Operation Dragon Weave Targets Czech Republic and Taiwan With AdaptixC2 Spear-Phishing

Seqrite Labs disclosed Operation Dragon Weave, a China-aligned cyber-espionage campaign delivering an AdaptixC2 agent against government, research, academic, technology, and financial-services targets in the Czech Republic and Taiwan via spear-phishing ZIPs.

Key Takeaways

  • Seqrite Labs disclosed Operation Dragon Weave, a China-aligned cyber-espionage campaign targeting officials and citizens in the Czech Republic and Taiwan with spear-phishing ZIP attachments that deploy an AdaptixC2 agent.
  • Target sectors span government, research, academic, technology, and financial services — a collection-priority pairing that aligns NATO/EU member Czech Republic with cross-strait flashpoint Taiwan inside a single named campaign.
  • CISOs at Czech, Taiwanese, and second-tier NATO or EU government and supply-chain organizations should hunt for AdaptixC2 indicators in EDR and network telemetry and audit inbound email gateways for ZIP-borne spear-phishing patterns aimed at officials.

Operation Dragon Weave is what state-aligned cyber-espionage looks like when the targeting list itself is the message: the Czech Republic and Taiwan paired inside one named campaign is a public read-out of China's current collection priorities.

PRAGUE, CZECH REPUBLIC — Seqrite Labs has disclosed a new cyber-espionage campaign codenamed Operation Dragon Weave that targeted officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent, according to research published by Seqrite and reporting by The Hacker News on June 1, 2026. Seqrite identified target sectors spanning government, research, academic, technology, and financial services, and described an initial-access pattern of spear-phishing emails carrying ZIP attachments that trigger an infection chain ending in a fully featured AdaptixC2 implant.

Seqrite assesses the activity as China-aligned but has not attributed Dragon Weave to a specific Chinese intelligence service or named APT — a hedge The CyberSignal preserves throughout this account.

Disclosure Overview
Field | Details
Campaign | Operation Dragon Weave — China-aligned cyber-espionage activity disclosed by Seqrite Labs
Reported | June 1, 2026, by Seqrite Labs, with same-day reporting from The Hacker News
Target Geographies | Czech Republic and Taiwan
Targets | Officials and citizens of the two countries
Target Sectors | Government, research, academic, technology, and financial services
Initial Access | Spear-phishing emails carrying ZIP attachments
Final Payload | An AdaptixC2 agent — an open-source / pentest-oriented command-and-control framework being repurposed by state-aligned operators
Attribution | China-aligned — Seqrite did not name a specific PRC intelligence service or APT

What Happened

Seqrite Labs disclosed Operation Dragon Weave on June 1, 2026, describing a cyber-espionage campaign that has targeted officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite, the targeted sectors include government, research, academic, technology, and financial services — a pairing that lines up a NATO and EU member state with a cross-strait flashpoint inside a single named operation. The Hacker News reported the disclosure on the same day, citing Seqrite's research as the primary source.

The reported initial-access pattern is conventional in shape and aggressive in target selection: spear-phishing emails carrying ZIP attachments addressed to officials and citizens in the two countries. Seqrite's research describes an infection chain that runs from the ZIP attachment through to the deployment of an AdaptixC2 agent for data exfiltration and remote control. Seqrite assesses the activity as China-aligned but did not attribute Dragon Weave to a named Chinese intelligence service or APT group — a hedge The CyberSignal preserves here, and one that matters because it leaves the door open to either an established Chinese operator or a newer cluster the public threat-intel community has not yet labelled.

Why the Czech-Taiwan Pairing Is the Real Story

The most operationally important fact about Dragon Weave is not the malware family — it is the targeting list. Pairing the Czech Republic with Taiwan inside a single named campaign is a public read-out of collection priorities. The Czech Republic is a NATO member, an EU member, and an unusually Taiwan-aligned voice in European policy debate; Taiwan is the cross-strait flashpoint and a critical node in the global semiconductor supply chain. A China-aligned operator that builds a campaign hitting both at once is signaling that those two ends of Beijing's foreign-policy attention are being collected against in the same effort. That pattern sits alongside other 2026 China-aligned activity The CyberSignal has covered — including the Showboat campaign that ran multi-year telecom espionage against U.S. and global carriers using the JFMBackdoor toolkit and the Webworm cluster's EchoCreep and GraphWorm operations using Discord and OneDrive for command-and-control — and it lands in the same week as continued attention to Germany's public warning about a China-linked AI-assisted threat actor uncovered through the Mythos and Glasswing investigations. Read together, Dragon Weave is one more data point in a sustained, multi-vector China-aligned tempo that is not slowing down.

AdaptixC2 and the Open-Source-C2 Weaponization Trend

Dragon Weave's payload-of-record is an AdaptixC2 agent. AdaptixC2 is an open-source, pentest-oriented command-and-control framework — the same broad category as Sliver, Havoc, Mythic, and Brute Ratel. Each of those frameworks was built so that legitimate red teams and penetration testers could emulate post-exploitation tradecraft without buying a commercial product. Each has, in turn, been picked up by real attackers and repurposed for operational intrusions. State-aligned operators favor this category for a specific reason: the network signatures, agent capabilities, and tradecraft of an open-source C2 are already documented in pentest and academic literature, which means an espionage operator can hide its activity inside the noise of a tool that defenders associate with friendly red-team work. Treating AdaptixC2 as 'just a pentest tool' is therefore the wrong threat model. The framework's capabilities — file operations, shell command execution, in-memory tradecraft, port forwarding, and proxying — are the same in an espionage operation as they are on a sanctioned engagement. The framework is the means; the operator's intent is what changes.

Spear-Phishing ZIPs to Officials Is the Initial-Access Standard

The reported initial-access pattern — spear-phishing emails to officials with ZIP attachments — is the most-used path for state-aligned espionage in 2026 for a reason. It works. A ZIP attachment lets the operator package a multi-file infection chain inside a single envelope a recipient feels familiar with, and a spear-phishing lure aimed at an official's role can be tailored to the kinds of documents the recipient genuinely expects. The same general pattern appears across The CyberSignal's coverage of state-aligned activity this quarter, including the Kimsuky HTTPSpy backdoor used against South Korean military and defense targets in March and April 2026 and the Russian intelligence operation using fake Western technology companies as front cover for cyber-spying. Different operators, different geographies, recurring shape: a tailored email, a benign-looking attachment, and an implant that activates once a human in the loop trusts it.

Scope and Impact

Several things about Dragon Weave are deliberately not asserted here. Seqrite has not attributed the campaign to a specific Chinese intelligence service or to a named APT designation such as those used by other threat-intel vendors, and this account does not invent one. The number of compromised organizations, the dwell time on victim networks, and the volume of data exfiltrated are not stated in the public reporting that informs this article and should not be assumed. Whether the spear-phishing lures were tailored per recipient or sent in localized bulk to officials is also not detailed in the public account. Readers who require those specifics for an operational decision should consult Seqrite's primary research and The Hacker News reporting directly.

Dragon Weave does not stand alone. It is the latest disclosed China-aligned activity in a cluster that includes the Showboat telecom-espionage operation against carriers across multiple regions and the Webworm cluster's EchoCreep and GraphWorm campaigns abusing legitimate Discord and OneDrive infrastructure for C2, and it shares a calendar window with non-Chinese state-aligned activity The CyberSignal has covered — including the Russian intelligence operation using fake Western technology companies for cyber-spying, the Kimsuky HTTPSpy campaign against South Korean military targets, and the Iran-aligned Nimbus Manticore MiniFast operation that used AI-assisted lures against aviation targets. Read together, the picture is straightforward: state-aligned cyber-espionage is a four-power workload — China, Russia, North Korea, Iran — being executed against allied governments and supply chains on a continuous basis, with overlapping calendars and overlapping initial-access tradecraft.

For CISOs at Czech, Taiwanese, and adjacent NATO or EU government and supply-chain organizations, the practical scope of Dragon Weave is twofold. First, the threat model: a China-aligned operator has named geographic priorities that explicitly include the Czech Republic, alongside Taiwan, in a single campaign — which is reason enough to brief executive and board stakeholders that those priorities have moved past general 'cyber threat' framing into named, observed targeting. Second, the technical implication: any organization in a targeted sector that handles cross-strait policy, EU-China policy, or semiconductor supply-chain coordination should treat itself as in-scope for follow-on Dragon Weave or Dragon-Weave-adjacent tradecraft, even if it was not directly mentioned by Seqrite. Public targeting lists in threat-intel research are rarely exhaustive.

Response and Attribution

For SOC and threat-hunting teams, the immediate action is detection coverage for AdaptixC2. The framework's network behavior and post-exploitation capabilities are documented in pentest literature; that documentation cuts both ways. Pivot on the open-source C2 traffic patterns the framework produces, hunt for the post-exploitation behaviors it supports — file operations, shell command execution, in-memory tradecraft, port forwarding, and proxying — in EDR telemetry, and add the Dragon Weave initial-access shape (spear-phishing emails carrying ZIPs to officials) to email-gateway hunting rules. For organizations in the named target sectors, audit recent inbound mail to executive and senior-official inboxes for ZIP attachments from previously unseen senders and for lures that map to the recipient's role, and treat unattributed ZIP-borne tradecraft against an official as a potential Dragon Weave indicator until ruled out.
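
One way to run the inbound-mail audit described above over exported messages, as an added example that is not from Seqrite or the original reporting. The addresses, watchlist, sender baseline, and ZIP stub are constructed; the magic-byte check goes slightly beyond the text by also catching a ZIP renamed to another extension.

```python
import email
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive

def zip_attachments(msg):
    """Names of parts that are ZIPs by content (magic bytes) or by filename."""
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""  # None for multipart containers
        if body.startswith(ZIP_MAGIC) or name.lower().endswith(".zip"):
            hits.append(name or "<unnamed>")
    return hits

def hunt(raw_messages, baseline, watchlist):
    """Flag ZIP-bearing mail to watchlisted inboxes from senders outside the baseline."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_bytes(raw)
        # Header From is spoofable; a gateway hunt should also key on the envelope sender.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
        zips = zip_attachments(msg)
        for rcpt in sorted(rcpts & watchlist):
            if zips and sender not in baseline.get(rcpt, set()):
                findings.append((rcpt, sender, zips))
    return findings

def make_sample(sender, rcpt, fname, data):  # builds constructed test mail only
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()

ZIP_STUB = b"PK\x03\x04" + bytes(26)            # constructed ZIP local-header stub
VIP, STAFF = "official@ministry.example", "intern@ministry.example"  # hypothetical
WATCHLIST = {VIP}                                # senior-official inboxes to audit
BASELINE = {VIP: {"colleague@agency.example"}}   # senders seen in the lookback window
SAMPLES = [
    make_sample("colleague@agency.example", VIP, "minutes.zip", ZIP_STUB),  # known sender
    make_sample("new@unseen.example", VIP, "agenda.zip", ZIP_STUB),         # flagged
    make_sample("other@unseen.example", VIP, "agenda.pdf", ZIP_STUB),       # renamed ZIP: flagged
    make_sample("new@unseen.example", STAFF, "agenda.zip", ZIP_STUB),       # not watchlisted
    make_sample("new@unseen.example", VIP, "note.pdf", b"%PDF-1.7\n"),      # not a ZIP
]

if __name__ == "__main__":
    print(*hunt(SAMPLES, BASELINE, WATCHLIST), sep="\n")
```

Each finding is a lead for analyst review of the lure and archive contents, not a verdict; legitimate first-time senders will appear in the output.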

For CISOs, Dragon Weave is a prompt to widen the threat model in two directions. The first is geographic: 'second-tier' NATO and EU member states with Taiwan-aligned diplomatic postures are not a quiet back row in China-aligned collection — they are now in named campaigns. Czech, Slovak, Lithuanian, and adjacent CEE-region organizations whose threat models have historically privileged Russia-aligned activity should add named China-aligned collection to their executive briefings. The second is tooling: the open-source-C2-repurposing trend — Sliver, Havoc, Mythic, Brute Ratel, AdaptixC2 — is now an operationally established habit across state-aligned operators, and detection programs should not assume that 'open-source pentest framework' equals 'red team in progress.' The same agent on the same port can be a sanctioned engagement, a criminal operator, or a state-aligned espionage implant; behavior and context decide which.

On attribution, the honest position is the one Seqrite published. The activity is assessed as China-aligned; no specific PRC intelligence service or APT designation has been put to it in the disclosure that informs this article. Pair this campaign with The CyberSignal's recent coverage of the Showboat telecom-espionage operation, Russian intelligence's fake-Western-companies cover for cyber-spying, and the Kimsuky HTTPSpy backdoor used against South Korean military targets for a multi-alignment view of state-sponsored activity hitting allied governments and supply chains in the same calendar window.


The CyberSignal Analysis

Signal 01 — Targeting Lists Are Now Strategic Signals

Most coverage of Dragon Weave will lead with the malware or the spear-phishing tradecraft, and both are worth covering. The detail that deserves the spotlight is the targeting list. China-aligned operators have demonstrated repeatedly that the countries they put in the same campaign are countries they treat as one collection problem — and Dragon Weave puts the Czech Republic and Taiwan inside the same envelope. That pairing is informative in itself. The Czech Republic's role in European Taiwan-policy debate and Taiwan's centrality to cross-strait and semiconductor questions are the connection. For CISOs and executive risk owners, the takeaway is that 'who else is in the campaign with us' is now a piece of strategic intelligence: it tells you which other organizations to coordinate with, which threat-model assumptions to update, and which categories of follow-on activity to expect.

Signal 02 — Open-Source C2 Is Espionage Infrastructure Now

AdaptixC2 in a state-aligned campaign should end any lingering treatment of open-source C2 frameworks as primarily a red-team concern. Sliver, Havoc, Mythic, Brute Ratel, and AdaptixC2 are now part of the working toolkit of operators that include — at minimum — China-aligned and Russia-aligned actors, on top of every penetration tester and criminal crew that already used them. The defensive posture has to update with the trend. Detection coverage that fires on 'open-source pentest framework' alone produces noise; detection coverage that fires on the combined signature of an open-source framework plus suspicious initial access (spear-phishing ZIPs, DLL side-loading, fake software updates) and plus targeting of a sensitive role produces signal. AdaptixC2 in a finance executive's inbox is a different problem from AdaptixC2 in a red team's lab.

Signal 03 — Four-Power Espionage Is the Continuous Workload

Dragon Weave is one operation in a quarter that has produced disclosed China-aligned, Russia-aligned, North Korea-aligned, and Iran-aligned activity against allied governments and supply chains on overlapping calendars. That is the workload security teams in allied governments and their suppliers are actually defending against — not a single adversary in a single quarter, but a continuous, four-power, multi-vector tempo where the next named campaign will land before the response to the last one is complete. The implication is organizational, not technical. Defending against a continuous workload requires a continuous response cadence: standing threat-intel briefings, persistent hunting programs, refreshed executive risk framings, and a willingness to update the threat model when the targeting list itself moves — as it did here, with the Czech Republic now in the same campaign as Taiwan.


Sources

Type | Source
Primary | Seqrite Labs — Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2
Reporting | The Hacker News — China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic and Taiwan
Background | MITRE ATT&CK — Spearphishing Attachment (T1566.001)