AZUREVEIL Deconstructed: Azure Blob Storage C2, Rust Loaders, and Windows Fiber Evasion

A highly sophisticated spearphishing campaign has been identified targeting government and enterprise entities in the Czech Republic and Taiwan. The operation utilizes a custom-built malware framework known as AZUREVEIL—an Adaptix-based command-and-control (C2) agent designed for high stealth and persistence. This campaign is particularly notable for its strategic use of legitimate cloud infrastructure to mask its communication channels.

The delivery mechanism relies on malicious ZIP archives distributed via targeted spearphishing emails. To increase the success rate of the social engineering attempt, the archives contain decoy files designed to mimic official government correspondence. In Taiwan-based attacks, attackers utilize Traditional Chinese filenames and localized content; in the Czech Republic, the lures impersonate the Czech Social Security Administration. This level of regional customization suggests a high degree of operational preparation.

According to research conducted by Seqrite’s APT Team, the campaign exhibits advanced tradecraft, specifically focusing on multi-stage execution chains and the abuse of legitimate cloud services to bypass traditional perimeter defenses.

Infection Chain diagram showing the flow from ZIP to C2.
Figure 1: The multi-stage infection chain (Source: Seqrite APT).

The Execution Chain and DLL Sideloading

Once a victim interacts with the archive, the infection follows one of two primary execution paths, both of which are designed to bypass automated sandbox detection:

  • Path A (Script-based): A malicious LNK file triggers a hidden VBScript, which subsequently invokes a PowerShell script. This script is responsible for decrypting an XOR-encrypted payload (stored as 1.dat) and executing it under the guise of RuntimeBroker_update.exe.
  • Path B (Direct Execution): A standalone Rust-based executable performs the entire infection sequence internally, dropping the payload without the need for external scripting dependencies.

Both paths eventually converge at a critical stage involving DLL sideloading. The attackers utilize a legitimate executable to load a malicious library named UnityPlayer.dll. This library is actually a Rust-based loader dubbed RUSTCLOAK, which handles the heavy lifting of further payload decryption and memory injection.

Malicious UnityPlayer.dll analysis.
Figure 2: Analysis of the malicious UnityPlayer.dll (Source: Seqrite APT).

To evade security analysts, RUSTCLOAK implements environment-aware anti-analysis checks, cross-referencing system metadata against known sandbox and virtual machine signatures before proceeding with the infection.

Cryptographic Complexity and In-Memory Operation

The AZUREVEIL framework employs a formidable multi-layered encryption strategy to frustrate static and dynamic analysis. The payload undergoes a three-stage decryption process involving:
1. A custom RC4 implementation.
2. Base64 decoding.
3. SM4-CBC encryption.

The final stage of the attack involves the deployment of the 64-bit AZUREVEIL DLL directly into memory. To avoid the “noisy” footprint associated with standard thread-based execution, the malware utilizes Windows fibers and performs dynamic API resolution via hashing. This ensures that the malware’s true capabilities remain hidden from standard EDR (Endpoint Detection and Response) hooks that monitor traditional thread creation and API calls.

Azure Blob Storage as a “Dead-Drop” C2

Perhaps the most sophisticated element of this campaign is its Command and Control (C2) architecture. Rather than communicating with a suspicious, hardcoded IP address or domain, AZUREVEIL uses Microsoft Azure Blob Storage as a dead-drop C2 channel.

The malware communicates with a shared Azure storage container, where it uploads encrypted beaconing data and retrieves commands placed there by the attacker. This technique allows malicious traffic to blend in with the massive volume of legitimate enterprise traffic to Microsoft’s cloud, making it nearly impossible to distinguish between a routine cloud backup and a data exfiltration event. Furthermore, researchers discovered an embedded Shared Access Signature (SAS) token within the malware that granted the attackers full access to the storage account for nearly a year, ensuring long-term operational persistence.

Adaptix malware family diagram.
Figure 3: Overview of the Adaptix malware family (Source: Seqrite APT).

While the tactics, techniques, and procedures (TTPs) strongly suggest a China-aligned threat actor, the operation has not been definitively attributed to a specific known group, suggesting either a new evolution in their toolkit or a highly disciplined, undocumented operation.

Defensive Recommendations

To mitigate the risk of AZUREVEIL and similar cloud-native threats, security teams should prioritize the following:

  • Monitor Cloud Traffic: Implement deep packet inspection and anomaly detection for unusual volumes of data being sent to Azure Blob Storage from non-standard processes.
  • Endpoint Hardening: Monitor for suspicious process lineages, specifically looking for LNK files spawning VBScript or PowerShell.
  • DLL Integrity: Implement strict controls and monitoring for DLL sideloading attempts, particularly involving common libraries like UnityPlayer.dll.
  • Behavioral Analysis: Focus on detecting unusual Windows Fiber usage and the use of API hashing to resolve system functions.

Indicators of Compromise (IOCs)

SHA-256 Hash Filename
096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447 計畫申請審查結果通知單.pdf.lnk
1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4 計畫申請審查結果通知單.exe
080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192 UnityPlayer.dll
5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1 BrowserViewUtility.exe
61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15 RuntimeBroker_update.exe
24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4 Com.dat
02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e 000b67d70f3876965bb09fd37164b7ccrezervaci.pdf
8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9 000b67d70f3876965bb09fd37164b7.pdf
047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574 1.dat
a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a empty.vbs
823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de Profile.ps1
783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 azureveil.exe

 

Related Articles

Back to top button