Silver Dragon APT Group Targets Europe, Asia Using Google Drive for Covert Communication

Cybersecurity News. Original news source: cybersecuritynews.com.

A China-linked threat group called Silver Dragon has been targeting government and high-profile organizations across Southeast Asia and Europe since at least mid-2024.

Operating under the umbrella of APT41, the group breaks into networks by exploiting public-facing internet servers and sending phishing emails with malicious attachments.

Once inside, it uses custom tools to steal data, monitor victims, and maintain long-term access while staying hidden.

Silver Dragon’s entry into a target environment follows a deliberate sequence. After compromising a server or tricking a user into opening a malicious attachment, the group quickly deploys Cobalt Strike beacons to take control of the infected machine.

From there, it conducts command-and-control communications using DNS tunneling, routing instructions through normal-looking network traffic to avoid raising alarms.

This combination of a familiar commercial tool and covert communication makes early detection particularly difficult for defenders.

Check Point analysts identified three distinct infection chains used by Silver Dragon, each ultimately delivering Cobalt Strike as the final payload.

The first chain abuses AppDomain hijacking, placing a malicious configuration file alongside a legitimate Windows binary so the loader runs every time that binary executes.

High-level overview of the AppDomain hijacking infection chain (Source – Check Point)

The second registers a malicious DLL as a Windows service using hijacked names like Bluetooth Update or Windows Update Service. The third relies on phishing emails carrying weaponized LNK attachments sent to government entities in Uzbekistan. 

Phishing lure masquerading as an official letter to government entities in Uzbekistan (Source – Check Point)

Beyond Cobalt Strike, Silver Dragon deploys three additional custom tools for post-exploitation activity. SilverScreen silently captures screenshots of all connected displays at regular intervals, using change-detection to limit disk usage. 

SilverScreen main loop operation (Source – Check Point)

SSHcmd is a .NET-based SSH wrapper that lets operators run commands and transfer files over secure shell without interactive logins. Compilation timestamps on multiple samples consistently align with UTC+8, providing further evidence of Chinese-nexus origins.

Installation script attributed to APT41 by Mandiant (Source – Check Point)

Attribution to APT41 is further supported by strong similarities between Silver Dragon’s loader installation scripts and scripts previously documented by Mandiant in 2020 as APT41 tradecraft.

Obfuscated installation script used by Silver Dragon (Source – Check Point)

Both cases use an almost identical sequence of commands to register a DLL-based loader as a Windows service, impersonating legitimate system component names to blend in.

The most significant tool in Silver Dragon’s arsenal is GearDoor, a .NET backdoor that uses Google Drive as its command-and-control (C2) channel.

Instead of connecting to a dedicated attacker server that security tools might flag, GearDoor routes all communications through a Google Drive account, making malicious traffic indistinguishable from normal cloud storage activity.

Once deployed, the malware creates a unique Drive folder for each infected machine, using a SHA-256 hash of the machine hostname as the folder name to keep victims organized and separated.

GearDoor communicates entirely through file uploads and downloads, with the file’s extension telling the malware what action to perform.

A .cab file delivers commands to execute, a .pdf file handles directory tasks, a .rar file drops new payloads or triggers a self-update, and a .7z file runs an in-memory .NET plugin.

After completing each task, the malware deletes the input file and uploads a result file with a .bak extension to confirm completion. 

File extensions handled by GearDoor (Source – Check Point)

The malware also uploads a heartbeat file using the .png extension at regular intervals, containing the machine’s hostname, username, IP address, and OS version, so operators know which systems are active.

All data exchanged through Google Drive is encrypted using the DES algorithm, with the key derived from the first 8 characters of an MD5 hash of a hardcoded string. 

GearDoor – File exfiltration process (Source – Check Point)

The evolving command set, with some commands added and others removed between versions, suggests the group continuously tests and develops new capabilities.

Organizations should monitor cloud storage traffic, particularly Google Drive, for unusual automated upload patterns from unknown processes.
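As an added illustration of what such monitoring can look for (this is example code written for this article, not Check Point's or anyone's production detection), the script below runs over constructed Drive activity records and flags the three GearDoor traits described above: a folder named with the SHA-256 of a known hostname, .bak result uploads, and .png uploads at a near-constant interval. The hostnames, event records and the assumption that the folder name is the lowercase hex digest of the raw hostname are all hypothetical.

```python
import hashlib
from collections import defaultdict
# Constructed sample of cloud-proxy / Drive audit records (not from the report):
# (seconds, source host, action, Drive path). The victim folder is named with
# sha256(hostname), as the report describes; everything else is benign noise.
KNOWN_HOSTS = ["WS-FIN-07", "ws-hr-02"]                      # hypothetical estate
VICTIM_FOLDER = hashlib.sha256(b"WS-FIN-07").hexdigest()     # constructed victim
SAMPLE_EVENTS = [
    (0,    "ws-fin-07", "upload",   f"/{VICTIM_FOLDER}/status.png"),
    (300,  "ws-fin-07", "upload",   f"/{VICTIM_FOLDER}/status.png"),
    (600,  "ws-fin-07", "upload",   f"/{VICTIM_FOLDER}/status.png"),
    (610,  "ws-fin-07", "download", f"/{VICTIM_FOLDER}/task.cab"),
    (640,  "ws-fin-07", "upload",   f"/{VICTIM_FOLDER}/task.bak"),
    (120,  "ws-hr-02",  "upload",   "/Shared drives/HR/holiday.png"),
    (9000, "ws-hr-02",  "upload",   "/Shared drives/HR/photo2.png"),
]
def hostname_folders(hostnames):
    """Map sha256 hex digests back to hostnames. Assumption (not in the report):
    lowercase hex of the raw hostname; case variants are hashed for tolerance."""
    table = {}
    for h in hostnames:
        for variant in {h, h.upper(), h.lower()}:
            table[hashlib.sha256(variant.encode()).hexdigest()] = h
    return table
def find_geardoor_patterns(events, hostnames, min_beats=3, jitter=0.1):
    """Return (kind, host, detail) findings: hostname-hash folder, .bak result
    upload, and .png uploads at a near-constant interval (the heartbeat)."""
    folders = hostname_folders(hostnames)
    findings, seen, png_times = [], set(), defaultdict(list)
    for t, host, action, path in events:
        parts = path.strip("/").split("/")
        if len(parts) < 2:
            continue
        folder, name = parts[0], parts[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if folder in folders and (host, folder) not in seen:
            seen.add((host, folder))
            findings.append(("hostname_hash_folder", host, folders[folder]))
        if action == "upload" and ext == ".png":
            png_times[(host, folder)].append(t)
        elif action == "upload" and ext == ".bak":
            findings.append(("result_file_upload", host, path))
    for (host, folder), ts in png_times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]   # intervals between beats
        if len(gaps) >= min_beats - 1 and gaps[0] > 0 and \
           all(abs(g - gaps[0]) <= jitter * gaps[0] for g in gaps):
            findings.append(("periodic_png_upload", host, f"every ~{gaps[0]}s"))
    return findings
```

Real Drive audit logs record file IDs and MIME types rather than paths, so a production version would key on the parent folder's name and the uploaded file's name from the API response; the periodicity check is the part that survives that translation unchanged.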

Security teams should audit Windows services for entries that mimic legitimate system names, and enable detection for AppDomain hijacking (MITRE ATT&CK T1574.014).

Phishing awareness training is strongly advised for government personnel in Southeast Asia and Europe. All listed C2 domains and file hashes should be blocked and monitored at the perimeter.
