Government entities in Southeast Asia and Europe: Chinese hackers hide malware within Windows and Google Drive to hit government targets

Silver Dragon: Chinese APT41-Linked Group Abuses Google Cloud and Windows Services for Espionage

A Chinese state-backed threat group, Silver Dragon, has been conducting cyber-espionage campaigns since at least mid-2024, targeting government entities across Southeast Asia and Europe, including Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia. Linked to the notorious APT41, the group employs sophisticated tactics to evade detection, leveraging legitimate services to conceal its operations.

The campaign begins with phishing emails impersonating official communications or exploits of internet-exposed systems, allowing attackers to infiltrate networks and deploy additional tools. Central to their strategy is GearDoor, a custom backdoor that uses Google Drive as a command-and-control (C2) infrastructure. Infected machines create dedicated Google Cloud folders to exchange heartbeat data and commands disguised as ordinary files, with stolen intelligence exfiltrated through the same channel.
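Because the C2 channel described above consists of ordinary-looking Google Drive API requests, a defender's best signal is usually timing rather than content: an implant polling a folder for commands tends to produce requests at a far more regular cadence than a human using Drive. The following is an added example (not code from Check Point Research, TechRadar or the GearDoor malware itself) that scans constructed proxy log lines for hosts making regular, beacon-like requests to the Drive API. The log layout (timestamp, client IP, URL) and the sample entries are assumptions for the example, and the thresholds are starting points to tune, not published indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <client IP> <URL>".
# 10.0.0.7 polls the Drive files endpoint roughly every 300 s (beacon-like);
# 10.0.0.12 shows irregular, human-style Drive usage.
SAMPLE_PROXY_LOG = """\
2025-03-01T08:00:00 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:01:00 10.0.0.12 https://www.googleapis.com/drive/v3/files
2025-03-01T08:01:07 10.0.0.12 https://www.googleapis.com/drive/v3/files/abc123?alt=media
2025-03-01T08:02:30 10.0.0.7 https://www.google.com/search?q=weather
2025-03-01T08:03:40 10.0.0.12 https://www.googleapis.com/drive/v3/files
2025-03-01T08:05:01 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:09:59 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:15:00 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:20:02 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:24:58 10.0.0.7 https://www.googleapis.com/drive/v3/files?q=name+contains+%27hb%27
2025-03-01T08:45:10 10.0.0.12 https://www.googleapis.com/drive/v3/files
2025-03-01T09:30:00 10.0.0.12 https://www.googleapis.com/drive/v3/files/def456?alt=media
"""

# Only requests to the Drive API are considered; other Google traffic is ignored.
DRIVE_API_MARKER = "googleapis.com/drive/"


def parse_proxy_log(log_text):
    """Return {client_ip: [datetime, ...]} for Drive API requests only."""
    requests_by_host = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        ts, src, url = parts
        if DRIVE_API_MARKER in url:
            requests_by_host[src].append(datetime.fromisoformat(ts))
    return requests_by_host


def find_drive_beacons(log_text, min_requests=5, max_cv=0.10):
    """Flag hosts whose Drive API request intervals are suspiciously regular.

    A host is reported when it made at least `min_requests` Drive API calls and
    the coefficient of variation (stdev / mean) of the gaps between calls is
    below `max_cv`. Returns a list of findings sorted by client IP.
    """
    findings = []
    for host, times in parse_proxy_log(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv < max_cv:
            findings.append({
                "host": host,
                "requests": len(times),
                "mean_interval_s": round(mean_gap, 1),
                "interval_cv": round(cv, 4),
            })
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for finding in find_drive_beacons(SAMPLE_PROXY_LOG):
        print("possible Drive beacon:", finding)
```

In a real deployment the same function runs over hourly proxy exports, with the host column replaced by an authenticated user or device identifier; hits should be triaged against the process that issued the requests (a browser or an approved sync client is expected, an unknown binary is not) and against the Drive accounts involved, since the page notes that each infected machine uses its own dedicated folder.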

Silver Dragon further obscures its presence by hijacking legitimate Windows services, such as Windows Update, Bluetooth, and .NET Framework utilities, stopping and recreating them to load malicious code under trusted names. This tactic blends malicious activity with routine system noise, extending dwell time in large, complex environments.
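Stopping a built-in service and recreating it under the same name leaves a recognisable trace in the Windows System log: a service state change (Event ID 7036) followed shortly by a "new service installed" event (Event ID 7045) for a name that should never need installing, often with a binary path outside the Windows directory. The following is an added detection example (not code from Check Point Research or the TechRadar article) that applies that logic to constructed, simplified event records. The field names, the sample events and the watchlist of service names are assumptions for the example; the Event IDs are the standard Windows ones.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified layout (not the real EVTX schema).
# id 7036 = service state change, id 7045 = new service installed.
# wuauserv = Windows Update, bthserv = Bluetooth Support Service.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:00:01", "id": 7036, "service": "wuauserv", "state": "stopped"},
    {"ts": "2025-03-01T08:00:05", "id": 7045, "service": "wuauserv",
     "image": r"C:\Users\Public\svchost.exe -k netsvcs"},
    {"ts": "2025-03-01T09:15:00", "id": 7036, "service": "Spooler", "state": "running"},
    {"ts": "2025-03-01T10:00:00", "id": 7045, "service": "VendorAgent",
     "image": r"C:\Program Files\Vendor\agent.exe"},
    {"ts": "2025-03-01T11:00:00", "id": 7036, "service": "bthserv", "state": "stopped"},
    {"ts": "2025-03-01T11:00:03", "id": 7045, "service": "bthserv",
     "image": r"C:\Windows\System32\svchost.exe -k LocalService"},
]

# Built-in service names whose (re)installation on a running system is unexpected.
# Extend this watchlist from a clean baseline of the fleet's standard image.
TRUSTED_SERVICE_NAMES = {"wuauserv", "bthserv", "Spooler", "BITS"}

# Binaries of built-in services are expected to live under the Windows directory.
EXPECTED_IMAGE_PATH = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\", re.IGNORECASE)


def find_service_hijacks(events, stop_window_s=60):
    """Flag 7045 events that look like a trusted service being recreated.

    Each finding lists the reasons that fired; more reasons means higher
    confidence. Events are processed in timestamp order.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    last_stop = {}  # service name -> time of its most recent "stopped" event
    findings = []
    for ev in ordered:
        when = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 7036 and ev.get("state") == "stopped":
            last_stop[ev["service"]] = when
            continue
        if ev["id"] != 7045 or ev["service"] not in TRUSTED_SERVICE_NAMES:
            continue
        reasons = ["built-in service name reinstalled"]
        if not EXPECTED_IMAGE_PATH.match(ev.get("image", "")):
            reasons.append("image path outside the Windows directory")
        stopped_at = last_stop.get(ev["service"])
        if stopped_at and when - stopped_at <= timedelta(seconds=stop_window_s):
            reasons.append("service stopped shortly before reinstall")
        findings.append({"ts": ev["ts"], "service": ev["service"],
                         "image": ev.get("image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_service_hijacks(SAMPLE_EVENTS):
        print(f["ts"], f["service"], "->", "; ".join(f["reasons"]))
```

The rule deliberately does not flag the third-party service installed under a new name, which is routine software deployment; the signal the page describes is a trusted name reappearing, and that is where the detection stays focused.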

Post-exploitation, the group deploys tools like SSHcmd (for remote command execution and file transfers) and Cobalt Strike, a penetration testing framework frequently abused by threat actors. By embedding within trusted cloud services and enterprise systems, Silver Dragon reduces visibility for traditional defenses, complicating detection and response.

Researchers at Check Point Research (CPR) highlight the shift toward abusing legitimate infrastructure, noting that state-aligned actors increasingly exploit cloud platforms and core OS components to maintain persistence. The approach underscores the evolving challenge of identifying subtle, service-based threats in modern cyber-espionage operations.

Source: https://www.techradar.com/pro/security/chinese-hackers-hide-malware-within-windows-and-google-drive-to-hit-government-targets

GOVERNMENT OF MALAYSIA cybersecurity rating report: https://www.rankiteo.com/company/government-of-malaysia

"id": "GOV1776817481",
"linkid": "government-of-malaysia",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Government',
                        'location': ['Southeast Asia',
                                     'Europe',
                                     'Russia',
                                     'Poland',
                                     'Hungary',
                                     'Italy',
                                     'Japan',
                                     'Myanmar',
                                     'Malaysia'],
                        'type': 'Government Entities'}],
 'attack_vector': ['Phishing Emails',
                   'Exploitation of Internet-Exposed Systems'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Stolen intelligence'},
 'date_detected': '2024-06-01',
 'description': 'A Chinese state-backed threat group, Silver Dragon, has been '
                'conducting cyber-espionage campaigns since at least mid-2024, '
                'targeting government entities across Southeast Asia and '
                'Europe. The group, linked to APT41, uses phishing emails and '
                'exploits of internet-exposed systems to deploy the GearDoor '
                'backdoor, which leverages Google Drive for '
                'command-and-control (C2) operations. The group also hijacks '
                'legitimate Windows services to load malicious code, evading '
                'detection and maintaining persistence.',
 'impact': {'data_compromised': 'Stolen intelligence'},
 'lessons_learned': 'State-aligned actors increasingly exploit legitimate '
                    'cloud platforms and core OS components to evade '
                    'detection, highlighting the need for enhanced monitoring '
                    'of trusted services.',
 'motivation': 'State-Sponsored Espionage',
 'post_incident_analysis': {'root_causes': 'Abuse of legitimate services '
                                           '(Google Drive, Windows services) '
                                           'for C2 and persistence, phishing, '
                                           'and exploitation of '
                                           'internet-exposed systems.'},
 'references': [{'source': 'Check Point Research (CPR)'}],
 'threat_actor': 'Silver Dragon (APT41-linked)',
 'title': 'Silver Dragon: Chinese APT41-Linked Group Abuses Google Cloud and '
          'Windows Services for Espionage',
 'type': 'Cyber Espionage'}