Silver Dragon APT41-Linked Group Targets Governments with Cobalt Strike and Google Drive C2
Summary
The Silver Dragon APT group, linked to APT41, has been targeting government entities in Europe and Southeast Asia since mid-2024. The group exploits public-facing servers and uses phishing emails with malicious attachments for initial access. They maintain persistence by hijacking legitimate Windows services and use Cobalt Strike beacons, DNS tunneling, and Google Drive for command-and-control (C2) communication. The group employs multiple infection chains, including AppDomain hijacking, service DLL, and email-based phishing, to deliver Cobalt Strike payloads. The group's activities include the use of custom tools like SilverScreen for screen monitoring, SSHcmd for remote command execution, and GearDoor for backdoor communication via Google Drive. The backdoor uses various file extensions to indicate different tasks and communicates with an attacker-controlled Google Drive account.
Timeline
- 04.03.2026 10:14 (1 article)
Silver Dragon APT41-Linked Group Targets Governments with Cobalt Strike and Google Drive C2
- APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
Information Snippets
- Silver Dragon exploits public-facing internet servers and delivers phishing emails with malicious attachments for initial access.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- The group hijacks legitimate Windows services to maintain persistence and blend malware processes into normal system activity.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- Silver Dragon uses Cobalt Strike beacons for persistence and DNS tunneling for C2 communication.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- Three infection chains identified: AppDomain hijacking, service DLL, and email-based phishing.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- AppDomain hijacking and service DLL chains are delivered via compressed archives and show operational overlap.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- The phishing campaign targets Uzbekistan with malicious Windows shortcuts (LNK) as attachments.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- The group uses custom tools like SilverScreen, SSHcmd, and GearDoor for post-exploitation activities.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- GearDoor backdoor communicates with C2 infrastructure via Google Drive using different file extensions for various tasks.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14
- Silver Dragon's links to APT41 include tradecraft overlaps and decryption mechanisms observed in China-nexus APT activity.
  First reported: 04.03.2026 10:14 (1 source, 1 article)
  - APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2 — thehackernews.com — 04.03.2026 10:14