🇨🇳 CN7 malware families

Silver Dragon

Also known assilver_dragon

Silver Dragon is a China-linked, Chinese-aligned cyberespionage threat group assessed by Check Point Research with high confidence to be linked to the APT41 ecosystem and likely operating under the APT41 umbrella. It has targeted organizations across Southeast Asia and Europe since at least mid-2024, with a particular focus on government entities, government ministries, and other public sector or high-profile organizations. Reported targeting includes government entities in Uzbekistan. Observed initial access methods include exploitation of public-facing internet servers and phishing emails with malicious attachments, including weaponized LNK files. Check Point described three infection chains used by the group: AppDomain hijacking, service DLL hijacking/deployment, and phishing with malicious LNK attachments. In these campaigns, Silver Dragon deployed Cobalt Strike beacons after compromise and also used DNS tunneling, HTTP communications in some cases, and SMB for communications within victim networks. For persistence and stealth, Silver Dragon hijacks legitimate Windows services and components, including Windows Update, .NET utilities, Bluetooth-related components, and services such as wuausrv, bthsrv, DfSvc, tzsync, and COMSysAppSrv. Reported loaders and malware used by the group include MonikerLoader, BamboLoader, and GearDoor. GearDoor is a .NET backdoor that uses Google Drive as a file-based command-and-control channel, exchanging encrypted tasking and results through files and per-victim folders. Additional custom tooling includes SilverScreen, used for screenshot capture, and SSHcmd, a .NET SSH utility used for remote command execution, file transfer, and remote access/lateral movement. Check Point also reported tradecraft overlap with APT41, including similarities to installation scripts previously documented by Mandiant, use of BamboLoader-related mechanisms, and operational correlation with campaigns previously associated with APT41. The content describes Silver Dragon as a spinoff of APT41 and a China-nexus group tied to that ecosystem. Known alias in the provided content: silver_dragon.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

42 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics59 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1190×6

Exploit Public-Facing Application

T1566×2

Phishing

T1566.001×7

Spearphishing Attachment

TA0002

Execution

5 techniques

T1053

Scheduled Task/Job

T1059

Command and Scripting Interpreter

T1059.001×4

PowerShell

T1059.003×3

Windows Command Shell

T1106

Native API

T1204

User Execution

T1204.002×3

Malicious File

T1574

Hijack Execution Flow

T1574.001×4

DLL

T1574.011

Services Registry Permissions Weakness

T1574.014

AppDomainManager

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1543

Create or Modify System Process

T1543.003×6

Windows Service

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1055×3

Process Injection

T1055.001

Dynamic-link Library Injection

T1543

Create or Modify System Process

T1543.003×6

Windows Service

TA0005

Stealth

7 techniques

T1027×2

Obfuscated Files or Information

T1036

Masquerading

T1055×3

Process Injection

T1055.001

Dynamic-link Library Injection

T1140×2

Deobfuscate/Decode Files or Information

T1218

System Binary Proxy Execution

T1574

Hijack Execution Flow

T1574.001×4

DLL

T1574.011

Services Registry Permissions Weakness

T1574.014

AppDomainManager

T1620×3

Reflective Code Loading

TA0007

Discovery

5 techniques

T1018

Remote System Discovery

T1049

System Network Connections Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.004×6

SSH

TA0009

Collection

3 techniques

T1074

Data Staged

T1113×9

Screen Capture

T1560

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

6 techniques

T1071×2

Application Layer Protocol

T1071.001×4

Web Protocols

T1071.002

File Transfer Protocols

T1071.003

Mail Protocols

T1071.004×4

DNS

T1090

Proxy

T1090.002

External Proxy

T1102×3

Web Service

T1102.002×3

Bidirectional Communication

T1102.003

One-Way Communication

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1567

Exfiltration Over Web Service

T1567.002

Exfiltration to Cloud Storage

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

GearDoorIts custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.11Jun 11, 2026

SSHcmdRecent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...10Mar 9, 2026

SilverScreenRecent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...8Mar 9, 2026

Cobalt StrikeResearchers at Check Point said the group has been active since mid-2024... deploy Cobalt Strike beacons for remote access.7Mar 6, 2026

BamboLoader"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"4Mar 4, 2026

2 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app

eclecticiq blogNews

Jun 11, 2026

The Escalating Cyber Risk Landscape in Regional Conflicts & Strategic Actions for 2026

China-nexus espionage group conducting sustained intrusions against government ministries in Southeast Asia and Europe, using server exploitation, phishing, service hijacking, and cloud-masked command and control.

checkpoint research blogNews

Mar 9, 2026

9th March - Threat Intelligence Report - Check Point Research

Chinese-aligned group linked to APT41 targeting government and enterprise networks in Southeast Asia and Europe; uses GearDoor backdoor with SSHcmd and SilverScreen for remote access, covert screen capture, and stealthy control following phishing and server exploitation.

dark readingNews

Mar 9, 2026

Chinese Cyber Threat Lurks In Critical Asian Sectors for Years

APT41-linked spinoff activity cluster reported by Check Point as conducting a lengthy campaign targeting Asia; specific tooling and TTPs not described in this content.

security affairsNews

Mar 8, 2026

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 87

Activity cluster reported targeting organizations in Southeast Asia and Europe.

+11 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping42

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.