securityaffairs.com 3/4/2026, 1:05:36 PM

Silver Dragon APT Uses Google Drive C2 to Target Governments

According to Check Point, the APT group Silver Dragon, linked to APT41, has been targeting governments in Europe and Southeast Asia since mid-2024, widening its playbook from phishing to Google Drive C2. The campaign gains initial access via exploitation of public-facing servers and phishing emails with malicious attachments, and persistence is maintained by hijacking legitimate Windows services while deploying Cobalt Strike and using Google Drive as a C2 channel.

The attack chain relies on AppDomain hijacking, malicious service DLL deployment, and weaponized LNK attachments, with MonikerLoader and BamboLoader used to decrypt and inject payloads in memory. Evidence suggests an automated framework is used to generate tailored attack packages, supported by a log file documenting per-attack configuration parameters.

Beyond Cobalt Strike, Silver Dragon employs post-exploitation tools such as SilverScreen for screenshots, SSHcmd for remote command execution, and GearDoor, a .NET backdoor that uses Google Drive for C2 communications. The campaign primarily targets high-profile government organisations, focusing on Southeast Asia but with additional activity in parts of Europe.

Article by CyberSIXT