{"id":150,"date":"2026-03-04T09:30:04","date_gmt":"2026-03-04T09:30:04","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=150"},"modified":"2026-03-04T09:30:04","modified_gmt":"2026-03-04T09:30:04","slug":"apt41-linked-silver-dragon-targets-governments-using-cobalt-strike-and-google-drive-c2","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=150","title":{"rendered":"APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 04, 2026<\/span><\/span>Malware \/ Windows Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have disclosed details of an advanced persistent threat (APT) group dubbed Silver Dragon<\/strong> that has been linked to cyber attacks targeting entities in Europe and Southeast Asia since at least mid-2024.<\/p>\n

\u00abSilver Dragon gains its initial access by exploiting public-facing internet servers and by delivering phishing emails that contain malicious attachments,\u00bb Check Point said<\/a> in a technical report. \u00abTo maintain persistence, the group hijacks legitimate Windows services, which allows the malware processes to blend into normal system activity.\u00bb<\/p>\n

Silver Dragon is assessed to be operating within the APT41 umbrella. APT41 is the cryptonym assigned to a prolific Chinese hacking group known for its targeting of healthcare, telecoms, high-tech, education, travel services, and media sectors for cyber espionage as early as 2012. It’s also believed to engage in financially motivated activity potentially outside of state control.<\/p>\n

Attacks mounted by Silver Dragon have been found to primarily single out government entities, with the adversary using Cobalt Strike beacons for persistence on compromised hosts. It’s also known to employ techniques like DNS tunneling for command-and-control (C2) communication to bypass detection.<\/p>\n

Check Point said it identified three different infection chains to deliver Cobalt Strike: AppDomain hijacking<\/a>, service DLL, and email-based phishing.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThe first two infection chains, AppDomain hijacking and Service DLL, show clear operational overlap,\u00bb the cybersecurity company said. \u00abThey are both delivered via compressed archives, suggesting their use in post\u2011exploitation scenarios. In several cases, these chains were deployed following the compromise of publicly exposed vulnerable servers.\u00bb<\/p>\n

The two chains make use of a RAR archive containing a batch script, with the first chain using it to drop MonikerLoader, a NET-based loader responsible for decrypting and executing a second-stage directly in memory. The second stage, for its part, mimics MonikerLoader’s behavior, acting as a conduit for loading the final Cobalt Strike beacon payload.<\/p>\n

<\/p>\n

On the other hand, the service DLL chain uses a batch script to deliver a shellcode DLL loader dubbed BamboLoader, which is registered as a Windows service. A heavily obfuscated C++ malware, it’s used to decrypt and decompress shellcode staged on disk, and inject it into a legitimate Windows process, such as \u00abtaskhost.exe.\u00bb The binary targeted for injection is configurable within BamboLoader.<\/p>\n

\"\"<\/a><\/div>\n

The third infection chain involves a phishing campaign that has primarily targeted Uzbekistan with malicious Windows shortcuts (LNK) as attachments. The weaponized LNK file is designed to launch PowerShell code by means of \u00abcmd.exe,\u00bb leading to the extraction and execution of next-stage payloads. This includes four different files –<\/p>\n