Silver Dragon APT Targets Europe & Asia with New Tools & Google Drive C2

A sophisticated Chinese-aligned threat group, dubbed Silver Dragon by Check Point Research (CPR), has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The group’s activities demonstrate operational links to campaigns previously associated with the advanced persistent threat (APT) group APT41, according to a report released Tuesday.

Silver Dragon gains initial access to systems by exploiting vulnerabilities in publicly accessible internet servers and through phishing emails containing malicious attachments. Once inside a network, the group employs techniques to maintain persistence, including hijacking legitimate Windows services, allowing malware processes to blend into normal system activity and evade detection.

Recent operations by Silver Dragon have involved the deployment of GearDoor, a new backdoor that leverages Google Drive as its command-and-control (C2) channel. This allows for covert communication and tasking over a trusted cloud service. In addition to GearDoor, the group has utilized two custom-built tools: SSHcmd, a command-line utility facilitating remote access via SSH, and SilverScreen, a screen-monitoring tool designed to capture periodic screenshots of user activity.

CPR identified three primary infection chains used by Silver Dragon, all ultimately delivering Cobalt Strike as the final payload. These chains include AppDomain hijacking, Service DLL deployment, and email phishing campaigns. The AppDomain hijacking and Service DLL chains share similar delivery mechanisms, both arriving as compressed archives, which suggests they are used in post-exploitation scenarios. Files associated with both chains were uploaded to VirusTotal by the same submitter, indicating potential parallel deployment targeting different machines within the same compromised network.

The AppDomain hijacking chain, similar to one observed by the Italian National Cybersecurity Agency following a ToolShell exploitation wave in July 2025, involves a RAR archive containing a batch installation script, an XML configuration file, a malicious .NET DLL (ServiceMoniker.dll), an encrypted module (ComponentModel.dll), and an encrypted Cobalt Strike payload. The installation script modifies the AppDomain entry point, redirecting execution to MonikerLoader, enabling it to load every time a legitimate Windows utility, dfsvc.exe, is executed.

MonikerLoader, a .NET-based loader, employs obfuscation techniques, including a Brainfuck-based string decryption routine, to hinder analysis. It decrypts and executes a second-stage loader in memory, configuring service-based persistence and loading the final Cobalt Strike beacon.
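The chain above relies on a .NET application configuration file that points the runtime at an attacker-controlled AppDomainManager assembly. A defender can hunt for this by scanning `*.exe.config` files for `appDomainManagerAssembly` / `appDomainManagerType` entries under `<runtime>`. The scanner below is an added example written for this article, not code from CPR or from the report; it assumes the standard .NET Framework config layout (elements with a `value` attribute) and uses constructed sample configs, one benign and one that references the `ServiceMoniker` assembly named in the report.

```python
"""Hunt for AppDomainManager hijack entries in .NET application config files.

Added illustration for this article; the config layout below is the documented
.NET Framework form, the sample inputs are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class AppDomainFinding:
    config_path: str
    assembly: str       # value of <appDomainManagerAssembly>
    manager_type: str   # value of <appDomainManagerType>


def scan_config(config_path: str, xml_text: str) -> list[AppDomainFinding]:
    """Return one finding per <runtime> block that names an AppDomainManager.

    Legitimate configs for Windows utilities such as dfsvc.exe normally carry
    no such entry, so any hit deserves a look at the referenced assembly.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # unparsable file: not a valid .NET config, nothing to report
    findings: list[AppDomainFinding] = []
    for runtime in root.iter("runtime"):
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is None and typ is None:
            continue
        findings.append(AppDomainFinding(
            config_path,
            asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "",
        ))
    return findings


def scan_many(configs: dict[str, str]) -> list[AppDomainFinding]:
    """Scan a mapping of path -> file contents (e.g. collected from endpoints)."""
    results: list[AppDomainFinding] = []
    for path, text in configs.items():
        results.extend(scan_config(path, text))
    return results


# Constructed samples: a benign binding-redirect config and a hijacked one.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

HIJACKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ServiceMoniker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ServiceMoniker.MonikerLoader" />
  </runtime>
</configuration>"""

SAMPLE_CONFIGS = {
    r"C:\Apps\Tool\Tool.exe.config": BENIGN_CONFIG,
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe.config": HIJACKED_CONFIG,
}

if __name__ == "__main__":
    for f in scan_many(SAMPLE_CONFIGS):
        print(f"{f.config_path}: AppDomainManager -> {f.assembly} / {f.manager_type}")
```

Because the runtime honours these entries for any .NET executable, the scan is most useful when run over configs sitting beside Microsoft-signed binaries, where no such entry is expected; a non-strong-named assembly (`PublicKeyToken=null`) next to a system utility is a strong signal.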

The Service DLL deployment chain utilizes a more streamlined approach, delivering a batch installation script, BamboLoader (a shellcode DLL loader), and an encrypted Cobalt Strike shellcode file. The script registers BamboLoader as a Windows service by manipulating the registry, hijacking legitimate Windows services such as wuausrv (Windows Update Service) and bthsrv (Bluetooth Update Service). BamboLoader decrypts and injects the shellcode into a Windows process.
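The registry manipulation described above leaves a checkable trace: a svchost-hosted service whose `ServiceDll` value no longer points at the expected library under `System32`. The audit below is an added example for this article, not CPR's tooling; it takes service names and their `ServiceDll` values as exported from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters` and flags entries outside `System32` or deviating from a small baseline. The baseline maps the service key names `wuauserv` and `bthserv` (the report spells them wuausrv and bthsrv) to the DLLs a clean host registers; treat those filenames as an assumption to confirm against your own golden image, and the sample records as constructed.

```python
"""Audit svchost ServiceDll values for hijacked Windows services.

Added illustration for this article. Input is a mapping of service key name
to its ServiceDll value, as collected with reg query or a PowerShell export.
"""
import ntpath

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "System32").lower()

# Assumed baseline; confirm against a clean host before relying on it.
EXPECTED_SERVICE_DLL = {
    "wuauserv": "wuaueng.dll",   # Windows Update
    "bthserv": "bthserv.dll",    # Bluetooth Support Service
}


def expand_path(value: str) -> str:
    """Expand %SystemRoot% and strip surrounding quotes from a REG_EXPAND_SZ."""
    value = value.strip().strip('"')
    for token in ("%SystemRoot%", "%systemroot%", "%SYSTEMROOT%"):
        value = value.replace(token, SYSTEM_ROOT)
    return value


def check_service_dll(name: str, service_dll: str) -> list[str]:
    """Return reasons this service's ServiceDll looks hijacked (empty if clean)."""
    reasons: list[str] = []
    path = expand_path(service_dll)
    directory, filename = ntpath.split(path)
    dir_lower = directory.lower()
    # Must sit in System32 itself; System32Evil or ProgramData does not count.
    if dir_lower != SYSTEM32 and not dir_lower.startswith(SYSTEM32 + "\\"):
        reasons.append(f"ServiceDll outside System32: {path}")
    expected = EXPECTED_SERVICE_DLL.get(name.lower())
    if expected and filename.lower() != expected:
        reasons.append(f"{name}: expected {expected}, registry points at {filename}")
    return reasons


def audit_services(services: dict[str, str]) -> dict[str, list[str]]:
    """Run the check over every service; only flagged services are returned."""
    flagged: dict[str, list[str]] = {}
    for name, dll in services.items():
        reasons = check_service_dll(name, dll)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed records: two clean entries and two hijacked ones.
SAMPLE_SERVICES = {
    "wuauserv": r"%SystemRoot%\System32\wuaueng.dll",
    "EventLog": r"%SystemRoot%\System32\wevtsvc.dll",
    "bthserv": r"C:\ProgramData\Bluetooth\bthupd.dll",
    "VendorSvc": r"%SystemRoot%\System32Evil\helper.dll",
}

if __name__ == "__main__":
    for svc, why in audit_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(why))
```

A path check alone misses a hijack that drops the loader DLL into `System32` under the original filename, so pair this audit with signature or hash verification of the file the value points at.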

The phishing campaign involved LNK files as attachments, targeting victims in Uzbekistan. These files embed payloads within their structure, launching cmd.exe and PowerShell upon execution to extract and execute multiple components, ultimately delivering a Cobalt Strike beacon.

SilverScreen, the screen-monitoring malware, operates silently, capturing screenshots of all connected displays and employing change-detection mechanisms to minimize storage requirements. SSHcmd, a command-line SSH utility, enables remote command execution and file transfer. GearDoor, the Google Drive-based backdoor, encrypts communication using the DES algorithm and utilizes file-based commands, with file extensions dictating operations.

The majority of targeted organizations are located in Southeast Asia, with increasing activity observed in Europe, particularly within the government sector. CPR assesses, with high confidence, that Silver Dragon is linked to a Chinese-nexus threat actor operating within the APT41 umbrella, citing similarities in installation scripts and command-and-control infrastructure. The group’s continuous evolution of tooling and techniques demonstrates a well-resourced and adaptable threat capability.
