted beacons, commands, and exfiltrated results to blend with normal enterprise cloud traffic. Reported post-exploitation capabilities of the downstream payload include file operations, shell execution, process manipulation, port forwarding, SOCKS/proxy functions, downloading secondary files, exfiltration, and in-memory execution of Beacon Object Files. Reported associated filenames in the infection chain include RuntimeBroker_update.exe, UnityPlayer.dll, Profile.ps1, empty.vbs, 1.dat, and Com.dat. A reported network indicator associated with the campaign is note1ggbbhggdwa1[.]blob[.]core[.]windows[.]net. Seqrite assessed the broader campaign with moderate confidence as China-linked, targeting organizations and officials in the Czech Republic and Taiwan, particularly in government/public sector, research/academia, technology/software, and financial services.
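Starting points for hunting this chain in endpoint telemetry, as an added example (not Seqrite's detections and not code from the page). It keys on facts stated above: a script host running the .vbs launcher spawning PowerShell, RuntimeBroker_update.exe loading UnityPlayer.dll, and a DNS lookup of the reported blob host. Sysmon-style field names and the sample events are assumptions constructed for the demo, and the "unsigned UnityPlayer.dll" rule is a heuristic of mine, not something the reporting states.

```python
"""Triage rules for the Operation Dragon Weave chain (added example).
Events are constructed Sysmon-style dicts: EventID 1 process create,
7 image load, 22 DNS query. Values are made up for the demo."""
from dataclasses import dataclass

# Indicators taken from the page; the blob host is defanged there and refanged here.
SIDELOAD_EXE = "runtimebroker_update.exe"
SIDELOAD_DLL = "unityplayer.dll"
C2_HOST = "note1ggbbhggdwa1.blob.core.windows.net"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

@dataclass(frozen=True)
class Hit:
    rule: str
    process_guid: str
    detail: str

def _basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev):
    """Return the rules a single event trips (usually none)."""
    hits = []
    eid, guid = ev.get("EventID"), ev.get("ProcessGuid", "?")
    image = _basename(ev.get("Image", ""))
    if eid == 1:
        # Path A of the chain: a script host started on a .vbs spawns PowerShell.
        parent_cmd = ev.get("ParentCommandLine", "").lower()
        if (image == "powershell.exe" and ".vbs" in parent_cmd
                and _basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS):
            hits.append(Hit("vbs_to_powershell", guid, parent_cmd))
    elif eid == 7 and _basename(ev.get("ImageLoaded", "")) == SIDELOAD_DLL:
        if image == SIDELOAD_EXE:
            hits.append(Hit("unityplayer_sideload_known_host", guid, ev["Image"]))
        # Heuristic (assumption, not from the report): a genuine UnityPlayer.dll carries a
        # valid Unity Technologies Authenticode signature; a sideloaded stand-in does not.
        elif (ev.get("SignatureStatus") != "Valid"
              or "unity technologies" not in ev.get("Signature", "").lower()):
            hits.append(Hit("unityplayer_unsigned", guid, ev["ImageLoaded"]))
    elif eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append(Hit("azureveil_blob_c2", guid, ev["QueryName"]))
    return hits

def scan(events):
    return [hit for ev in events for hit in check_event(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 1, "ProcessGuid": "p1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\victim\Downloads\CSSZ_appointment\empty.vbs"'},
    {"EventID": 1, "ProcessGuid": "p2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 7, "ProcessGuid": "p3",
     "Image": r"C:\Users\victim\AppData\Local\Temp\RuntimeBroker_update.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\UnityPlayer.dll",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "p4", "Image": r"C:\Games\Example\Example.exe",
     "ImageLoaded": r"C:\Games\Example\UnityPlayer.dll",
     "Signature": "Unity Technologies ApS", "SignatureStatus": "Valid"},
    {"EventID": 22, "ProcessGuid": "p3", "QueryName": "note1ggbbhggdwa1.blob.core.windows.net"},
    {"EventID": 22, "ProcessGuid": "p5", "QueryName": "corpbackup.blob.core.windows.net"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:32} {hit.process_guid:4} {hit.detail}")
```

The two exact-match rules (known host image, known blob host) are brittle by design and belong with the IOCs; the script-host and signature rules are the ones worth keeping once the filenames rotate, with an allowlist for legitimate Unity installs before deploying the signature heuristic widely.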
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"Operation Dragon Weave," a spear-phishing campaign that starts with sending email to a target with an attached zip file and instructions to open it, under the guise of something like an upcoming business meeting or ... an appointment with the Czech Social Security Administration (ČSSZ).
Execution (3 techniques)
...clicking on an enclosed LNK shortcut file, which runs a PowerShell script to decrypt all necessary components; it then executes them through a file named RuntimeBroker_update.exe.
Stage two involves a VBScript and PowerShell chain... File Name: empty.vbs (VBScript launcher triggering PowerShell execution chain).
the campaign initiates when a user downloads a malicious compressed archive... In Path A, the victim double-clicks a deceptive shortcut file masquerading as a standard PDF document.
Persistence (1 technique)
Privilege Escalation (3 techniques)
the loader deploys unique Windows fibers to transfer execution over to the decrypted shellcode. This method injects a fully functional remote control agent directly into system RAM.
Instead, the loader deploys unique Windows fibers to transfer execution over to the decrypted shellcode.
Stealth (7 techniques)
The blog also examines how trusted services such as Microsoft Azure Blob Storage are abused for command-and-control communication, and how the Adaptix agent is used for data exfiltration and remote control. In addition, we analyze the multi-layer encryption used to protect the payload and how it helps the attacker evade detection.
the loader implements a complex triple-layer decryption routine to extract the final payload. The setup combines custom RC4 operations, Base64 decoding, and advanced SM4-CBC algorithms.
the malware terminates immediately if it detects an automated sandbox network. This clever validation routine keeps the infection hidden from automated endpoint scanners.
Before executing any malicious functions, the software performs exhaustive environment verification checks... It cross-references these findings against an embedded database containing over 100 sandbox indicators. Consequently, the malware terminates immediately if it detects an automated sandbox network.
This shows that RUSTCLOAK is not just executing raw shellcode directly, instead it decrypts and loads a full executable in memory and then transfers execution to it.
Discovery (2 techniques)
Collection (2 techniques)
The zip file attached to the spear-phishing email contains multiple files, including an executable that opens a decoy PDF...
The attack begins with a ZIP archive delivered via email... Analysts at Seqrite... noted the use of two separate delivery paths contained within a single archive.
Command and Control (1 technique)
The loader decrypts and runs the ultimate payload, tracked as "Azureveil," which is an Adaptix command-and-control (C2) agent.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
An intermediate loader used in Operation Dragon Weave that performs environment and sandbox checks, then uses a triple-layer decryption routine to unpack and inject the final payload into memory using Windows fibers.
Rust-based loader used in a multi-stage spearphishing campaign. It performs sandbox evasion by checking machine names against a hardcoded list and decrypts the final payload before launching it via DLL sideloading.
A Rust-based loader that decrypts and launches Azureveil and includes anti-detection and anti-analysis checks against more than 100 known sandbox and analyst machine names.
A Rust-based loader used in the infection chain to perform anti-analysis checks, decrypt the final payload, and execute the AdaptixC2/AZUREVEIL implant.