Skip to main content
List Directory
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
Menu
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
Silver Dragon APT Targets Europe & Asia with New Tools & Google Drive C2

Silver Dragon APT Targets Europe & Asia with New Tools & Google Drive C2

March 4, 2026 Sarah Wu - Tech Editor Tech and Science

A sophisticated threat actor, dubbed Silver Dragon, has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. Check Point Research (CPR) details the group’s tactics, techniques, and procedures (TTPs), linking them to the prolific Chinese hacking organization APT41. The campaign demonstrates a complex and evolving approach to cyber espionage, utilizing a combination of publicly exploitable vulnerabilities, phishing campaigns, and custom malware.

Initial Access and Persistence

Silver Dragon gains initial access to systems through two primary methods: exploiting vulnerabilities in publicly facing internet servers and delivering phishing emails containing malicious attachments. Once inside a network, the group focuses on establishing persistence – maintaining access over time – by hijacking legitimate Windows services. This technique allows malicious processes to blend into normal system activity, making detection more difficult. The group’s ability to seamlessly integrate with existing system processes highlights a level of sophistication beyond typical threat actors.

Infection Chains and Tooling

CPR identified three distinct infection chains employed by Silver Dragon. The first two, “AppDomain hijacking” and “Service DLL,” often involve RAR archives containing batch scripts, typically deployed after a server compromise. These chains ultimately deliver a Cobalt Strike beacon, a commonly used post-exploitation tool allowing attackers to establish a command-and-control (C2) channel. The third chain utilizes phishing emails with malicious LNK (shortcut) files, targeting victims in Uzbekistan with a loader dubbed BamboLoader.

Beyond Cobalt Strike, Silver Dragon utilizes several custom-built tools. SilverScreen is a screen-monitoring tool designed to capture periodic screenshots of user activity, including precise cursor positioning. This allows the attackers to observe user behavior and potentially identify sensitive information. SSHcmd is a command-line utility that functions as a wrapper for SSH, facilitating remote access to compromised systems. Perhaps most notably, the group has deployed GearDoor, a new backdoor that leverages Google Drive as its C2 channel. This innovative approach allows for covert communication and tasking over a trusted cloud service, effectively hiding malicious activity in plain sight.

GearDoor: Leveraging Google Drive for Covert Communication

GearDoor’s employ of Google Drive as a C2 channel is a particularly noteworthy aspect of Silver Dragon’s operations. The malware encrypts configuration data and all file-based communication using the DES algorithm. Each infected system is assigned a unique identifier, and a dedicated folder is created within Google Drive for communication. The malware uses different file extensions to signal different tasks to the implant, demonstrating a flexible and adaptable C2 infrastructure. For example, files with the “.pdf” extension are used for file management commands, while “.rar” files are used for downloading payloads and self-updating the malware. GBHackers provides further detail on this unique C2 implementation.

Attribution and Links to APT41

CPR assesses with high confidence that Silver Dragon is linked to APT41, a Chinese-nexus threat actor active since at least 2012. This attribution is based on several converging indicators, including overlapping post-exploitation scripts and a shared decryption mechanism found in shellcode loaders associated with Chinese APT activity. Specifically, the installation scripts used by Silver Dragon closely resemble those previously attributed to APT41, as reported by ABit. The use of similar techniques, such as hijacking Windows services and utilizing Cobalt Strike, further strengthens the connection.

Victimology and Geographic Focus

Silver Dragon primarily targets high-profile organizations, particularly within the government sector. The majority of identified victims are located in Southeast Asia, with increasing activity observed in Europe. The group’s focus on government entities suggests a potential interest in gathering intelligence or conducting espionage. The geographic distribution of targets indicates a strategic focus on regions of geopolitical importance.

Implications and What Comes Next

The Silver Dragon campaign highlights the evolving sophistication of state-sponsored threat actors. Their ability to blend into legitimate system activity, leverage trusted cloud services like Google Drive, and adapt their tactics makes them a formidable adversary. Organizations should prioritize robust security measures, including vulnerability management, intrusion detection systems, and employee training to mitigate the risk of compromise.

Moving forward, security researchers will likely focus on developing more effective detection methods for Silver Dragon’s custom tools and techniques. Further analysis of the malware samples and C2 infrastructure will be crucial for understanding the group’s full capabilities and attribution. The ongoing investigation will also involve sharing threat intelligence with affected organizations and collaborating with law enforcement agencies to disrupt the group’s operations. Expect continued refinement of the group’s tooling and tactics, necessitating a proactive and adaptive security posture from targeted organizations.

Keep reading

  • PS5 Price Hike: Europe Could See €100 Increase – Slim & Pro Models Affected

Recent Posts

  • Madison Keys vs. Hanne Vandewinkel Live: French Open 2026 TV Schedule and Streaming Guide
  • Our Strict Quality Control Process for Returned Clothing
  • German Business Sentiment Shows Slight Recovery in May According to Ifo Index
  • The 2-week supplement to avoid travel tummy trouble – plus blood clots worries – The Irish Sun
  • Ukraine Achieves Major Battlefield Successes as Russian Casualties Mount

Recent Comments

No comments to show.
List Directory

List-Directory is a comprehensive directory of businesses and services across the United States. Find what you need, when you need it.

Quick Links

  • Home
  • Privacy Policy
  • Terms of Service

Browse by State

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado

Connect With Us

Official social links will appear here when available.

List-directory.com
For contact, advertising, copyright, issues email: [email protected]

Privacy Policy Terms of Service