New Silver Dragon APT Group Linked to Global Cyber Attacks


Silver Dragon Hackers Target Governments and Organizations in Global Cyber Espionage Campaign

Cybersecurity researchers have uncovered a sophisticated hacking group known as Silver Dragon, which has been carrying out cyber-espionage operations against organizations in Europe and Southeast Asia since at least mid-2024.

According to a recent technical analysis by security researchers, the attackers rely on a mix of server exploits and phishing campaigns to gain entry into targeted systems. Once inside a network, they deploy stealthy malware designed to blend into normal Windows processes, making detection significantly more difficult.


Initial Access Through Server Exploits and Phishing Emails

Investigators say Silver Dragon typically begins its attacks by targeting public-facing internet servers that contain security vulnerabilities. In other cases, the attackers use phishing emails with malicious attachments to trick victims into launching the infection chain.

After gaining access, the group maintains control over compromised systems by taking over legitimate Windows services. This tactic allows malicious processes to operate quietly in the background without raising immediate alarms.


Possible Connection to Chinese APT41

Security analysts believe Silver Dragon may be connected to APT41, a well-known Chinese cyber-espionage group that has been active for more than a decade.

APT41 has previously been associated with attacks against multiple industries including:

  • healthcare
  • telecommunications
  • technology companies
  • educational institutions
  • media organizations
  • travel services

While the group has historically conducted espionage operations linked to national interests, it has also been observed engaging in financially motivated cybercrime activities.


Attack Campaigns Focused on Government Targets

Most of the recent Silver Dragon operations appear to focus on government institutions, where attackers deploy Cobalt Strike beacons to maintain long-term access inside compromised networks.

To communicate with their command servers, the attackers use DNS tunneling, a technique that hides malicious traffic within normal DNS requests. This helps the attackers avoid detection by traditional network security tools.
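A defender's counterpart to the technique just described is to look for the statistical footprint DNS tunneling leaves in resolver logs: many distinct, long, random-looking subdomains under one registered domain, often carried in TXT or NULL records. The following is an added example, not code from the report or from any of the researchers it cites; the log format (`client qtype qname`), the sample lines, the thresholds and the naive "last two labels" registered-domain split are all constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical "<client> <qtype> <qname>" format).
# The last six lines imitate a tunnel: long, high-entropy labels under one domain.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 AAAA cdn.example.net
10.0.0.9 TXT 3fa9c1e2b7d04a8e5c6f1b2d9e0a7c4f.t1.example-tunnel.test
10.0.0.9 TXT 8b2e6d1f0c9a7e3b4d5f6a1c2e9b0d7a.t1.example-tunnel.test
10.0.0.9 TXT a1c2e3b4d5f60718293a4b5c6d7e8f90.t1.example-tunnel.test
10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t1.example-tunnel.test
10.0.0.9 TXT 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.t1.example-tunnel.test
10.0.0.9 TXT c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5.t1.example-tunnel.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data in a label scores close to the maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive split into (subdomain, registered_domain): the last two labels are treated as
    the registered domain. A production detector should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Parse the constructed log format; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        records.append((client, qtype.upper(), qname))
    return records


def domain_stats(records):
    """Aggregate per registered domain: volume, subdomain diversity, label length and entropy."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len_sum": 0,
                               "ent_sum": 0.0, "txt_null": 0})
    for _client, qtype, qname in records:
        sub, dom = split_name(qname)
        st = acc[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["len_sum"] += len(sub)
        st["ent_sum"] += shannon_entropy(sub)
        if qtype in ("TXT", "NULL"):  # record types that carry arbitrary payload bytes
            st["txt_null"] += 1
    out = {}
    for dom, st in acc.items():
        n = st["queries"]
        out[dom] = {
            "queries": n,
            "unique_subdomains": len(st["subs"]),
            "avg_subdomain_len": st["len_sum"] / n,
            "avg_entropy": st["ent_sum"] / n,
            "txt_null_ratio": st["txt_null"] / n,  # reported to the analyst, not thresholded
        }
    return out


def flag_tunnel_candidates(text: str, min_queries=5, min_avg_len=30.0, min_entropy=3.5):
    """Return registered domains whose query pattern looks like a tunnel (assumed thresholds)."""
    flagged = []
    for dom, s in domain_stats(parse_dns_log(text)).items():
        if (s["queries"] >= min_queries
                and s["unique_subdomains"] >= min_queries
                and s["avg_subdomain_len"] >= min_avg_len
                and s["avg_entropy"] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, s in domain_stats(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(dom, s)
    print("candidates:", flag_tunnel_candidates(SAMPLE_DNS_LOG))
```

The thresholds are deliberately conservative so that CDN and mail hostnames (short, low-entropy subdomains) do not trip the detector; legitimate high-volume services such as anti-spam lookups also use long encoded labels, so a candidate list like this is a triage queue for an analyst, not an automatic block list.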


Three Different Infection Techniques Identified

Researchers discovered that Silver Dragon uses three main infection methods to deliver its malware payloads.

1. AppDomain Hijacking

This method begins with a compressed archive containing a script that launches a malware loader known as MonikerLoader, a .NET-based tool.

MonikerLoader decrypts and runs additional malware directly in memory, eventually loading a Cobalt Strike payload used for remote access.


2. Malicious Windows Service DLL

Another attack technique involves a custom loader known as BamboLoader, which is installed as a Windows service.

This heavily obfuscated malware decrypts hidden shellcode stored on disk and injects it into legitimate Windows processes such as taskhost.exe. By running inside trusted processes, the malware can operate without raising suspicion.


3. Phishing Campaign With Weaponized Shortcuts

The third infection chain uses phishing emails containing malicious Windows shortcut (LNK) files.

These attachments trigger hidden PowerShell commands that download and run additional components, including:

  • A fake document used as a decoy
  • A legitimate program vulnerable to DLL side-loading
  • A malicious DLL containing BamboLoader
  • An encrypted Cobalt Strike payload

While the victim views the decoy document, the malicious components are executed quietly in the background.


Additional Malware Tools Used by Silver Dragon

The attackers also deploy several custom tools after gaining access to a system.

These tools include:

SilverScreen
A monitoring tool that captures screenshots of user activity and records mouse movements.

SSHcmd
A command-line utility that allows attackers to execute commands and transfer files through SSH connections.

GearDoor
A backdoor program that communicates with its command server using Google Drive as a covert communication channel.


Google Drive Used as Command-and-Control Channel

One unusual feature of the attack is the use of Google Drive for command-and-control communication.

The GearDoor backdoor connects to an attacker-controlled Google Drive account and uploads a small file containing system information from the infected computer.

The attackers then send commands to the infected machine by uploading specially formatted files to the same Drive account.

Different file extensions are used to indicate different commands, including:

  • .png files for system heartbeat messages
  • .pdf files for executing commands and managing files
  • .cab files for gathering system information and process data
  • .rar files for delivering malware payloads
  • .7z files for loading additional plugins

After the commands are executed, the results are uploaded back to the cloud storage service.
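Because the backdoor must poll the Drive account to pick up new command files, and sends periodic heartbeats, its traffic to an otherwise legitimate cloud service shows a regularity that human browsing does not. An added example of that check follows; it is not code from the report or from the researchers, and the proxy log format (`timestamp client host path`), the sample lines, the Drive API host name and the jitter threshold are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample web-proxy log (hypothetical "<iso-timestamp> <client> <host> <path>").
# Client 10.0.0.9 hits the Drive API almost exactly every five minutes; 10.0.0.5 is a person.
SAMPLE_PROXY_LOG = """\
2025-03-01T09:00:00 10.0.0.9 www.googleapis.com /upload/drive/v3/files
2025-03-01T09:00:10 10.0.0.5 www.googleapis.com /drive/v3/files
2025-03-01T09:00:22 10.0.0.5 www.googleapis.com /drive/v3/files
2025-03-01T09:05:00 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:07:02 10.0.0.5 www.googleapis.com /drive/v3/files
2025-03-01T09:07:37 10.0.0.5 www.googleapis.com /drive/v3/files
2025-03-01T09:10:01 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:15:00 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:20:00 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:25:02 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:30:00 10.0.0.9 www.googleapis.com /drive/v3/files
2025-03-01T09:37:37 10.0.0.5 www.googleapis.com /drive/v3/files
2025-03-01T09:38:37 10.0.0.5 www.googleapis.com /drive/v3/files
"""


def parse_proxy_log(text: str):
    """Yield (timestamp, client, host) tuples; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, _path = parts
        try:
            records.append((datetime.fromisoformat(ts), client, host))
        except ValueError:
            continue
    return records


def interval_profiles(records):
    """Per (client, host): the sorted inter-request gaps in seconds."""
    times = defaultdict(list)
    for ts, client, host in records:
        times[(client, host)].append(ts)
    profiles = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        profiles[key] = gaps
    return profiles


def beacon_candidates(text: str, min_requests=6, max_cv=0.1):
    """Flag (client, host) pairs whose request timing is machine-regular.

    The coefficient of variation (std / mean) of the gaps is near zero for a fixed
    sleep interval and large for human activity. Thresholds are assumed, not from the report.
    Returns a list of (client, host, mean_gap_seconds, cv)."""
    flagged = []
    for (client, host), gaps in interval_profiles(parse_proxy_log(text)).items():
        if len(gaps) + 1 < min_requests:
            continue
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((client, host, mean, cv))
    return sorted(flagged)


if __name__ == "__main__":
    for client, host, mean, cv in beacon_candidates(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: every {mean:.0f}s (cv={cv:.3f})")
```

Real beacons often add randomised sleep jitter, which raises the coefficient of variation, so in practice this check is paired with a volume baseline (a workstation that never used the Drive API before suddenly calling it all day) and with the file-type pattern described above, where a single account receives uploads of small `.png`, `.cab` or `.pdf` objects on a fixed cadence.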


A Highly Adaptable Threat Group

Security researchers say Silver Dragon continues to update its tools and attack techniques across different campaigns.

The group’s use of custom malware loaders, multiple infection chains, and cloud-based command channels suggests a well-funded and technically skilled operation capable of adapting to evolving security defenses.

Because of the overlap in techniques and malware components, experts believe the group's tooling resembles that previously used by China-linked cyber-espionage operations.