APT41-Linked Silver Dragon Group Targets Governments with Cobalt Strike and Google Drive Command and Control (C2) Tactics


Advanced Threat Group Silver Dragon Targets Governments with Sophisticated Attacks

A newly identified advanced persistent threat (APT) group, dubbed Silver Dragon, has been linked to a series of sophisticated cyber attacks targeting government entities in Europe and Southeast Asia since mid-2024. The group is believed to be operating under the umbrella of APT41, a well-known Chinese hacking group notorious for its cyber espionage activities.

Initial Access Vectors and Persistence

Silver Dragon’s initial access vectors include the exploitation of publicly facing internet servers and phishing emails with malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, allowing malware processes to blend in with normal system activity.
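Service hijacking of the kind described above leaves a trace in the service configuration itself: the binary path or ServiceDll of an existing service changes, or a new service appears whose image lives outside the usual program directories. The following Python script is an added example, not code from the article or from any vendor; it diffs two constructed snapshots of service configuration (a baseline and a current export in a simple CSV layout assumed for this example) and reports the drift a defender would want to review.

```python
import csv
import io

# Directories where legitimate service binaries and ServiceDlls normally live.
# Anything outside these roots is worth a second look (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed snapshots; the service names and paths are illustrative only.
# Assumed column layout: name,image_path,service_dll,start
BASELINE_CSV = r"""
name,image_path,service_dll,start
Spooler,C:\Windows\System32\spoolsv.exe,,auto
WinHttpAutoProxySvc,C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,C:\Windows\System32\winhttp.dll,manual
UpdateAgent,C:\Program Files\Vendor\agent.exe,,auto
"""

CURRENT_CSV = r"""
name,image_path,service_dll,start
Spooler,C:\Windows\System32\spoolsv.exe,,auto
WinHttpAutoProxySvc,C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,C:\ProgramData\cache\winhttp.dll,auto
UpdateAgent,C:\Program Files\Vendor\agent.exe,,auto
SysHelper,C:\Users\Public\syshelper.exe,,auto
"""


def load_services(text):
    """Parse a CSV snapshot into {service_name: row}."""
    return {row["name"]: row for row in csv.DictReader(io.StringIO(text.strip()))}


def in_trusted_location(path):
    """True if the (possibly quoted, possibly argument-bearing) path starts under a trusted root."""
    p = path.strip().strip('"').lower()
    return p.startswith(TRUSTED_ROOTS)


def compare_services(baseline_text, current_text):
    """Return a list of (service_name, reason) findings describing drift between snapshots."""
    base = load_services(baseline_text)
    cur = load_services(current_text)
    findings = []
    for name, row in cur.items():
        old = base.get(name)
        if old is None:
            findings.append((name, "new service"))
        else:
            for field in ("image_path", "service_dll"):
                if old[field] != row[field]:
                    findings.append((name, f"{field} changed: {old[field] or '<none>'} -> {row[field] or '<none>'}"))
            if old["start"] != row["start"]:
                findings.append((name, f"start type changed: {old['start']} -> {row['start']}"))
        # Location check applies to every service, whether or not it changed.
        for field in ("image_path", "service_dll"):
            if row[field] and not in_trusted_location(row[field]):
                findings.append((name, f"{field} outside trusted roots: {row[field]}"))
    for name in base.keys() - cur.keys():
        findings.append((name, "service removed"))
    return findings


def flagged_services(baseline_text, current_text):
    """Sorted, de-duplicated names of services with at least one finding."""
    return sorted({name for name, _ in compare_services(baseline_text, current_text)})


if __name__ == "__main__":
    for name, reason in compare_services(BASELINE_CSV, CURRENT_CSV):
        print(f"{name}: {reason}")
```

In practice the two snapshots would come from a periodic export of the service registry keys or a scheduled `Get-Service`/`sc query`-style inventory; the comparison logic stays the same. The ServiceDll check is the one that matters for the service DLL chain the article describes, since the svchost.exe image path itself never changes.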

Attack Focus and Techniques

The group’s attacks primarily focus on government entities, utilizing Cobalt Strike beacons for persistence on compromised hosts. Silver Dragon also employs techniques like DNS tunneling for command-and-control (C2) communication to evade detection.
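DNS tunneling is easiest to spot at the resolver, where the queries for a tunneling domain look nothing like ordinary name resolution: very long, high-entropy leftmost labels, almost every query unique, and a skew toward TXT or NULL record types. The script below is an added example and not code from the article or the researchers it cites; it scores constructed DNS query log lines (the log format and the domain names are assumptions for the example) and flags registered domains whose traffic matches several of those indicators at once.

```python
import math
from collections import defaultdict

# Constructed DNS query log. Assumed format per line: "<epoch> <client_ip> <qname> <qtype>".
# The example.net subdomains are invented hex-looking labels, not real indicators.
SAMPLE_DNS_LOG = """\
1718000001 10.0.0.5 www.example.com A
1718000002 10.0.0.5 mail.example.com A
1718000003 10.0.0.7 4a6f686e20446f652077617320686572.tunnel.example.net TXT
1718000004 10.0.0.7 652e2053656e642068656c702e204e6f.tunnel.example.net TXT
1718000005 10.0.0.7 772e205468697320697320612074657374.tunnel.example.net TXT
1718000006 10.0.0.7 206f662074686520444e532074756e6e656c.tunnel.example.net TXT
1718000007 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse the assumed log format into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def base_domain(qname):
    """Crude registered-domain extraction (last two labels); a public-suffix list would be better."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(records, min_queries=3):
    """Score each base domain on four tunneling indicators; returns {domain: {score, reasons, queries}}."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[base_domain(r["qname"])].append(r)
    findings = {}
    for domain, recs in by_domain.items():
        if len(recs) < min_queries:
            continue
        subs = {r["qname"][: -len(domain) - 1] for r in recs if r["qname"] != domain}
        if not subs:
            continue
        leftmost = [s.split(".")[0] for s in subs]
        longest = max(len(label) for label in leftmost)
        mean_entropy = sum(shannon_entropy(label) for label in leftmost) / len(leftmost)
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        unique_ratio = len(subs) / len(recs)
        score, reasons = 0, []
        if longest >= 30:
            score += 1; reasons.append("long leftmost label")
        if mean_entropy >= 2.5:
            score += 1; reasons.append("high label entropy")
        if txt_ratio >= 0.5:
            score += 1; reasons.append("TXT/NULL-heavy")
        if unique_ratio >= 0.8:
            score += 1; reasons.append("mostly unique subdomains")
        findings[domain] = {"score": score, "reasons": reasons, "queries": len(recs)}
    return findings


def suspected_tunnels(text, threshold=3):
    """Base domains whose indicator score reaches the threshold, sorted."""
    return sorted(d for d, f in score_domains(parse_dns_log(text)).items() if f["score"] >= threshold)


if __name__ == "__main__":
    for domain, f in score_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(domain, f)
    print("suspected:", suspected_tunnels(SAMPLE_DNS_LOG))
```

The thresholds are deliberately conservative and combined, because any single indicator (long labels from CDNs, unique subdomains from analytics beacons) fires on benign traffic; requiring three of four keeps the noise down while still catching the pattern described above.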

Infection Chains

Researchers have identified three distinct infection chains used by Silver Dragon to deliver Cobalt Strike: AppDomain hijacking, service DLL, and phishing-based attacks. The first two chains involve the use of compressed archives, suggesting their deployment in post-exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers.

AppDomain Hijacking Chain

The AppDomain hijacking chain uses a RAR archive to drop MonikerLoader, a .NET-based loader responsible for decrypting and executing a second-stage payload directly in memory. The second stage mimics MonikerLoader’s behavior, acting as a conduit for loading the final Cobalt Strike beacon payload.

Service DLL Chain

The service DLL chain employs a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is responsible for loading the Cobalt Strike payload.

Phishing-Based Infection Chain

The phishing-based infection chain primarily targets Uzbekistan with malicious Windows shortcuts (LNK) as attachments. The weaponized LNK file launches PowerShell code, leading to the extraction and execution of next-stage payloads, including a decoy document, a legitimate executable vulnerable to DLL side-loading, a malicious DLL (BamboLoader), and an encrypted Cobalt Strike payload.

Post-Exploitation Tools

Silver Dragon’s attacks also involve the deployment of various post-exploitation tools, including SilverScreen, a .NET screen-monitoring tool used to capture periodic screenshots of user activity, and SSHcmd, a .NET command-line SSH utility that provides remote command execution and file transfer capabilities over SSH.

GearDoor Backdoor

The group also utilizes GearDoor, a .NET backdoor that shares similarities with MonikerLoader and communicates with its C2 infrastructure via Google Drive. Once executed, the backdoor authenticates to the attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information.

The backdoor uses different file extensions to indicate the nature of the task to be performed on the infected host, including .png for sending heartbeat files, .pdf for receiving and executing commands, and .cab for gathering host information and running commands.
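Because the task type is signalled by the file extension rather than by the file's contents, the heartbeat "images" and command "documents" described above are not actually PNG or PDF files. A cheap defensive check on files synced to or from cloud storage is therefore to compare the extension's claimed format against the leading bytes (the file signature). The script below is an added example, not code from the article; the sample files are constructed and the check covers exactly the three extensions the article attributes to GearDoor, plus a rough text-versus-binary classification of whatever does not match.

```python
import os

# File signatures for the three extensions the article says the backdoor uses.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".cab": b"MSCF",
}

# Constructed sample files as (name, leading bytes); not real backdoor artifacts.
SAMPLE_FILES = [
    ("host-heartbeat.png", b"host=WS01;user=alice;os=Windows 10;ip=10.0.0.7"),
    ("quarterly-report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    ("driver-update.cab", b"MSCF\x00\x00\x00\x00\x9a\x12\x00\x00"),
    ("tasks.pdf", b"cmd=hostinfo\r\ncmd=list-drives\r\n"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]


def extension_matches_content(name, data):
    """True if the extension is not one we know, or its signature is present;
    False when a known extension claims a format the bytes do not start with."""
    ext = os.path.splitext(name)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:
        return True
    return data.startswith(sig)


def looks_like_text(data):
    """Rough classifier: >90% printable ASCII (plus tab/CR/LF) counts as text."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9


def triage(files):
    """Return (name, kind) for every file whose content contradicts its extension."""
    findings = []
    for name, data in files:
        if not extension_matches_content(name, data):
            kind = "text payload" if looks_like_text(data) else "binary payload"
            findings.append((name, kind))
    return findings


def mismatched_files(files):
    """Sorted names of the files triage() flagged."""
    return sorted(name for name, _ in triage(files))


if __name__ == "__main__":
    for name, kind in triage(SAMPLE_FILES):
        print(f"{name}: extension does not match content ({kind})")
```

Only the first few bytes of each file are needed, so the same check can run inline on a proxy or CASB capture of uploads without buffering whole files. A mismatch is not proof of malice on its own, but a plain-text file wearing a .png extension and uploaded on a regular interval from a workstation is exactly the heartbeat pattern the article describes.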

Links to APT41

Silver Dragon’s links to APT41 rest on two overlaps: its tradecraft matches post-exploitation installation scripts previously attributed to APT41, and the decryption mechanism used by BamboLoader has been observed in shellcode loaders linked to China-nexus APT activity.

Conclusion

Silver Dragon’s continuous evolution of tooling and techniques, combined with its use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication, reflects a well-resourced and adaptable threat group.


