Ethical Hacking News
APT41's Silver Dragon Expands: Phishing, Google Drive C2, and Cobalt Strike
Researchers have been tracking a threat actor named Silver Dragon whose tooling and targeting overlap with the China-linked group APT41. This article looks at how Silver Dragon has extended that playbook with phishing for initial access, Google Drive-based command-and-control (C2), and Cobalt Strike as the final payload.
In brief: Silver Dragon is a China-linked group whose activity Check Point has followed since mid-2024 and which overlaps with APT41. It targets government entities in Europe and Southeast Asia, delivers its implants through phishing, and runs C2 over Google Drive and Cobalt Strike. An automated framework produces a tailored attack package per operation, each with its own encryption keys and file paths. The final payload is a cracked Cobalt Strike beacon configured for DNS tunneling or SMB communication. Persistence comes from hijacking legitimate Windows services, and custom post-exploitation tools handle data exfiltration and lateral movement. GearDoor, a .NET backdoor, uses Google Drive as its C2 channel so that its traffic blends into ordinary cloud usage.
According to Check Point researchers, Silver Dragon has targeted government entities in Europe and Southeast Asia since mid-2024. Its attack chain combines AppDomain hijacking (abusing the .NET AppDomainManager configuration to get a malicious assembly loaded by a legitimate .NET executable), malicious service DLLs, and weaponized LNK attachments delivered by phishing. Obfuscated loaders such as MonikerLoader and BamboLoader decrypt the next stage and inject it directly into memory, so the decrypted payload never touches disk and leaves little for file-based scanning to find.
The tooling is produced by an automated framework that generates a tailored attack package per operation. Each package carries its own configuration: file paths, service names, encryption keys, and the process chosen for injection. Researchers recovered these per-attack parameters from log files found in archives tied to the campaign. The final payload is a Cobalt Strike beacon built from a cracked copy of the framework and configured for DNS tunneling, HTTP fronted through Cloudflare, or SMB (named-pipe) communication for peer-to-peer traffic between hosts inside an already compromised network.
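The DNS-tunneling beacon described above has a recognisable footprint in resolver logs: a single client sends many distinct queries under one attacker-controlled domain, and the leftmost label of each query is long and high-entropy because it carries encoded beacon data. The script below is an added example, not code from the article or from Check Point, that scores a constructed resolver log on exactly those three signals. Every host name, client address and threshold in it is an assumption made for the example; none is an indicator from the report.

```python
import math
from collections import defaultdict

# Constructed resolver log, one "<client> <qname> <qtype>" record per line.
# Every host name below is invented for this example; none is an indicator
# from the Check Point report. cdn-updates.example plays the attacker domain:
# each query carries encoded data in a long, high-entropy leftmost label.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 api.example.com A
10.0.0.5 0123456789abcdef.cdn-updates.example A
10.0.0.5 fedcba9876543210.cdn-updates.example A
10.0.0.5 13579bdf02468ace.cdn-updates.example A
10.0.0.5 02468ace13579bdf.cdn-updates.example TXT
10.0.0.5 a0b1c2d3e4f56789.cdn-updates.example TXT
10.0.0.5 9876543210fedcba.cdn-updates.example A
10.0.0.5 f0e1d2c3b4a59687.cdn-updates.example A
10.0.0.5 5a6b7c8d9e0f1234.cdn-updates.example A
10.0.0.7 www.example.com A
10.0.0.7 static1.assets.example A
10.0.0.7 static2.assets.example A
10.0.0.7 static3.assets.example A
10.0.0.7 static4.assets.example A
10.0.0.7 static5.assets.example A
10.0.0.7 static6.assets.example A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 is the maximum reachable with a hex alphabet."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels, registrable domain).

    Assumption: the registrable domain is the last two labels. Production code
    should consult the Public Suffix List so that names under e.g. co.uk work.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def score_dns_log(lines, min_unique=6, min_entropy=3.0, min_label_len=12):
    """Group queries by (client, registrable domain) and flag groups that look
    like a DNS tunnel: many distinct names, each with a long, high-entropy
    leftmost label. Returns one summary dict per flagged group."""
    groups = defaultdict(lambda: {"names": set(), "entropy": [], "length": [], "txt": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed record
        client, qname, qtype = parts
        subs, domain = split_qname(qname)
        if not subs:
            continue  # a bare registrable domain carries no tunnel payload
        g = groups[(client, domain)]
        g["names"].add(qname.lower())
        g["entropy"].append(shannon_entropy(subs[0]))
        g["length"].append(len(subs[0]))
        if qtype.upper() == "TXT":
            g["txt"] += 1  # TXT answers are one of the beacon's data channels

    findings = []
    for (client, domain), g in sorted(groups.items()):
        n = len(g["names"])
        mean_entropy = sum(g["entropy"]) / len(g["entropy"])
        mean_len = sum(g["length"]) / len(g["length"])
        if n >= min_unique and mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_names": n,
                "mean_entropy": round(mean_entropy, 3),
                "mean_label_len": round(mean_len, 1),
                "txt_ratio": round(g["txt"] / len(g["entropy"]), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(finding)
```

The assets.example client is deliberately included as a control: it also has six distinct names under one domain, but its short, low-entropy labels keep it below the thresholds, which is why volume alone is a poor signal. Tune `min_unique` and `min_label_len` against a baseline of your own resolver traffic before alerting on this.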
For persistence, Silver Dragon hijacks legitimate Windows services: an existing service is pointed at the group's own DLL, so the implant is loaded by a trusted, automatically started host process and survives reboots without creating a new service entry that would stand out. The group also runs custom post-exploitation tools, including SilverScreen and SSHcmd, that provide stealthy data exfiltration, lateral movement, plugin execution, and self-updating.
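Because the hijacked service keeps its legitimate name, a hunt for this persistence technique has to look at what the service loads rather than at the service list. The script below is an added example, not code from the article or from Check Point: it parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` (collected from a known-clean build and from the host under examination) and flags any service whose ServiceDll sits outside the Windows system directories or differs from the clean baseline. The reference output, the UpdateHelperSvc service and every non-System32 path are constructed for the example; Dhcp, Schedule and LanmanServer are real services shown with their genuine DLL names.

```python
import re

# Constructed excerpts of the output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
# from a known-clean reference build and from the host being examined.
# Dhcp, Schedule and LanmanServer are real Windows services with their genuine
# DLLs; UpdateHelperSvc and every non-System32 path are invented for this
# example and are not indicators from the report.
CLEAN_BASELINE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

End of search: 3 match(es) found.
"""

CURRENT_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    ServiceDll    REG_EXPAND_SZ    "C:\Windows\System32\srvsvc.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\schedsvc32.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateHelperSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\UpdateHelper\uphelper.dll

End of search: 4 match(es) found.
"""

# Directories a service DLL is expected to load from (lower-case, with a
# trailing separator so that "c:\windows\system32evil\" does not match).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: the system drive is C:; adjust for hosts installed elsewhere.
ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(?:\\Parameters)?\s*$",
    re.I,
)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def normalize_path(raw: str) -> str:
    """Strip quotes, expand %SystemRoot%/%windir% and lower-case, so the same
    DLL written three different ways compares equal."""
    path = raw.strip().strip('"').lower()
    for var, value in ENV_VARS.items():
        path = path.replace(var, value)
    return path


def parse_reg_query(text: str) -> dict:
    """Map service name -> normalized ServiceDll path from reg query output."""
    services, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            services[current] = normalize_path(m.group(1))
            current = None
    return services


def hunt_service_dlls(current_text: str, baseline_text: str) -> dict:
    """Return {service: [reasons]} for every service whose DLL looks wrong."""
    current = parse_reg_query(current_text)
    baseline = parse_reg_query(baseline_text)
    findings = {}
    for svc, dll in sorted(current.items()):
        reasons = []
        if not dll.startswith(TRUSTED_DIRS):
            reasons.append("dll outside trusted system directories")
        if svc not in baseline:
            reasons.append("service not present in baseline")
        elif baseline[svc] != dll:
            # Same legitimate service name, different DLL: the hijack pattern.
            reasons.append("ServiceDll differs from baseline")
        if reasons:
            findings[svc] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in hunt_service_dlls(CURRENT_HOST, CLEAN_BASELINE).items():
        print(svc, reasons)
```

The Schedule entry is the case that matters: its DLL still lives under System32, so a location check alone passes it, and only the comparison against a clean baseline catches the swap. Pair the registry comparison with a signature check on the flagged DLL, since an attacker who can write to System32 can also drop an unsigned file there.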
One notable tool in the set is GearDoor, a .NET backdoor that uses Google Drive as its C2 channel. Tasking and results travel as files in the attacker's Drive space, with specially crafted file extensions distinguishing the message types, and the contents are encrypted. Because the traffic goes to a widely used, TLS-protected Google service, it is hard to separate from legitimate cloud usage at the network perimeter. By comparison, APT41 is better known for exploiting vulnerabilities in public-facing servers, sending phishing emails with malicious attachments, and relying on Cobalt Strike for post-exploitation and persistence.
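Since the destination itself is legitimate, the useful network-level signal for a Drive-based C2 channel is timing rather than content: an implant polling for task files does so on a fixed schedule, while a person using Drive does not. The script below is an added example, not code from the article, from Check Point or from GearDoor's authors: it reads a constructed web-proxy log, groups Drive API requests per client, and flags clients whose inter-request intervals are too regular. The log format, client addresses, request paths and thresholds are all assumptions made for the example; the Drive host names are the public Google endpoints.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log, one "<timestamp> <client> <host> <method> <path>"
# record per line. Client 10.0.0.5 imitates an implant polling the Drive API
# for new task files about once a minute; 10.0.0.9 imitates a person using
# Drive by hand. Both clients and every path are invented for this example.
SAMPLE_PROXY_LOG = """\
2026-03-04T10:00:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:01:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:02:01Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:03:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:04:02Z 10.0.0.5 www.googleapis.com POST /upload/drive/v3/files?uploadType=media
2026-03-04T10:05:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:06:01Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:07:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:08:01Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:09:00Z 10.0.0.5 www.googleapis.com GET /drive/v3/files?spaces=drive
2026-03-04T10:09:30Z 10.0.0.5 www.google.com GET /
2026-03-04T09:30:00Z 10.0.0.9 drive.google.com GET /drive/my-drive
2026-03-04T09:30:05Z 10.0.0.9 drive.google.com GET /drive/folders/1a2b3c
2026-03-04T09:35:05Z 10.0.0.9 drive.google.com GET /drive/folders/4d5e6f
2026-03-04T09:35:17Z 10.0.0.9 drive.google.com GET /drive/folders/4d5e6f
2026-03-04T09:50:17Z 10.0.0.9 drive.google.com GET /drive/my-drive
2026-03-04T09:50:20Z 10.0.0.9 drive.google.com GET /drive/recent
2026-03-04T09:51:05Z 10.0.0.9 drive.google.com GET /drive/folders/1a2b3c
2026-03-04T10:24:25Z 10.0.0.9 drive.google.com GET /drive/my-drive
2026-03-04T10:24:33Z 10.0.0.9 drive.google.com GET /drive/shared-with-me
"""

# Public Google Drive endpoints (API and web UI).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}


def parse_proxy_log(lines):
    """Yield (timestamp, client, host, method, path) tuples, skipping bad lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, host, method, path = parts
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, method, path


def find_drive_beacons(lines, min_requests=8, max_cv=0.15):
    """Flag (client, host) pairs whose Drive requests arrive at near-constant
    intervals. cv is the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a scheduled poll with small jitter keeps it
    close to zero, interactive use pushes it well above 1."""
    by_pair = defaultdict(list)
    for ts, client, host, _method, path in parse_proxy_log(lines):
        if host in DRIVE_HOSTS and "/drive/" in path:
            by_pair[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_drive_beacons(SAMPLE_PROXY_LOG.splitlines()):
        print(finding)
```

The obvious false positive is the Google Drive desktop sync client, which also polls on a schedule, so a hit from this logic should be joined with endpoint data on which process made the connection: a regular Drive poll from a process that is not the sync client (or from a host where no Drive client is installed) is the case worth escalating. Longer beacon intervals with deliberate jitter raise the cv; widen the window and lower `max_cv` together rather than loosening one alone.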
Check Point's researchers conclude that Silver Dragon's steady evolution in tooling and technique reflects a well-resourced and adaptable group: across the campaigns they analysed, new capabilities were introduced and then carried over from one operation to the next. For defenders, that argues for detections built around the behaviours that stay constant between campaigns (service hijacking, in-memory loaders, beacon traffic over DNS and trusted cloud services) rather than around any single sample's indicators.
Related Information:
https://www.ethicalhackingnews.com/articles/APT41s-Silver-Dragon-Expands-Phishing-Google-Drive-C2-and-Cobalt-Strike-ehn.shtml
https://securityaffairs.com/188895/apt/from-phishing-to-google-drive-c2-silver-dragon-expands-apt41-playbook.html
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
https://cybersixt.com/a/IjUHQKjcHHcAmeHogxQCwo
https://attack.mitre.org/groups/G0096/
https://www.fbi.gov/wanted/cyber/apt-41-group
Published: Wed Mar 4 07:31:18 2026 by llama3.2 3B Q4_K_M