A threat group tracked as Silver Dragon has been conducting cyber espionage campaigns against government entities in Europe and Southeast Asia since at least mid-2024, using Cobalt Strike beacons, custom loaders, and Google Drive as a command-and-control channel, according to research published by Check Point.
Researchers assess Silver Dragon operates under the APT41 umbrella, a Chinese hacking group active since at least 2012 with a documented history of targeting healthcare, telecommunications, high-tech, education, travel services, and media organizations for espionage purposes. APT41 is also believed to conduct financially motivated activity, potentially independent of state direction.
Three Distinct Infection Chains
Silver Dragon gains initial access by exploiting public-facing internet servers and by sending phishing emails with malicious attachments. Once inside a network, the group hijacks legitimate Windows services to keep malware processes hidden within normal system activity.
Check Point identified three separate infection chains used to deliver Cobalt Strike. The first two, AppDomain hijacking and a service DLL chain, share operational overlap and are delivered via compressed archives, suggesting they are deployed during post-exploitation after compromising exposed vulnerable servers.
Both chains begin with a RAR archive containing a batch script. The AppDomain hijacking chain drops MonikerLoader, a .NET-based loader that decrypts and executes a second-stage payload directly in memory, which then loads the final Cobalt Strike beacon. The service DLL chain instead delivers a shellcode DLL loader called BamboLoader, registered as a Windows service. This heavily obfuscated C++ malware decrypts and decompresses shellcode staged on disk, then injects it into a legitimate Windows process such as “taskhost.exe.” The injection target is configurable within BamboLoader itself.
The third chain involves a phishing campaign that has primarily targeted Uzbekistan, using malicious Windows shortcut (LNK) files as attachments. The LNK file triggers PowerShell via “cmd.exe,” extracting next-stage payloads that include a rogue DLL sideloaded through “GameHook.exe.” A decoy document displays to the victim while the malicious process runs in the background.
Google Drive as a Covert Backdoor
Among the post-exploitation tools deployed, a backdoor authenticates to an attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information from the infected host. The backdoor uses different file extensions to signal the type of task to be executed, with results captured and uploaded back to Drive. The technique leverages a trusted cloud platform to blend malicious traffic with legitimate web activity.
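A heartbeat that is uploaded to Google Drive on a timer from a process that is not a browser is the defender's handle on this technique. The following is an added example, not code from Check Point or from the article: it parses constructed proxy-style log lines (timestamp, process, host, path, bytes sent) and flags non-browser processes whose uploads to the Google Drive API arrive at a regular interval. The five-minute cadence, the process names and the log format are assumptions for illustration; the article gives no interval or file names.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry):
# timestamp process host path bytes_sent
SAMPLE_LOGS = """\
2025-03-01T10:00:00Z chrome.exe www.googleapis.com /drive/v3/files 512
2025-03-01T10:00:05Z svchost.exe www.googleapis.com /upload/drive/v3/files 1410
2025-03-01T10:03:00Z chrome.exe www.googleapis.com /upload/drive/v3/files 2048000
2025-03-01T10:05:05Z svchost.exe www.googleapis.com /upload/drive/v3/files 1402
2025-03-01T10:10:06Z svchost.exe www.googleapis.com /upload/drive/v3/files 1398
2025-03-01T10:15:05Z svchost.exe www.googleapis.com /upload/drive/v3/files 1411
2025-03-01T10:20:04Z svchost.exe www.googleapis.com /upload/drive/v3/files 1405
2025-03-01T11:40:00Z chrome.exe www.googleapis.com /upload/drive/v3/files 350000
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}          # assumed allow-list
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}        # Drive API hosts
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_logs(text):
    """Parse the constructed log format into (timestamp, process, host, path, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def find_drive_heartbeats(events, min_events=4, max_jitter=0.2):
    """Return {process: mean_interval_seconds} for non-browser processes whose
    Drive uploads recur with low relative jitter (stdev/mean <= max_jitter)."""
    by_proc = defaultdict(list)
    for ts, proc, host, path, _ in events:
        if host in DRIVE_HOSTS and path.startswith("/upload/") and proc.lower() not in BROWSERS:
            by_proc[proc].append(ts)
    findings = {}
    for proc, times in by_proc.items():
        if len(times) < min_events:
            continue  # too few uploads to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[proc] = round(avg)
    return findings
```

Browser uploads to Drive are irregular and large, so they fall out of the allow-list check and the jitter test; a hit still needs triage of the flagged process, since a hijacked legitimate service will carry a legitimate name.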
Silver Dragon also employs DNS tunneling for C2 communication as an additional method to bypass network-level detection.
Ties to APT41
Check Point tied Silver Dragon to APT41 based on tradecraft overlaps with post-exploitation installation scripts previously attributed to that group. The decryption mechanism inside BamboLoader has also appeared in shellcode loaders linked to China-nexus APT activity more broadly.
“The group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns,” Check Point said. “The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group.”
This article is a curated summary based on third-party sources.