Silver Dragon Targets Organizations in Southeast Asia and Europe

Check Point Research attributes to a Chinese‑nexus APT cluster it names Silver Dragon a set of campaigns against government and high‑profile organizations in Southeast Asia and Europe. Initial access comes from exploited public‑facing servers and phishing, and the final payload is Cobalt Strike. The group relies on custom tooling and persistence techniques, notably GearDoor (Google Drive C2), BamboLoader/MonikerLoader, SilverScreen and SSHcmd, and runs C2 over DNS tunneling, Cloudflare‑protected HTTP, and Google Drive. #SilverDragon #GearDoor

Keypoints

  • Silver Dragon is a Chinese‑nexus APT cluster (likely within the APT41 umbrella) observed targeting government and high‑profile organizations across Southeast Asia and Europe.
  • Initial access is achieved by exploiting public‑facing internet servers and via phishing emails with weaponized LNK attachments that drop multi‑stage loaders.
  • Three primary infection chains were identified (AppDomain hijacking, Service DLL hijacking, and a phishing LNK chain), all ultimately delivering Cobalt Strike beacons as the final payload.
  • Custom tools include GearDoor (Google Drive‑based backdoor/C2), BamboLoader and MonikerLoader (multi‑stage loaders with RC4/LZNT1 decryption and in‑memory execution), SilverScreen (screen‑monitoring implant) and SSHcmd (SSH command/file transfer utility).
  • Persistence and stealth techniques include AppDomain hijacking, hijacking legitimate Windows services (service DLL registration), heavy string obfuscation (Brainfuck‑based), and process injection into legitimate host processes.
  • C2 communications use multiple channels to evade detection: DNS tunneling, HTTP over infrastructure behind Cloudflare, SMB lateral C2, and file‑based C2 via Google Drive with encrypted file extensions mapping to tasks.
  • Attribution is supported by tradecraft overlaps with APT41 (near‑identical service registration scripts, cracked Cobalt Strike watermarks, RC4+LZNT1 shellcode patterns, and UTC+8 compilation timestamps).
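The keypoints above describe loaders that unpack their payload with RC4 and LZNT1 before executing it in memory. The following analyst helper is added here as an example and is not code from the Check Point report; it implements both primitives so an encrypted blob such as the staged font file can be examined. The decrypt‑then‑decompress order, the key and the sample blob are all constructed assumptions for the example.

```python
import struct
def rc4(key: bytes, data: bytes) -> bytes:  # plain RC4 (KSA + PRGA); symmetric
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:  # LZNT1: 2-byte chunk headers, flag bytes, tokens
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0: break                      # zero header terminates the stream
        chunk = data[pos:pos + (header & 0x0FFF) + 1]
        pos += len(chunk)
        if not header & 0x8000:                    # bit 15 clear: chunk stored raw
            out += chunk
            continue
        base, i = len(out), 0                      # back-references never cross chunks
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk): break
                if not (flags >> bit) & 1:         # clear bit: literal byte
                    out.append(chunk[i]); i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]; i += 2
                # the length/offset bit split shifts as the chunk fills up
                p, len_mask, off_shift = len(out) - base - 1, 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1; off_shift -= 1; p >>= 1
                for _ in range((token & len_mask) + 3):   # byte-wise copy handles overlap
                    out.append(out[-((token >> off_shift) + 1)])
    return bytes(out)
# Constructed sample: a compressed chunk ("ABCDEFGH" then a back-reference to it) and a raw chunk "XYZ".
SAMPLE_LZNT1 = b"\x0b\xb0\x00ABCDEFGH\x01\x05\x70" + b"\x02\x30XYZ"
SAMPLE_KEY = b"constructed-key"                    # not a key from the report
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_LZNT1)        # stands in for a captured encrypted blob

def decode_blob(blob: bytes, key: bytes) -> bytes:  # assumed order: RC4 first, then LZNT1
    return lznt1_decompress(rc4(key, blob))
```

Point `decode_blob` at a real blob and candidate key recovered during analysis; a successful decode of a Cobalt Strike stage typically yields recognisable shellcode rather than random bytes.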

MITRE Techniques

  • [T1574.014] AppDomain Hijacking – Used to redirect execution by placing a malicious dfsvc.exe.config alongside dfsvc.exe so MonikerLoader is loaded; quote: ‘…abusing AppDomain Hijacking (T1574.014).’
  • [T1190] Exploit Public‑Facing Application – Initial access gained via exploitation of publicly exposed vulnerable servers; quote: ‘…compromise of publicly exposed vulnerable servers.’
  • [T1566.001] Spearphishing Attachment – Phishing emails delivered malicious LNK attachments that embed and drop multiple payload components; quote: ‘…phishing emails containing weaponized LNK attachments…’
  • [T1071.004] Application Layer Protocol: DNS – Cobalt Strike beacons configured to communicate using DNS tunneling for stealthy C2; quote: ‘…conducts command-and-control (C2) communication through DNS tunneling…’
  • [T1543.003] Create or Modify System Process: Windows Service – Attackers register malicious DLLs as Windows services (e.g., bthsrv) to achieve persistence; quote: ‘…registers the BamboLoader to run as a Windows service…’
  • [T1574.001] Hijack Execution Flow: DLL Side‑Loading – Legitimate executables are abused for DLL sideloading to load BamboLoader (e.g., GameHook.exe); quote: ‘…legitimate executable abused for DLL sideloading…’
  • [T1055] Process Injection – Loaders decrypt and inject shellcode or payloads into child or host processes (e.g., taskhost.exe) for in‑memory execution; quote: ‘…injected into a Windows process, such as taskhost.exe…’
  • [T1102] Web Service – GearDoor uses Google Drive as a file‑based C2 channel to upload heartbeats and retrieve encrypted commands/results; quote: ‘…leverages Google Drive as its C2 channel…’
  • [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Implants perform token impersonation to relaunch into active sessions or impersonate processes (e.g., steal_token); quote: ‘…relaunches itself within the currently active desktop session using token impersonation.’
  • [T1027] Obfuscated Files or Information – Multiple tools use heavy obfuscation, including a Brainfuck‑based string decryption routine to hinder analysis; quote: ‘…strings are entirely obfuscated using a Brainfuck-based string decryption routine.’
  • [T1053] Scheduled Task/Job – GearDoor supports an exec command that can execute tasks via scheduled task mechanisms for remote command execution; quote: ‘…exec: Executes a command via a scheduled task mechanism.’
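The T1574.014 entry above hinges on a configuration file placed beside dfsvc.exe. The scanner below is added as an example and is not part of the report; it walks a directory tree for *.exe.config files whose <runtime> section names an AppDomain manager assembly and reports whether the targeted executable sits next to it. The element names are the documented .NET configuration keys; the assembly name, directory layout and placeholder binary are constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# <runtime> children that make the CLR load a chosen assembly before the host's Main() runs
SUSPICIOUS = ("appDomainManagerAssembly", "appDomainManagerType")

def inspect_config(path: str):
    """Return a finding dict for an *.exe.config that sets an AppDomain manager, else None."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None                     # malformed XML: not a CLR config, skip
    runtime = root.find("runtime")
    if runtime is None:
        return None
    hits = {el.tag: el.get("value", "") for el in runtime if el.tag in SUSPICIOUS}
    if not hits:
        return None
    exe = path[: -len(".config")]       # dfsvc.exe.config -> dfsvc.exe
    return {"config": path, "target_exe": exe, "exe_present": os.path.exists(exe), **hits}

def scan_tree(top: str) -> list:
    """Collect findings for every *.exe.config below `top`."""
    findings = []
    for dirpath, _, files in os.walk(top):
        for name in files:
            if name.lower().endswith(".exe.config"):
                finding = inspect_config(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return findings

# Constructed sample: a config next to a placeholder dfsvc.exe; the manager assembly name is
# invented for the example and is not an indicator from the report.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration><runtime>
  <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="ExampleManager.Entry" />
</runtime></configuration>"""

def build_and_scan() -> list:
    """Create the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "dfsvc.exe"), "wb").close()        # placeholder host binary
        with open(os.path.join(tmp, "dfsvc.exe.config"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        with open(os.path.join(tmp, "benign.exe.config"), "w") as fh:
            fh.write("<configuration><runtime/></configuration>")  # no manager: no finding
        return scan_tree(tmp)
```

On a real host, point `scan_tree` at directories holding signed Microsoft binaries and treat any hit whose manager assembly is not a known, signed component as worth triage.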

Indicators of Compromise

  • [Domain] C2 and infrastructure domains used by Silver Dragon – onedriveconsole[.]com, exchange4study[.]com, and 10 other domains (e.g., ns1.onedriveconsole[.]com, copilot-cloud[.]net).
  • [File hash] Sample hashes for the identified toolset – GearDoor: 4f93be0c46a5…69a8; BamboLoader: e3b016f2fc86…70d (roughly 40 additional sample hashes are referenced in the report).
  • [File name] Dropped or staged filenames observed – OLDENGL.fon (encrypted Cobalt Strike shellcode in the Fonts directory), GameHook.exe (legitimate binary used for DLL sideloading), and installer BAT files such as usFUk.bat.
  • [Service name] Windows services abused for persistence – bthsrv (Bluetooth Update Service) and DfSvc (Microsoft .NET Framework ClickOnce Deployment Service) used as service names/entry points.
  • [IP address] Network indicator associated with a C2 configuration – 104.21.51.8 (listed as DNS_Idle in a Cobalt Strike configuration).
  • [Registry key] Registry locations used for configuration and fallback defaults – HKLM\Software\Microsoft\Account (Google Account default), HKLM\Software\Microsoft\Time (Beacon Interval), and other HKLM paths used for settings/storage.

Read more: https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/