Suspected Chinese Hackers Target Taiwan and Czech Republic in Phishing Campaign to Steal Data
Cybersecurity firm Seqrite reported on May 29 a new cyber espionage campaign, suspected to be linked to a Chinese hacker group, targeting government officials and citizens in the Czech Republic and Taiwan. Attackers used spear-phishing emails to trick victims into executing malware for data theft and remote control. The report was released just before the Czech Senate President's visit to Taiwan.
Published: June 3, 2026 at 09:13
(Central News Agency, Prague, 2nd) Cybersecurity firm Seqrite recently exposed a new cyber espionage campaign suspected to be linked to a Chinese hacker group. Attackers targeted government officials and citizens in the Czech Republic and Taiwan, using phishing emails to lure victims into clicking and executing malicious programs for data theft and remote control.
Seqrite released a report on May 29 titled "Exposing a suspected China-linked attack campaign targeting the Czech Republic and Taiwan, utilizing Azure cloud C2 infrastructure." The release coincided with the eve of Czech Senate President Miloš Vystrčil's visit to Taiwan.
The report stated, "In our recent analysis, we discovered a spear-phishing campaign targeting officials and citizens of the Czech Republic and Taiwan. We observed a decoy document and several related samples, strongly indicating that the operation specifically targets these regions, as the files closely mimic official communication documents."
According to the investigation, the espionage campaign is codenamed "Operation Dragon Weave" and targets government agencies, research institutions, academia, the technology industry, and the financial services sector. The attack begins with a spear-phishing email containing a ZIP archive. Once the victim decompresses and opens the file, a multi-stage infection chain is triggered, allowing the attacker to silently execute malicious code in the background.
Seqrite researcher Priya Patel said, "When the victim decompresses the file, they see multiple seemingly legitimate files, but they are actually part of a carefully designed infection chain aimed at executing a malicious payload in the background."
The report notes that attackers give the files names that imitate official documents, such as PDFs related to government notifications or appointment notices in Czech, to appear credible and entice users to click.
Patel gave an example: in this operation, the version targeting Taiwan used Traditional Chinese filenames, masquerading as an official document titled "Project Application Review Result Notice." The Czech version used Czech, imitating an appointment notice from a social security agency, even including specific personal names and appointment information to make it appear highly authentic.
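For defenders, the delivery pattern described above (a ZIP attachment whose members are named like official PDFs) can be triaged at the mail gateway by inspecting member names before anything is extracted. The following is an added example, not code from Seqrite's report; the extension lists and the sample filenames are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumption: which extensions count as "document lures" and which are directly
# runnable on Windows. Neither list comes from the Seqrite report; tune locally.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
RUN_EXTS = {".exe", ".scr", ".com", ".lnk", ".js", ".vbs", ".hta", ".bat", ".cmd", ".dll"}


def triage_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) for entries that would run rather than open as a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Base name only; Windows ignores trailing dots and spaces.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
            exts = ["." + part for part in name.lower().split(".")[1:]]
            if not exts or exts[-1] not in RUN_EXTS:
                continue
            if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                reason = "document extension followed by runnable extension"
            else:
                reason = "runnable file inside mail archive"
            findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; the names are illustrative, not the campaign's files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project Application Review Result Notice.pdf.exe", b"constructed")
        zf.writestr("Oznameni/Potvrzení termínu.pdf.lnk", b"constructed")
        zf.writestr("docs/form.pdf", b"constructed")
        zf.writestr("docs/helper.dll", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

Only the archive's central directory is read, so no member content is written to disk or executed during the check.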
Seqrite is an India-based cybersecurity research firm that continuously tracks global cyber threats and analyzes malware, viruses, Advanced Persistent Threats (APTs), and state-sponsored attacks. (Editor: Tien Jui-hua) 1150603