A Chinese state-affiliated hacking group has carried out a prolonged cyber espionage campaign targeting government organizations in Europe and Southeast Asia since at least mid-2024, according to research from cybersecurity firm Check Point.
Researchers have named the operation Silver Dragon and linked it to APT41, a long-running Chinese hacking collective known for conducting both state-aligned espionage and financially motivated cyber operations. Security analysts say APT41 has targeted sectors including healthcare, telecommunications, high technology, education, travel services, and media.
Investigators found that the attackers gain initial access by exploiting vulnerable public-facing servers and through phishing emails containing malicious attachments. After breaching a network, the group hijacks legitimate Windows services so that malicious processes blend into normal system activity and avoid detection.
Check Point identified three separate infection chains used by the attackers to deploy Cobalt Strike beacons, tools commonly used by threat actors to maintain persistent access inside compromised systems. Two of these chains rely on compressed archive files that launch batch scripts, which in turn trigger malware loaders.
One chain uses a technique called AppDomain hijacking and deploys a .NET-based loader known as MonikerLoader. The loader decrypts and executes a second-stage payload in memory, which then installs the final Cobalt Strike component. Another chain delivers a heavily obfuscated C++ loader called BamboLoader, which runs as a Windows service. The loader decrypts shellcode stored on disk and injects it into legitimate system processes such as taskhost.exe so that the malicious activity appears routine.
A third attack chain involves targeted phishing emails sent primarily to victims in Uzbekistan. The emails include malicious Windows shortcut files. When opened, the file launches PowerShell commands that sideload BamboLoader through a compromised executable while displaying a decoy document to the victim.
Researchers also identified a backdoor known as GearDoor, which communicates with attackers through Google Drive rather than traditional command-and-control infrastructure. Once installed on a system, the malware connects to a Google Drive account controlled by the attackers and uploads a file containing system information. The malware then checks the Drive account for instruction files that trigger tasks such as directory access, system reconnaissance, data exfiltration, or the execution of additional payloads.
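As an added, illustrative example (not code from Check Point's report or from the tools it describes), two detection heuristics for the behaviours described above, run over constructed Sysmon-style records: a service-hosted process injecting into taskhost.exe, and a non-browser process repeatedly contacting Google Drive. The event field layout, process names and allowlists are assumptions chosen for illustration.

```python
"""Constructed, Sysmon-style event records (not telemetry from the report) and two
detections: a service-hosted process injecting into taskhost.exe, and a non-browser
process repeatedly contacting Google Drive. Fields are simplified: ID 8 records carry
the source process's parent, assumed to be joined from its process-creation event."""
from collections import Counter

# Assumed allowlists for illustration; tune to the environment being monitored.
DRIVE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}
INJECTION_TARGETS = {"taskhost.exe", "taskhostw.exe"}
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}

def detect_service_injection(events):
    """Sysmon ID 8 (CreateRemoteThread) into a taskhost process from a source that
    services.exe started: the pattern of a malicious loader running as a service."""
    return sorted(
        e["source"] for e in events
        if e["id"] == 8
        and e["target"].lower() in INJECTION_TARGETS
        and e["source_parent"].lower() == "services.exe"
    )

def detect_drive_polling(events, min_connections=3):
    """Sysmon ID 3 (network connection): processes that are neither browsers nor the
    Drive client yet reach Drive endpoints repeatedly, as a backdoor polling for
    instruction files would."""
    counts = Counter(
        e["image"].lower() for e in events
        if e["id"] == 3
        and e["host"].lower() in DRIVE_HOSTS
        and e["image"].lower() not in DRIVE_CLIENTS
    )
    return sorted(p for p, n in counts.items() if n >= min_connections)

# Constructed sample telemetry: one benign and one suspicious case per detection.
SAMPLE_EVENTS = [
    {"id": 8, "source": "C:\\ProgramData\\upd\\svchelper.exe", "source_parent": "services.exe", "target": "taskhost.exe"},
    {"id": 8, "source": "C:\\Program Files\\Monitor\\agent.exe", "source_parent": "explorer.exe", "target": "taskhost.exe"},
    {"id": 3, "image": "chrome.exe", "host": "drive.google.com"},
    {"id": 3, "image": "chrome.exe", "host": "drive.google.com"},
    {"id": 3, "image": "chrome.exe", "host": "drive.google.com"},
    {"id": 3, "image": "svchelper.exe", "host": "www.googleapis.com"},
    {"id": 3, "image": "svchelper.exe", "host": "www.googleapis.com"},
    {"id": 3, "image": "svchelper.exe", "host": "www.googleapis.com"},
]

def run_detections(events=SAMPLE_EVENTS):
    return {"service_injection": detect_service_injection(events),
            "drive_polling": detect_drive_polling(events)}
```

Both heuristics will need per-environment tuning (Drive-syncing agents, backup tools and EDR sensors can legitimately match either pattern), so treat the hits as triage leads rather than verdicts.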
Other tools used in the campaign include SilverScreen, which captures periodic screenshots of infected machines including cursor movement, and SSHcmd, a utility used to run remote commands and transfer files.
Security researchers linked the activity to APT41 based on overlapping scripts, malware techniques, and encryption methods previously associated with the group. Analysts say the campaign reflects a broader pattern in which advanced threat actors increasingly use trusted cloud services to hide malicious activity inside normal network traffic.
The findings highlight the continuing threat posed by state-backed cyber espionage groups and the growing use of sophisticated malware and cloud-based infrastructure to evade detection inside government and enterprise networks.
