APT41-Linked Silver Dragon Targets Governments with Cobalt Strike and Google Drive C2
Check Point researchers disclose Silver Dragon, a China-linked APT group tied to APT41, targeting government entities across Europe and Southeast Asia using Cobalt Strike beacons, DNS tunneling, and a novel .NET backdoor that communicates through Google Drive.
Check Point Research has disclosed Silver Dragon, an APT group tied to the China-linked APT41 threat actor, targeting government entities in Europe and Southeast Asia since mid-2024. The group uses a sophisticated toolchain that includes Cobalt Strike beacons, DNS tunneling, and a novel .NET backdoor called GearDoor that communicates through Google Drive.
Attack Infrastructure
Silver Dragon's primary command-and-control mechanism abuses Google Drive as a communication channel. The GearDoor backdoor uploads encrypted status reports and command responses to attacker-controlled Google Drive folders, and downloads new commands from the same locations. This technique makes C2 traffic difficult to distinguish from legitimate Google Drive usage — a significant challenge for network security monitoring tools that typically allow Google Drive traffic without inspection.
Post-Exploitation Tools
Once inside a target network, Silver Dragon deploys custom post-exploitation tools including SilverScreen (a screen monitoring tool that captures screenshots at configurable intervals and exfiltrates them through the Google Drive C2 channel) and SSHcmd (a remote command execution tool that creates an SSH tunnel to attacker infrastructure for interactive access). The group also uses DNS tunneling as a backup C2 channel, encoding commands and responses in DNS queries to attacker-controlled domains.
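As an added defender's example (not code from the Check Point report), the heuristic below flags the DNS-tunneling pattern described above in a constructed query log: long, high-entropy leftmost labels with many distinct subdomains under one parent domain, which is what encoding commands and responses into queries produces. The client addresses and domain names are placeholders, not indicators from the report.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log ("client qname"); placeholder names only,
# not indicators from the Check Point report.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.example.com",
    "10.0.0.7 drive.google.com",
    # Long but low-entropy label: a CDN-style hostname, should NOT be flagged.
    "10.0.0.7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.com",
    # Each query carries a fresh encoded chunk under one attacker domain.
    "10.0.0.9 a7f3c9e2b1d4f6a8c0e2b4d6f8a1c3e5.tunnel-placeholder.test",
    "10.0.0.9 9e1d3b5f7a2c4e6a8c0b2d4f6e8a1c3d.tunnel-placeholder.test",
    "10.0.0.9 c4e6a8b0d2f4a6c8e0b1d3f5a7c9e2b4.tunnel-placeholder.test",
    "10.0.0.9 f6a8c0e2b4d6f8a1c3e5a7f9b1d3e5f7.tunnel-placeholder.test",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (no PSL lookup)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_tunneling(log_lines, min_label_len=30, min_entropy=3.5, min_unique=3):
    """Return {parent_domain: distinct_suspicious_labels} for parents that receive
    at least min_unique queries whose leftmost label is long and high-entropy.
    Thresholds are assumptions for this sample; tune them against real baselines."""
    suspicious = defaultdict(set)
    for line in log_lines:
        _client, qname = line.split(maxsplit=1)
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            suspicious[registered_domain(qname)].add(label)
    return {d: len(labels) for d, labels in suspicious.items() if len(labels) >= min_unique}
```

Pair the per-domain count with query volume per client over time; a single long label is normal, a stream of unique ones to one parent is not.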
Targets and Attribution
Check Point's investigation identified government ministries, diplomatic missions, and defense-related organizations across Europe and Southeast Asia as primary targets. The group's tooling, infrastructure patterns, and target selection align with APT41's known operational profile — a Chinese state-sponsored group that conducts both espionage operations for intelligence purposes and financially motivated cybercrime. The dual-purpose nature of APT41's operations makes attribution complex, as the same tooling is used for both state-directed and personal financial operations.