Full Report
Key Findings

Introduction

In recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. […]

The post Silver Dragon Targets Organizations in Southeast Asia and Europe appeared first on Check Point Research.
Analysis Summary
# Threat Actor: Silver Dragon
## Attribution & Identity
* **Actor Name:** Silver Dragon
* **Attribution:** Chinese-aligned / Chinese-nexus.
* **Known Associations:** Demonstrates operational correlation with **APT41** (likely operating under the APT41 umbrella or as a related cluster).
## Activity Summary
Silver Dragon has been actively monitored since at least mid-2024. The group conducts sophisticated cyber-espionage operations characterized by the use of custom post-exploitation tools and cloud-based command-and-control (C2) mechanisms. Recent campaigns involve multi-stage infection chains designed to deliver Cobalt Strike and custom backdoors for long-term intelligence gathering.
## Tactics, Techniques & Procedures
* **Initial Access:**
* Exploitation of public-facing internet servers.
* Phishing emails containing malicious attachments.
* **Persistence:**
* **AppDomain Hijacking:** Used during initial infection chains.
* **Service Hijacking:** Hijacking legitimate Windows services to blend malware processes with normal system activity.
* **Command & Control (C2):**
* **DNS Tunneling:** Used for Cobalt Strike communication to evade network-level detections.
* **Cloud-Based C2:** Leveraging legitimate services (Google Drive) for covert tasking.
* **Defense Evasion:** Use of legitimate binaries and cloud services to mask malicious traffic.
* **Post-Exploitation:** Deployment of custom wrappers for SSH and specialized screen-monitoring tools.
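The C2 technique listed above (DNS tunneling used to carry Cobalt Strike traffic past network-level detections) has a recognisable shape in resolver logs: one client emitting many distinct, long, high-entropy subdomains under a single parent domain. The following detector is an added example written for this summary, not code from Check Point Research or any of the tools it describes. The log format, the sample lines, the client addresses and domains, and every threshold are assumptions constructed for the demo.

```python
"""Heuristic DNS-tunnelling detector run over constructed DNS query logs.

Added example, not Check Point's code: it flags a client that sends many
distinct, long, high-entropy subdomains under one parent domain, which is the
traffic shape DNS-tunnelled C2 (such as Cobalt Strike DNS beaconing) produces.
The log format "<epoch> <client_ip> <qtype> <qname>" and every threshold below
are assumptions made for this demo.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log: a benign workstation (10.0.0.5), a host doing one
# long but harmless lookup (10.0.0.9) and a host (10.0.0.7) whose queries look
# like encoded data under updates.example-cdn.net (all names are made up).
SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A mail.example.com
1700000003 10.0.0.5 AAAA login.example.com
1700000004 10.0.0.9 A a1b2c3d4e5f6a7b8c9d0e1f2.cdn.example.org
1700000005 10.0.0.7 TXT q7x2mk9vb4ze1nr8tp3wc6a5.updates.example-cdn.net
1700000006 10.0.0.7 TXT h5ds0ja6fc2ly9ug4ko8mb1e.updates.example-cdn.net
1700000007 10.0.0.7 TXT z3nt8vq1xw6rc4pk0yf9ah2s.updates.example-cdn.net
1700000008 10.0.0.7 TXT m9bc2ke5tu7xz0qw3hj1dn4r.updates.example-cdn.net
1700000009 10.0.0.7 TXT v1fk6ph3ym8ea0cx5tq2rz9w.updates.example-cdn.net
1700000010 10.0.0.7 TXT s4rj7lw2oc9nb1vg6ex0qt3d.updates.example-cdn.net
1700000011 10.0.0.7 TXT k8ya3ds0uf5rq2wm7jz1cb6n.updates.example-cdn.net
1700000012 10.0.0.7 TXT c2hp9xv4al7nk0es3yq8tg5m.updates.example-cdn.net
1700000013 10.0.0.7 TXT w6tm1cq9zf3rb8ka5eh2vx0p.updates.example-cdn.net
1700000014 10.0.0.7 TXT n0ex5gv8rk2jw7ys1mb4cq6h.updates.example-cdn.net
"""


@dataclass
class Finding:
    client: str
    domain: str
    unique_subdomains: int
    mean_label_len: float
    mean_entropy: float
    txt_fraction: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Assumption: the registered domain is the last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_line(line: str) -> tuple[str, str, str]:
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def detect_tunneling(log_text: str, *, min_unique: int = 8,
                     min_label_len: int = 16, min_entropy: float = 3.0) -> list[Finding]:
    """Group queries by (client, parent domain) and flag groups that look tunnelled."""
    groups = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        client, qtype, qname = parse_line(line)
        domain = parent_domain(qname)
        prefix = qname[: -len(domain)].rstrip(".")   # labels left of the parent domain
        g = groups[(client, domain)]
        g["total"] += 1
        if qtype == "TXT":
            g["txt"] += 1
        if not prefix:
            continue
        leftmost = prefix.split(".")[0]              # the label that carries encoded data
        g["subs"].add(prefix)
        g["lens"].append(len(leftmost))
        g["ents"].append(shannon_entropy(leftmost))

    findings: list[Finding] = []
    for (client, domain), g in groups.items():
        if not g["subs"]:
            continue
        mean_len = sum(g["lens"]) / len(g["lens"])
        mean_ent = sum(g["ents"]) / len(g["ents"])
        if len(g["subs"]) >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            findings.append(Finding(client, domain, len(g["subs"]), mean_len,
                                    mean_ent, g["txt"] / g["total"]))
    return findings


if __name__ == "__main__":
    for f in detect_tunneling(SAMPLE_LOG):
        print(f"{f.client} -> {f.domain}: {f.unique_subdomains} unique subdomains, "
              f"mean label {f.mean_label_len:.1f} chars, entropy {f.mean_entropy:.2f} bits, "
              f"TXT share {f.txt_fraction:.0%}")
```

The three thresholds are deliberately combined: a single long label (10.0.0.9) or many short ones (10.0.0.5) do not trip the rule, only the combination of volume, length and entropy does. Tune `min_unique` to the resolver's query rate and exclude known high-cardinality domains (CDNs, anti-spam lookups) before deploying on real logs.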
## Targeting
* **Sectors:** Primary focus on **Government entities** and public organizations.
* **Geography:** Southeast Asia and Europe.
* **Victims:** Organizations within the aforementioned sectors (specific names were not provided in the snippet).
## Tools & Infrastructure
* **Malware Families:**
* **GearDoor:** A custom backdoor that uses Google Drive as its C2 channel for exfiltration and tasking.
* **Cobalt Strike:** Deployed as an early-stage foothold for command and control.
* **Custom Tools:**
* **SSHcmd:** A command-line utility acting as a wrapper for SSH to facilitate remote access.
* **SliverScreen:** A dedicated tool for capturing periodic screenshots of compromised user activity.
* **Infrastructure:**
* C2: Google Drive (defanged as: **google[.]com/drive**)
* Communication: DNS-based tunneling for primary beaconing.
## Implications
Silver Dragon represents a high-tier persistent threat capable of blending into enterprise environments by abusing trusted cloud providers and Windows system architecture. Its alignment with APT41 suggests a well-resourced actor focused on long-term espionage and strategic data theft from government targets across two continents.
## Mitigations
* **Cloud Service Monitoring:** Implement strict monitoring and logging for traffic to cloud storage providers like Google Drive, looking for unusual patterns or unauthorized API calls from internal servers.
* **Network Defense:** Deploy advanced DNS security solutions to detect and block DNS tunneling activity.
* **Endpoint Security:**
* Monitor for AppDomain hijacking and unauthorized modifications to Windows services.
* Implement EDR (Endpoint Detection and Response) to identify Cobalt Strike beaconing behaviors.
* **System Hardening:** Patch all public-facing servers immediately against known vulnerabilities and restrict SSH usage to authorized administrative IPs only.
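One concrete way to act on the "monitor for AppDomain hijacking" item above is to inspect .NET Framework application configuration files: a `<runtime>` section that sets `appDomainManagerAssembly` and `appDomainManagerType` makes the runtime load that assembly before the application's own code runs, so such a setting planted next to a trusted executable deserves review. The scanner below is an added example written for this summary, not code from Check Point Research or from the tools it describes; the sample configuration files, the `Loader` assembly name and the directory layout are constructed for the demo.

```python
"""Scan .NET app config files for AppDomainManager-style hijack settings.

Added example, not Check Point's code. A .NET Framework executable reads
<appDomainManagerAssembly> and <appDomainManagerType> from its <exe>.config
and loads that assembly before the application's entry point runs, so a
planted config beside a trusted binary is one form of AppDomain hijacking.
The scanner walks a directory, parses every *.config file and reports any that
set those elements. The sample files it writes to a temp dir are constructed.
"""
from __future__ import annotations

import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path

SUSPICIOUS_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


@dataclass
class ConfigFinding:
    config_path: str
    assembly: str | None
    manager_type: str | None
    sidecar_dll_present: bool   # a DLL matching the assembly name sits beside the config


def inspect_config(path: Path) -> ConfigFinding | None:
    """Return a finding if the config sets an AppDomainManager, else None."""
    try:
        root = ET.parse(str(path)).getroot()
    except ET.ParseError:
        return None                      # not XML (or malformed): nothing to report here
    runtime = root.find("runtime")
    if runtime is None:
        return None
    values: dict[str, str | None] = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]   # tolerate namespaced element names
        if tag in SUSPICIOUS_ELEMENTS:
            values[tag] = child.get("value")
    if not values:
        return None
    assembly = values.get("appDomainManagerAssembly")
    dll_present = False
    if assembly:
        short_name = assembly.split(",")[0].strip()   # "Name, Version=..." -> "Name"
        dll_present = (path.parent / f"{short_name}.dll").exists()
    return ConfigFinding(str(path), assembly, values.get("appDomainManagerType"), dll_present)


def scan_configs(root_dir: str | os.PathLike) -> list[ConfigFinding]:
    """Walk root_dir and inspect every *.config file found."""
    findings: list[ConfigFinding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower().endswith(".config"):
                finding = inspect_config(Path(dirpath) / name)
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.config_path)


# Constructed sample configs: a normal one and one that redirects the AppDomainManager.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime><gcServer enabled="true" /></runtime>
</configuration>
"""

SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Entry" />
  </runtime>
</configuration>
"""


def build_sample_tree(base: Path) -> None:
    """Write the constructed sample files under base (assumed layout for the demo)."""
    (base / "benign").mkdir()
    (base / "benign" / "app.exe.config").write_text(BENIGN_CONFIG)
    (base / "suspicious").mkdir()
    (base / "suspicious" / "tool.exe.config").write_text(SUSPICIOUS_CONFIG)
    (base / "suspicious" / "Loader.dll").write_bytes(b"")        # placeholder sidecar DLL
    (base / "suspicious" / "notxml.config").write_text("not xml")  # exercises the parse-error path


def demo() -> list[tuple[str, str | None, str | None, bool]]:
    """Build the sample tree in a temp dir, scan it and return compact results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return [(Path(f.config_path).name, f.assembly, f.manager_type, f.sidecar_dll_present)
                for f in scan_configs(tmp)]


if __name__ == "__main__":
    for name, asm, typ, dll in demo():
        print(f"{name}: AppDomainManager {asm!r} type {typ!r}, sidecar DLL present: {dll}")
```

On a real host, point `scan_configs` at program directories and compare any hit against the application's documented configuration; a manager assembly that is unsigned, newly written, or not shipped by the vendor is the signal to escalate. The same two settings can also be supplied through process environment variables, so this file scan should be paired with EDR telemetry on process environments.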