# Full Report
Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024. "Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments," Check Point said
# Analysis Summary
# Threat Actor: Silver Dragon
## Attribution & Identity
* **Actor Identification:** Silver Dragon
* **Associated Groups:** Assessed to be operating under the **APT41** umbrella (a prolific China-linked threat group).
* **Origin:** China-linked.
## Activity Summary
Silver Dragon is an advanced persistent threat (APT) group active since at least **mid-2024**. The group specializes in multi-stage infection chains involving custom loaders and legitimate service exploitation to deploy Cobalt Strike beacons. Recent operations (up to March 2026) show a high level of sophistication in bypassing traditional detection through non-standard C2 channels like Google Drive and DNS tunneling.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of public-facing internet servers and phishing emails with malicious attachments.
* **Persistence:**
  * **AppDomain Hijacking** [T1574.014]: abusing the .NET AppDomainManager mechanism so that a legitimate .NET process loads attacker-controlled code at start-up.
  * **Service DLL Hijacking:** Registering malicious DLLs as Windows services to blend with system activity.
  * **DLL Side-Loading:** Abusing legitimate executables (e.g., `GameHook.exe`) to load a malicious DLL.
* **Evasion:**
  * Memory-only execution of second-stage payloads.
  * DNS tunneling for C2 communication.
  * Heavily obfuscated C++ code.
* **Command and Control (C2):** Use of Google Drive API for tasking and data exfiltration.
## Targeting
* **Sectors:** Primarily government entities. Historically (via APT41 umbrella) targets healthcare, telecoms, high-tech, education, travel services, and media.
* **Geography:** Southeast Asia, Europe, and specific campaigns targeting Uzbekistan.
* **Victims:** Government organizations and vulnerable publicly exposed servers.
## Tools & Infrastructure
* **Malware Families:**
  * **MonikerLoader:** A .NET-based loader for decrypting and executing second-stage payloads in memory.
  * **BamboLoader:** A heavily obfuscated C++ shellcode loader/DLL.
  * **SilverScreen:** A .NET screen-monitoring tool for capturing user activity and cursor positioning.
  * **SSHcmd:** A .NET utility for remote command execution and file transfer via SSH.
  * **GearDoor:** A .NET backdoor using Google Drive for C2 (heartbeats sent as `.png` files).
  * **Cobalt Strike:** Preferred post-exploitation framework/beacon.
* **Infrastructure:**
  * **C2:** Google Drive (cloud-based C2), DNS-based tunneling.
  * **Filenames:** `graphics-hook-filter64.dll`, `simhei.dat`, `GameHook.exe`.
## Implications
Silver Dragon represents a specialized cell within the APT41 ecosystem focusing on high-value European and Asian government targets. Their move toward "living off cloud services" (Google Drive) and memory-resident payloads indicates a strategic shift toward evading perimeter defenses and automated sandbox analysis. The use of custom .NET tools for post-exploitation suggests a mature development pipeline tailored for long-term espionage.
## Mitigations
* **Service Monitoring:** Monitor for the creation of new Windows services or modifications to existing service DLL paths.
* **AppDomain Validation:** Implement controls to prevent unauthorized AppDomain hijacking by restricting .NET configuration file modifications.
* **Cloud API Auditing:** Monitor network traffic for unusual or high-volume connections to `googleapis[.]com`, particularly from non-standard processes or servers.
* **Email Security:** Implement advanced attachment scanning for LNK files and archives containing batch scripts.
* **External Surface Management:** Prioritize patching of public-facing servers to prevent the initial exploitation used in the group's "Service DLL" and "AppDomain hijacking" chains.