From phishing to Google Drive C2: Silver Dragon expands APT41 playbook


APT group Silver Dragon, linked to APT41, targets governments via server exploits and phishing, using Cobalt Strike and Google Drive for C2.

Check Point researchers have identified Silver Dragon, an APT group tied to the China-linked group APT41, targeting government entities in Europe and Southeast Asia since mid-2024. The group gains initial access by exploiting public-facing servers and sending phishing emails with malicious attachments. It maintains persistence by hijacking legitimate Windows services and uses tools like Cobalt Strike and Google Drive-based command-and-control to evade detection.

The attack chain relies on AppDomain hijacking, malicious service DLL deployment, and weaponized LNK attachments. The group leverages heavily obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory, hijack legitimate Windows services for persistence, and evade detection. Evidence suggests the use of an automated framework to generate tailored attack packages.

“All files contained within the initial archive shared an identical creation timestamp, which strongly suggests the use of an automated payload generation framework,” reads the report published by Check Point. “Supporting this assumption, we recovered a log file from one archive that appears to document per-attack configuration parameters, including file paths, service names, encryption keys, and injected processes.”

Both MonikerLoader and BamboLoader ultimately deploy Cobalt Strike beacons as the final payload, using cracked versions configured for DNS tunneling, HTTP via Cloudflare, or even SMB communication within compromised networks.

Beyond Cobalt Strike, Silver Dragon relies on custom post-exploitation tools. SilverScreen covertly captures screenshots, compresses them, and stores them for later exfiltration. SSHcmd enables remote command execution and file transfer over SSH. GearDoor, a .NET backdoor, uses Google Drive as a command-and-control channel, encrypting communications and managing tasks through specially crafted file extensions. Together, these tools provide persistence, stealthy data exfiltration, lateral movement, plugin execution, and even self-updating capabilities, highlighting an advanced and modular intrusion framework.

Silver Dragon mainly targets high-profile government organizations, focusing largely on Southeast Asia, with additional activity observed in parts of Europe.

“Throughout our analysis, we observed that the group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns,” concludes the report. “The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group.”

Pierluigi Paganini (SecurityAffairs – hacking, APT41)