A sophisticated China-linked threat group, identified as Silver Dragon, has been actively targeting government and high-profile organizations across Southeast Asia and Europe since at least mid-2024. Operating under the broader umbrella of APT41, this group employs a multi-pronged approach to infiltrate networks, leveraging vulnerabilities in public-facing servers and sophisticated phishing tactics. Their objective is to exfiltrate sensitive data, conduct surveillance, and maintain persistent, covert access.
Silver Dragon’s modus operandi involves a meticulously planned sequence of actions. Initial compromises often stem from exploiting internet-facing servers or tricking individuals into opening malicious attachments. Upon gaining a foothold, the group rapidly deploys Cobalt Strike beacons to seize control of infected machines. Command and control (C2) communications are then established through DNS tunneling, effectively masking malicious instructions within seemingly legitimate network traffic, making early detection a significant challenge for cybersecurity defenders.
GearDoor: Google Drive as a Hidden Command Channel
A landmark tool in Silver Dragon’s arsenal is GearDoor, a .NET backdoor that utilizes Google Drive for its command and control (C2) infrastructure. This innovative approach bypasses the need for dedicated attacker servers, which are often flagged by security solutions. By routing communications through an established cloud service like Google Drive, Silver Dragon effectively camouflages its malicious traffic as ordinary cloud storage activity. Once successfully deployed on a victim’s system, GearDoor creates a unique folder within Google Drive for each infected machine, named using a SHA-256 hash of the machine’s hostname. This organizational method aids the attackers in managing their compromised assets.
GearDoor’s operational mechanism relies entirely on file uploads and downloads within the designated Google Drive folders. The file extension dictates the malware’s actions: a .cab file delivers commands for execution, a .pdf file is used for directory-related tasks, a .rar file deploys new payloads or triggers self-updates, and a .7z file executes in-memory .NET plugins. After completing each task, the malware deletes the input file and uploads a result file, typically with a .bak extension, to confirm that the command ran.
Furthermore, the malware periodically uploads a “heartbeat” file, identified by the .png extension. This file contains crucial information about the infected machine, including its hostname, username, IP address, and operating system version, providing attackers with real-time status updates on active systems. All data exchanged via Google Drive is secured through encryption using the DES algorithm. The encryption key is derived from the initial eight characters of an MD5 hash of a hardcoded string within the malware. The evolving command set employed by GearDoor, with modifications and additions appearing across different versions, indicates that the Silver Dragon group is engaged in continuous testing and development of its capabilities.
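The folder-naming, key-derivation and extension-based command scheme described above can be turned into a triage helper for Drive activity logs. The following is an added example written for this page, not code from Check Point Research or from GearDoor itself; it assumes the hostname is hashed as UTF-8 and the folder name is the lowercase hex digest, the hardcoded key string is a placeholder (the real one is not given here), and the log line format is constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Extension-to-role mapping as described for GearDoor's Drive-based C2.
GEARDOOR_ROLES = {
    ".cab": "command", ".pdf": "directory-task", ".rar": "payload/update",
    ".7z": "net-plugin", ".bak": "result", ".png": "heartbeat",
}

def expected_folder_name(hostname: str) -> str:
    """Per-victim folder: SHA-256 of the hostname (assumed UTF-8, lowercase hex)."""
    return hashlib.sha256(hostname.encode("utf-8")).hexdigest()

def derive_des_key(hardcoded: str) -> bytes:
    """DES key = first eight characters of the MD5 hex digest of the hardcoded
    string. The real string is not on this page; pass the one recovered from a sample."""
    return hashlib.md5(hardcoded.encode("utf-8")).hexdigest()[:8].encode("ascii")

def classify(filename: str) -> str:
    """Map a Drive file name to its GearDoor protocol role by extension."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return GEARDOOR_ROLES.get(ext, "unknown")

# Constructed Drive activity lines: "<actor> <action> <folder>/<file>" (assumed format).
HOST_A, HOST_B = "WS-FINANCE-07", "SRV-MAIL-02"   # constructed hostnames
SAMPLE_LOG = "\n".join([
    f"svc-user upload {expected_folder_name(HOST_A)}/status.png",   # heartbeat
    f"svc-user download {expected_folder_name(HOST_A)}/task1.cab",  # command fetched
    f"svc-user delete {expected_folder_name(HOST_A)}/task1.cab",    # input removed
    f"svc-user upload {expected_folder_name(HOST_A)}/task1.bak",    # result posted
    f"svc-user upload {expected_folder_name(HOST_B)}/status.png",
    "alice upload 0123abcd/quarterly-report.pdf",                   # benign noise
])
LINE_RE = re.compile(r"^(?P<actor>\S+)\s+(?P<action>upload|download|delete)\s+"
                     r"(?P<folder>[0-9a-f]{64})/(?P<file>\S+)$")

def triage(log_text: str, known_hostnames):
    """Return {hostname: sorted roles seen} for folders matching SHA-256(hostname)."""
    lookup = {expected_folder_name(h): h for h in known_hostnames}
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["folder"] not in lookup:
            continue
        findings[lookup[m["folder"]]].add(classify(m["file"]))
    return {h: sorted(r) for h, r in findings.items()}
```

Feed it the hostnames from your asset inventory and any Drive audit export whose lines you have normalized to the assumed format; a host showing heartbeat plus command and result roles has completed a full GearDoor tasking cycle.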
Check Point Research has identified three distinct infection chains employed by Silver Dragon, all culminating in the deployment of Cobalt Strike as the final payload. One prevalent method involves AppDomain hijacking, where a malicious configuration file is placed alongside a legitimate Windows binary. This ensures that the malicious code executes automatically every time the legitimate binary is launched. This technique, also referred to as DLL hijacking or binary planting, is a well-known method for gaining initial execution.
Another technique

