- Chinese group Silver Dragon targets governments
- Attackers abuse Google Cloud and Windows services for stealth purposes
- Custom GearDoor Backdoor Enables Secret Data Exfiltration
Chinese state-sponsored threat actors have been seen abusing legitimate Windows and Google Cloud services to hide their tracks while spying on their targets in Southeast Asia and Europe.
A new report from Check Point Research (CPR) reveals how a group called Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary and Italy, but also in Japan, Myanmar and Malaysia.
Silver Dragon appears to be part of APT41, an infamous state-sponsored actor that primarily engages in cyberespionage.
Taking advantage of routine “noise”
Attacks typically begin with a phishing email that impersonates official communications and carries weaponized documents and links. Alternatively, the group targets Internet-exposed systems, compromising servers and digging deeper into internal networks to deploy additional tools.
At the heart of the campaign is a custom backdoor called GearDoor which, instead of the usual dodgy server, uses Google Drive as its command and control (C2) infrastructure. Each infected machine creates a Google Cloud folder in a dedicated account, uploads periodic heartbeat data, and retrieves operator commands disguised as normal files.
All stolen information is exfiltrated through that same location.
Silver Dragon has also been seen hijacking legitimate Windows services, shutting them down, and recreating them to load malicious code with trustworthy names. These include Windows Update, Bluetooth, and .NET Framework utilities.
By blending in with normal system activity, attackers are able to persist longer on a system, without being detected by defenders. CPR says this tactic works extremely well in large environments “where system services generate routine noise.”
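As an added illustration, not code from the Check Point report, here is a small Python detector run over constructed records shaped like Windows System-log events 7036 (service stopped) and 7045 (new service installed). It flags a newly installed service whose name belongs to a built-in component but whose binary lives outside the Windows directory, and a service reinstalled shortly after one of the same name was stopped. The built-in service names and trusted directories are an assumed baseline, not a list from the report.

```python
"""Flag recreated Windows services that borrow trusted names (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed baseline: a few built-in service names and the directories in
# which their binaries legitimately reside (hypothetical allow-list).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\microsoft.net",
                "%systemroot%\\system32")
BUILTIN_SERVICES = {"wuauserv", "bthserv", "clr_optimization_v4.0.30319_32"}

@dataclass
class Event:
    ts: datetime
    event_id: int          # 7036 = state change, 7045 = new service installed
    service: str
    image_path: str = ""   # only meaningful for 7045
    state: str = ""        # for 7036: "stopped" or "running"

def binary_path(image_path: str) -> str:
    """Return just the executable from an ImagePath, dropping arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]

def find_hijacks(events, window=timedelta(minutes=10)):
    """Return (service, image_path, reasons) for suspicious 7045 events."""
    last_stop = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        name = e.service.lower()
        if e.event_id == 7036 and e.state == "stopped":
            last_stop[name] = e.ts
        elif e.event_id == 7045:
            reasons = []
            exe = binary_path(e.image_path).lower()
            if name in BUILTIN_SERVICES and not exe.startswith(TRUSTED_DIRS):
                reasons.append("built-in service name with untrusted image path")
            if name in last_stop and e.ts - last_stop[name] <= window:
                reasons.append("reinstalled shortly after being stopped")
            if reasons:
                alerts.append((e.service, e.image_path, reasons))
    return alerts

# Constructed sample: the Bluetooth service is stopped, then "reinstalled"
# from ProgramData; the other installs are benign.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, 7036, "bthserv", state="stopped"),
    Event(T0 + timedelta(minutes=2), 7045, "bthserv", r"C:\ProgramData\Intel\bthsvc.exe"),
    Event(T0 + timedelta(minutes=5), 7045, "MyBackupAgent", r"C:\Program Files\Backup\agent.exe"),
    Event(T0 + timedelta(hours=2), 7045, "wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for service, path, reasons in find_hijacks(SAMPLE_EVENTS):
        print(f"ALERT {service}: {path} ({'; '.join(reasons)})")
```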
The attackers also deploy a wide range of post-exploitation tools, such as SSHcmd and Cobalt Strike. The former is a lightweight SSH utility that allows remote command execution and file transfer, while Cobalt Strike is a penetration testing tool commonly abused by malicious actors.
“Rather than relying solely on bespoke infrastructure, state actors are increasingly integrating with legitimate enterprise systems and trusted cloud services. This reduces the visibility of traditional perimeter defenses and extends dwell time within targeted networks,” CPR concluded.
“For executives, the implication is clear: Exposure is no longer limited to obvious malware or suspicious external connections. Risk now includes subtle abuse of legitimate services, cloud platforms, and core operating system components.”