
Silver Dragon threat group targets government entities in Southeast Asia and Europe

Researchers have identified Silver Dragon, a threat group linked to APT41, conducting cyber-espionage operations against government organizations in Southeast Asia and Europe. By utilizing phishing campaigns and vulnerable public-facing servers, the group gains initial access before hijacking legitimate system services to establish long-term persistence.

Triage Security Media Team

Security researchers at Check Point Software have identified a threat group, tracked as Silver Dragon, conducting cyber-espionage operations. Operating since at least mid-2024, the group primarily focuses on government entities in Southeast Asia and Europe. Silver Dragon, which researchers link to the advanced persistent threat (APT) group APT41, uses a combination of phishing campaigns and public-facing server vulnerabilities to gain unauthorized access to networks. Once inside, the group hijacks legitimate system services for command-and-control (C2) and persistence, allowing its activities to blend into normal system behavior.

According to Check Point's published analysis, the group continually updates its methodologies: "Throughout our analysis, we observed that the group continuously evolves its tooling and techniques, actively testing and deploying new capabilities across different campaigns. The use of diverse vulnerability exploits, custom loaders, and sophisticated file-based C2 communication reflects a well-resourced and adaptable threat group."

Three infection chains for initial access

Silver Dragon relies on three primary infection chains to establish an initial foothold. The first two, AppDomain hijacking and Service DLL hijacking, share operational similarities: both rely on the delivery of a RAR archive containing an installation batch script, which indicates a shared delivery mechanism. Researchers note these chains are often deployed following the compromise of publicly exposed, vulnerable servers, suggesting their use in post-compromise scenarios.

The third access strategy involves a phishing campaign delivering a maliciously crafted LNK file. Researchers linked this tactic to Silver Dragon based on the use of similar loaders, collectively tracked as "BamboLoader." In one observed campaign, the threat actors sent phishing emails to government entities in Uzbekistan, impersonating official correspondence to deploy the LNK files.

After gaining access, the group uses Service DLL hijacking to hide unauthorized code within legitimate Windows services. This technique is designed to achieve long-term persistence while evading standard endpoint detection software.

Custom tools and infrastructure

To maintain early access to compromised hosts, Silver Dragon deploys Cobalt Strike beacons, followed by a DNS tunneling tool for C2 communication that helps bypass network-level detection.

Recent operations have also introduced a custom backdoor named GearDoor. This tool uses Google Drive as its C2 channel, allowing the group to communicate covertly over a trusted cloud service. The group maintains two additional custom utilities: SSHcmd, a command-line tool that enables remote access and lateral movement within a network, and SilverScreen, a surveillance program designed to capture periodic screenshots of user activity to monitor sensitive data.

Connections to APT41

Check Point correlated Silver Dragon with APT41 based on strong tradecraft similarities, particularly in their use of BamboLoader and post-compromise installation scripts.

APT41 (also known as Double Dragon, Barium, Winnti, Wicked Spider, and Wicked Panda) has been active since at least 2012. Known primarily for state-sponsored espionage, the group occasionally engages in financially motivated activity. In a high-profile incident last year, APT41 operators impersonated a US lawmaker during critical US-China trade engagements to gather intelligence.

Recommendations for defense

While Silver Dragon appears focused on strategic espionage rather than financial gain, its ability to hide within legitimate system resources makes detection challenging. To defend against these operations, we recommend that organizations, especially those in the public sector, prioritize patching internet-facing systems to close known vulnerabilities. Security teams should also monitor for unauthorized modifications to Windows service configurations and review their environments for the indicators of compromise (IoCs) detailed in Check Point's report.
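Service DLL hijacking, as described above, works by repointing a legitimate svchost-hosted service's ServiceDll registry value at attacker-controlled code, so auditing that value is one concrete way to act on the recommendation to monitor service configurations. The following PowerShell audit is an added example, not code from Check Point's report or from this article; it assumes an elevated session on a Windows host and treats Microsoft-signed DLLs under System32 or SysWOW64 as the expected baseline.

```powershell
# Added example (not from Check Point's report): audit svchost-hosted Windows services
# and report which DLL each one loads. Service DLL hijacking repoints a legitimate
# service's ServiceDll value at attacker code, so the path and signature of that DLL
# are the configuration details worth baselining and monitoring. Run elevated.

$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # Only services hosted by svchost.exe carry a Parameters\ServiceDll value.
    $params = Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $params) { continue }

    # Expand %SystemRoot%-style variables so the path can be checked on disk.
    $dll     = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $reasons = @()

    $inTrustedDir = $false
    foreach ($root in $trustedRoots) {
        if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
    }
    if (-not $inTrustedDir) { $reasons += 'ServiceDll outside System32/SysWOW64' }

    if (Test-Path -LiteralPath $dll) {
        # Catalog-signed OS binaries may report NotSigned on older Windows builds,
        # so treat any non-Valid status as something to review, not as a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status: $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
        }
    } else {
        $reasons += 'ServiceDll path does not exist on disk'
    }

    [PSCustomObject]@{
        Service    = $svc.PSChildName
        ServiceDll = $dll
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

# Print only the entries that deviate from the baseline; export $findings to compare
# against a known-good snapshot of the same host over time.
$findings | Where-Object Suspicious | Format-Table Service, ServiceDll, Reason -AutoSize
```

Legitimate third-party services can also live outside System32, so the output is a review list to reconcile against a known-good baseline rather than a list of compromised services.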