Electronics Era


Silver Dragon: Chinese-Nexus Cyber Espionage Group Targeting Governments in Asia and Europe

by Nimish
March 5, 2026
in Industry News

Geographic distribution of targeted organizations.

  • Silver Dragon is a Chinese-nexus cyber espionage group targeting government ministries and public sector organizations across Southeast Asia, with additional victims identified in Europe.
  • The group gains initial access through exploitation of public-facing servers and targeted phishing campaigns aimed at government entities.
  • It maintains long-term persistence by hijacking legitimate Windows services, allowing malware processes to blend into normal system activity.
  • A custom backdoor, GearDoor, enables covert command-and-control communications via Google Drive, blending malicious traffic with normal cloud usage.
  • The campaign remains relevant as attackers continue to abuse trusted enterprise services and legitimate system components to evade detection.
  • Based on converging technical and operational indicators, the activity is assessed with high confidence to be China-nexus and likely linked to APT41.

Check Point Research has identified and tracked a cyber espionage campaign targeting government organizations across Southeast Asia and parts of Europe. We designate this activity cluster as Silver Dragon, which has been active since at least mid-2024.

The campaign combines server exploitation, phishing, custom malware, and cloud-based command infrastructure to establish long-term access in targeted environments. Based on multiple converging indicators, Check Point Research assesses with high confidence that Silver Dragon is a Chinese-nexus threat actor, likely operating within the umbrella of APT41.

What makes this activity notable is not a single technique, but the combination: stealthy persistence inside legitimate Windows services, use of trusted cloud platforms for command-and-control, and a toolkit designed for sustained access rather than disruption.

Silver Dragon’s Targets

Silver Dragon primarily targets government entities, with most identified victims located in Southeast Asia. Additional activity has been observed in Europe.

The victim profile, combined with the tooling and persistence methods, suggests an espionage-focused objective. The operators demonstrate patience and operational discipline, consistent with long-term intelligence collection rather than financially motivated crime.

How Silver Dragon Gains Access

Silver Dragon relies on two primary entry points:

  1. Exploitation of public-facing servers

The group actively targets internet-exposed systems. Once a server is compromised, attackers can pivot deeper into the internal network and deploy additional tools.

  2. Phishing campaigns

We also observed email-based attacks delivering weaponized attachments. In one campaign, phishing emails impersonated official communications targeting government entities in Uzbekistan. The attachments launched malicious components in the background while displaying a decoy document to the user.

By combining exploitation and phishing, Silver Dragon increases its likelihood of success across different environments.

Figure 5 - Phishing lure masquerading as an official letter to government entities in Uzbekistan.


Persistence Through Legitimate Windows Services

A defining characteristic of Silver Dragon is its approach to persistence.

Instead of deploying obviously malicious services, the group hijacks legitimate Windows services, stopping and recreating them to load malicious code under trusted names. Observed abused services include components associated with Windows Update, Bluetooth services, and .NET Framework utilities.

This tactic allows the malware to blend into normal system activity. Because the service names appear legitimate, detection becomes more challenging, particularly in large environments where system services generate routine noise.
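One way to surface this kind of service recreation from Service Control Manager logs, as an added example that is not from Check Point's report: it triages event ID 7045 ("A service was installed in the system") records against a baseline of built-in services. The baseline entries, host names and sample events are constructed for illustration, and the function names are hypothetical.

```python
# Constructed baseline: service name -> ImagePath seen on a known-good host.
# Assumption: in practice this is exported from a trusted gold image.
BASELINE = {
    "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "bthserv": r"C:\Windows\System32\svchost.exe -k LocalService -p",
}

# Constructed events shaped like Service Control Manager event 7045,
# plus one unrelated 7036 state-change record that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Host": "ws-014", "ServiceName": "bthserv",
     "ImagePath": r"C:\ProgramData\bt\bthsvc.exe"},
    {"EventID": 7045, "Host": "ws-014", "ServiceName": "wuauserv",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p"},
    {"EventID": 7045, "Host": "ws-022", "ServiceName": "VendorAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7036, "Host": "ws-022", "ServiceName": "wuauserv",
     "ImagePath": ""},
]

def normalize(image_path, system_root=r"C:\Windows"):
    """Lower-case, drop quotes, expand %SystemRoot%, collapse whitespace."""
    p = image_path.lower().replace('"', "").replace("/", "\\")
    p = p.replace("%systemroot%", system_root.lower())
    return " ".join(p.split())

def triage(events, baseline=BASELINE):
    """Return findings for 7045 events that reinstall a baselined service."""
    known = {name.lower(): normalize(path) for name, path in baseline.items()}
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name = ev["ServiceName"].lower()
        if name not in known:
            continue  # new third-party service: cover with a separate rule
        # Built-in services are not normally reinstalled, so any hit is notable.
        if normalize(ev["ImagePath"]) != known[name]:
            severity, reason = "high", "recreated with unexpected binary"
        else:
            # 7045 does not record the svchost-hosted DLL, so check it by hand.
            severity, reason = "medium", "recreated; verify Parameters\\ServiceDll"
        findings.append({"host": ev["Host"], "service": ev["ServiceName"],
                         "severity": severity, "reason": reason,
                         "image_path": ev["ImagePath"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A matching ImagePath is not a clean result for svchost-hosted services, because the code that runs is named in the service's `Parameters\ServiceDll` registry value rather than in the event.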

GearDoor: Command-and-Control via Google Drive

A central component of this campaign is a custom backdoor called GearDoor.

GearDoor uses Google Drive as its command-and-control (C2) channel. Instead of communicating with suspicious infrastructure, infected systems exchange files with a dedicated Google Drive account.

Each compromised machine creates its own cloud folder, uploads periodic heartbeat data, and retrieves operator commands disguised as ordinary files. After executing tasks, it uploads the results back to the same location.

Because Google Drive traffic is typically allowed in enterprise environments, this file-based model enables malicious communication to blend with legitimate activity. The approach reflects a broader trend in advanced threat operations: abusing trusted platforms to reduce detection risk.
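A hunting sketch for the heartbeat pattern described above, added here and not taken from Check Point's report: it groups per-process connection records to Google Drive endpoints and flags processes outside an expected list that connect at near-constant intervals. The process allowlist, thresholds and sample records are assumptions constructed for illustration; the report summarized here does not state GearDoor's actual interval.

```python
from collections import defaultdict
from statistics import mean, pstdev

DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
# Assumed allowlist of processes expected to reach Google Drive on this estate.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed records: (epoch_seconds, host, process_image, destination)
SAMPLE = (
    [(t, "srv-db01", r"C:\Windows\System32\svchost.exe", "www.googleapis.com")
     for t in (0, 600, 1201, 1799, 2400, 3001)]
    + [(t, "ws-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "drive.google.com") for t in (50, 65, 900, 2000)]
    + [(t, "ws-031", r"C:\Tools\backup.exe", "www.googleapis.com")
       for t in (10, 95, 1400, 1420, 3300)]
)

def drive_beacons(records, min_events=5, max_cv=0.1):
    """Flag unexpected processes that contact Drive at regular intervals."""
    series = defaultdict(list)
    for ts, host, image, dest in records:
        proc = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dest.lower() in DRIVE_HOSTS and proc not in EXPECTED:
            series[(host, proc)].append(ts)
    findings = []
    for (host, proc), stamps in sorted(series.items()):
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # identical timestamps carry no interval information
        cv = pstdev(gaps) / avg  # coefficient of variation: low = regular
        if cv <= max_cv:
            findings.append({"host": host, "process": proc,
                             "events": len(stamps),
                             "interval_s": round(avg), "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for finding in drive_beacons(SAMPLE):
        print(finding)
```

Raise `max_cv` when hunting for check-ins that add jitter, and expect to tune the allowlist to the sync and backup tools actually deployed.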

Additional Post-Exploitation Tools

Silver Dragon also deploys custom tools to maintain access and collect intelligence.

  • SilverScreen captures screenshots of active user sessions while minimizing system impact, giving operators ongoing visibility into user activity.
  • SSHcmd is a lightweight SSH utility that enables remote command execution and file transfer, supporting both direct and interactive sessions.

Together, these tools point to sustained access and monitoring rather than short-term disruption.

Use of Cobalt Strike

Across multiple infection chains, the final payload was Cobalt Strike, a legitimate penetration testing framework commonly abused by threat actors.

In this campaign, beacons communicated via DNS and HTTP, and in some cases internal network protocols, helping command traffic appear less conspicuous, especially when combined with legitimate services or cloud infrastructure.

Consistent deployment patterns and configuration overlaps further reinforce the linkage between Silver Dragon and previously documented China-affiliated activity.

Attribution Assessment

Check Point Research assesses with high confidence that Silver Dragon is linked to a China-nexus threat actor and likely operates within the broader APT41 ecosystem.

This assessment is based on:

  • Strong similarities in installation and persistence tradecraft
  • Overlapping tooling behaviors and decryption routines
  • Consistent operational patterns across campaigns
  • Temporal indicators aligning with China Standard Time

While attribution in cyber operations is rarely based on a single factor, the convergence of technical and operational evidence supports this conclusion.

Why This Campaign Matters

Silver Dragon highlights several ongoing trends in advanced cyber espionage:

  • Increasing abuse of trusted cloud platforms for covert communication
  • Persistence techniques that hide within legitimate system behavior
  • Continuous evolution of custom tooling
  • Sustained focus on government and strategic targets

For defenders, this reinforces the need to look beyond traditional perimeter defenses. Monitoring must extend across endpoints, internal network activity, and cloud services. Legitimate platforms can be misused, and trusted services can become covert channels.

Organizations with exposed infrastructure and high strategic value—particularly in the public sector—should prioritize patching internet-facing systems, strengthening email defenses, and closely monitoring service-level modifications within Windows environments.

Conclusion

Silver Dragon underscores a broader strategic trend in advanced cyber espionage. Rather than relying solely on bespoke infrastructure, state-aligned actors increasingly embed themselves within legitimate enterprise systems and trusted cloud services. This reduces visibility for traditional perimeter defenses and extends dwell time inside targeted networks.

For executive leadership, the implication is clear: exposure is no longer limited to obvious malware or suspicious external connections. Risk now includes subtle abuse of legitimate services, cloud platforms, and core operating system components.

Organizations require integrated, prevention-first security architecture that spans network, endpoint, email, and cloud environments. Check Point protects customers against campaigns like Silver Dragon through multi-layered threat prevention, advanced behavioral detection, and real-time threat intelligence from Check Point Research.

By combining automated prevention with consolidated visibility across environments, organizations can reduce exposure, detect stealthy persistence techniques, and respond more effectively to advanced, state-aligned threats.

Check Point Research will continue to track this activity and monitor related developments.

Tags: Check Point, Espionage Group
© 2022-23 TechZone Print Media | All Rights Reserved