- Chinese state-owned group Silver Dragon targets governments
- Attackers abuse Google Cloud and Windows services for stealth
- GearDoor Custom Backdoor Enables Covert Data Exfiltration
Chinese state-sponsored threat actors have been seen abusing legitimate Windows and Google Cloud services to cover their tracks while spying on their targets across Southeast Asia and Europe.
A new report from Check Point Research (CPR) reveals how a group called Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary and Italy, but also Japan, Myanmar and Malaysia.
Silver Dragon appears to be part of APT41, an infamous state-sponsored actor that primarily engages in cyber espionage.
Taking advantage of regular “noise”
Attacks typically begin with a phishing email posing as official communication and carrying weaponized documents or links. Alternatively, the group compromises Internet-exposed servers and moves from there into internal networks to deploy additional tools.
At the center of the campaign is a custom backdoor called GearDoor that, instead of dedicated attacker-controlled servers, uses Google Drive as its command and control (C2) infrastructure. Each infected machine creates a folder in a dedicated Google account, uploads periodic heartbeat data, and retrieves operator commands disguised as ordinary files.
Stolen data is exfiltrated to that same Drive location.
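The heartbeat behaviour described above is one of the few things a defender can see from the network side, since Google Drive itself is legitimate. The following is an added example (not code from the CPR report or from TechRadar) that runs over constructed proxy log lines and flags sources whose requests to the Drive API arrive at a near-constant interval. The host name in DRIVE_HOSTS, the log line format and the sample values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Host the Google Drive API is reached through; an assumption for this example.
# Substitute the hosts you actually observe in your own proxy telemetry.
DRIVE_HOSTS = {"www.googleapis.com"}

# Constructed sample proxy log lines (not taken from the report):
# "<ISO timestamp> <source IP> <destination host> <bytes sent>"
# 10.1.2.15 polls every ~5 minutes with a small, stable payload (heartbeat-like);
# 10.1.2.40 looks like a person using Drive: irregular gaps, varying sizes.
SAMPLE_PROXY_LOG = """\
2024-09-03T08:00:00Z 10.1.2.15 www.googleapis.com 1420
2024-09-03T08:01:00Z 10.1.2.15 www.techradar.com 980
2024-09-03T08:05:01Z 10.1.2.15 www.googleapis.com 1388
2024-09-03T08:10:00Z 10.1.2.15 www.googleapis.com 1402
2024-09-03T08:15:02Z 10.1.2.15 www.googleapis.com 1395
2024-09-03T08:20:00Z 10.1.2.15 www.googleapis.com 1410
2024-09-03T08:25:01Z 10.1.2.15 www.googleapis.com 1399
2024-09-03T08:02:13Z 10.1.2.40 www.googleapis.com 52311
2024-09-03T08:31:47Z 10.1.2.40 www.googleapis.com 8820
2024-09-03T09:14:05Z 10.1.2.40 www.googleapis.com 610
2024-09-03T10:48:59Z 10.1.2.40 www.googleapis.com 33012
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_proxy_log(text):
    """Yield (timestamp, src_ip, host, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_periodic_beacons(text, hosts=DRIVE_HOSTS, min_events=5, max_cv=0.15):
    """Return {(src_ip, host): stats} for sources whose requests to `hosts` arrive
    at a nearly fixed interval.

    cv is pstdev/mean of the gaps between consecutive requests. Interactive use of
    Drive is bursty (high cv); a heartbeat loop is regular (cv close to zero).
    """
    by_pair = defaultdict(list)
    for ts, src, host, nbytes in parse_proxy_log(text):
        if host in hosts:
            by_pair[(src, host)].append((ts, nbytes))

    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few requests to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {
                "events": len(events),
                "mean_interval": avg,
                "cv": cv,
                "mean_bytes": mean([b for _, b in events]),
            }
    return flagged


if __name__ == "__main__":
    for (src, host), stats in find_periodic_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {host}: {stats['events']} requests, "
              f"every {stats['mean_interval']:.0f}s (cv={stats['cv']:.3f}), "
              f"mean {stats['mean_bytes']:.0f} bytes")
```

Tune `min_events` and `max_cv` to your environment: an implant that adds random jitter raises the cv, so a longer observation window and a looser threshold trade false negatives for false positives. Pairing the timing check with the upload size (a heartbeat is small and stable, a user upload is not) narrows the result further.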
Silver Dragon was also seen hijacking legitimate Windows services, stopping them and recreating them so that malicious code runs under trusted service names. The services abused include Windows Update, Bluetooth and .NET Framework components.
By blending into normal system activity, the attackers can persist longer on a system without being noticed by defenders. CPR says the tactic works extremely well in large environments “where system services generate routine noise.”
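The “routine noise” CPR mentions is exactly why a generic “new service installed” alert is ignored in large estates. A narrower signal is a built-in service name being installed again (Windows does not reinstall its own services during normal operation), especially shortly after that service was stopped or from a path outside the system directories. The following is an added example (not code from the CPR report or from TechRadar) that applies those rules to constructed, simplified Windows System log records in JSON-lines form. The service-name list, the allowed path prefixes, the record shape and all sample values are assumptions for the example.

```python
import json
from datetime import datetime

# Service names of built-in Windows components of the kinds the report says were
# impersonated (Windows Update, Bluetooth, .NET). An assumption for this example;
# build the real list from a golden-image baseline of your own systems.
BUILTIN_SERVICE_NAMES = {"wuauserv", "bthserv", "clr_optimization_v4.0.30319_64"}

# Lower-case path prefixes a built-in service binary is expected to start with.
ALLOWED_PATH_PREFIXES = (
    "c:\\windows\\system32\\",
    "%systemroot%\\system32\\",
    "c:\\windows\\microsoft.net\\",
)

# Constructed sample records (not from the report), simplified from the System log:
# event_id 7036 = service state change, event_id 7045 = new service installed.
SAMPLE_SYSTEM_EVENTS = r"""
{"time": "2024-09-03T10:12:44Z", "event_id": 7036, "service": "wuauserv", "state": "stopped"}
{"time": "2024-09-03T10:12:50Z", "event_id": 7045, "service": "wuauserv", "path": "C:\\ProgramData\\WinUpdate\\wusvc.exe"}
{"time": "2024-09-03T11:05:00Z", "event_id": 7045, "service": "VendorBackupAgent", "path": "C:\\Program Files\\BackupVendor\\agent.exe"}
{"time": "2024-09-03T11:30:10Z", "event_id": 7036, "service": "bthserv", "state": "stopped"}
{"time": "2024-09-03T11:30:15Z", "event_id": 7045, "service": "bthserv", "path": "C:\\Windows\\System32\\svchost.exe -k LocalService"}
"""


def detect_service_recreation(jsonl_text, builtin=BUILTIN_SERVICE_NAMES,
                              allowed=ALLOWED_PATH_PREFIXES, stop_window=600):
    """Return a list of alerts for service installs that look like hijacking.

    Rules, in order of weight:
      1. a 7045 for a built-in service name (it was deleted and recreated);
      2. for such a name, a binary path outside the allowed system directories;
      3. any 7045 within `stop_window` seconds of a 7036 'stopped' for the same name.
    A third-party service installed from Program Files with no preceding stop
    triggers nothing, which keeps the rule quiet in a busy environment.
    """
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    records.sort(key=lambda r: r["ts"])

    last_stop = {}  # lower-cased service name -> time of its last 'stopped' event
    alerts = []
    for r in records:
        name = r["service"].lower()
        if r["event_id"] == 7036 and r.get("state") == "stopped":
            last_stop[name] = r["ts"]
            continue
        if r["event_id"] != 7045:
            continue

        reasons = []
        path = r.get("path", "").lower()
        if name in builtin:
            reasons.append("built-in service name reinstalled")
            if not path.startswith(allowed):
                reasons.append("binary path outside allowed system directories")
        stopped_at = last_stop.get(name)
        if stopped_at is not None:
            delta = (r["ts"] - stopped_at).total_seconds()
            if 0 <= delta <= stop_window:
                reasons.append(f"recreated {delta:.0f}s after being stopped")
        if reasons:
            alerts.append({"time": r["time"], "service": r["service"],
                           "path": r.get("path", ""), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_service_recreation(SAMPLE_SYSTEM_EVENTS):
        print(f"{a['time']} {a['service']} ({a['path']}): " + "; ".join(a["reasons"]))
```

Note the bthserv case: the recreated service points at the genuine svchost.exe, so a path check alone passes it. The reinstall-after-stop sequence is what exposes it, which is why the rules are layered rather than relying on the binary path.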
Hackers also deploy a wide range of post-exploitation tools, such as SSHcmd or Cobalt Strike. The former is a lightweight SSH utility that allows remote command execution and file transfer, while Cobalt Strike is a pentesting tool that is often abused by threat actors.
“Rather than relying solely on customized infrastructure, state-aligned actors are increasingly integrating into legitimate enterprise systems and trusted cloud services. This reduces the visibility of traditional perimeter defenses and extends the dwell time within targeted networks,” CPR concluded.
“For executive leadership, the implication is clear: exposure is no longer limited to obvious malware or suspicious external connections. Risk now includes subtle abuse of legitimate services, cloud platforms, and core operating system components.”
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!