A Chinese-affiliated state-backed threat actor, tracked as ‘Silver Dragon,’ has been linked to a wave of cyberattacks targeting government and enterprise entities across Europe and Southeast Asia since at least mid-2024.
Silver Dragon gains initial access by exploiting vulnerable public-facing servers and distributing phishing emails with malicious attachments, according to a new technical report from Check Point. To maintain persistence, the group hijacks legitimate Windows services, enabling its malware to blend in with normal system processes and evade detection.
Researchers assess that Silver Dragon operates under the umbrella of APT41, a prolific China-linked threat actor active since at least 2012. APT41 targets the healthcare, telecommunications, high-tech, education, travel, and media sectors for cyber-espionage. It has also been known to carry out financially motivated operations that may not have been sanctioned by the Chinese government.
Government entities have been the main target of Silver Dragon’s recent campaigns. The attackers use Cobalt Strike beacons to establish persistence on compromised systems and use techniques such as DNS tunneling for command-and-control (C&C) communications, allowing them to bypass security monitoring.
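DNS tunneling works because the resolver itself does not care what the labels mean; the data is smuggled in unusually long, high-entropy subdomains under a domain the attacker controls, and beacons produce many unique names that are never repeated. The following is an added example (not code from the Check Point report or from Silver Dragon's tooling) of the per-client, per-domain heuristic a defender can run over resolver query logs. The log lines, client addresses and the reserved `.test` domain are constructed for the example, the thresholds are illustrative defaults, and the "registered domain" is approximated as the last two labels rather than via a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: timestamp client qname qtype.
# Addresses, host names and the reserved .test domain are placeholders, not indicators.
SAMPLE_DNS_LOG = """\
2024-07-01T10:00:01 10.0.0.5 www.example.com A
2024-07-01T10:00:02 10.0.0.5 mail.example.com A
2024-07-01T10:00:04 10.0.0.5 cdn.example.com A
2024-07-01T10:00:05 10.0.0.5 api.example.com A
2024-07-01T10:00:06 10.0.0.5 login.example.com A
2024-07-01T10:00:03 10.0.0.7 4f3a9c1e2b7d8a6f0c1e9b3d5a7c.up.c2-placeholder.test TXT
2024-07-01T10:00:03 10.0.0.7 a91bc0d7e3f2456a8b9c0d1e2f3a.up.c2-placeholder.test TXT
2024-07-01T10:00:04 10.0.0.7 77e1d2c3b4a5968778695a4b3c2d.up.c2-placeholder.test TXT
2024-07-01T10:00:04 10.0.0.7 0c1d2e3f4a5b6c7d8e9f0a1b2c3d.up.c2-placeholder.test TXT
2024-07-01T10:00:05 10.0.0.7 5e6f7a8b9c0d1e2f3a4b5c6d7e8f.up.c2-placeholder.test TXT
2024-07-01T10:00:05 10.0.0.7 b2c3d4e5f6a7b8c9d0e1f2a3b4c5.up.c2-placeholder.test TXT
2024-07-01T10:00:06 10.0.0.7 www.example.com A
"""


def shannon_entropy(s):
    """Bits per character of the string; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the constructed 4-column format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname):
    # Simplification (assumption): last two labels stand in for the registrable domain.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_tunneling(records, min_queries=5, min_label_len=20,
                    min_entropy=3.0, min_unique_ratio=0.8):
    """Flag (client, domain) pairs whose query pattern looks like data smuggled in labels."""
    groups = defaultdict(list)
    for _ts, client, qname, qtype in records:
        groups[(client, registered_domain(qname))].append((qname, qtype))

    findings = []
    for (client, domain), items in groups.items():
        if len(items) < min_queries:
            continue
        first_labels = [q.split(".")[0] for q, _ in items]
        unique_ratio = len({q for q, _ in items}) / len(items)
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        mean_entropy = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        txt_ratio = sum(1 for _, t in items if t in ("TXT", "NULL", "CNAME")) / len(items)
        if mean_len >= min_label_len and mean_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client, "domain": domain, "queries": len(items),
                "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_entropy, 2),
                "unique_ratio": round(unique_ratio, 2), "txt_ratio": round(txt_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_tunneling(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The benign client in the sample issues the same number of queries as the suspicious one, so query volume alone does not separate them; what does is the combination of long labels, near-maximal entropy for a hexadecimal alphabet and a unique-name ratio of 1.0. In production the thresholds need tuning against CDN and telemetry domains, which legitimately produce long unique labels, so an allowlist of known domains belongs in front of this scoring.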
Check Point identified three distinct infection chains used to deploy Cobalt Strike: AppDomain hijacking, service DLL abuse, and email-based phishing. The first two methods are typically delivered via compressed RAR archives, suggesting they have been deployed in post-exploitation scenarios after the attackers compromised internet-exposed servers.
In the AppDomain hijacking chain, a batch script drops a .NET-based loader known as MonikerLoader, which decrypts and executes a second-stage payload directly in memory. The second stage then loads the final Cobalt Strike beacon. The service DLL chain, by contrast, delivers a shellcode loader dubbed BamboLoader, which registers itself as a Windows service. The heavily obfuscated C++ malware decrypts and injects shellcode into legitimate processes such as taskhost.exe.
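The report describes AppDomain hijacking only at the level of "a batch script drops a .NET loader". In the commonly documented form of this technique (an assumption about the mechanism, since the page does not detail it), the loader is pointed to by `appDomainManagerAssembly` / `appDomainManagerType` settings in an application's `.exe.config` file, or by the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables, so that a trusted .NET host executable loads it at startup. The following added example (not Check Point's or the malware's code) is a defender's scan for those settings across a directory tree; the config files it creates are a constructed fixture with placeholder assembly names.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Runtime settings that redirect the AppDomainManager (assumed mechanism; see lead-in).
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def scan_config(path):
    """Return a finding dict if this .config redirects the AppDomainManager, else None."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None  # not XML; ignore (a scanner should log this, not crash)
    if root.tag != "configuration":
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    hits = {el.tag: el.get("value", "") for el in runtime if el.tag in APPDOMAIN_ELEMENTS}
    if not hits:
        return None
    exe = path[:-len(".config")] if path.lower().endswith(".exe.config") else None
    return {
        "config": path,
        "exe": exe,
        # A host binary sitting next to a redirecting config is the pattern to triage first.
        "exe_present": bool(exe) and os.path.exists(exe),
        **hits,
    }


def scan_tree(rootdir):
    """Walk a directory tree and collect every .config that redirects the AppDomainManager."""
    findings = []
    for dirpath, _dirs, files in os.walk(rootdir):
        for name in sorted(files):
            if name.lower().endswith(".config"):
                finding = scan_config(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings


def check_environment(env):
    """Return any AppDomainManager environment overrides present in the given mapping."""
    return {k: env[k] for k in APPDOMAIN_ENV_VARS if k in env}


# Constructed fixture: a harmless runtime setting and a redirecting one.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <gcServer enabled="true" />
  </runtime>
</configuration>
"""

SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="LoaderPlaceholder, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="LoaderPlaceholder.Manager" />
  </runtime>
</configuration>
"""


def build_fixture():
    """Create a temp directory with a stand-in host binary and the two configs above."""
    d = tempfile.mkdtemp(prefix="appdomain-scan-")
    with open(os.path.join(d, "updater.exe"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes standing in for a signed .NET host executable
    with open(os.path.join(d, "updater.exe.config"), "w") as f:
        f.write(SUSPICIOUS_CONFIG)
    with open(os.path.join(d, "service.exe.config"), "w") as f:
        f.write(BENIGN_CONFIG)
    return d


if __name__ == "__main__":
    fixture = build_fixture()
    for finding in scan_tree(fixture):
        print(finding)
    print("env overrides:", check_environment(os.environ))
```

Run `scan_tree` over user-writable locations and application directories; a redirecting config beside a legitimately signed host executable is the case worth escalating, and `check_environment(os.environ)` covers the per-process variant. Note that the settings themselves are legitimate .NET features, so the finding is a triage lead, not proof of compromise.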
The third infection chain relies on phishing campaigns, with victims receiving weaponized Windows shortcut (LNK) files that trigger malicious PowerShell commands via cmd.exe. While a decoy document is displayed, a rogue DLL is sideloaded through GameHook.exe, ultimately launching the Cobalt Strike payload.
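The LNK chain above leaves a distinctive process ancestry: the user's Explorer launches `cmd.exe`, which launches PowerShell with non-interactive options, and a later descendant (GameHook.exe) runs from a user-writable directory. The following added example (not code from the report) applies two such process-tree rules to Sysmon-style process-creation events. The events are constructed, the user path and the `<placeholder command>` argument are stand-ins, and the flag list is an illustrative set of common non-interactive PowerShell switches rather than anything taken from the campaign.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 shape); nothing here is from the report.
SAMPLE_EVENTS = [
    {"pid": 800, "ppid": 4, "image": r"C:\Windows\System32\winlogon.exe", "cmdline": "winlogon.exe"},
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Shortcut-triggered chain: explorer -> cmd -> powershell -> sideload host in a temp directory
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -nop -c "<placeholder command>"'},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "<placeholder command>"'},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Users\user\AppData\Local\Temp\GameHook.exe",
     "cmdline": "GameHook.exe"},
    # Benign: a user opens a console and starts an interactive PowerShell
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# Switches that make PowerShell non-interactive or hide it; illustrative, not exhaustive.
SUSPICIOUS_PS_ARGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                      "-enc", "-encodedcommand", "-ep bypass", "-executionpolicy bypass")
# Path fragments of directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\downloads")


def image_name(path):
    return ntpath.basename(path).lower()


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestry(index, pid, max_depth=8):
    """Ancestor image names, nearest parent first, stopping at unknown pids or max_depth."""
    chain = []
    cur = index.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = index.get(cur["ppid"])
        if parent is None:
            break
        chain.append(image_name(parent["image"]))
        cur = parent
    return chain


def rule_lnk_cmd_powershell(index, ev):
    """PowerShell spawned by cmd.exe under Explorer, with hidden/non-interactive switches."""
    if image_name(ev["image"]) != "powershell.exe":
        return False
    if ancestry(index, ev["pid"])[:2] != ["cmd.exe", "explorer.exe"]:
        return False
    cmdline = ev["cmdline"].lower()
    return any(flag in cmdline for flag in SUSPICIOUS_PS_ARGS)


def rule_user_writable_exec_from_powershell(index, ev):
    """An executable in a user-writable directory whose ancestry includes PowerShell."""
    image = ev["image"].lower()
    if not any(marker in image for marker in USER_WRITABLE_MARKERS):
        return False
    return "powershell.exe" in ancestry(index, ev["pid"])


RULES = {
    "lnk_cmd_powershell_chain": rule_lnk_cmd_powershell,
    "user_writable_exec_from_powershell": rule_user_writable_exec_from_powershell,
}


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    index = build_index(events)
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(index, ev)]


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The interactive session (pids 3000 and 3100) has the same explorer → cmd → powershell ancestry as the malicious chain, so the first rule also requires hiding or non-interactive switches on the command line; the second rule does not look at the sideloaded DLL at all (that would need image-load events) but catches the host process that was started from a temp directory by a PowerShell ancestor, which is how the chain described above would surface in process telemetry.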
In addition to Cobalt Strike, Silver Dragon deploys a suite of custom post-exploitation tools, including SilverScreen, SSHcmd, and a novel backdoor called GearDoor. The latter leverages Google Drive as its C&C channel. Once executed, the malware authenticates to an attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information. It uses distinct file extensions to signal different task types to infected hosts.