Mar 03, 2026 • bferrite
Silver Dragon Targets Organizations in Southeast Asia and Europe
Summary
In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. […] The post Silver Dragon Targets Organizations in Southeast Asia and Europe appeared first on Check Point Research.
Published Analysis
Key Findings
Check Point Research (CPR) is tracking Silver Dragon, an advanced persistent threat (APT) group that has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The actor is likely operating within the umbrella of the Chinese-nexus APT41.
Silver Dragon gains initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, which allows its malware processes to blend into normal system activity.
As part of its recent operations, Silver Dragon deployed GearDoor, a new backdoor that uses Google Drive as its command-and-control (C2) channel to enable covert communication and tasking over a trusted cloud service.
In addition, the group deployed two further custom tools: SSHcmd, a command-line utility that wraps SSH to facilitate remote access, and SliverScreen, a screen-monitoring tool that captures periodic screenshots of user activity.
Introduction
In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon.
This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. Silver Dragon employs a range of initial access techniques, primarily the exploitation of public-facing servers and, more recently, email-based phishing campaigns. To establish an initial foothold on compromised hosts, the group deploys Cobalt Strike beacons. In most observed cases, it then conducts command-and-control (C2) communication through DNS tunneling, which lets it evade certain network-level detection mechanisms. During our research, we identified several custom post-exploitation tools the group uses, including a backdoor that leverages Google Drive as its C2 channel, which enables stealthy communication over a widely trusted cloud service.
In this blog, we provide an overview of the observed campaigns, take a closer look at Silver Dragon's TTPs (tactics, techniques, and procedures), and examine the tools used across their operations.
Overview – Infection Chains
In our analysis, we identified three main infection chains that Silver Dragon uses. In every case we observed, the chain ultimately delivered Cobalt Strike as the final payload. The group also appears to maintain its own custom malware, such as GearDoor, for exfiltrating information via Google Drive.
Infection chains:
- AppDomain hijacking
- Service DLL
- Email phishing campaign
The first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap. Both are delivered via compressed archives, suggesting their use in post-exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers. Both chains rely on the delivery of a RAR archive containing an installation batch script, likely executed by the attackers, which indicates a shared delivery mechanism.
We observed additional overlaps in the Cobalt Strike C2 infrastructure, further strengthening the linkage between the two chains. Notably, some files associated with both infection chains were uploaded to VirusTotal by the same submitter, which suggests that the chains were likely deployed in parallel, potentially targeting different machines within the same compromised network. The third infection chain was used in a phishing campaign with a malicious LNK file as an attachment; we linked it to Silver Dragon through the use of similar loaders, which we later refer to as BamboLoader.
AppDomain Hijacking
Figure 1 – High-level overview of the AppDomain hijacking infection chain.
This chain is deployed by abusing AppDomain hijacking (T1574.014). A very similar infection chain was observed by the Italian National Cybersecurity Agency (ACN) following the ToolShell exploitation wave in July 2025. The analyzed instance of this chain involves a RAR archive with the following components:
- A batch installation script
- An XML configuration file (dfsvc.exe.config)
- A malicious .NET DLL (ServiceMoniker.dll) – MonikerLoader
- An encrypted module (ComponentModel.dll) – second-stage loader
- An...
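The dfsvc.exe.config artifact above is the file that makes AppDomain hijacking (T1574.014) work: a side-by-side configuration tells the .NET runtime to load a custom AppDomainManager from a DLL next to a legitimate signed executable. The following defensive check is an added example, not code from the Check Point report or from Silver Dragon's tooling. It walks a directory tree, parses every `<name>.exe.config`, flags the `appDomainManagerAssembly` / `appDomainManagerType` runtime settings (the element names are the standard .NET runtime settings this technique relies on, which is an assumption from general knowledge of T1574.014; the report only names the file), and reports whether the referenced assembly and the paired executable actually sit beside the config. The sample tree, the MZ stub files and the `ExampleNamespace.ExampleManager` type name are constructed for the demo.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# .NET runtime settings that redirect AppDomain creation into a custom assembly.
# Assumption: these are the elements T1574.014 abuses; the report names only the
# file dfsvc.exe.config, not its contents.
SUSPICIOUS_RUNTIME_ELEMENTS = {"appDomainManagerAssembly", "appDomainManagerType"}


def _local(tag):
    """Strip an XML namespace prefix ('{urn:...}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def inspect_config(config_path):
    """Return a list of findings for one <name>.exe.config file."""
    config_path = Path(config_path)
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError as exc:
        # A config the runtime cannot parse is itself worth a look.
        return [{"file": str(config_path), "issue": "unparseable", "detail": str(exc)}]

    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in SUSPICIOUS_RUNTIME_ELEMENTS:
            continue
        value = elem.get("value", "")
        finding = {"file": str(config_path), "issue": name, "detail": value}
        if name == "appDomainManagerAssembly":
            # The assembly name is the first comma-separated part of the value;
            # the runtime probes for <name>.dll in the application directory.
            asm_name = value.split(",", 1)[0].strip()
            finding["sidecar_dll_present"] = config_path.with_name(asm_name + ".dll").exists()
        findings.append(finding)
    return findings


def scan_directory(root_dir):
    """Scan a tree for *.exe.config files and collect AppDomainManager findings."""
    results = []
    for cfg in sorted(Path(root_dir).rglob("*.exe.config")):
        paired_exe = cfg.with_name(cfg.name[: -len(".config")])
        for finding in inspect_config(cfg):
            finding["paired_exe_present"] = paired_exe.exists()
            results.append(finding)
    return results


# Constructed samples: a benign config and one modelled on the hijack pattern.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ServiceMoniker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="ExampleNamespace.ExampleManager"/>
  </runtime>
</configuration>
"""


def build_sample_tree():
    """Create a throwaway directory with stub binaries and both configs (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="appdomain_demo_"))
    (root / "good.exe").write_bytes(b"MZ")
    (root / "good.exe.config").write_text(BENIGN_CONFIG)
    (root / "dfsvc.exe").write_bytes(b"MZ")
    (root / "dfsvc.exe.config").write_text(HIJACK_CONFIG)
    (root / "ServiceMoniker.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(finding)
```

The check is deliberately file-based so it can run over a mounted image or a collected triage archive as well as a live host; pairing the config with its executable and with the named sidecar DLL is what separates a stray leftover config from a complete hijack set like the one in the RAR archive described above.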