Cybersecurity researchers have recently uncovered a cyber-espionage campaign carried out by a threat group known as Silver Dragon. Security analysts believe this group has connections to the Chinese-aligned hacking collective APT41. The campaign has mainly targeted government organizations across Europe and Southeast Asia. Reports suggest that the activity has been ongoing since mid-2024 and focuses on intelligence gathering.

Researchers found that the attackers use several techniques to infiltrate government networks, and their analysis identified a number of tools and malware families used in the campaign. Initial access relies on phishing emails, exploitation of vulnerable servers, and custom malware. Once inside, the attackers work to maintain long-term access to the victim’s systems.
In many cases, the attack begins with the exploitation of internet-facing servers. The attackers scan for systems that contain known security vulnerabilities. When a vulnerable server is found, they exploit it to gain initial access. After entering the network, they move deeper into internal systems to expand their control.
Another common method used in this campaign is targeted phishing. Victims receive emails that appear legitimate but carry malicious attachments. When the attachment is opened, hidden scripts silently install malware on the system, while a harmless decoy document may be displayed so that the victim sees nothing unusual.
One campaign highlighted by researchers targeted government organizations in Uzbekistan. In this case, the attackers used weaponized Windows shortcut (.lnk) files. When opened by the victim, these shortcuts triggered malicious PowerShell commands, allowing the attackers to begin executing their payload without the user realizing it.
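Shortcut lures of this kind can be triaged statically: the .lnk file stores its target path and command-line arguments in fixed fields, so a parser can read out what PowerShell would be invoked with and whether the window is set to start minimized. The following is an added example, not code from the original report; it parses the Shell Link header and StringData fields as described in Microsoft's MS-SHLLINK specification, and the sample shortcuts it scores are constructed in memory (the lure uses a payload placeholder, not a real command).

```python
"""Static triage of Windows shortcut (.lnk) files for PowerShell lures.

Added example, not code from the original report. Parses the Shell Link
(MS-SHLLINK) header and StringData fields, then scores the shortcut's
effective command line for options typical of lures: a hidden or minimized
window, a bypassed execution policy, an encoded command, a download cradle.
The sample shortcuts are built in memory and are constructed fixtures.
"""
import re
import struct
from dataclasses import dataclass

# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones needed to walk the file.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the window minimized
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# (pattern, reason): the first entry is the gate, the others add weight.
SUSPICIOUS_PATTERNS = [
    (r"powershell(\.exe)?|\bpwsh\b", "launches PowerShell"),
    (r"-(w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(ep|exec|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"-(nop|noprofile)\b", "profile suppressed"),
    (r"\biex\b|invoke-expression|downloadstring|invoke-webrequest", "download/eval cradle"),
]


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(buf, off, unicode):
    """Read one StringData field: CountCharacters (u16) followed by the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf: bytes) -> LnkInfo:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", buf, 0x3C)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: u16 size + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: u32 total size
        off += struct.unpack_from("<I", buf, off)[0]
    info = LnkInfo(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            value, off = _read_string(buf, off, unicode)
            setattr(info, attr, value)
    return info


def triage_lnk(buf: bytes) -> dict:
    """Score one shortcut; 'suspicious' needs PowerShell plus at least one lure trait."""
    info = parse_lnk(buf)
    cmd = f"{info.relative_path} {info.arguments}".strip()
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, cmd, re.IGNORECASE)]
    if info.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized (SW_SHOWMINNOACTIVE)")
    suspicious = reasons[:1] == ["launches PowerShell"] and len(reasons) >= 2
    return {"command_line": cmd, "reasons": reasons, "suspicious": suspicious}


def build_lnk(target: str, arguments: str, working_dir: str = "", show_command: int = 1) -> bytes:
    """Serialize a minimal Unicode shortcut (no IDList/LinkInfo) as a test fixture."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_WORKING_DIR if working_dir else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text):  # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(target) + (s(working_dir) if working_dir else b"") + s(arguments)


def constructed_samples() -> dict:
    """Constructed fixtures, not artifacts from the campaign."""
    lure = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "<payload placeholder>"',
        working_dir=r"C:\Windows\System32", show_command=SW_SHOWMINNOACTIVE)
    benign = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe",
                       r"C:\Users\analyst\notes.txt")
    return {"invoice.pdf.lnk": lure, "notes.lnk": benign}


def triage_all(samples: dict) -> dict:
    return {name: triage_lnk(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(constructed_samples()).items():
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["reasons"])
```

A real shortcut may also carry an EnvironmentVariableDataBlock in the ExtraData section that overrides the visible target, so a production parser should read ExtraData as well; the scoring above is a starting point for mail-gateway or sandbox triage, not a complete detection.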
After gaining access, the attackers deploy several tools to control the compromised systems. One of the main tools used is Cobalt Strike, which allows attackers to run commands remotely. It also enables them to move across the network and install additional payloads. This helps the attackers maintain persistence within the compromised environment.
Researchers also discovered custom tools used during the attacks. A backdoor called GearDoor is used to communicate with infected machines. Another tool named SilverScreen captures screenshots of the victim’s activity. The attackers also use SSHcmd, which allows remote command execution and file transfers through SSH.
A unique feature of the campaign is the use of Google Drive as a command-and-control channel. The GearDoor malware communicates with attacker-controlled Google Drive accounts. Different file types are used to exchange commands and data between the attackers and infected systems. By using a trusted cloud service, the attackers are able to hide their activity within normal network traffic.
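Because the destination itself is legitimate, blocking or alerting on the Google Drive hostnames is not an option; what can be hunted for is the shape of the traffic, for example a host polling the Drive API at a near-constant interval from a client that is not a browser. The following is an added example, not code from the original report; it assumes a simplified pipe-separated proxy log format (timestamp|source|destination|method|user agent) that is constructed here, and the user agents and hostnames in the sample are likewise constructed rather than indicators from the campaign.

```python
"""Beacon hunting in proxy logs for C2 that hides behind a trusted cloud service.

Added example, not code from the original report. Assumes a simplified
pipe-separated proxy log (timestamp|source host|destination host|method|user agent),
a constructed format, and flags sources that contact Google Drive / Drive API hosts
at near-constant intervals with a user agent that is not a browser.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "oauth2.googleapis.com"}
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")

# Constructed sample log. ws-042 polls the Drive API about once a minute from a
# non-browser client; ws-017 is interactive browser use; ws-101 is a non-browser
# client with irregular timing (e.g. a backup agent), which should not be flagged.
CONSTRUCTED_LOG = """\
2024-09-03T09:00:00Z|ws-017|drive.google.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/127.0 Safari/537.36
2024-09-03T09:00:00Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:00:00Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:00:03Z|ws-017|www.googleapis.com|POST|Mozilla/5.0 (Windows NT 10.0) Chrome/127.0 Safari/537.36
2024-09-03T09:00:04Z|ws-017|www.googleapis.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/127.0 Safari/537.36
2024-09-03T09:00:07Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:00:09Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:01:01Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:02:00Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:03:02Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:04:01Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:05:00Z|ws-042|www.googleapis.com|GET|WinHTTP-Client/1.0 (constructed)
2024-09-03T09:05:00Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:12:30Z|ws-017|www.googleapis.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/127.0 Safari/537.36
2024-09-03T09:30:00Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:31:00Z|ws-101|www.googleapis.com|POST|BackupAgent/3.2 (constructed)
2024-09-03T09:40:00Z|ws-017|www.googleapis.com|GET|Mozilla/5.0 (Windows NT 10.0) Chrome/127.0 Safari/537.36
"""


def parse_log(text: str) -> list:
    """Return (timestamp, src, dst, method, user_agent) tuples for each non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, ua = line.split("|", 4)
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((stamp, src, dst, method, ua))
    return events


def hunt_beacons(text: str, min_events: int = 5, min_period: float = 10,
                 max_period: float = 3600, max_jitter: float = 0.2) -> list:
    """Flag (src, dst, ua) series to Drive hosts with low-jitter periodic timing.

    jitter = coefficient of variation of the inter-request gaps (stdev / mean);
    human browsing is bursty and scores high, a fixed-sleep poller scores low.
    """
    series = defaultdict(list)
    for stamp, src, dst, _method, ua in parse_log(text):
        if dst in DRIVE_HOSTS:
            series[(src, dst, ua)].append(stamp)
    findings = []
    for (src, dst, ua), stamps in series.items():
        if len(stamps) < min_events or any(m in ua for m in BROWSER_MARKERS):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if min_period <= period <= max_period and jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "user_agent": ua,
                             "events": len(stamps), "period_s": round(period, 1),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in hunt_beacons(CONSTRUCTED_LOG):
        print(f"{f['src']} -> {f['dst']} every ~{f['period_s']}s "
              f"(jitter {f['jitter']}, {f['events']} events) via {f['user_agent']}")
```

The proxy sees only hostnames and the User-Agent header once the session is TLS, so this is a hunting heuristic rather than a signature: the decisive confirmation is host telemetry showing which process opened the connection, and the thresholds (minimum events, period range, jitter cap) should be tuned against the normal Drive usage of the environment before alerting on them.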
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news