research.checkpoint.com 3/3/2026, 4:10:50 PM

APT41 Silver Dragon Uses GearDoor Backdoor Through GDrive C2

CyberSIXT Evidence Panel
Primary Source: acn.gov.it
Threat Actor: Silver Dragon

According to Check Point Research (CPR), Silver Dragon is an advanced persistent threat group that has been active across Europe and Southeast Asia since at least mid-2024, with a focus on government entities. It gains initial access by exploiting public-facing servers and by sending phishing emails with malicious attachments, and it maintains persistence by hijacking legitimate Windows services so that its activity blends in with normal system behaviour.

It has deployed GearDoor, a backdoor that uses Google Drive as its command-and-control (C2) channel, together with two other tools, SSHcmd and SilverScreen, which provide remote access and screen monitoring. CPR describes three infection chains, AppDomain hijacking, a malicious service DLL, and an email phishing campaign, all of which converge on Cobalt Strike Beacon as the final payload.

The report also covers post-exploitation tools, a DNS-tunnelling C2 pattern, and a cluster of related artefacts including MonikerLoader and BamboLoader; GearDoor and SilverScreen share code characteristics and obfuscation methods. CPR assesses the actor to be of Chinese nexus and likely operating under the APT41 umbrella, with multiple indicators supporting that attribution.
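Both C2 channels named above, Google Drive and DNS tunnelling, hide inside traffic that every network already carries, so the practical question for a defender is what to hunt for. The script below is an added example written for this summary; it is not code from the Check Point report, from the actor's tooling, or from CyberSIXT, and it reproduces none of CPR's actual indicators. It runs two generic heuristics over constructed proxy and DNS log lines: the Drive heuristic keys on which process is calling the Drive API, since the endpoints themselves are legitimate, and the DNS heuristic looks for the shape of a tunnel (long, high-entropy, never-repeated leading labels under one parent domain). The log format, the process allowlist, the thresholds and the domains are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample telemetry for this example (not from the CPR report).
# Proxy lines record which process opened an outbound HTTPS connection.
PROXY_LOG = """\
ts=1709450000 host=ws01 proc=chrome.exe dst=www.googleapis.com path=/drive/v3/files
ts=1709450005 host=ws01 proc=svchost.exe dst=www.googleapis.com path=/drive/v3/files
ts=1709450010 host=ws01 proc=svchost.exe dst=www.googleapis.com path=/upload/drive/v3/files
ts=1709450020 host=ws02 proc=outlook.exe dst=outlook.office365.com path=/owa
ts=1709450030 host=ws02 proc=GoogleDriveFS.exe dst=www.googleapis.com path=/drive/v3/files
"""

# DNS lines, one query each. The example-cdn.net queries mimic a tunnel
# (long, high-entropy, never-repeated labels); the rest is ordinary traffic.
DNS_LOG = """\
ts=1709450001 host=ws03 qname=www.example.com qtype=A
ts=1709450002 host=ws03 qname=a3f9c1e2b7d40685bf1c2e9d.updates.example-cdn.net qtype=TXT
ts=1709450003 host=ws03 qname=9e1c7b3a5d2f804673a5d2f8.updates.example-cdn.net qtype=TXT
ts=1709450004 host=ws03 qname=5b8d2f0a7c1e9346e0d6b1f7.updates.example-cdn.net qtype=TXT
ts=1709450005 host=ws03 qname=c7a1e5d9b3f28064a9c5e2b8.updates.example-cdn.net qtype=TXT
ts=1709450006 host=ws03 qname=d2f8a4c0e6b19357f3a9c5e2.updates.example-cdn.net qtype=TXT
ts=1709450007 host=ws03 qname=www.example.com qtype=A
ts=1709450008 host=ws03 qname=mail.example.com qtype=A
"""

# ASSUMED allowlist of processes expected to talk to the Drive API; tune per estate.
DRIVE_ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "GoogleDriveFS.exe"}
DRIVE_API_HOSTS = {"www.googleapis.com"}


def parse_kv(line):
    """Parse a 'k=v k=v ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def shannon_entropy(s):
    """Bits per character: hex-encoded data approaches 4.0, English words sit near 3.0."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def flag_drive_c2(proxy_log, allowed=DRIVE_ALLOWED_PROCS, api_hosts=DRIVE_API_HOSTS):
    """Return sorted (host, proc) pairs where a non-allowlisted process calls the Drive API.

    Drive-as-C2 malware uses the same endpoints as legitimate clients, so the
    signal is who is calling (e.g. a hijacked service host), not where.
    """
    hits = set()
    for line in proxy_log.splitlines():
        r = parse_kv(line)
        if r["dst"] in api_hosts and "/drive/" in r["path"] and r["proc"] not in allowed:
            hits.add((r["host"], r["proc"]))
    return sorted(hits)


def flag_dns_tunnel(dns_log, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Group queries by parent domain (last two labels) and flag parents whose
    leading labels are long, high-entropy and almost never reused: the shape
    of data being carried out in query names.

    Returns {parent: {"queries": n, "unique_labels": u, "mean_entropy": e}}.
    """
    per_parent = defaultdict(list)
    for line in dns_log.splitlines():
        labels = parse_kv(line)["qname"].split(".")
        if len(labels) < 3:
            continue  # no subdomain label to carry data
        per_parent[".".join(labels[-2:])].append(labels[0])
    flagged = {}
    for parent, leading in per_parent.items():
        long_labels = [lab for lab in leading if len(lab) >= min_label_len]
        if len(long_labels) < min_queries:
            continue
        mean_ent = sum(shannon_entropy(lab) for lab in long_labels) / len(long_labels)
        unique_ratio = len(set(long_labels)) / len(long_labels)
        if mean_ent >= min_entropy and unique_ratio >= 0.9:
            flagged[parent] = {"queries": len(leading),
                               "unique_labels": len(set(long_labels)),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    print("Drive API from unexpected processes:", flag_drive_c2(PROXY_LOG))
    print("DNS tunnel candidates:", flag_dns_tunnel(DNS_LOG))
```

On the constructed data the Drive check fires once, for svchost.exe on ws01, which is exactly what a hijacked service DLL hosting a Drive-based backdoor would look like while the browser and the official Drive client on the same estate stay quiet. The DNS check flags only example-cdn.net. Both heuristics need an allowlist in production: CDN, anti-virus and telemetry domains routinely use long hashed labels, and the entropy and uniqueness thresholds here were tuned only against the sample above.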

Primary source: research.checkpoint.com

Article by CyberSIXT