AZUREVEIL Deconstructed: Azure Blob Storage C2, Rust Loaders, and Windows Fiber Evasion
A highly sophisticated spearphishing campaign has been identified targeting government and enterprise entities in the Czech Republic and Taiwan. The operation utilizes a custom-built malware framework known as AZUREVEIL—an Adaptix-based command-and-control (C2) agent designed for high stealth and persistence. This campaign is particularly notable for its strategic use of legitimate cloud infrastructure to mask its communication channels.
The delivery mechanism relies on malicious ZIP archives distributed via targeted spearphishing emails. To increase the success rate of the social engineering attempt, the archives contain decoy files designed to mimic official government correspondence. In Taiwan-based attacks, attackers utilize Traditional Chinese filenames and localized content; in the Czech Republic, the lures impersonate the Czech Social Security Administration. This level of regional customization suggests a high degree of operational preparation.
According to research conducted by Seqrite’s APT Team, the campaign exhibits advanced tradecraft, specifically focusing on multi-stage execution chains and the abuse of legitimate cloud services to bypass traditional perimeter defenses.

The Execution Chain and DLL Sideloading
Once a victim interacts with the archive, the infection follows one of two primary execution paths, both of which are designed to bypass automated sandbox detection:
- Path A (Script-based): A malicious LNK file triggers a hidden VBScript, which subsequently invokes a PowerShell script. This script is responsible for decrypting an XOR-encrypted payload (stored as
1.dat) and executing it under the guise ofRuntimeBroker_update.exe. - Path B (Direct Execution): A standalone Rust-based executable performs the entire infection sequence internally, dropping the payload without the need for external scripting dependencies.
Both paths eventually converge at a critical stage involving DLL sideloading. The attackers utilize a legitimate executable to load a malicious library named UnityPlayer.dll. This library is actually a Rust-based loader dubbed RUSTCLOAK, which handles the heavy lifting of further payload decryption and memory injection.

To evade security analysts, RUSTCLOAK implements environment-aware anti-analysis checks, cross-referencing system metadata against known sandbox and virtual machine signatures before proceeding with the infection.
Cryptographic Complexity and In-Memory Operation
The AZUREVEIL framework employs a formidable multi-layered encryption strategy to frustrate static and dynamic analysis. The payload undergoes a three-stage decryption process involving:
1. A custom RC4 implementation.
2. Base64 decoding.
3. SM4-CBC encryption.
The final stage of the attack involves the deployment of the 64-bit AZUREVEIL DLL directly into memory. To avoid the “noisy” footprint associated with standard thread-based execution, the malware utilizes Windows fibers and performs dynamic API resolution via hashing. This ensures that the malware’s true capabilities remain hidden from standard EDR (Endpoint Detection and Response) hooks that monitor traditional thread creation and API calls.
Azure Blob Storage as a “Dead-Drop” C2
Perhaps the most sophisticated element of this campaign is its Command and Control (C2) architecture. Rather than communicating with a suspicious, hardcoded IP address or domain, AZUREVEIL uses Microsoft Azure Blob Storage as a dead-drop C2 channel.
The malware communicates with a shared Azure storage container, where it uploads encrypted beaconing data and retrieves commands placed there by the attacker. This technique allows malicious traffic to blend in with the massive volume of legitimate enterprise traffic to Microsoft’s cloud, making it nearly impossible to distinguish between a routine cloud backup and a data exfiltration event. Furthermore, researchers discovered an embedded Shared Access Signature (SAS) token within the malware that granted the attackers full access to the storage account for nearly a year, ensuring long-term operational persistence.

While the tactics, techniques, and procedures (TTPs) strongly suggest a China-aligned threat actor, the operation has not been definitively attributed to a specific known group, suggesting either a new evolution in their toolkit or a highly disciplined, undocumented operation.
Defensive Recommendations
To mitigate the risk of AZUREVEIL and similar cloud-native threats, security teams should prioritize the following:
- Monitor Cloud Traffic: Implement deep packet inspection and anomaly detection for unusual volumes of data being sent to Azure Blob Storage from non-standard processes.
- Endpoint Hardening: Monitor for suspicious process lineages, specifically looking for LNK files spawning VBScript or PowerShell.
- DLL Integrity: Implement strict controls and monitoring for DLL sideloading attempts, particularly involving common libraries like
UnityPlayer.dll. - Behavioral Analysis: Focus on detecting unusual Windows Fiber usage and the use of API hashing to resolve system functions.
Indicators of Compromise (IOCs)
| SHA-256 Hash | Filename |
|---|---|
| 096372d19b4787e989f44e04c5ecc29885aa927c34ae8666628d6c0eb20bb447 | 計畫申請審查結果通知單.pdf.lnk |
| 1c56228cbd1bdebb9e5ea55c2749150fee06c865ede4a3754e8bd6843e51d2d4 | 計畫申請審查結果通知單.exe |
| 080ab9bc2893ba7bad354551604a667af40ed2ae2d042d2323c2bd9ad3122192 | UnityPlayer.dll |
| 5ed14c2b7f7433a1a72dd6b668413f935a217ba10b69d89b774a82990fa12fe1 | BrowserViewUtility.exe |
| 61f7d9cd2d8ce7df950639b23ce90085b300b0c6dd0d8d934bba8fdecb670f15 | RuntimeBroker_update.exe |
| 24aa4e780ccd66cef13da9ef98c32954105cf2a32ec643efab0ba1aa2d6352f4 | Com.dat |
| 02542a49b3bd6bd2795afb67840acb4557b17e017f7503dd03ebe3aeeb28720e | 000b67d70f3876965bb09fd37164b7ccrezervaci.pdf |
| 8ae7c82a3e4f742777e590b25a1c563d19bd9bcba2a387d004aae72c4b2828f9 | 000b67d70f3876965bb09fd37164b7.pdf |
| 047687548605734348792e2a9d771b6cba42facd0d0d7d44d778290a25848574 | 1.dat |
| a4e9f9919d62589b57cfa08c9ccb89e386b09f683271373413cd8e8c8c7d1c5a | empty.vbs |
| 823d5969db3f3b72ebbdce1b78752717ea849884a0fb40d86146416c38e128de | Profile.ps1 |
| 783661d0f7edb338d2d50be087764d82dbbc9ee7989ddc57db1801e4ec9045b0 | azureveil.exe |