Tags
vulnerability • high • Advanced Persistent Threat • Cyber Espionage • Spear Phishing • BamboLoader • Cobalt Strike • GearDoor

Mar 03, 2026 • bferrite

Silver Dragon Targets Organizations in Southeast Asia and Europe


Source
Check Point Research
Category
vulnerability
Severity
high

Executive Summary

Check Point Research has identified Silver Dragon, a Chinese-nexus APT group with operational ties to APT41, conducting targeted campaigns against government entities in Southeast Asia and Europe since mid-2024. The group gains initial access by exploiting public-facing servers and through phishing campaigns with malicious attachments. It establishes its foothold with Cobalt Strike beacons, in most observed cases with C2 over DNS tunneling, and persists by hijacking legitimate Windows services so that its processes blend into normal system activity. Its custom tooling includes GearDoor, a backdoor that uses Google Drive as its command-and-control channel so that tasking hides inside traffic to a trusted cloud service; SSHcmd, an SSH wrapper for remote access; and SliverScreen, which captures periodic screenshots. Three infection chains were identified: AppDomain hijacking, Service DLL abuse, and email phishing with malicious LNK files; every observed chain ultimately delivered Cobalt Strike. Organizations should prioritize patching public-facing servers, implement email filtering, and monitor for anomalous Google Drive traffic and DNS tunneling as potential indicators of compromise.
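The last recommendation is easy to state and hard to act on, because Google Drive traffic is everywhere. The following is an added example (not Check Point's code and not a GearDoor signature) of the two properties a hunt can key on: which process is talking to the Drive API, and whether it does so on a sleep timer. The log format, the endpoint names, the allowlist of browser processes and the thresholds are all assumptions to tune per fleet; the sample lines are constructed.

```python
"""Flag Google Drive traffic that looks like backdoor tasking rather than user activity.

Added example (not Check Point's code and not a GearDoor signature). Input is a
constructed per-connection log: "<iso_timestamp> <endpoint> <process> <destination_host>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints the Google Drive API and web client use (a connection here is only
# interesting together with an unexpected process or machine-like timing).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "drive.usercontent.google.com"}
# Processes expected to reach Drive in this environment (assumption; tune per fleet).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed sample: one browser session with human-paced requests, and one
# non-browser process calling the Drive API roughly every five minutes.
SAMPLE_LOG = """\
2026-02-10T09:00:00 WS-042 chrome.exe drive.google.com
2026-02-10T09:00:03 WS-042 chrome.exe www.googleapis.com
2026-02-10T09:07:41 WS-042 chrome.exe www.googleapis.com
2026-02-10T09:31:10 WS-042 chrome.exe drive.google.com
2026-02-10T09:32:05 WS-042 chrome.exe www.googleapis.com
2026-02-10T09:00:00 WS-017 dllhost.exe www.googleapis.com
2026-02-10T09:04:58 WS-017 dllhost.exe www.googleapis.com
2026-02-10T09:10:00 WS-017 dllhost.exe www.googleapis.com
2026-02-10T09:15:00 WS-017 dllhost.exe www.googleapis.com
2026-02-10T09:19:59 WS-017 dllhost.exe www.googleapis.com
2026-02-10T09:03:12 WS-017 chrome.exe www.googleapis.com
"""


def parse_line(line):
    ts, endpoint, process, dest = line.split()
    return datetime.fromisoformat(ts), endpoint, process.lower(), dest.lower()


def interval_stats(times):
    """Mean gap and coefficient of variation (jitter) for sorted timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_drive_beacons(lines, min_hits=4, max_cv=0.2):
    """Return one finding per (endpoint, process) that is unexpected or periodic."""
    conns = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, endpoint, process, dest = parse_line(line)
        if dest in DRIVE_HOSTS:
            conns[(endpoint, process)].append(ts)

    findings = []
    for (endpoint, process), times in sorted(conns.items()):
        times.sort()
        unexpected = process not in EXPECTED_PROCESSES
        periodic = False
        mean_gap = None
        if len(times) >= min_hits:
            mean_gap, cv = interval_stats(times)
            periodic = cv <= max_cv  # low jitter means a sleep timer, not a human
        if unexpected or periodic:
            findings.append({
                "endpoint": endpoint,
                "process": process,
                "connections": len(times),
                "mean_interval_s": mean_gap,
                "periodic": periodic,
                "unexpected_process": unexpected,
            })
    return findings


if __name__ == "__main__":
    for finding in find_drive_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, the browser session is ignored (expected process, human-paced gaps) and the dllhost.exe connections are reported as both unexpected and periodic. Implants commonly add jitter to their sleep, so treat the periodicity threshold as one signal among several and keep the unexpected-process check even when timing looks irregular.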

Summary

Introduction

In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. […]

The post Silver Dragon Targets Organizations in Southeast Asia and Europe appeared first on Check Point Research.

Published Analysis

Key Findings

  • Check Point Research (CPR) is tracking Silver Dragon, an advanced persistent threat (APT) group which has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The actor is likely operating within the umbrella of Chinese-nexus APT41.
  • Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments.
  • To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity.
  • As part of its recent operations, Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel to enable covert communication and tasking over a trusted cloud service.
  • In addition, the group deployed two further custom tools: SSHcmd, a command-line utility that functions as a wrapper for SSH to facilitate remote access, and SliverScreen, a screen-monitoring tool used to capture periodic screenshots of user activity.

Introduction

In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. Silver Dragon employs a range of initial access techniques, primarily relying on the exploitation of public-facing servers and, more recently, email-based phishing campaigns. To establish its initial foothold on compromised hosts, the group deploys Cobalt Strike beacons. In most observed cases, it then conducts command-and-control (C2) communication through DNS tunneling, enabling it to evade certain network-level detection mechanisms. During our research, we identified several custom post-exploitation tools the group uses, including a backdoor that leverages Google Drive as its C2 channel, which enables stealthy communication over a widely trusted cloud service. In this blog, we provide an overview of the observed campaigns, take a closer look at Silver Dragon's TTPs (Tactics, Techniques, and Procedures), and examine the tools used across their operations.
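DNS tunneling evades detections that only inspect HTTP(S), but it cannot hide the one thing it needs: data has to be carried in query names. The block below is an added example (not Check Point's code, with no Silver Dragon indicators) that scores a DNS query log per registrable domain by the number of distinct subdomains, their length and their character entropy, which is the profile a DNS beacon such as Cobalt Strike's produces. The log format and thresholds are assumptions, the attacker domain updates-cdn.net is made up, and the sample lines are constructed in code so that each label is distinct.

```python
"""Score DNS query logs for tunneling-style C2 (e.g. a Cobalt Strike DNS beacon).

Added example (not Check Point's code, no Silver Dragon indicators). Input is a
constructed query log: "<iso_timestamp> <client> <qname> <qtype>". DNS C2 must
push data through subdomain labels, so a domain that receives many unique,
long, high-entropy subdomains stands out from ordinary traffic.
"""
import math
from collections import Counter, defaultdict

HEX = "0123456789abcdef"

# Constructed sample: normal lookups for example.com, plus one client streaming
# hex-looking labels to updates-cdn.net (a made-up attacker domain).
_normal = ["www", "mail", "static", "img1", "img2", "cdn", "api", "login", "sso", "assets"]
SAMPLE_DNS = [f"2026-02-10T09:00:{i:02d} 10.0.0.5 {s}.example.com A" for i, s in enumerate(_normal)]
for i in range(10):
    chunk = HEX[i:] + HEX[:i]  # rotation keeps every label distinct
    qtype = "TXT" if i % 2 else "A"
    SAMPLE_DNS.append(f"2026-02-10T09:01:{i:02d} 10.0.0.9 api.{chunk}.{chunk[::-1]}.updates-cdn.net {qtype}")
SAMPLE_DNS.append("2026-02-10T09:02:00 10.0.0.5 portal.example.org A")


def shannon_entropy(text):
    """Bits per character: hex-encoded data sits near 4.0, English words near 2-3."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def split_domain(qname):
    # Assumption: the last two labels are the registrable domain. Use a public
    # suffix list in production so that example.co.uk is handled correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_tunneling_domains(lines, min_unique=8, min_len=20, min_entropy=3.2):
    """Return domains whose subdomain labels look like an encoded data stream."""
    stats = defaultdict(lambda: {"subs": set(), "clients": set(), "qtypes": Counter()})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        domain, sub = split_domain(qname)
        if not sub:
            continue
        s = stats[domain]
        s["subs"].add(sub)
        s["clients"].add(client)
        s["qtypes"][qtype.upper()] += 1

    findings = []
    for domain, s in sorted(stats.items()):
        subs = s["subs"]
        if len(subs) < min_unique:
            continue  # too few distinct labels to carry a C2 stream
        payloads = [sub.replace(".", "") for sub in subs]
        avg_len = sum(map(len, payloads)) / len(payloads)
        avg_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({
                "domain": domain,
                "unique_subdomains": len(subs),
                "clients": sorted(s["clients"]),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "qtypes": dict(s["qtypes"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_tunneling_domains(SAMPLE_DNS):
        print(finding)
```

example.com also has ten distinct subdomains, but its labels are short dictionary words with low entropy, so only updates-cdn.net is reported. Content-delivery and anti-spam services legitimately generate long hashed labels, so keep an allowlist of known-good domains next to this scoring and weight TXT-heavy query mixes and NXDOMAIN ratios before paging anyone.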
Overview – Infection Chains

In our analysis, we identified three main infection chains that Silver Dragon uses. In every case we observed, the chain ultimately delivered Cobalt Strike as the final payload. The group also appears to maintain its own custom malware, such as GearDoor, for exfiltrating information via Google Drive.

Infection chains:

  • AppDomain hijacking
  • Service DLL
  • Email phishing campaign

The first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap. They are both delivered via compressed archives, suggesting their use in post-exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers. Both chains rely on the delivery of a RAR archive containing an installation batch script, likely executed by the attackers, which indicates a shared delivery mechanism. We observed additional overlaps in the Cobalt Strike C2 infrastructure, further strengthening the linkage between the two chains. Notably, some files associated with both infection chains were uploaded to VirusTotal by the same submitter, which suggests that the...
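The report names the AppDomain hijacking and Service DLL chains without describing their mechanics. As an added example (not Check Point's code, and not a description of Silver Dragon's specific samples), the block below shows the generic host-side checks for both: .NET AppDomainManager hijacking works by pointing a target executable's .exe.config (or the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) at an attacker-supplied assembly that the CLR loads at startup, and service DLL abuse registers a DLL under a service's Parameters\ServiceDll value so that svchost.exe loads it. The config contents, service records and the trusted-directory list are constructed assumptions; on a real host the inputs are the *.exe.config files under Program Files and the ServiceDll values from HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Hunt for .NET AppDomainManager hijacking and off-path service DLLs on a Windows host.

Added example, not Check Point's code. Inputs are constructed: on a real host,
feed it the *.exe.config files under Program Files and the
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll values.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed: one config that redirects the CLR to an "Updater" assembly
# dropped beside the executable, and one harmless config.
SAMPLE_CONFIGS = {
    r"C:\Program Files\Vendor\Tool\Tool.exe.config": """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>""",
    r"C:\Program Files\Vendor\Other\Other.exe.config": """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>""",
}

# Constructed service records as an inventory script would collect them.
SAMPLE_SERVICES = [
    {"name": "Schedule", "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Windows\system32\schedsvc.dll"},
    {"name": "TelemetrySvc", "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\ProgramData\Telemetry\tsvc.dll"},
    {"name": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe",
     "service_dll": None},
]

# Directories where a genuine svchost-hosted ServiceDll is expected to live (assumption).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def find_appdomain_manager_hijacks(configs):
    """configs: {path: xml_text}. Legitimate software almost never sets an
    appDomainManagerAssembly, so every hit is worth triage."""
    findings = []
    for path, xml_text in configs.items():
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            continue
        runtime = root.find("runtime")
        if runtime is None:
            continue
        asm = runtime.find("appDomainManagerAssembly")
        if asm is None:
            continue
        typ = runtime.find("appDomainManagerType")
        findings.append({
            "config": path,
            "assembly": asm.get("value"),
            "type": typ.get("value") if typ is not None else None,
        })
    return findings


def find_env_appdomain_hijack(env=None):
    """The same redirect can be set through environment variables (per user, machine or process)."""
    env = os.environ if env is None else env
    asm, typ = env.get("APPDOMAIN_MANAGER_ASM"), env.get("APPDOMAIN_MANAGER_TYPE")
    return {"assembly": asm, "type": typ} if asm or typ else None


def find_suspicious_service_dlls(services):
    """Flag svchost-hosted services whose ServiceDll is outside the system directories."""
    findings = []
    for svc in services:
        dll = svc.get("service_dll")
        if not dll or "svchost.exe" not in svc["image_path"].lower():
            continue
        parent = str(PureWindowsPath(dll).parent).lower()
        if not parent.startswith(TRUSTED_DLL_DIRS):
            findings.append({"name": svc["name"], "service_dll": dll})
    return findings


if __name__ == "__main__":
    print(find_appdomain_manager_hijacks(SAMPLE_CONFIGS))
    print(find_env_appdomain_hijack())
    print(find_suspicious_service_dlls(SAMPLE_SERVICES))
```

The path check only catches DLLs that were dropped outside the system directories; an attacker with administrative rights can write into System32 as well, so pair it with Authenticode verification of every ServiceDll and alert on unsigned or recently modified files regardless of location. Likewise, an .exe.config hit should be followed by locating the named assembly next to the executable and checking its signature and creation time.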

Linked Entities

  • BamboLoader
  • Cobalt Strike
  • GearDoor
  • MonikerLoader
  • SliverScreen
  • SSHcmd
  • APT41
  • Silver Dragon