Silver Dragon APT Targets Southeast Asia and Europe Using GearDoor Backdoor with Google Drive C2

Check Point Research has unveiled a sophisticated Chinese APT campaign dubbed Silver Dragon that has been actively targeting government entities and organizations across Southeast Asia and Europe since mid-2024. The threat actor operates within the umbrella of Chinese-nexus APT41 and employs multiple infection chains to deliver custom backdoors designed for covert data exfiltration.

Campaign Overview

Silver Dragon gains initial access through two primary vectors: exploiting public-facing internet servers and delivering phishing emails with malicious attachments. Once inside, the group establishes persistence by hijacking legitimate Windows services, allowing malware processes to blend seamlessly into normal system activity.

The campaign demonstrates a high level of operational sophistication, with attackers deploying Cobalt Strike beacons for initial foothold establishment and then pivoting to custom tools for long-term access and data theft.

Custom Malware Arsenal

GearDoor Backdoor

Silver Dragon’s most notable tool is GearDoor, a new backdoor that leverages Google Drive as its command-and-control channel. By routing malicious traffic through a widely trusted cloud service, the malware enables covert communication that can bypass traditional network security controls and URL filtering.

Supporting Tools

  • SSHcmd: A command-line utility functioning as a wrapper for SSH to facilitate remote access
  • SliverScreen: A screen-monitoring tool used to capture periodic screenshots of user activity for intelligence gathering
  • BamboLoader: An obfuscated C++ loader using RC4 encryption and LZNT1 compression with process injection capabilities
  • MonikerLoader: A .NET-based loader with Brainfuck-based string obfuscation for payload delivery

Infection Chains

AppDomain Hijacking

The group abuses T1574.014 (AppDomain Manager Injection) by deploying malicious .NET DLLs alongside legitimate Windows utilities like dfsvc.exe and tzsync.exe. By placing a malicious configuration file in the same directory as these binaries, the attackers ensure their loader executes every time the legitimate process runs.
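A .NET Framework executable reads a `<name>.exe.config` file from its own directory, and the `<runtime>` section of that file may name an AppDomainManager assembly that the CLR loads before the program's own entry point runs. The hunt that follows is an added, defender-side example and is not code from the Check Point report: it walks a directory tree, parses every `*.exe.config`, reports those that set `appDomainManagerAssembly` or `appDomainManagerType`, and notes whether a DLL matching the named assembly sits beside the config. The sample configs, the directory layout and the assembly name `Hijack` are constructed for the demonstration; the binary names `dfsvc.exe` and `tzsync.exe` are those named in the report.

```python
"""Hunt for AppDomain Manager injection (ATT&CK T1574.014) via *.exe.config.

Added example, not code from the Check Point report. Finds .exe.config files
whose <runtime> section names an AppDomainManager and checks whether the
named assembly's DLL is present in the same directory.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Settings that redirect CLR start-up into an arbitrary assembly.
MANAGER_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")


@dataclass
class Finding:
    config_path: str
    assembly: str       # value of appDomainManagerAssembly
    manager_type: str   # value of appDomainManagerType
    dll_present: bool   # <AssemblyName>.dll exists beside the config


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{ns}runtime' -> 'runtime')."""
    return tag.rsplit("}", 1)[-1]


def parse_manager(config_xml: str) -> Optional[dict]:
    """Return the AppDomainManager settings in a config as {key: value}, or None.

    Looks for <appDomainManagerAssembly value="..."/> and
    <appDomainManagerType value="..."/> children of <runtime>. Unparseable
    input counts as 'no finding' so one bad file does not abort the scan.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "runtime":
            continue
        for child in elem:
            if _local(child.tag) in MANAGER_KEYS and "value" in child.attrib:
                found[_local(child.tag)] = child.attrib["value"]
    return found or None


def scan_directory(directory: Path) -> List[Finding]:
    """Walk a directory tree and report every *.exe.config naming a manager."""
    findings = []
    for cfg in sorted(directory.rglob("*.exe.config")):
        settings = parse_manager(cfg.read_text(encoding="utf-8-sig", errors="replace"))
        if not settings:
            continue
        assembly = settings.get("appDomainManagerAssembly", "")
        # "Name, Version=..., Culture=..." -> the CLR probes the application
        # directory (the one holding this config) for Name.dll.
        simple_name = assembly.split(",")[0].strip()
        dll_present = bool(simple_name) and (cfg.parent / f"{simple_name}.dll").is_file()
        findings.append(Finding(str(cfg), assembly,
                                settings.get("appDomainManagerType", ""), dll_present))
    return findings


# Constructed samples for the demo. "Hijack" is a made-up name, not an IoC.
SAMPLE_MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Hijack, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Hijack.Manager" />
  </runtime>
</configuration>
"""

SAMPLE_BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def demo() -> List[Finding]:
    """Lay the constructed samples out in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "dfsvc.exe.config").write_text(SAMPLE_MALICIOUS_CONFIG)
        (root / "Hijack.dll").write_bytes(b"MZ placeholder, not a real PE")
        (root / "tzsync.exe.config").write_text(SAMPLE_BENIGN_CONFIG)
        return scan_directory(root)


def main(argv: List[str]) -> None:
    # Pass directories to scan (e.g. the Windows and .NET Framework trees);
    # with no arguments the constructed demo is run instead.
    findings = demo() if len(argv) < 2 else [
        f for p in argv[1:] for f in scan_directory(Path(p))]
    for f in findings:
        print(f"{f.config_path}: assembly={f.assembly!r} type={f.manager_type!r} "
              f"dll_present={f.dll_present}")


if __name__ == "__main__":
    main(sys.argv)
```

A hit is worth triaging whether or not the DLL is present: a config without its DLL may be a staging artifact or a cleaned-up host, and a config with the DLL is the complete hijack. Legitimate software occasionally ships an AppDomainManager, so compare any hit against a known-good baseline rather than alerting blindly.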

Service DLL Deployment

A more direct approach involves hijacking Windows services through registry manipulation. The attackers abuse legitimate services including:

  • wuausrv (Windows Update Service)
  • bthsrv (Bluetooth Update Service)
  • COMSysAppSrv (COM+ System Application Service)
  • DfSvc (.NET Framework ClickOnce Service)
  • tzsync (Windows Updates Timezone Service)

Phishing Campaign Targeting Uzbekistan

A third infection chain targets government entities in Uzbekistan through weaponized LNK attachments exceeding 1 MB in size. Upon execution, embedded PowerShell code extracts multiple payloads including a decoy document, legitimate executables for DLL sideloading, and encrypted Cobalt Strike shellcode.

Technical Indicators

Cobalt Strike Infrastructure: The majority of observed implants communicate via DNS tunneling to domains including ns1.onedriveconsole[.]com and ns1.exchange4study[.]com, with some samples using HTTP-based communication through Cloudflare-protected servers.
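DNS-tunnelled beacons stand out in resolver logs because one parent domain receives many distinct, long, high-entropy subdomains (often as TXT lookups), while ordinary domains receive a handful of short, repeated hostnames. The script below is an added detection example, not code from the Check Point report: it groups queries by parent domain and flags domains whose unique-subdomain count, mean leading-label length and mean label entropy all exceed illustrative thresholds. The log format (timestamp, client, query type, name) is constructed; the two indicator domains are the ones named in the report, kept defanged as the report prints them and refanged by the parser, while the leading hex labels, client addresses and timestamps are made up. Treating the last two labels as the parent domain is an assumption that a production version would replace with a public-suffix list.

```python
"""Flag DNS-tunnelling candidates in a query log by per-domain subdomain churn.

Added example, not code from the Check Point report. Thresholds are
illustrative and should be tuned against your own resolver's baseline.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Illustrative thresholds; all three must be met for a domain to be flagged.
MIN_UNIQUE = 6        # distinct subdomains under one parent domain
MIN_LABEL_LEN = 16    # mean length of the leftmost (data-carrying) label
MIN_ENTROPY = 3.0     # mean Shannon entropy of that label, in bits/char

# Constructed sample log: "timestamp client qtype qname". The two indicator
# domains are from the report (defanged); every other value is made up.
SAMPLE_LOG = """\
2024-09-12T10:00:01Z 10.0.0.5 A www.microsoft.com
2024-09-12T10:00:02Z 10.0.0.5 A login.microsoftonline.com
2024-09-12T10:00:03Z 10.0.0.5 A ctldl.windowsupdate.com
2024-09-12T10:00:04Z 10.0.0.5 TXT 7a1c9e0b3f42d8a6e5b1c0d4.ns1.onedriveconsole[.]com
2024-09-12T10:00:05Z 10.0.0.5 TXT 4f8d2c7b1e9a0356d7c2b8e1.ns1.onedriveconsole[.]com
2024-09-12T10:00:06Z 10.0.0.5 A 9e3b7d1f5a2c8e06b4d7f3a1.ns1.onedriveconsole[.]com
2024-09-12T10:00:07Z 10.0.0.5 A 2c6f0a8e4b1d9735e8c2a6f0.ns1.onedriveconsole[.]com
2024-09-12T10:00:08Z 10.0.0.5 TXT b5e1d7a3c9f2064e8b3d5a7c.ns1.onedriveconsole[.]com
2024-09-12T10:00:09Z 10.0.0.5 AAAA d0a4f8c2e6b1937d5f0a2c4e.ns1.onedriveconsole[.]com
2024-09-12T10:00:10Z 10.0.0.5 TXT 6c2e8a0d4f9b1357a9c6e2d8.ns1.onedriveconsole[.]com
2024-09-12T10:00:11Z 10.0.0.5 TXT e9b3d5f7a1c2840e6d9b3f5a.ns1.onedriveconsole[.]com
2024-09-12T10:00:12Z 10.0.0.7 A mail.exchange4study[.]com
2024-09-12T10:00:13Z 10.0.0.5 A www.microsoft.com
"""


@dataclass
class DomainStats:
    domain: str
    queries: int
    unique_subdomains: int
    mean_label_len: float
    mean_label_entropy: float
    txt_queries: int

    @property
    def suspicious(self) -> bool:
        return (self.unique_subdomains >= MIN_UNIQUE
                and self.mean_label_len >= MIN_LABEL_LEN
                and self.mean_label_entropy >= MIN_ENTROPY)


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def refang(name: str) -> str:
    """Turn the report's defanged 'a[.]b' back into 'a.b' for analysis."""
    return name.replace("[.]", ".").lower().rstrip(".")


def split_qname(qname: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent_domain, leftmost_label, full_subdomain), or None if the
    name has no subdomain. Parent domain = last two labels (assumption)."""
    labels = refang(qname).split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), labels[0], ".".join(labels[:-2])


def analyze(log_text: str) -> List[DomainStats]:
    """Aggregate per parent domain and return stats, flagged domains first."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, _client, qtype, qname = parts
        split = split_qname(qname)
        if split is None:
            continue
        parent, label, subdomain = split
        d = acc[parent]
        d["queries"] += 1
        if qtype.upper() == "TXT":
            d["txt"] += 1
        d["subs"].add(subdomain)
        d["lens"].append(len(label))
        d["ents"].append(shannon_entropy(label))
    stats = [DomainStats(domain=k, queries=v["queries"], unique_subdomains=len(v["subs"]),
                         mean_label_len=sum(v["lens"]) / len(v["lens"]),
                         mean_label_entropy=sum(v["ents"]) / len(v["ents"]),
                         txt_queries=v["txt"]) for k, v in acc.items()]
    return sorted(stats, key=lambda s: (s.suspicious, s.unique_subdomains), reverse=True)


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        flag = "SUSPICIOUS" if s.suspicious else "ok"
        print(f"{flag:10} {s.domain:24} q={s.queries:3} uniq={s.unique_subdomains:3} "
              f"len={s.mean_label_len:5.1f} H={s.mean_label_entropy:4.2f} txt={s.txt_queries}")
```

Requiring all three conditions keeps CDN and telemetry domains, which also have many subdomains but short or low-entropy labels, from tripping the rule, and the single query to the second indicator domain shows that volume is needed before the heuristic fires; a domain already on a threat-intelligence list should of course be matched directly regardless of these statistics.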

Evasion Techniques:

  • Control flow flattening in BamboLoader
  • Brainfuck-based string obfuscation in MonikerLoader
  • Encrypted payloads with RC4 and single-byte XOR
  • Process injection into legitimate Windows binaries
  • DNS tunneling for C2 communication

Connection to APT41

Check Point Research assesses that Silver Dragon operates within the APT41 umbrella based on shared infrastructure, similar tooling patterns, and targeting alignment with previous APT41 campaigns. APT41 is a well-documented Chinese state-sponsored group known for conducting both espionage operations and financially motivated attacks.

Recommendations

Organizations in targeted regions should:

  • Monitor for suspicious AppDomain configuration files near legitimate Windows binaries
  • Audit Windows service registry keys for unauthorized modifications
  • Implement DNS monitoring to detect tunneling activity
  • Block or monitor Google Drive API access from unexpected processes
  • Train employees to recognize phishing emails with large LNK attachments
  • Deploy endpoint detection rules for Cobalt Strike beacon patterns

Source: Check Point Research