APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2  Ravie Lakshmanan  Mar 04, 2026 Malware / Windows Security Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024. "Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments," Check Point said in a technical report. "To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity." Silver Dragon is assessed to be operating within the APT41 umbrella . APT41 is the cryptonym assigned to a prolific Chinese hacking group known for its targeting of healthcare, telecoms, high-tech, education, travel services, and media sectors for cyber espionage as early as 2012. It's also believed to engage in financially motivated activity potentially outside of state control. Attacks mounted by Silver Dragon have been found to primarily single out government entities, with the adversary using Cobalt Strike beacons for persistence on compromised hosts. It's also known to employ techniques like DNS tunneling for command-and-control (C2) communication to bypass detection. Check Point said it identified three different infection chains to deliver Cobalt Strike: AppDomain hijacking , service DLL, and email-based phishing. "The first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap," the cybersecurity company said. "They are both delivered via compressed archives, suggesting their use in post‑exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers." The two chains make use of a RAR archive containing a batch script, with the first chain using it to drop MonikerLoader, a NET-based loader responsible for decrypting and executing a second-stage directly in memory. The second stage, for its part, mimics MonikerLoader's behavior, acting as a conduit for loading the final Cobalt Strike beacon payload. On the other hand, the service DLL chain uses a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is registered as a Windows service. A heavily obfuscated C++ malware, it's used to decrypt and decompress shellcode staged on disk, and inject it into a legitimate Windows process, such as "taskhost.exe." The binary targeted for injection is configurable within BamboLoader. The third infection chain involves a phishing campaign that has primarily targeted Uzbekistan with malicious Windows shortcuts (LNK) as attachments. The weaponized LNK file is designed to launch PowerShell code by means of "cmd.exe," leading to the extraction and execution of next-stage payloads. This includes four different files - Decoy document Legitimate executable vulnerable to DLL side-loading ("GameHook.exe") Malicious DLL aka BamboLoader ("graphics-hook-filter64.dll") Encrypted Cobalt Strike payload ("simhei.dat") As part of this campaign, the decoy document is displayed to the victim, while, in the background, the rogue DLL is sideloaded via "GameHook.exe" to ultimately launch Cobalt Strike. The attacks are also characterized by the deployment of various post-exploitation tools - SilverScreen , a .NET screen-monitoring tool used to capture periodic screenshots of user activity, including precise cursor positioning. SSHcmd , a .NET command-line SSH utility that provides remote command execution and file transfer capabilities over SSH. GearDoor , a NET backdoor that shares similarities with MonikerLoader and communicates with its C2 infrastructure via Google Drive. Once executed, the backdoor authenticates to the attacker-controlled Google Drive account and uploads a heartbeat file containing basic system information. Interestingly, the backdoor utilizes different file extensions to indicate the nature of the task to be performed on the infected host. The results of the task execution are captured and uploaded to Drive. *.png , to send heartbeat files. *.pdf , to receive and execute commands, list the contents of a directory, make a new directory, and remove all files within a specified directory. The results of the operation are sent to the server in the form of a *.db file. *.cab , to receive and execute commands to gather host information and a list of running processes, enumerate files and directories, run commands via "cmd.exe" or scheduled tasks, upload files to Google Drive, and terminate the implant. The execution status is uploaded as a .bak file. *.rar , to receive and execute payloads. If the RAR file is named "wiatrace.bak," the backdoor treats it as a self-update package. The results are uploaded as .bak files. *.7z , to receive and execute plugins in memory. The results are uploaded as .bak files. Silver Dragon's links to APT41 stem from tradecraft overlaps with post-exploitation installation scripts previously attributed to the latter and the fact that the decryption mechanism used by BamboLoader has been observed in shellcode loaders linked to China-nexus APT activity. "The group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns," Check Point said. "The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  APT , Cobalt Strike , cyber espionage , cybersecurity , Malware , Phishing , Threat Intelligence , windows security Trending News Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies ⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware and More ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit and 15+ Stories Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem How Exposed Endpoints Increase Risk Across LLM Infrastructure Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research