Silver Dragon: APT41-Linked Threat Targeting Governments with Cobalt Strike and Google Drive C2

  • Mar 4

Key Findings


  • Silver Dragon, an APT group linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024.

  • The group gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments.

  • Silver Dragon uses techniques like Cobalt Strike beacons and DNS tunneling for persistence and command-and-control (C2) communication.

  • The group employs multiple infection chains, including AppDomain hijacking, service DLL, and email-based phishing, to deliver Cobalt Strike payloads.

  • Silver Dragon utilizes various post-exploitation tools, such as SilverScreen, SSHcmd, and GearDoor, for remote access and data exfiltration.

  • The group leverages Google Drive for covert C2 communication, with the backdoor uploading and downloading data through the cloud storage service.
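The key findings mention DNS tunneling as one of Silver Dragon's C2 channels. The following is an added example (not code from this post or from the research it summarises) of how a defender would score resolver logs for tunneling-style traffic: long, high-entropy subdomain labels under one registered domain, record types that can carry arbitrary data, and a steady stream of such queries. The log lines are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
"""Heuristic scoring of DNS query logs for tunneling-style traffic.

Added example (not code from the post or the research it summarises).
Tunnelled C2 tends to leave long, high-entropy subdomain labels under one
registered domain, often in record types that carry arbitrary data, and a
steady stream of them from one client. The log lines below are constructed
sample data and the thresholds are assumptions to tune per environment.
"""
import math
from collections import Counter, defaultdict

# Constructed sample lines: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-03-04T09:00:01Z 10.1.2.15 A www.example.com
2025-03-04T09:00:02Z 10.1.2.15 TXT 6a7f3b9e1c2d4e5f6a7b8c9d0e1f2a3b.tunnel-example.test
2025-03-04T09:00:03Z 10.1.2.15 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.tunnel-example.test
2025-03-04T09:00:04Z 10.1.2.15 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel-example.test
2025-03-04T09:00:05Z 10.1.2.15 TXT 5b4a39281706f5e4d3c2b1a0998877665544.tunnel-example.test
2025-03-04T09:00:06Z 10.1.2.15 A mail.example.com
2025-03-04T09:00:07Z 10.1.2.22 A cdn.example.org
"""

# Record types whose payload can carry arbitrary data (assumption: extend per environment)
DATA_CARRYING_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits per character; random hex tops out near 4, English words near 2-3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (subdomain, registered_domain) using the naive 'last two labels' rule.
    A production version should consult the public suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def score_domains(log_text, entropy_threshold=3.5, label_len_threshold=30,
                  volume_threshold=3, min_reasons=2):
    """Group queries by registered domain and report those with >= min_reasons indicators."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            rec["sub"], rec["domain"] = split_name(rec["qname"])
            per_domain[rec["domain"]].append(rec)

    findings = []
    for domain, recs in per_domain.items():
        reasons = set()
        for rec in recs:
            longest_label = max((len(l) for l in rec["sub"].split(".")), default=0)
            if longest_label >= label_len_threshold:
                reasons.add("long_label")
            if shannon_entropy(rec["sub"]) >= entropy_threshold:
                reasons.add("high_entropy")
            if rec["qtype"] in DATA_CARRYING_QTYPES:
                reasons.add("data_carrying_qtype")
        if len(recs) >= volume_threshold:
            reasons.add("high_volume")
        if len(reasons) >= min_reasons:
            findings.append({"domain": domain, "queries": len(recs),
                             "clients": sorted({r["client"] for r in recs}),
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in score_domains(SAMPLE_DNS_LOG):
        print(finding)
```

Requiring two independent indicators keeps ordinary CDN or mail domains with a single long label out of the results; the volume threshold is deliberately low for the sample and should be raised for real resolver logs.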


Background


APT41 is a prolific Chinese hacking group known for targeting various sectors, including healthcare, telecommunications, high-tech, education, travel services, and media, for cyber espionage since as early as 2012. The group is also believed to engage in financially motivated activity potentially outside of state control.


Silver Dragon, which is assessed to be operating within the APT41 umbrella, has been observed primarily targeting government entities in Europe and Southeast Asia since mid-2024.


Initial Access and Persistence


Silver Dragon gains its initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, allowing the malware processes to blend into normal system activity.


Infection Chains


The researchers identified three different infection chains used by Silver Dragon to deliver Cobalt Strike:


1. AppDomain hijacking: This chain uses a batch script within a compressed archive to drop a .NET-based loader responsible for decrypting and executing a second-stage payload.


2. Service DLL: This chain employs a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is registered as a Windows service.


3. Email-based phishing: This campaign primarily targets Uzbekistan with malicious Windows shortcuts (LNK) as attachments, leading to the extraction and execution of next-stage payloads.
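Both the persistence technique above (hijacking legitimate Windows services) and the second infection chain (a loader DLL registered as a service) leave the same trace: a service whose ServiceDll or ImagePath points somewhere a normal system service would not. The following is an added example (not code from this post or from the research it summarises) of a hunt over exported service entries. The records are constructed to look like fields pulled from HKLM\SYSTEM\CurrentControlSet\Services; only Dnscache/dnsrslvr.dll mirrors a real Windows service, the other two names are made up, and the `binary_signed` field is assumed to have been filled in by whatever collected the export (for instance an Authenticode check).

```python
"""Hunt for Windows service registrations that point at untrusted binaries.

Added example (not code from the post or the research it summarises). A
service-DLL loader and a hijacked legitimate service both end up as a service
whose ServiceDll or ImagePath lives somewhere a normal system service would
not. The records below are constructed to look like fields exported from
HKLM\\SYSTEM\\CurrentControlSet\\Services; the `binary_signed` field is
assumed to have been filled in by the collector (e.g. an Authenticode check).
Nothing here reads a live registry, so it runs on any OS.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
TRUSTED_EXE_DIRS = SYSTEM_DIRS + ("c:\\program files", "c:\\program files (x86)")
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class ServiceEntry:
    name: str
    image_path: str              # Services\<name>\ImagePath
    service_dll: Optional[str]   # Services\<name>\Parameters\ServiceDll
    start: int                   # 2 = automatic, 3 = manual, 4 = disabled
    binary_signed: bool          # assumed collector-supplied Authenticode result


def normalize_path(raw):
    """Expand %SystemRoot%, drop quotes and arguments, lower-case for comparison."""
    path = raw.strip().strip('"')
    path = re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)
    match = re.match(r"^(.*?\.(?:exe|dll))", path, flags=re.IGNORECASE)
    if match:
        path = match.group(1)
    return ntpath.normpath(path).lower()


def assess(entry):
    """Return the list of reasons this entry deserves a look (empty = nothing odd)."""
    reasons = []
    if entry.service_dll:
        dll = normalize_path(entry.service_dll)
        if not dll.startswith(SYSTEM_DIRS):
            reasons.append("servicedll_outside_system_dirs")
        if any(hint in dll for hint in USER_WRITABLE_HINTS):
            reasons.append("servicedll_in_user_writable_path")
    else:
        exe = normalize_path(entry.image_path)
        if not exe.startswith(TRUSTED_EXE_DIRS):
            reasons.append("imagepath_outside_trusted_dirs")
        if any(hint in exe for hint in USER_WRITABLE_HINTS):
            reasons.append("imagepath_in_user_writable_path")
    if not entry.binary_signed:
        reasons.append("binary_unsigned")
    if reasons and entry.start == 2:
        reasons.append("autostart")   # survives reboot: persistence, not a one-off
    return reasons


def hunt(entries):
    """Map service name -> reasons for every entry with at least one reason."""
    return {e.name: r for e in entries if (r := assess(e))}


# Constructed records; only Dnscache/dnsrslvr.dll mirrors a real Windows service.
SAMPLE_SERVICES = [
    ServiceEntry("Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
                 r"%SystemRoot%\System32\dnsrslvr.dll", 2, True),
    ServiceEntry("UpdateHelperSvc", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"C:\ProgramData\UpdateHelper\uhelper.dll", 2, False),
    ServiceEntry("PrintAgent", r'"C:\Users\Public\Libraries\prnagent.exe" --daemon',
                 None, 3, False),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_SERVICES).items():
        print(name, reasons)
```

The svchost-hosted case is the one to watch: the ImagePath of a hijacked service still looks legitimate, so the ServiceDll value under Parameters is the field that actually tells you which code runs.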


Post-Exploitation Tools


Silver Dragon deploys various post-exploitation tools, including:


  • SilverScreen: A .NET screen-monitoring tool used to capture periodic screenshots of user activity.

  • SSHcmd: A .NET command-line SSH utility that provides remote command execution and file transfer capabilities.

  • GearDoor: A .NET backdoor that communicates with its C2 infrastructure via Google Drive, using different file extensions to indicate the nature of the task to be performed on the infected host.


Google Drive C2 Communication


Silver Dragon's use of Google Drive for covert C2 communication is a notable aspect of its operations. The GearDoor backdoor authenticates to an attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information. The results of task execution are also captured and uploaded to Google Drive.
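A heartbeat file pushed to Google Drive on a schedule is invisible to domain reputation, but at the web proxy it looks like one client hitting the Drive API on a fixed cadence from something other than a browser. The following is an added example (not code from this post or from the research it summarises) of that detection logic run over proxy log lines. The lines are constructed: client IPs, sizes and the "dotnet-client/4.0" user agent are made up, while the Drive v3 endpoint paths on www.googleapis.com are the real ones. The cadence and user-agent thresholds are assumptions.

```python
"""Beaconing detection over web-proxy logs for Google Drive API traffic.

Added example (not code from the post or the research it summarises). A
backdoor that heartbeats through Drive looks, at the proxy, like one client
hitting the Drive API on a fixed cadence, usually from something other than a
browser. The log lines below are constructed (client IPs, sizes and the
"dotnet-client/4.0" agent are made up); the Drive v3 endpoint paths are the
real ones. Thresholds are assumptions to tune per environment.
"""
import shlex
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed lines: <timestamp> <client> <method> <host> <path> <bytes> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2025-03-04T10:00:00Z 10.1.2.15 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 2048 "dotnet-client/4.0"
2025-03-04T10:01:13Z 10.1.2.40 GET www.googleapis.com /drive/v3/files 512 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-03-04T10:05:01Z 10.1.2.15 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 2061 "dotnet-client/4.0"
2025-03-04T10:09:40Z 10.1.2.40 POST www.googleapis.com /upload/drive/v3/files?uploadType=resumable 983000 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-03-04T10:10:00Z 10.1.2.15 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 2055 "dotnet-client/4.0"
2025-03-04T10:15:02Z 10.1.2.15 POST www.googleapis.com /upload/drive/v3/files?uploadType=multipart 2049 "dotnet-client/4.0"
2025-03-04T10:20:00Z 10.1.2.15 GET www.googleapis.com /drive/v3/files 1200 "dotnet-client/4.0"
2025-03-04T10:47:05Z 10.1.2.40 GET www.googleapis.com /drive/v3/files 530 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2025-03-04T10:48:00Z 10.1.2.40 GET www.example.com / 300 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
"""

DRIVE_HOSTS = {"www.googleapis.com"}
DRIVE_PATH_PREFIXES = ("/drive/", "/upload/drive/")


def parse_line(line):
    ts, client, method, host, path, size, ua = shlex.split(line)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host, "path": path, "bytes": int(size), "ua": ua}


def is_drive_api(rec):
    return rec["host"] in DRIVE_HOSTS and rec["path"].startswith(DRIVE_PATH_PREFIXES)


def cadence(records):
    """Return (count, mean gap in seconds, coefficient of variation of the gaps).
    A small coefficient of variation means the client talks on a near-fixed timer."""
    ts = sorted(r["ts"] for r in records)
    if len(ts) < 3:
        return len(ts), None, None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return len(ts), mean, cv


def find_suspicious_clients(log_text, min_events=4, max_cv=0.15):
    """Flag clients whose Drive API traffic is periodic or comes from a non-browser agent."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_drive_api(rec):
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        reasons = []
        n, mean, cv = cadence(recs)
        if n >= min_events and cv is not None and cv <= max_cv:
            reasons.append(f"periodic_every_{round(mean)}s")
        if any("Mozilla/" not in r["ua"] for r in recs):
            reasons.append("non_browser_user_agent")
        uploads = sum(1 for r in recs if r["method"] in ("POST", "PUT", "PATCH"))
        if reasons:
            findings.append({"client": client, "drive_requests": n,
                             "uploads": uploads, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_clients(SAMPLE_PROXY_LOG):
        print(finding)
```

Where the proxy or EDR enriches requests with the originating process, that field is a stronger signal than the user agent, which the implant can set to anything; the cadence check works regardless of what the client claims to be.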


Ties to APT41


Silver Dragon's links to APT41 are evidenced by overlaps in tradecraft with post-exploitation installation scripts previously attributed to APT41.


Sources


  • https://thehackernews.com/2026/03/apt41-linked-silver-dragon-targets.html

  • https://x.com/Dinosn/status/2029131146173288580

  • https://cybersecuritynews.com/silver-dragon-apt-group/

  • https://securityaffairs.com/188895/apt/from-phishing-to-google-drive-c2-silver-dragon-expands-apt41-playbook.html

© 2025 by Explain IT Again.