APT41 Connected Silver Dragon Targets Governments with Cobalt Strike and Google Drive C2

Cybersecurity researchers have uncovered fresh details about an advanced persistent threat group known as Silver Dragon, which has been targeting government entities across Europe and Southeast Asia since at least mid-2024.

According to a technical analysis published by Check Point, the group employs a mix of server exploitation and phishing attacks to gain initial access, followed by stealthy persistence techniques that blend malicious activity into normal Windows operations.

Operating Under the APT41 Umbrella

Silver Dragon is assessed to operate under the umbrella of APT41, a well-known Chinese threat group active since at least 2012. APT41 has historically targeted sectors including healthcare, telecommunications, high technology, education, travel services, and media, conducting both espionage and financially motivated operations.

The latest campaign attributed to Silver Dragon primarily focuses on government organizations, leveraging Cobalt Strike beacons to maintain access on compromised systems. The group also uses DNS tunneling to conceal command and control traffic and evade detection.

Three Distinct Infection Chains

Researchers identified three separate delivery mechanisms used to deploy Cobalt Strike payloads:

  1. AppDomain hijacking
  2. Service DLL execution
  3. Email based phishing

The first two chains are typically delivered via compressed RAR archives and are often deployed after the compromise of publicly exposed servers.

AppDomain Hijacking and MonikerLoader

In the AppDomain hijacking chain, a batch script extracts a .NET based loader called MonikerLoader. This component decrypts and executes a second stage payload directly in memory. The second stage mirrors the behavior of MonikerLoader and ultimately loads the Cobalt Strike beacon.

Service DLL Chain and BamboLoader

The second infection path leverages a malicious DLL loader known as BamboLoader. Delivered through a batch script, the loader is registered as a Windows service.


BamboLoader, written in heavily obfuscated C++, decrypts and decompresses shellcode stored on disk and injects it into legitimate Windows processes such as taskhost.exe. The target process for injection can be configured within the loader.

Phishing Campaign Targeting Uzbekistan

The third infection chain involves phishing emails primarily targeting entities in Uzbekistan. The emails contain malicious Windows shortcut files.

When executed, the weaponized shortcut launches PowerShell commands through cmd.exe, triggering the extraction of multiple components:

  • A decoy document
  • A legitimate executable vulnerable to DLL sideloading, GameHook.exe
  • A malicious DLL, BamboLoader
  • An encrypted Cobalt Strike payload

The decoy document is shown to the victim while, in the background, the malicious DLL is sideloaded via GameHook.exe to launch the final payload.

Post Exploitation Toolkit

After gaining a foothold, Silver Dragon deploys several custom tools:

  • SilverScreen, a .NET screen monitoring utility that captures periodic screenshots and cursor movements
  • SSHcmd, a .NET based SSH command line tool for remote command execution and file transfers
  • GearDoor, a .NET backdoor that communicates with its command infrastructure through Google Drive

Google Drive Based Command and Control

GearDoor uses Google Drive as a file based command and control channel. After execution, the malware authenticates to an attacker controlled account and uploads a heartbeat file containing basic system details.

Different file extensions indicate specific instructions:

  • .png files transmit heartbeat signals
  • .pdf files deliver commands such as directory listing and file deletion
  • .cab files trigger host reconnaissance and command execution
  • .rar files deliver payloads or updates
  • .7z files load plugins directly into memory

Results of executed tasks are uploaded back to the attacker using various file extensions, enabling covert bidirectional communication.
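Because GearDoor's traffic goes to Google Drive over HTTPS, a network sensor cannot see the file extensions that carry the command semantics; what it can see is the heartbeat itself: small, regularly spaced uploads to the Drive API from a process that is not a browser. The following is an added example, not code from the article or from Check Point. The log format, the process name "updater.exe", the host names and the timestamps are constructed; the browser allow-list and the Drive v3 upload path are the example's assumptions about what a proxy log with process attribution would show.

```python
"""Beacon-style detection for file-based cloud C2 over Google Drive, as an
added example. Looks for regular-interval uploads to the Drive API from a
non-browser process. Log lines below are constructed, not real telemetry.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log format: "<ts> <host> <process> <method> <url> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>\S+) "
                    r"(?P<url>\S+) (?P<bytes>\d+)$")
UPLOAD_PATH = "/upload/drive/v3/files"          # Drive API v3 media upload endpoint
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # allow-list, tune locally

# Constructed sample: "updater.exe" (placeholder name) uploads ~180-byte files
# roughly every five minutes; a browser uploads a few large files irregularly.
SAMPLE_LOG = """
2024-09-02T10:00:00 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 181
2024-09-02T10:01:13 ws01 chrome.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 2048000
2024-09-02T10:05:00 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 179
2024-09-02T10:10:02 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 182
2024-09-02T10:15:00 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 180
2024-09-02T10:17:40 ws01 chrome.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 512000
2024-09-02T10:20:01 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 181
2024-09-02T10:25:00 ws01 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 180
""".strip().splitlines()


def parse(lines):
    """Yield parsed records; silently skip lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_drive_beacons(lines, min_events=5, max_cv=0.2):
    """Group Drive uploads by (host, process) and flag groups whose inter-upload
    gaps have a low coefficient of variation (regular timing) and whose process
    is not a browser. Returns a list of findings."""
    groups = defaultdict(list)
    for r in parse(lines):
        if r["method"] == "POST" and UPLOAD_PATH in r["url"]:
            groups[(r["host"], r["proc"])].append(r["ts"])
    findings = []
    for (host, proc), stamps in groups.items():
        if proc.lower() in BROWSERS or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "uploads": len(stamps),
                             "interval_s": round(mean), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_drive_beacons(SAMPLE_LOG):
        print(f)
```

The same timing heuristic applies to any file-based cloud C2 channel, not only Google Drive: swap the endpoint pattern and the allow-list for the service in question. It needs endpoint telemetry that attributes connections to a process; a plain proxy log without process names would leave only the interval regularity and the small, constant upload size as signals.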

Links to APT41

The connection to APT41 is supported by shared tooling techniques and overlapping post exploitation scripts previously attributed to the group. Additionally, BamboLoader’s decryption mechanism resembles shellcode loaders historically linked to China nexus threat activity.

Researchers noted that Silver Dragon continues to refine its tradecraft, integrating custom loaders, exploiting diverse vulnerabilities, and employing cloud services for covert communications.

Security experts warn that the combination of sophisticated persistence mechanisms, file based cloud command channels, and adaptable malware components highlights a well resourced and strategically focused threat actor targeting government infrastructure.



