China-Linked “Silver Dragon” Cyber Espionage Campaign Targets Government Organizations in Southeast Asia and Europe

A threat cluster referred to as Silver Dragon has been identified conducting cyber-espionage campaigns against government and public-sector organizations across Southeast Asia and parts of Europe. The activity has been observed since at least mid-2024 and shows strong operational similarities to the well-known APT41 ecosystem, suggesting a likely affiliation with Chinese state-aligned cyber operations.

The campaign demonstrates a combination of server exploitation, spear-phishing, custom malware deployment, and covert command-and-control infrastructure. These operations emphasize stealth, persistence, and long-term intelligence collection rather than immediate disruption.

Victim organizations are primarily government ministries and public-sector entities, particularly in Southeast Asia, with additional cases observed in several European countries.


Operational Objectives

The observed tradecraft indicates that Silver Dragon’s campaigns are primarily cyber-espionage operations. The attackers focus on gaining persistent access to target networks in order to monitor user activity and extract sensitive information over extended periods.

Unlike financially motivated threat actors, Silver Dragon emphasizes:

  • Long-term persistence within victim networks
  • Covert data collection and exfiltration
  • Use of legitimate infrastructure and services to evade detection

This approach aligns with historical patterns associated with state-sponsored intelligence gathering campaigns.


Initial Access Techniques

Silver Dragon relies on two primary entry vectors to compromise targeted networks.

1. Exploitation of Public-Facing Servers

Attackers actively scan and exploit vulnerabilities in internet-exposed services. Once a server is compromised, it becomes an entry point for further lateral movement within the organization’s internal network.

2. Spear-Phishing Campaigns

Targeted phishing emails are used to deliver malicious attachments. These attachments frequently masquerade as official documents related to government communications.

In several campaigns, weaponized files were sent to government officials, including malicious LNK attachments that trigger the execution of embedded loaders while presenting a decoy document to the victim.


Infection Chains

Researchers identified three primary infection chains used by the group. Despite differences in delivery methods, each chain ultimately results in the deployment of Cobalt Strike beacons as the primary payload.

AppDomain Hijacking

This technique involves placing malicious configuration files alongside legitimate Windows binaries. When the legitimate executable runs, the malicious configuration triggers the loading of attacker-controlled components.
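The report does not name the configuration setting involved; the scanner below is an added illustration (not code from the report) that assumes the common .NET variant, where an `<app>.exe.config` placed beside a binary names an `appDomainManagerAssembly`/`appDomainManagerType` under `<runtime>`. The config texts and paths are constructed.

```python
"""Scan .NET application config files for an AppDomainManager redirect (added
illustration, not code from the report, which does not name the setting; this
assumes the common variant in which <runtime> of <app>.exe.config names an
appDomainManagerAssembly/appDomainManagerType that the CLR loads at startup).
Inputs are constructed strings standing in for files next to legitimate binaries."""
import xml.etree.ElementTree as ET

def appdomain_manager(config_xml):
    """Return (assembly, type) named under <runtime>, or None if absent."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)

def scan(configs):
    """configs: {config_path: xml_text}. Returns {config_path: reason} for hits."""
    hits = {}
    for path, xml in configs.items():
        try:
            redirect = appdomain_manager(xml)
        except ET.ParseError as err:
            hits[path] = f"unparseable config: {err}"  # worth a look by itself
            continue
        if redirect:
            asm, typ = redirect
            hits[path] = f"AppDomainManager redirect: assembly={asm!r} type={typ!r}"
    return hits

SAMPLE_CONFIGS = {  # constructed
    "C:\\Tools\\legit.exe.config": """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>""",
    "C:\\Tools\\other.exe.config": """<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>""",
}
```

A hit is not proof of compromise on its own; compare the named assembly against what is actually on disk beside the executable and who wrote it.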

Service DLL Hijacking

Attackers register a malicious DLL as a Windows service using names that mimic legitimate system services, such as:

  • Windows Update components
  • Bluetooth service utilities
  • .NET-related system services

This approach enables persistence while blending malicious activity with normal system processes.

Phishing-Driven LNK Execution

The third chain relies on malicious shortcut files delivered through phishing emails. Once executed, these files initiate the loading of additional payloads that eventually deploy the Cobalt Strike framework.


Payload Deployment and Post-Exploitation

After gaining an initial foothold, Silver Dragon deploys Cobalt Strike beacons to establish command-and-control communication with attacker infrastructure. These beacons enable remote control, lateral movement, and further payload deployment.

To avoid detection, command traffic may be tunneled through DNS-based channels, which allows attackers to bypass traditional network monitoring that focuses primarily on HTTP or HTTPS traffic.


Custom Malware and Tooling

In addition to widely used frameworks like Cobalt Strike, Silver Dragon uses several custom post-exploitation tools.

GearDoor Backdoor

One of the most notable components of the campaign is GearDoor, a custom .NET backdoor that uses Google Drive as its command-and-control infrastructure.

Instead of communicating with suspicious external servers, compromised systems interact with a dedicated Google Drive account. Commands and results are exchanged through file uploads and downloads, allowing malicious traffic to blend with legitimate cloud storage activity.

GearDoor uses specific file extensions to determine task execution:

  • .cab – command execution
  • .pdf – directory operations
  • .rar – payload deployment or updates
  • .7z – execution of .NET plugins

After completing tasks, results are uploaded back to the cloud using .bak files as confirmation markers.
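As an added detection example (not code from the report or from GearDoor), the following Python walks constructed web-proxy log lines and flags a host that downloads one of the task-file extensions above from Google Drive and uploads a .bak marker shortly afterwards. The log format and the assumption that the proxy records file names in the URL are this example's own.

```python
"""Hunt for GearDoor-style tasking patterns in web-proxy logs (added illustration,
not code from the report or the malware). Log lines are constructed, in the form
"<iso-timestamp> <host> <method> <url>", and assume the proxy records the file
name in the URL. Heuristic: a host downloads a task file (.cab/.pdf/.rar/.7z)
from Google Drive and uploads a .bak result marker within a short window."""
import re
from datetime import datetime, timedelta
from os.path import splitext
from urllib.parse import urlparse

TASK_EXTS = {".cab": "command", ".pdf": "directory op", ".rar": "payload", ".7z": ".NET plugin"}
DRIVE_HOSTS = {"drive.google.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH) (\S+)$")

def parse(line):
    """Return (timestamp, host, method, file extension) for Google Drive requests."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    u = urlparse(url)
    if u.hostname not in DRIVE_HOSTS:
        return None
    return datetime.fromisoformat(ts), host, method, splitext(u.path)[1].lower()

def find_tasking(lines, window=timedelta(minutes=30)):
    """Map host -> task types, one per task download followed by a .bak upload."""
    per_host = {}
    for rec in filter(None, map(parse, lines)):
        per_host.setdefault(rec[1], []).append(rec)
    hits = {}
    for host, recs in per_host.items():
        recs.sort()  # chronological per host
        for i, (ts, _, method, ext) in enumerate(recs):
            if method != "GET" or ext not in TASK_EXTS:
                continue
            for ts2, _, method2, ext2 in recs[i + 1:]:
                if ts2 - ts > window:
                    break
                if method2 != "GET" and ext2 == ".bak":
                    hits.setdefault(host, []).append(TASK_EXTS[ext])
                    break
    return hits

SAMPLE_LOG = """\
2025-03-01T09:00:00 WS-0413 GET https://drive.google.com/files/task_0001.cab
2025-03-01T09:00:04 WS-0413 POST https://drive.google.com/upload/task_0001.bak
2025-03-01T09:05:00 WS-0413 GET https://drive.google.com/files/listing.pdf
2025-03-01T09:05:02 WS-0413 POST https://drive.google.com/upload/listing.bak
2025-03-01T09:30:00 WS-0207 GET https://drive.google.com/files/budget.pdf
2025-03-01T11:00:00 WS-0207 POST https://drive.google.com/upload/notes.docx
"""
```

A normal user fetching a PDF from Drive (WS-0207 above) is not flagged; it is the download-then-.bak-upload pairing from one host that distinguishes the tasking loop.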


SilverScreen

SilverScreen is a surveillance utility designed to capture periodic screenshots of active user sessions. The tool uses change detection to minimize disk usage while providing attackers with continuous visibility into user activity.


SSHcmd

SSHcmd is a lightweight SSH wrapper utility that enables remote command execution and file transfers over secure shell sessions. The tool allows attackers to maintain interactive access to compromised hosts without requiring traditional login sessions.


Persistence Mechanisms

A distinctive feature of Silver Dragon’s operations is its method of persistence. Instead of creating obviously malicious services, the attackers hijack existing Windows services and replace their functionality with malicious components.

By reusing legitimate service names, the malware processes blend into normal system operations, making detection significantly more difficult for defenders monitoring large enterprise environments.
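One check a defender can run over a service inventory, covering both the look-alike service names described under Service DLL Hijacking and the hijacked-service persistence described here (added example, not code from the report): it flags a svchost-hosted ServiceDll that lives outside the Windows system directories, and a service name that closely resembles a real one without being it. The row format, the short list of legitimate service names and the trusted-directory rule are this example's own assumptions.

```python
r"""Hunt for hijacked or look-alike Windows services (added illustration, not
code from the report). Rows are constructed, shaped like an export of
HKLM\SYSTEM\CurrentControlSet\Services: "name|display|ImagePath|ServiceDll".
Checks follow the report's description: a service DLL loaded from outside the
Windows system directories, and a service name resembling a legitimate one."""
import difflib
import ntpath

# Real Windows service names in the families the report says are mimicked
# (Windows Update, Bluetooth, .NET). Illustrative, not exhaustive.
KNOWN_SERVICES = ["bthavctpsvc", "bthserv", "clr_optimization_v4.0.30319_32",
                  "clr_optimization_v4.0.30319_64", "wuauserv"]
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def hunt(rows):
    """Return {service_name: [finding, ...]} for rows that look suspicious."""
    report = {}
    for row in rows:
        name, _display, image, dll = [f.strip() for f in row.split("|")]
        findings = []
        if dll and "svchost.exe" in image.lower():
            path = ntpath.normpath(dll.lower().replace("%systemroot%", "c:\\windows"))
            if not path.startswith(TRUSTED_DIRS):
                findings.append(f"ServiceDll outside Windows system dirs: {dll}")
        lname = name.lower()
        if lname not in KNOWN_SERVICES:
            close = difflib.get_close_matches(lname, KNOWN_SERVICES, n=1, cutoff=0.8)
            if close:
                findings.append(f"service name resembles legitimate '{close[0]}'")
        if findings:
            report[name] = findings
    return report

SAMPLE_ROWS = [  # constructed
    "wuauserv|Windows Update|%SystemRoot%\\system32\\svchost.exe -k netsvcs|%SystemRoot%\\system32\\wuaueng.dll",
    "wuauserv2|Windows Update Helper|%SystemRoot%\\system32\\svchost.exe -k netsvcs|C:\\ProgramData\\WUpdate\\wuaueng.dll",
    "bthsrv|Bluetooth Support Service|%SystemRoot%\\system32\\svchost.exe -k LocalService|C:\\Windows\\System32\\bthserv.dll",
    "Spooler|Print Spooler|%SystemRoot%\\System32\\spoolsv.exe|",
]

if __name__ == "__main__":
    for svc, why in hunt(SAMPLE_ROWS).items():
        print(svc, why)
```

The path check alone misses a malicious DLL dropped into System32 under a legitimate-looking name (the third row), so pair it with file-signature and hash baselines of the DLLs themselves.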


Indicators of APT41 Affiliation

Multiple indicators suggest that Silver Dragon operates within the APT41 ecosystem. These include:

  • Similar malware installation scripts
  • Overlapping loader techniques and decryption routines
  • Comparable Cobalt Strike configurations
  • Compilation timestamps consistent with China Standard Time (UTC+8)

Together, these factors strongly support attribution to a Chinese-aligned threat actor.


Conclusion

Silver Dragon represents a sophisticated espionage-oriented threat actor leveraging a blend of traditional penetration techniques and custom malware to achieve long-term access within high-value targets.

Key characteristics of the campaign include:

  • Exploitation of internet-facing infrastructure
  • Targeted spear-phishing operations
  • Deployment of Cobalt Strike and custom loaders
  • Persistence through hijacked Windows services
  • Cloud-based command-and-control using Google Drive

The combination of stealthy persistence, cloud-based C2 infrastructure, and modular tooling demonstrates a mature intrusion framework designed for sustained intelligence collection. As a result, organizations in targeted regions—particularly government institutions—should strengthen monitoring of service modifications, DNS anomalies, and suspicious interactions with cloud storage platforms.