
Silver Dragon’s Silent Reach: Cobalt Strike and Google Drive Power a New APT41 Campaign

  • Javier Conejo del Cerro
  • 4 hours ago
  • 4 min read

Since at least mid-2024, a threat cluster known as Silver Dragon, assessed to operate within the ecosystem of the Chinese APT group APT41, has conducted cyber-espionage campaigns against government entities across Europe and Southeast Asia. The operation combines exploitation of vulnerable public-facing servers, spear-phishing, custom loaders, and covert command-and-control infrastructure using Google Drive, demonstrating the group’s evolving approach to persistence, stealth, and operational resilience.


Phase 1 — Initial Access: Servers and Phishing as Entry Points


Silver Dragon begins its operations by gaining a foothold through two primary entry vectors: the exploitation of vulnerable public-facing servers and phishing campaigns targeting government personnel.

In several incidents investigated by researchers, attackers first compromised externally exposed infrastructure that contained known vulnerabilities. Once inside the network perimeter, they deployed compressed archives containing scripts and loaders that initiated the infection chain.

In parallel, the group conducted phishing operations—particularly against targets in Uzbekistan—using emails containing malicious Windows shortcut (LNK) attachments. These weaponized files launched commands through cmd.exe, which subsequently executed PowerShell scripts designed to extract and deploy additional payloads.

The phishing payload typically contained multiple staged files, including a decoy document shown to the victim to reduce suspicion, a legitimate executable vulnerable to DLL side-loading, a malicious loader DLL, and an encrypted payload ultimately responsible for deploying the core implant.

These entry techniques mirror long-standing tactics used by APT41, which frequently blends opportunistic exploitation with targeted social engineering to infiltrate strategic institutions.


Phase 2 — Loader Deployment and Persistence


Once initial access is achieved, Silver Dragon moves to establish persistence using three distinct infection chains, all designed to deliver Cobalt Strike beacons.

The first two chains, AppDomain hijacking and a Service DLL loader, are typically deployed once a public-facing server has already been compromised. Both are delivered as RAR archives containing batch scripts that launch the loaders.

In the AppDomain hijacking chain the attackers deploy MonikerLoader, a .NET loader that decrypts a second-stage payload and runs it directly in memory. The technique works by pointing a legitimate .NET executable's AppDomainManager configuration at an attacker-supplied assembly, so the loader runs under a trusted process name. This stage ultimately loads the Cobalt Strike beacon, giving the operators remote control while leaving few artifacts on disk.

The second chain uses BamboLoader, a heavily obfuscated C++ loader registered as a Windows service. BamboLoader decrypts shellcode stored on disk and injects it into legitimate system processes such as taskhost.exe, so the beacon executes inside what looks like ordinary system activity.

Both approaches help the malware blend into the normal operating environment, making detection significantly more difficult.
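To make the AppDomain hijacking chain concrete, here is an added example that is not code from the article or from the campaign's tooling: it inspects .NET application configuration files (`<name>.exe.config`) for an AppDomainManager override, which is the configuration hook this technique relies on, and checks a process environment for the equivalent environment-variable form. The two config documents are constructed for illustration, and the assembly name UpdateHelper in the malicious one is hypothetical.

```python
"""Flag .NET application configs that redirect the AppDomainManager.

AppDomain hijacking (AppDomainManager injection) places an attacker-controlled
<appDomainManagerAssembly>/<appDomainManagerType> pair in the <runtime> section
of a legitimate program's .exe.config, so the signed .NET executable loads the
attacker's assembly at startup. Both sample configs below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed benign config: only a binding redirect, no AppDomainManager override.
BENIGN_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" />
        <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>"""

# Constructed malicious config; the assembly/type name "UpdateHelper" is hypothetical.
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

# Environment variables that stage the same hijack without touching the config file.
ENV_HIJACK_VARS = {"APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE"}


def inspect_dotnet_config(xml_text):
    """Return findings for one app.config / exe.config document."""
    root = ET.fromstring(xml_text)
    findings = {"appdomain_manager": None, "suspicious": False}
    runtime = root.find("runtime")
    if runtime is None:
        return findings
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None or typ is not None:
        # A legitimate app almost never ships an AppDomainManager override; treat any as suspicious.
        findings["appdomain_manager"] = {
            "assembly": asm.get("value") if asm is not None else None,
            "type": typ.get("value") if typ is not None else None,
        }
        findings["suspicious"] = True
    return findings


def scan_configs(configs):
    """configs: iterable of (path, xml_text). Returns the paths whose runtime section overrides the AppDomainManager."""
    return [path for path, text in configs if inspect_dotnet_config(text)["suspicious"]]


def env_hijack_indicators(env):
    """Return the AppDomainManager-related variables present in a process environment (dict of name -> value)."""
    return sorted(name for name in env if name.upper() in ENV_HIJACK_VARS)


if __name__ == "__main__":
    print(scan_configs([("App.exe.config", BENIGN_CONFIG), ("Tool.exe.config", HIJACK_CONFIG)]))
    print(inspect_dotnet_config(HIJACK_CONFIG))
    print(env_hijack_indicators({"PATH": "C:\\Windows", "APPDOMAIN_MANAGER_ASM": "UpdateHelper"}))
```

In a hunt, feed `scan_configs` the `*.exe.config` files next to every .NET executable in user-writable locations, and pair it with process telemetry that records the environment block, since the variable form leaves no file on disk.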


Phase 3 — LNK Phishing Chain and Payload Execution


The third infection chain revolves around malicious LNK attachments distributed through phishing campaigns.

When opened, the shortcut executes a command via cmd.exe that launches PowerShell, triggering the extraction of several embedded components. These components include:

  • A decoy document presented to the victim

  • A legitimate executable vulnerable to DLL side-loading (GameHook.exe)

  • A malicious DLL loader (graphics-hook-filter64.dll)

  • An encrypted Cobalt Strike payload stored as simhei.dat

The legitimate executable is abused to sideload the malicious DLL, which decrypts the payload and ultimately launches the Cobalt Strike beacon.

While the victim believes they are viewing a harmless document, the system is quietly compromised in the background.
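The shortcut stage above is easy to triage offline once the LNK's string data is parsed. The following is an added example, not code from the article: a minimal reader for the Shell Link (MS-SHLLINK) header and StringData sections that recovers the target path and command-line arguments, then scores the shortcut for the cmd.exe-to-PowerShell pattern described above. The sample shortcut bytes are constructed with `build_lnk()` and the command line inside them is illustrative, not recovered from the campaign.

```python
"""Parse Windows shortcut (.lnk) string data and flag phishing-style command chains.

Minimal MS-SHLLINK reader: header, optional LinkTargetIDList and LinkInfo are
skipped, then NAME/RELATIVE_PATH/WORKING_DIR/ARGUMENTS/ICON strings are read.
The shortcuts used below are constructed in this file, not real samples.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

# Heuristics applied to target path + arguments; two or more hits mark the shortcut suspicious.
SUSPICIOUS = [
    (r"\bcmd(\.exe)?\b", "launches cmd.exe"),
    (r"powershell|pwsh", "invokes PowerShell"),
    (r"-(w|windowstyle)\s+hidden|-nop\b|-noni\b|-ep\s+bypass|-exec\w*\s+bypass", "hidden/restriction-bypass flags"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "base64-encoded command"),
    (r"\b(iex|invoke-expression|downloadstring|frombase64string|expand-archive)\b", "download/decode/extract primitive"),
    (r"\.(docx?|pdf|xlsx?)\b", "decoy document path referenced"),
]


def parse_lnk(data):
    """Return the StringData fields of a Shell Link as a dict."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_ID_LIST:  # IDListSize (u16) followed by the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    fields = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
            off += 2
            fields[key] = data[off:off + count * width].decode(enc)
            off += count * width
    return fields


def triage_lnk(data):
    """Parse and score a shortcut; verdict is 'suspicious' when at least two heuristics fire."""
    fields = parse_lnk(data)
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmdline, re.IGNORECASE)]
    return {"fields": fields, "reasons": reasons, "verdict": "suspicious" if len(reasons) >= 2 else "benign"}


def build_lnk(name, rel_path, working_dir, arguments):
    """Construct a Unicode shortcut with only StringData (no IDList/LinkInfo) for testing the parser."""
    flags = HAS_NAME | HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)
    body = b""
    for s in (name, rel_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample: looks like a report, actually chains cmd.exe -> hidden PowerShell -> archive extraction.
SAMPLE_PHISH = build_lnk(
    "Quarterly Report.pdf",
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    "%TEMP%",
    '/c powershell -w hidden -ep bypass -c "Expand-Archive -Path $env:TEMP\\a.zip -DestinationPath $env:TEMP; Start-Process $env:TEMP\\Report.pdf"',
)
# Constructed sample: an ordinary shortcut to Notepad.
SAMPLE_BENIGN = build_lnk("Notepad", "..\\..\\..\\Windows\\System32\\notepad.exe", "C:\\Users\\user", "C:\\Users\\user\\notes.txt")

if __name__ == "__main__":
    for label, blob in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage_lnk(blob)["verdict"], triage_lnk(blob)["reasons"])
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips by size; the same heuristics then run on whatever path and arguments survive, which is where the cmd.exe/PowerShell chain has to live.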


Phase 4 — Post-Exploitation Tooling


Once persistence is established, Silver Dragon deploys a suite of post-exploitation tools that enable surveillance and remote control across compromised systems.

One of these tools is SilverScreen, a .NET-based monitoring utility that periodically captures screenshots of user activity, including precise mouse cursor positioning. This allows attackers to observe victim behavior and track sensitive activity in real time.

Another tool, SSHcmd, provides remote command execution and file transfer capabilities over SSH, allowing operators to interact directly with the compromised host.

A third implant known as GearDoor functions as a backdoor that communicates with its command infrastructure via Google Drive. The backdoor authenticates to attacker-controlled Drive accounts and uploads a small heartbeat file containing system information, signaling that the compromised machine is active.


Phase 5 — Google Drive as Command-and-Control Infrastructure


A distinctive element of this campaign is the use of Google Drive as a command-and-control (C2) channel.

Instead of relying on conventional malware infrastructure such as dedicated C2 servers, the GearDoor backdoor communicates through files stored in an attacker-controlled Google Drive account.

Different file extensions indicate the type of task to perform:

  • .png files serve as heartbeat signals sent by infected hosts

  • .pdf files contain commands such as directory enumeration or command execution

  • .cab files instruct the malware to gather host information or execute scheduled tasks

  • .rar files deliver payloads or updates

  • .7z files deliver plugins executed directly in memory

Once a command is executed, the results are uploaded back to the Drive account in disguised formats such as .db or .bak files.

This approach allows the attackers to blend malicious communications with legitimate cloud traffic, making detection more challenging for defenders.
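Because the C2 traffic terminates at Google's own API endpoints, a domain blocklist is useless here and the workable signal is behavioural. The script below is an added example, not part of the original article: it groups Google Drive API requests by host and process, skips browsers and the Drive sync client, and flags processes that upload small files at a steady cadence, which is what a heartbeat file every few minutes looks like from the network side. The log lines are constructed, the field layout (timestamp, host, process, method, URL, bytes) is an assumed generic proxy/EDR export rather than any product's real format, and the process name `updater.exe` is hypothetical.

```python
"""Spot periodic, low-volume Google Drive API traffic from non-browser processes.

Cloud C2 blends into legitimate traffic by destination, so this looks at cadence
(jitter of inter-request gaps) and payload size per (host, process) instead.
Log lines and process names below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed log: "<ts> <host> <process> <method> <url> <bytes_sent>"
LOG = """\
2025-11-03T08:00:02Z ws-17 chrome.exe GET https://www.googleapis.com/drive/v3/files?q=trashed%3Dfalse 0
2025-11-03T08:00:05Z ws-17 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 914
2025-11-03T08:05:04Z ws-17 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 921
2025-11-03T08:11:40Z ws-17 chrome.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 48211990
2025-11-03T08:10:06Z ws-17 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 903
2025-11-03T08:15:05Z ws-17 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 917
2025-11-03T08:20:04Z ws-17 updater.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 909
2025-11-03T08:25:05Z ws-17 updater.exe GET https://www.googleapis.com/drive/v3/files?q=name+contains+%27.pdf%27 0
2025-11-03T08:33:12Z ws-17 chrome.exe GET https://www.googleapis.com/drive/v3/files/1abc/export 0
2025-11-03T09:00:00Z ws-22 backup.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 3000221
2025-11-03T09:03:10Z ws-22 backup.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 7710045
2025-11-03T09:20:45Z ws-22 backup.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 1200334
2025-11-03T09:22:02Z ws-22 backup.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 998123
2025-11-03T09:41:03Z ws-22 GoogleDriveFS.exe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 880110
"""

DRIVE_HOSTS = ("googleapis.com", "drive.google.com")
# Processes expected to talk to Drive; tune to the environment's approved clients.
KNOWN_DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, host, proc, method, url, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "proc": proc,
            "method": method, "domain": urlparse(url).hostname or "", "bytes": int(nbytes),
        })
    return events


def find_drive_beacons(events, min_events=4, max_cv=0.2, max_upload_bytes=4096):
    """Return alerts for (host, process) pairs beaconing to Drive with low jitter and small uploads."""
    groups = defaultdict(list)
    for e in events:
        if e["domain"].endswith(DRIVE_HOSTS):
            groups[(e["host"], e["proc"])].append(e)
    alerts = []
    for (host, proc), evs in groups.items():
        if proc.lower() in KNOWN_DRIVE_CLIENTS or len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # coefficient of variation: 0 = perfectly periodic
        uploads = [e["bytes"] for e in evs if e["method"] == "POST"]
        if cv <= max_cv and uploads and max(uploads) <= max_upload_bytes:
            alerts.append({"host": host, "process": proc, "events": len(evs), "period_s": round(avg),
                           "jitter_cv": round(cv, 3), "max_upload_bytes": max(uploads)})
    return alerts


if __name__ == "__main__":
    for alert in find_drive_beacons(parse_log(LOG)):
        print(alert)
```

The unknown `backup.exe` on ws-22 is not flagged: its gaps are irregular and its uploads are megabytes, which is what a real backup looks like. Pair this network-side view with the Drive audit log on the Workspace side, where an unfamiliar account receiving `.png` heartbeats and `.db`/`.bak` results from a government host stands out on its own.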


Measures to Fend Off the Attack


Organizations—particularly government institutions—can significantly reduce the risk posed by campaigns like Silver Dragon by adopting layered defensive strategies:

  • Patch public-facing servers promptly and monitor them continuously for known vulnerabilities

  • Deploy email filtering that blocks or sandboxes Windows shortcut (LNK) attachments and other phishing lures

  • Alert on suspicious scripting chains, in particular cmd.exe spawning PowerShell from a user-launched shortcut

  • Detect DLL side-loading (a legitimate executable loading an unsigned DLL from its own directory) and abnormal loader behaviour

  • Hunt for indicators and behaviours associated with Cobalt Strike beacons

  • Inspect outbound traffic to cloud services that can be abused as covert C2, including Google Drive, especially from processes that are not browsers or sync clients

  • Monitor system processes such as taskhost.exe for injection activity

  • Deploy behavioural EDR/XDR capable of detecting in-memory payload execution


The Silver Dragon campaign illustrates how modern APT operations increasingly combine traditional exploitation techniques with stealthy cloud-based command infrastructure.

By leveraging Google Drive as a covert communication channel, deploying custom loaders, and maintaining persistence with Cobalt Strike, the threat actors demonstrate a flexible and well-resourced operational model.


The campaign’s overlaps with known APT41 tradecraft suggest continued evolution within China-linked cyber-espionage ecosystems, where threat groups regularly adapt their tooling to evade detection while expanding their geographic targeting.

For defenders, the lesson is clear: modern intrusion detection must move beyond signature-based methods and focus on behavioral monitoring, cloud traffic analysis, and rapid vulnerability remediation to counter increasingly sophisticated state-aligned operations.



The Hacker News



