Cybersecurity researchers at Check Point Research (CPR) have lifted the veil on a sophisticated advanced persistent threat (APT) group dubbed Silver Dragon. This proactive threat actor, believed to operate under the umbrella of the notorious Chinese-nexus APT41, has been systematically striking government and high-profile organizations across Southeast Asia and Europe since mid-2024.
Silver Dragon’s operations are a masterclass in stealth and persistence, utilizing a diverse toolkit that turns trusted cloud services into weapons of espionage.
Silver Dragon doesn’t rely on a single way into a network. Instead, the group employs three distinct “infection chains” to ensure their final payload—Cobalt Strike—is successfully delivered to the target.

- Public-Facing Server Exploitation: The group primarily gains its initial foothold by exploiting vulnerable, internet-exposed servers.
- AppDomain Hijacking & Service DLLs: These methods are often delivered via compressed archives and represent a more surgical post-exploitation approach. “The analyzed instance of this chain involves a RAR archive” containing malicious .NET DLLs and encrypted modules.
- Spear-Phishing Campaigns: More recently, Silver Dragon has targeted victims—particularly in Uzbekistan—with malicious LNK attachments. These “shortcut files embed the next stage payload directly within their binary structure,” tricking users into executing hidden PowerShell code.
One of the group’s most innovative tools is GearDoor, a .NET backdoor that uses Google Drive as its primary command-and-control (C2) channel. By leveraging a trusted cloud service, the group effectively “evades traditional network defenses” and creates a “flexible and resilient infrastructure” for their operations.
Every infected system is assigned a unique identifier, which is then used to create a dedicated folder on Google Drive. Communication is entirely file-based:
- Heartbeat Artifacts: Files with the .png extension are used to signal the malware’s status.
- Command Execution: Commands are delivered via .cab files, allowing operators to execute interactive tasks like whoami, ipconfig, and ps.
- Data Exfiltration: The download command “exfiltrates files from the infected host to Google Drive,” which are then encrypted and uploaded with a .zip extension.
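The file-based channel described above leaves a recognisable footprint in cloud-file telemetry: one process on a host writing small .png files to a single dedicated folder at fixed intervals, pulling .cab files from that folder, and pushing .zip files back. The following is an added detection example, not code from Check Point Research or from the malware; it assumes a CASB or EDR feed that records each Drive file operation with host, process, operation and remote file name (the log format, field layout, host names and folder name below are constructed for this example).

```python
"""Heuristic detection for a GearDoor-style file-based C2 over Google Drive.

Added example (not CPR's or the malware's code). Assumes a constructed
cloud-file activity feed: <timestamp> <host> <process> <UPLOAD|DOWNLOAD> <path>.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry. ws-17 shows the suspicious pattern: periodic
# .png uploads to one folder, a .cab download from it, then a .zip upload.
SAMPLE_LOG = """\
2025-03-01T08:00:00Z ws-17 updater.exe UPLOAD   b71e4c2d/status.png
2025-03-01T08:05:00Z ws-17 updater.exe UPLOAD   b71e4c2d/status.png
2025-03-01T08:10:00Z ws-17 updater.exe UPLOAD   b71e4c2d/status.png
2025-03-01T08:10:02Z ws-17 updater.exe DOWNLOAD b71e4c2d/task.cab
2025-03-01T08:12:30Z ws-17 updater.exe UPLOAD   b71e4c2d/out.zip
2025-03-01T09:00:00Z ws-22 chrome.exe  UPLOAD   photos/holiday.png
2025-03-01T09:01:00Z ws-22 chrome.exe  UPLOAD   photos/trip.zip
2025-03-01T09:30:00Z ws-31 outlook.exe DOWNLOAD shared/report.zip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(UPLOAD|DOWNLOAD)\s+(\S+)$")


def parse(log_text):
    """Turn the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, op, path = m.groups()
        folder, _, name = path.rpartition("/")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "op": op, "folder": folder,
            "ext": name.rsplit(".", 1)[-1].lower() if "." in name else "",
        })
    return events


def regular_intervals(times, tolerance=0.2):
    """True when gaps between consecutive timestamps stay within +/-20% of the median."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    return mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps)


def find_suspects(log_text, min_heartbeats=3):
    """Flag (host, process, folder) triples that match the heartbeat/command/exfil pattern."""
    by_key = defaultdict(list)
    for ev in parse(log_text):
        by_key[(ev["host"], ev["proc"], ev["folder"])].append(ev)

    findings = []
    for (host, proc, folder), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        png_times = [e["ts"] for e in evs if e["op"] == "UPLOAD" and e["ext"] == "png"]
        cab_download = any(e["op"] == "DOWNLOAD" and e["ext"] == "cab" for e in evs)
        zip_upload = any(e["op"] == "UPLOAD" and e["ext"] == "zip" for e in evs)
        # Core rule: repeated .png uploads to one folder plus a .cab pulled from it.
        if len(png_times) >= min_heartbeats and cab_download:
            findings.append({
                "host": host, "process": proc, "folder": folder,
                "heartbeats": len(png_times),
                "regular_heartbeat": regular_intervals(png_times),
                "cab_download": cab_download,
                "zip_upload": zip_upload,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspects(SAMPLE_LOG):
        print(f)
```

The rule keys on the combination rather than any single extension, since .png and .zip uploads on their own are ordinary user activity; the regular-interval check adds weight to the heartbeat component and the .zip upload is reported as a secondary indicator of exfiltration.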
Beyond GearDoor, Silver Dragon deploys a suite of custom post-exploitation tools to monitor victims and expand their access:
- SliverScreen: A covert screen-monitoring implant designed to “operate silently within an active user session”. It continuously captures screenshots across all displays, using a “change-detection mechanism based on grayscale thumbnail comparisons” to minimize its footprint.
- SSHcmd: A command-line utility that acts as a wrapper for SSH, facilitating remote command execution and bidirectional file transfers with remote systems.
- MonikerLoader & BamboLoader: These heavily obfuscated loaders are responsible for the initial stages of infection, decrypting and executing shellcode directly in memory to hinder analysis.
While attribution is always a complex puzzle, CPR assesses with “high confidence” that Silver Dragon is a Chinese-nexus actor. The evidence is compelling:
- Tradecraft Overlaps: The group’s installation scripts bear a striking resemblance to those used by APT41 in past campaigns.
- Temporal Alignment: “Metadata analysis across multiple samples revealed compilation and file-creation timestamps that consistently align with UTC+8 (China Standard Time)”.
- Technical Routines: The specific sequence of RC4 decryption followed by LZNT1 decompression is a “well-established routine frequently observed in shellcode loaders attributed to Chinese nexus APT activity”.
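For analysts triaging a loader that follows the RC4-then-LZNT1 routine named above, the two primitives can be reimplemented in a few dozen lines so that an extracted blob can be unpacked outside the sample. The following is an added example written for this page, not code from Check Point Research or from any Silver Dragon loader; the key, the blob layout and the LZNT1 test vector are constructed, and a real sample's key and offsets come from reversing the loader itself.

```python
"""RC4 -> LZNT1 unpacking helper for sample triage.

Added example (not CPR's or the loader's code). DEMO_KEY and the LZNT1
test vector below are constructed for this example.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then XOR the keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes, out: bytearray) -> None:
    """Decode one compressed LZNT1 chunk (MS-XCA) and append to out.

    Each flag byte covers eight tokens: bit clear = literal byte, bit set =
    2-byte back-reference. How the 16 bits split between displacement and
    length depends on how much of the chunk has been produced so far.
    """
    pos, start = 0, len(out)
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            written = len(out) - start - 1
            len_mask, disp_shift = 0xFFF, 12
            while written >= 0x10:          # fewer displacement bits as output grows
                len_mask >>= 1
                disp_shift -= 1
                written >>= 1
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out) - start:
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):         # byte-wise so overlapping copies work
                out.append(out[-disp])


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the LZNT1 chunk headers; bit 15 = compressed, bits 12-14 = 0b011."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        if header == 0:                     # zero header terminates the stream
            break
        if header & 0x7000 != 0x3000:
            raise ValueError("bad LZNT1 chunk signature")
        size = (header & 0x0FFF) + 3        # chunk size including the 2-byte header
        body = buf[pos + 2:pos + size]
        if header & 0x8000:
            _lznt1_chunk(body, out)
        else:
            out += body                     # stored chunk, copied verbatim
        pos += size
    return bytes(out)


def unpack(key: bytes, blob: bytes) -> bytes:
    """The RC4-then-LZNT1 order the report describes, applied to a blob."""
    return lznt1_decompress(rc4(key, blob))


# Constructed test vector: "ABCDABCDABCD" as one compressed chunk.
#   header 0xB006 = compressed | signature 0x3000 | (7-byte body - 1)
#   flags  0x10   = four literals A B C D, then one back-reference
#   token  0x3005 = displacement 3+1 = 4, length 5+3 = 8
LZNT1_SAMPLE = bytes.fromhex("06b0 10 41424344 0530")
DEMO_KEY = b"constructed-demo-key"
ENCRYPTED_SAMPLE = rc4(DEMO_KEY, LZNT1_SAMPLE)

if __name__ == "__main__":
    print(unpack(DEMO_KEY, ENCRYPTED_SAMPLE))
```

The chunk signature check and the back-reference bounds check are there because loader blobs are frequently carved from memory with the wrong start offset or key; a decompressor that silently produces garbage on a bad key hides that mistake, while one that raises on the first malformed header tells the analyst to recheck the key or offset.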