China's Silver Dragon Razes Governments in EU, SE Asia

A Chinese threat group acting as yet another spinoff of APT41 has been conducting a cyber-espionage campaign against targets through phishing attacks that ultimately hijack system services for command-and-control (C2) and persistence, giving the group’s activities a legitimate cover.

Silver Dragon, tracked by researchers at Check Point Software, has been operating since at least mid-2024, according to a report published Tuesday. Its primary target is government entities in Southeast Asia and Europe, with cyber espionage as its typical end game, the researchers said.

Silver Dragon mainly uses existing servers and services to conduct its malicious activity, according to Check Point. The group gains its initial access by exploiting public-facing Internet servers and delivering phishing emails that contain malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, allowing the malware it delivers to blend into normal system activity.


Check Point linked the group to the powerful Chinese advanced persistent threat (APT) group APT41, and noted that even in its early days, it demonstrated sophistication that suggests it has staying power.

“Throughout our analysis, we observed that the group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns,” according to Check Point’s post. “The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group.”

3 Silver Dragon Infection Chains

Silver Dragon typically uses one of three infection chains to gain initial access to a targeted network, according to Check Point. The first two, AppDomain hijacking and Service DLL, show clear operational overlap, according to the report. 

“They are both delivered via compressed archives, suggesting their use in post‑exploitation scenarios,” according to the report. “In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers.”

Moreover, both chains rely on the delivery of a RAR archive containing an installation batch script likely executed by the attackers, “which indicates a shared delivery mechanism,” according to Check Point.

The third initial-access strategy is via a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call “BamboLoader.” 

In one documented case, the attackers sent phishing lures to government entities in Uzbekistan that impersonated official correspondence and included weaponized LNK attachments.


Once a system is breached, the group uses a technique called Service DLL hijacking that allows malicious code to hide within legitimate Windows services, according to Check Point. In this way, the group aims to achieve long-term persistence without being detected by standard security software.

Custom Hacking Tools of the Trade

Malware delivered by Silver Dragon includes Cobalt Strike beacons to gain an early foothold on compromised hosts, and then a DNS tunneling tool for C2 in an effort to evade some network-level detection mechanisms, according to Check Point. 

Its latest attacks also deliver a new custom backdoor dubbed GearDoor, which hides behind Google Drive as its C2 channel “to enable covert communication and tasking over a trusted cloud service,” according to Check Point.

The group also has two other key custom tools in its arsenal: SSHcmd and SilverScreen. SSHcmd is a command-line utility designed to facilitate remote access and lateral movement within a compromised network. SilverScreen, meanwhile, is a surveillance tool specifically built to capture periodic screenshots of user activity, allowing the attackers to monitor sensitive data in real time.


A Formidable Chinese Cyber Threat Emerges

Check Point uncovered Silver Dragon’s links to APT41 through “strong tradecraft similarities” in how it uses BamboLoader and post-exploitation installation scripts that align with the APT’s tactics, according to the report.

APT41 (aka Double Dragon, Barium, Winnti, Wicked Spider, and Wicked Panda) is an APT that has been tracked by security researchers since at least 2012 and is best known for espionage conducted on behalf of the Chinese government. The group even went so far as to impersonate a US lawmaker in its malicious activities during critical US-China trade engagements last year. APT41’s members also have been known to conduct financially motivated activity.

Silver Dragon is likely to follow more of a strategic espionage path rather than seek financial gain, but it is uniquely dangerous due to its use of legitimate system resources to hide its activities, according to Check Point.

Organizations — particularly those in the public sector — should prioritize patching Internet-facing systems to avoid exploitation of known vulnerabilities as part of their defense against the group. They also should monitor for unauthorized modifications to Windows service configurations and look out for indicators of compromise (IoCs), which Check Point shared in the report.
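One way to act on that monitoring advice, as an added defender-side example that is not from the Check Point report or this article: the PowerShell below inventories the ServiceDll registrations that a Service DLL hijack has to alter, flags entries that point outside the Windows system directories or lack a valid Authenticode signature, and lets a known-good baseline be diffed against a later snapshot. The trusted-directory list and the baseline file name are assumptions.

```powershell
# Added example: audit svchost-hosted service DLL registrations (HKLM\...\Services\<svc>\Parameters\ServiceDll).
# Assumption: legitimate service DLLs live under System32 or SysWOW64; anything else deserves a look.
$svcRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-ServiceDllInventory {
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $paramsKey = "$($_.PSPath)\Parameters"
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }   # service is not DLL-hosted

        # REG_EXPAND_SZ is normally expanded already; expand again in case a REG_SZ value carries %SystemRoot%.
        $path = [Environment]::ExpandEnvironmentVariables($dll)

        # A DLL that has gone missing is as interesting as an unsigned one.
        $sigStatus = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else { 'Missing' }

        $inTrusted = $false
        foreach ($dir in $trustedDirs) {
            if ($path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }

        [pscustomobject]@{
            Service     = $_.PSChildName
            ServiceDll  = $path
            Signature   = $sigStatus
            InSystemDir = $inTrusted
            Suspicious  = (-not $inTrusted) -or ($sigStatus -ne 'Valid')
        }
    }
}

# Show anything that fails either check on this host.
Get-ServiceDllInventory | Where-Object Suspicious | Format-Table Service, ServiceDll, Signature -AutoSize

# Baseline workflow (file name is an assumption): capture once on a known-good build,
# then diff later snapshots so a swapped ServiceDll path stands out even if it is signed.
$baseline = 'C:\Baselines\servicedll-baseline.xml'
if (-not (Test-Path -LiteralPath $baseline)) {
    Get-ServiceDllInventory | Export-Clixml -Path $baseline
} else {
    Compare-Object -ReferenceObject (Import-Clixml -Path $baseline) `
                   -DifferenceObject (Get-ServiceDllInventory) `
                   -Property Service, ServiceDll
}
```

Run it from an elevated session so every service key is readable, and treat a non-empty Compare-Object result as a change-control question before treating it as an incident.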


Source: www.darkreading.com…