- Chinese state-backed group Silver Dragon targets governments
- Attackers abuse Google Cloud and Windows services for stealth
- Custom backdoor GearDoor enables covert data exfiltration
Chinese state-sponsored threat actors have been seen abusing legitimate Windows and Google Cloud services to cover their tracks while spying on their targets across Southeast Asia and Europe.
A new report from Check Point Research (CPR) reveals how a group called Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary and Italy – but also Japan, Myanmar and Malaysia.
Silver Dragon appears to be part of APT41, a notorious state-sponsored actor mainly engaged in cyber espionage.
Exploitation of ordinary “noise”
The attacks usually start with a phishing email that mimics official communications and carries weaponized documents or links. Alternatively, the group goes after internet-exposed systems, compromises servers and pivots deeper into internal networks to deploy additional tools.
At the heart of the campaign is a custom backdoor called GearDoor, which uses Google Drive as its command-and-control (C2) infrastructure instead of a conventional attacker-operated server. Each infected machine creates a Google Cloud folder on a dedicated account, uploads periodic heartbeat data, and retrieves operator commands disguised as regular files.
All stolen intelligence is exfiltrated to the same location.
Silver Dragon was also seen hijacking legitimate Windows services, stopping and restarting them so that malicious code is loaded under trusted names. These include Windows Update, Bluetooth, and .NET Framework components.
By blending into normal system activity, the attackers persist longer on a host without being noticed by defenders. CPR says the tactic works especially well in large environments “where system services generate routine noise.”
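One way for defenders to hunt for the service hijacking described above is to audit which binary each Windows service actually loads and whether that binary is properly signed. The script below is an added example, not code from the CPR report or from any tool it describes; it assumes an elevated PowerShell session on the host under review.

```powershell
# Added audit script: lists every Windows service with the binary that really runs
# for it (the service EXE, or the ServiceDll for svchost-hosted services) and flags
# entries that are unsigned, missing, or sit under %SystemRoot% without a Microsoft
# signature. Assumes it is run elevated on the host being reviewed.
$windir = $env:SystemRoot

function Get-ServiceBinary {
    param($Service)
    $path = $Service.PathName
    # PathName may be quoted and may carry arguments; pull out the executable only.
    $exe = if ($path -match '^"([^"]+)"') { $Matches[1] }
           elseif ($path -match '^(\S+\.exe)') { $Matches[1] }
           else { $path }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # svchost.exe only hosts the service; the real code lives in ServiceDll.
    if ((Split-Path $exe -Leaf) -ieq 'svchost.exe') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)\Parameters"
        $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            return [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        }
    }
    return $exe
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $binary = Get-ServiceBinary -Service $svc
    if (-not (Test-Path -LiteralPath $binary)) {
        $status = 'MissingFile'; $signer = ''
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $binary
        $status = $sig.Status
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
    $inWindir  = $binary -like "$windir\*"
    $microsoft = $signer -like '*O=Microsoft Corporation*'
    $reason = if ($status -ne 'Valid') { "signature $status" }
              elseif ($inWindir -and -not $microsoft) { 'non-Microsoft binary under SystemRoot' }
              else { $null }
    if ($reason) {
        [pscustomobject]@{
            Name = $svc.Name; DisplayName = $svc.DisplayName; State = $svc.State
            Binary = $binary; Signer = $signer; Reason = $reason
        }
    }
}
$findings | Sort-Object Name | Format-Table -AutoSize
```

Catalog-signed Windows components are reported as Valid, so a service whose hosted DLL shows NotSigned, MissingFile, or a non-Microsoft signer while carrying a Windows-native name is the kind of entry worth escalating.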
The hackers also deploy a wide variety of post-exploitation tools, such as SSHcmd and Cobalt Strike. The former is a lightweight SSH tool that enables remote command execution and file transfer, while Cobalt Strike is a widely used red-team framework that is commonly abused by threat actors.
“Instead of relying solely on custom infrastructure, government actors are increasingly integrating into legitimate enterprise systems and trusted cloud services. This reduces visibility to traditional perimeter defenses and extends dwell time in targeted networks,” CPR concluded.
“For senior executives, the implication is clear: exposure is no longer limited to overt malware or suspicious external connections. The risk now includes subtle misuse of legitimate services, cloud platforms and core operating system components.”