Check Point Research disclosed Silver Dragon, an advanced persistent threat linked to APT41, conducting stealthy espionage against government and high-profile organizations across Southeast Asia and Europe since mid-2024. The group delivers Cobalt Strike through three infection chains and operates GearDoor, a .NET backdoor that uses Google Drive for file-based C2, enabling heartbeats, command execution, and data exfiltration. #SilverDragon #GearDoor
Keypoints
- Silver Dragon targets government and high-profile organizations across Southeast Asia and Europe.
- The group uses three infection chains—public-facing server exploitation, AppDomain hijacking with malicious .NET DLLs, and spear-phishing LNKs—to deliver Cobalt Strike.
- GearDoor is a .NET backdoor that leverages Google Drive for heartbeats (.png), commands (.cab), and encrypted data exfiltration (.zip).
- Operators deploy post-exploitation tools such as SliverScreen, SSHcmd, MonikerLoader, and BamboLoader for monitoring and lateral movement.
- Check Point Research attributes the campaign with high confidence to a Chinese-nexus actor, based on tradecraft overlaps, UTC+8 timestamps, and shared RC4 encryption and LZNT1 compression routines.
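The RC4 and LZNT1 routines cited in the attribution are also what an analyst reimplements to decode the malware's configuration blobs or C2 files. The following is an added example, not code from Check Point Research or from GearDoor itself: a minimal RC4 decryptor and LZNT1 (MS-XCA) decompressor in Python, run over a constructed blob. The key, the sample bytes, and the layering (LZNT1-compress, then RC4-encrypt, so decoding runs RC4 first) are assumptions for illustration; the summary above does not state the real key or the exact order of the two steps.

```python
"""Decode an RC4-encrypted, LZNT1-compressed blob (added example, not the report's code)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _lznt1_decompress_chunk(chunk: bytes) -> bytes:
    """Decompress one LZNT1 chunk body (the bytes after its 2-byte header)."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]                     # one flag bit per following token
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:         # clear bit: literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            if pos + 1 >= len(chunk):
                raise ValueError("truncated LZNT1 token")
            token = chunk[pos] | (chunk[pos + 1] << 8)
            pos += 2
            # The split between displacement and length bits shrinks the
            # length field as the chunk's decompressed output grows.
            length_mask, disp_shift = 0xFFF, 12
            p = len(out) - 1
            while p >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                p >>= 1
            length = (token & length_mask) + 3
            displacement = (token >> disp_shift) + 1
            if displacement > len(out):
                raise ValueError("LZNT1 back-reference before start of chunk")
            start = len(out) - displacement
            for k in range(length):            # byte-wise copy: sources may overlap
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream: a sequence of (header, chunk) pairs."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = data[pos] | (data[pos + 1] << 8)
        pos += 2
        if header == 0:                        # zero header ends the stream
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError("bad LZNT1 chunk signature")
        size = (header & 0xFFF) + 1            # low 12 bits: chunk body size - 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        if header & 0x8000:                    # top bit: chunk is compressed
            out += _lznt1_decompress_chunk(chunk)
        else:
            out += chunk                       # stored (uncompressed) chunk
    return bytes(out)


def decode_payload(key: bytes, blob: bytes) -> bytes:
    """Assumed pipeline for illustration: RC4-decrypt, then LZNT1-decompress."""
    return lznt1_decompress(rc4(key, blob))


# Constructed sample (not real malware data): a compressed chunk holding
# literals "ABC" plus a back-reference (displacement 3, length 9), followed by
# a stored chunk holding "!". Header 0xB005 = compressed | signature 3 | size 6-1.
LZNT1_SAMPLE = bytes.fromhex("05b0" "084142430620" "0030" "21")
SAMPLE_KEY = b"constructed-sample-key"          # assumed key, not GearDoor's
ENCRYPTED_SAMPLE = rc4(SAMPLE_KEY, LZNT1_SAMPLE)

if __name__ == "__main__":
    print(decode_payload(SAMPLE_KEY, ENCRYPTED_SAMPLE))  # -> b'ABCABCABCABC!'
```

The decompressor keeps back-references inside the current chunk, as the format requires, and rejects a reference that reaches before the chunk's first output byte; feeding it a blob where RC4 was applied with the wrong key will typically fail on the chunk signature check rather than produce silent garbage, which is a useful first signal when trying candidate keys.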