SILVER Dragon, an advanced persistent threat observed since mid-2024, has been linked to the APT41 umbrella and has targeted governments in Europe and Southeast Asia, according to Check Point. The group gains initial access by exploiting public-facing internet servers and sending phishing emails with malicious attachments, and it sustains access by hijacking legitimate Windows services to blend its malware with normal activity.
Attacks have focused on government entities, with the threat group known to use Cobalt Strike beacons for persistence and DNS tunnelling for C2 communications, Check Point noted. Three infection chains that deliver Cobalt Strike have been identified: AppDomain hijacking, a service DLL, and an email-based phishing campaign, including an Uzbek-focused campaign that uses malicious Windows shortcuts.
The operation also employs post-exploitation tools such as SilverScreen, SSHcmd and GearDoor, the latter of which utilises Google Drive for its C2 communications. GearDoor, in particular, authenticates to a Google Drive account to upload heartbeat data and supports a variety of file extensions to receive commands and upload results.