APT41-Linked Silver Dragon Targets Governments Across Europe and Southeast Asia Using Google Drive C2 and Three Distinct Infection Chains

Check Point has disclosed a previously undocumented APT group, dubbed Silver Dragon, that operates under the APT41 umbrella and has been targeting government entities across Europe and Southeast Asia since at least mid-2024. The group uses three distinct infection chains, custom loaders, and a backdoor that uses Google Drive as its command-and-control (C2) infrastructure.

APT41 is a prolific Chinese hacking group active since 2012, known for both state-sponsored espionage and financially motivated operations targeting healthcare, telecoms, high-tech, education, and media sectors. Silver Dragon represents the group's continued investment in government-focused intelligence collection.

Three Infection Chains

Silver Dragon employs three separate infection chains to deliver Cobalt Strike beacons, each tailored to different operational scenarios:

Chain 1 — AppDomain Hijacking: Delivered via a RAR archive containing a batch script that drops MonikerLoader, a .NET-based loader that decrypts a second-stage payload and executes it directly in memory. The second stage mirrors MonikerLoader's behavior and loads the final Cobalt Strike beacon. This chain is deployed post-exploitation, after a public-facing server has already been compromised, so there is no lure to catch; the observable is an unexpected .NET assembly being loaded on the server.

Chain 2 — Service DLL: Uses a RAR archive with a batch script to deliver BamboLoader, a heavily obfuscated C++ shellcode loader that is registered as a Windows service DLL. BamboLoader decrypts and decompresses shellcode staged on disk, then injects it into a legitimate Windows process such as taskhost.exe. The injection target is configurable within the loader, so detections should key on the injecting service host rather than on one hard-coded target name. Also deployed post-exploitation.

Chain 3 — Phishing (Uzbekistan-targeted): Delivers malicious LNK files that launch PowerShell via cmd.exe to extract four payloads: a decoy document, a legitimate executable vulnerable to DLL sideloading (GameHook.exe), a malicious DLL (graphics-hook-filter64.dll, which is BamboLoader), and an encrypted Cobalt Strike payload (simhei.dat). The decoy is displayed to the user while GameHook.exe sideloads BamboLoader in the background.

GearDoor — Google Drive as C2

The most notable post-exploitation tool is GearDoor, a .NET backdoor that authenticates to an attacker-controlled Google Drive account and uses file extensions to encode command types:

  • .png — heartbeat files containing system information
  • .pdf — command execution, directory listing, directory creation, file removal (results sent as .db files)
  • .cab — host information gathering, process enumeration, file discovery, cmd.exe execution, scheduled tasks, file upload, and implant termination (results as .bak files)
  • .rar — payload delivery and execution; if named wiatrace.bak, treated as a self-update package
  • .7z — in-memory plugin execution

This file-extension-based command encoding lets all C2 traffic flow through Google Drive as what looks like normal file synchronization. The traffic is TLS to legitimate Google endpoints, so domain blocklists and reputation feeds never fire; detection has to come from which process on which host is talking to the Drive API, and from the pattern of files it creates there.

Additional Post-Exploitation Tools

SilverScreen — a .NET screen monitoring tool that captures periodic screenshots including precise cursor positioning for user activity surveillance

SSHcmd — a .NET command-line SSH utility providing remote command execution and file transfer over SSH

Persistence Through Service Hijacking

Silver Dragon maintains persistence by hijacking legitimate Windows services (BamboLoader is registered as a service DLL), so the malware runs inside a trusted service host and blends into normal system activity. A process-name allowlist will not catch it; the useful indicators are the service's DLL path, its signature status, and the service host injecting into another process. Combined with DNS tunneling for C2 communication, this makes the group's presence difficult to detect through standard monitoring.

APT41 Attribution

Silver Dragon's links to APT41 are based on:

  • Tradecraft overlaps with post-exploitation installation scripts previously attributed to APT41
  • BamboLoader's decryption mechanism matching shellcode loaders linked to China-nexus APT activity
  • Targeting patterns consistent with Chinese state intelligence collection priorities

Defender Recommendations

  • Monitor Google Drive API activity — the Drive account is attacker-controlled, so it will not show up in your own Workspace audit logs; use EDR network telemetry and proxy logs instead, and flag Drive API connections from server infrastructure, from workstations that don't normally use Drive, and from processes that are neither a browser nor the Drive sync client
  • Detect file-extension-based C2 patterns — where a CASB or TLS-inspecting proxy exposes upload names, unusual volumes of .png, .pdf, .cab, .rar, and .7z file creation on Google Drive from a single endpoint warrant investigation, as does a steady cadence of small .png uploads (the heartbeat)
  • Hunt for service hijacking — audit Windows services for unauthorized DLL loading and compare against known-good baselines
  • Detect DNS tunneling — monitor for high-volume, high-entropy DNS queries and unusually long subdomain or TXT lookups that could indicate tunneled C2 traffic, and restrict direct external resolution to your own resolvers so tunneling has fewer paths out
  • Detect DLL sideloading — alert on GameHook.exe or similar legitimate executables loading unsigned DLLs from their own directory, especially when the executable runs from a user-writable path such as %TEMP%
  • Inspect .NET loaders — MonikerLoader and GearDoor are .NET-based; monitor for unusual .NET assembly loading patterns on servers
  • Restrict LNK execution — flag PowerShell spawned from shortcut files, particularly those delivered via email
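The endpoint-side hunts above (the LNK to cmd.exe to PowerShell chain of Chain 3, GameHook.exe sideloading an unsigned DLL, the service-DLL registration of Chain 2, and the service host injecting into taskhost.exe) can be expressed as a few rules over process, image-load, remote-thread and registry events. The following is an added example written for this article, not Check Point's or the malware's code: the event schema is a simplified, constructed stand-in for Sysmon event IDs 1, 7, 8 and 13, and every sample event, path and service name is constructed for the demo.

```python
"""Hunt for Silver Dragon endpoint patterns in Sysmon-style telemetry.
Added example, not Check Point's or the malware's code.  The event dicts
are a constructed stand-in for Sysmon event IDs 1 (process create),
7 (image load), 8 (CreateRemoteThread) and 13 (registry value set)."""
import ntpath

SYSTEM_DIR = "c:\\windows\\system32\\"
WINDOWS_DIR = "c:\\windows\\"


def base(path):
    return ntpath.basename(path).lower()


def under(path, prefix):
    return path.lower().startswith(prefix)


def hunt(events):
    """Return (rule, host, detail) tuples for events matching the four hunts."""
    hits = []
    # Index process-create events so a child can look up its parent's parent.
    by_pid = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    for e in events:
        host = e["host"]
        if e["id"] == 1 and base(e["image"]) == "powershell.exe" and base(e["parent"]) == "cmd.exe":
            # Chain 3: LNK -> cmd.exe -> powershell.exe.  Opening a LNK from Explorer
            # makes explorer.exe the grandparent; the LNK path itself is not logged.
            parent = by_pid.get((host, e["ppid"]))
            if parent and base(parent["parent"]) == "explorer.exe":
                hits.append(("lnk_powershell_chain", host, e["cmdline"]))
        elif e["id"] == 7:
            # Sideloading: an executable outside C:\Windows loads an unsigned DLL
            # from its own directory (GameHook.exe + graphics-hook-filter64.dll).
            same_dir = ntpath.dirname(e["image"]).lower() == ntpath.dirname(e["loaded"]).lower()
            if same_dir and not e["signed"] and not under(e["image"], WINDOWS_DIR):
                hits.append(("dll_sideload", host, f'{base(e["image"])} -> {base(e["loaded"])}'))
        elif e["id"] == 8:
            # Service-DLL injection: a service host creating a thread in another
            # process (BamboLoader injecting into taskhost.exe or a configured target).
            if base(e["source"]) == "svchost.exe" and base(e["target"]) != "svchost.exe":
                hits.append(("svchost_remote_thread", host, base(e["target"])))
        elif e["id"] == 13:
            # Service hijacking: a ServiceDll value pointing outside System32.
            key = e["key"].lower()
            if key.endswith("\\parameters\\servicedll") and not under(e["value"], SYSTEM_DIR):
                hits.append(("service_dll_outside_system32", host, e["value"]))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # ws-12, Chain 3: Explorer runs the LNK target (cmd.exe), which runs PowerShell.
    {"id": 1, "host": "ws-12", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -ep bypass -f %TEMP%\\x.ps1"},
    {"id": 1, "host": "ws-12", "pid": 4132, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\x.ps1"},
    # ws-12: GameHook.exe dropped to %TEMP% sideloads the BamboLoader DLL next to it.
    {"id": 7, "host": "ws-12", "image": r"C:\Users\u\AppData\Local\Temp\GameHook.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\graphics-hook-filter64.dll", "signed": False},
    # ws-12: benign image load for contrast (signed, from System32).
    {"id": 7, "host": "ws-12", "image": r"C:\Users\u\AppData\Local\Temp\GameHook.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # srv-03, Chain 2: a ServiceDll outside System32, then svchost injects into taskhost.exe.
    {"id": 13, "host": "srv-03",
     "key": r"HKLM\System\CurrentControlSet\Services\updsvc\Parameters\ServiceDll",
     "value": r"C:\ProgramData\Updater\svc.dll"},
    {"id": 8, "host": "srv-03", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\taskhost.exe"},
    # srv-03: benign admin PowerShell from a console, not from Explorer/LNK.
    {"id": 1, "host": "srv-03", "pid": 900, "ppid": 50,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\conhost.exe",
     "cmdline": "cmd.exe"},
    {"id": 1, "host": "srv-03", "pid": 910, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell Get-Service"},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The sideload rule deliberately keys on "unsigned DLL from the executable's own directory, executable outside C:\Windows" rather than on the GameHook.exe name, since the page notes the injection target and lure binary can change; tune the allowlists to your estate before deploying.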
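The Drive-side hunts (the first two recommendations, covering the GearDoor extension scheme described under "GearDoor — Google Drive as C2") have to run on the victim's own telemetry, because the Drive account belongs to the attacker. The following is an added example, not Check Point's or GearDoor's code: it scores constructed EDR/proxy network events per host and process, flags Drive API traffic from servers and from non-client processes, and looks for the GearDoor extension mix and the fixed-cadence .png heartbeat. The event schema, the client-process allowlist, the process name "updater.exe" and the assumption that a CASB or TLS-inspecting proxy records the upload filename are all assumptions of this example.

```python
"""Detect GearDoor-style Google Drive C2 from endpoint/proxy telemetry.
Added example, not Check Point's or the backdoor's code.  The 'filename'
field assumes a CASB or TLS-inspecting proxy that records the name from the
Drive upload metadata; the process allowlist and all events are constructed."""
from collections import defaultdict
from statistics import mean

DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
# Assumed allowlist of processes that legitimately talk to Drive in this estate.
DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}
# GearDoor command types (.png/.pdf/.cab/.rar/.7z) plus its result files (.db/.bak).
C2_EXTENSIONS = {".png", ".pdf", ".cab", ".rar", ".7z", ".db", ".bak"}


def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def detect(events, min_uploads=5, min_ratio=0.8, max_jitter=0.2):
    """Return (rule, host, process) alerts.  Thresholds are starting points only."""
    alerts = []
    uploads = defaultdict(list)  # (host, process) -> [(ts, filename)]
    for e in events:
        if e["dest"] not in DRIVE_HOSTS:
            continue
        key = (e["host"], e["process"])
        if e["process"].lower() not in DRIVE_CLIENTS:
            alerts.append(("drive_from_unexpected_process", *key))
        if e["role"] == "server":
            alerts.append(("drive_from_server", *key))
        if e.get("filename"):
            uploads[key].append((e["ts"], e["filename"]))
    alerts = list(dict.fromkeys(alerts))  # one alert per (rule, host, process)
    for key, ups in uploads.items():
        names = [n for _, n in ups]
        c2 = sum(ext(n) in C2_EXTENSIONS for n in names)
        if len(names) >= min_uploads and c2 / len(names) >= min_ratio:
            alerts.append(("c2_extension_mix", *key))
        # Heartbeats are .png uploads at a near-constant interval; user activity is not.
        pngs = sorted(t for t, n in ups if ext(n) == ".png")
        gaps = [b - a for a, b in zip(pngs, pngs[1:])]
        if len(gaps) >= 3 and (max(gaps) - min(gaps)) <= max_jitter * mean(gaps):
            alerts.append(("periodic_png_heartbeat", *key))
    return alerts


def ev(ts, host, role, process, dest, filename=None):
    return {"ts": ts, "host": host, "role": role, "process": process,
            "dest": dest, "filename": filename}


# Constructed sample events (not real logs).  Timestamps are seconds.
SAMPLE_EVENTS = [
    # srv-07: an implant ("updater.exe" is a constructed name) posting 5-minute
    # .png heartbeats and .db/.bak command results to the Drive API.
    ev(0, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.png"),
    ev(300, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.png"),
    ev(310, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.db"),
    ev(600, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.png"),
    ev(620, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.bak"),
    ev(900, "srv-07", "server", "updater.exe", "www.googleapis.com", "a1f3.png"),
    ev(905, "srv-07", "server", "updater.exe", "login.microsoftonline.com"),
    # ws-01: a user in a browser uploading a few ordinary files.
    ev(100, "ws-01", "workstation", "chrome.exe", "drive.google.com", "report.docx"),
    ev(2000, "ws-01", "workstation", "chrome.exe", "drive.google.com", "photo.png"),
    ev(5000, "ws-01", "workstation", "chrome.exe", "drive.google.com", "notes.txt"),
    # ws-02: the Drive sync client syncing a mixed folder.
    ev(50, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "q1.xlsx"),
    ev(51, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "deck.pptx"),
    ev(52, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "logo.png"),
    ev(53, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "scan.pdf"),
    ev(54, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "memo.docx"),
    ev(55, "ws-02", "workstation", "GoogleDriveFS.exe", "www.googleapis.com", "todo.txt"),
]

if __name__ == "__main__":
    for rule, host, process in detect(SAMPLE_EVENTS):
        print(f"{host}/{process}: {rule}")
```

The extension-mix and heartbeat rules are the ones worth keeping even if the process allowlist drifts: a browser or sync client uploads a mix of document types on a human schedule, while the implant uploads only its handful of extensions on a timer.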
