- Chinese government-backed Silver Dragon Group targets governments
- Attackers abuse Google Cloud and Windows services for covert attacks
- Custom backdoor GearDoor enables covert data exfiltration
Chinese state-sponsored threat actors have been found to be abusing legitimate Windows and Google Cloud services to hide their tracks while spying on targets in Southeast Asia and Europe.
A new report from Check Point Research (CPR) reveals that a group called Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary, and Italy, as well as Japan, Myanmar, and Malaysia.
Silver Dragon appears to be part of APT41, a notorious state-sponsored group engaged in cyber espionage.
Harnessing regular “noise”
Attacks often begin with phishing emails that pose as official communications and carry weaponized documents or links. Alternatively, the group compromises Internet-exposed servers and moves deeper into the internal network to deploy additional tools.
At the heart of the campaign is a custom backdoor called GearDoor, which uses Google Drive as its command and control (C2) infrastructure instead of the usual dedicated C2 servers. Each infected machine creates its own Google Drive folder under a dedicated account, periodically uploads heartbeat data, and retrieves operator commands disguised as regular files.
Stolen data is exfiltrated to the same location.
Silver Dragon has also been found to hijack legitimate Windows services, stopping and recreating them so that malicious code loads under trusted names. These include Windows Update, Bluetooth, and .NET Framework utilities.
By blending into normal system activity, attackers are able to remain on the system longer without being detected by defenders. CPR says this strategy works well in large environments where “system services generate daily noise.”
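From the detection side, the stop-and-recreate pattern described above leaves a trail in the Windows System log: a service-state event followed by a new-service-installed event for the same name. The following is an added example, not code from the CPR report, that scans constructed events for a trusted-sounding service re-created from an image path outside the usual system directories; the name hints, the trusted-directory baseline and the sample events are all assumptions.

```python
"""Added example: flag a trusted-sounding Windows service that is stopped and
then re-created from an image path outside the usual system directories."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Display-name fragments attackers borrow per the report; the list is an assumption.
TRUSTED_NAME_HINTS = ("windows update", "bluetooth", ".net")
# Where genuine system services normally live; assumed baseline, tune per environment.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\microsoft.net\\")


@dataclass
class ServiceEvent:
    ts: datetime
    event_id: int         # 7036 = service state change, 7045 = new service installed
    service: str
    image_path: str = ""  # populated on 7045
    state: str = ""       # populated on 7036


def looks_trusted(name: str) -> bool:
    return any(hint in name.lower() for hint in TRUSTED_NAME_HINTS)


def in_trusted_dir(path: str) -> bool:
    # Image paths may be quoted; strip the leading quote before comparing.
    return path.lower().lstrip('"').startswith(TRUSTED_DIRS)


def find_service_hijacks(events, window=timedelta(minutes=30)):
    """Return (service, image_path) for each service that was stopped and, within
    `window`, re-installed under a trusted name from an untrusted image path."""
    hits, last_stop = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 7036 and ev.state.lower() == "stopped":
            last_stop[ev.service] = ev.ts
        elif ev.event_id == 7045 and looks_trusted(ev.service):
            stopped_at = last_stop.get(ev.service)
            if (stopped_at is not None and ev.ts - stopped_at <= window
                    and not in_trusted_dir(ev.image_path)):
                hits.append((ev.service, ev.image_path))
    return hits


# Constructed sample events, not real telemetry.
T = datetime(2025, 3, 1, 9, 0)
SAMPLE = [
    ServiceEvent(T, 7036, "Windows Update", state="stopped"),
    ServiceEvent(T + timedelta(minutes=2), 7045, "Windows Update",
                 image_path=r"C:\ProgramData\svc\wuau.exe"),  # hijack: untrusted path
    ServiceEvent(T + timedelta(minutes=5), 7036, "Bluetooth Support Service", state="stopped"),
    ServiceEvent(T + timedelta(minutes=6), 7045, "Bluetooth Support Service",
                 image_path=r"C:\Windows\System32\svchost.exe -k bthsvcs"),  # legitimate path
    ServiceEvent(T + timedelta(minutes=20), 7045, "Contoso Agent",
                 image_path=r"C:\ProgramData\agent.exe"),  # untrusted path, not a trusted name
]
```

Running `find_service_hijacks(SAMPLE)` returns only the Windows Update re-creation; in production the directory baseline should be paired with signer checks, since a trusted path alone does not prove a trusted binary.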
The hackers also deployed post-exploitation tools such as SSHcmd and Cobalt Strike. The former is a lightweight SSH utility that enables remote command execution and file transfer, while Cobalt Strike is a penetration testing tool often abused by threat actors.
“No longer relying solely on custom infrastructure, nation-state coalition actors are increasingly embedding themselves within legitimate enterprise systems and trusted cloud services. This reduces visibility to traditional perimeter defenses and increases dwell time within target networks,” CPR concluded.
“For executive leadership, the implications are clear: Exposure is no longer limited to obvious malware or suspicious external connections. Risks now include subtle misuse of legitimate services, cloud platforms, and core operating system components.”