Silver Dragon APT attack flow using Cobalt Strike and Google Drive C2

Researchers have identified a new advanced persistent threat group called Silver Dragon, active since mid-2024 and primarily targeting government organizations in Europe and Southeast Asia. The group is believed to operate under the umbrella of APT41, a China-linked hacking collective known for cyber espionage and financially motivated attacks. Silver Dragon gains initial access by exploiting vulnerable public-facing servers and conducting phishing campaigns with malicious attachments.

To maintain persistence and avoid detection, the attackers hijack legitimate Windows services and deploy Cobalt Strike beacons on compromised systems. They use multiple infection chains, including AppDomain hijacking, service DLL execution, and phishing emails containing weaponized LNK files. In some campaigns, particularly those targeting Uzbekistan, malicious shortcuts trigger PowerShell commands that sideload a rogue DLL (BamboLoader) through a legitimate executable, while a decoy document distracts the victim.
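A defender-side illustration of how the LNK -> PowerShell -> sideloaded-DLL chain described above can be surfaced in endpoint telemetry, added here as an example and not code from the original article or from NPAV; it assumes Sysmon-style process-creation (event 1) and image-load (event 7) records, and every path and host name in the sample events is constructed, not an indicator from the report.

```python
from dataclasses import dataclass

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
HIDDEN_PS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand", "-nop")

@dataclass
class Event:
    event_id: int            # Sysmon numbering: 1 = process create, 7 = image load
    host: str
    image: str
    parent_image: str = ""
    command_line: str = ""
    image_loaded: str = ""
    signed: bool = True      # Sysmon "Signed" field of the loaded DLL

def is_lnk_style_powershell(e: Event) -> bool:
    """Stage 1: PowerShell spawned by explorer.exe (what a double-clicked LNK produces) with window-hiding or encoded-payload flags."""
    if e.event_id != 1 or not e.image.lower().endswith("powershell.exe"):
        return False
    if not e.parent_image.lower().endswith("explorer.exe"):
        return False
    return any(f in e.command_line.lower() for f in HIDDEN_PS_FLAGS)

def is_sideload(e: Event) -> bool:
    """Stage 2: an EXE in a user-writable directory loads an unsigned DLL from that same directory (rogue DLL beside a legitimate binary)."""
    if e.event_id != 7 or e.signed or not any(m in e.image.lower() for m in USER_WRITABLE):
        return False
    exe_dir, dll_dir = (p.lower().rsplit("\\", 1)[0] for p in (e.image, e.image_loaded))
    return exe_dir == dll_dir

def detect_chain(events) -> list:
    """Hosts on which both stages were observed, i.e. the full chain fired."""
    stage1 = {e.host for e in events if is_lnk_style_powershell(e)}
    stage2 = {e.host for e in events if is_sideload(e)}
    return sorted(stage1 & stage2)

# Constructed sample telemetry (hypothetical paths, not indicators from the article):
# ws01 shows the complete chain, ws02 only benign look-alikes.
SAMPLE_EVENTS = [
    Event(1, "ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'powershell.exe -w hidden -nop -c "C:\Users\u\AppData\Local\Temp\viewer.exe"'),
    Event(7, "ws01", r"C:\Users\u\AppData\Local\Temp\viewer.exe",
          image_loaded=r"C:\Users\u\AppData\Local\Temp\helper.dll", signed=False),
    Event(1, "ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="powershell.exe Get-Date"),
    Event(7, "ws02", r"C:\Program Files\App\app.exe",
          image_loaded=r"C:\Windows\System32\helper.dll", signed=True),
]
```

Requiring both stages on the same host keeps the rule quiet on ordinary explorer-launched PowerShell and on signed DLLs loaded from system directories, while still catching the decoy-plus-sideload pattern the report describes.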

Post-compromise, Silver Dragon uses custom tools such as SilverScreen for screen monitoring, SSHcmd for remote command execution, and GearDoor, a .NET backdoor that communicates with its command-and-control infrastructure via Google Drive. The backdoor uses different file extensions to send heartbeats, execute commands, upload data, and even self-update. Researchers note strong technical overlaps with APT41 operations, highlighting Silver Dragon as a well-resourced and highly adaptive threat actor.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.