Mallory
Malware, used by 3 actors

GearDoor

GearDoor is a .NET backdoor used in the China-linked Silver Dragon intrusion cluster, which multiple reports assess as operating within or overlapping the APT41 ecosystem. It has been used in cyberespionage campaigns targeting government and other high-profile organizations in Southeast Asia and Europe since at least mid-2024. Silver Dragon has delivered GearDoor after initial access obtained through exploitation of public-facing servers and phishing emails with malicious attachments, alongside other tooling such as Cobalt Strike, SSHcmd for remote command execution and file transfer, and SilverScreen for screenshot capture.

A defining characteristic of GearDoor is its use of Google Drive as a file-based command-and-control channel, including use of a dedicated Google Drive account, allowing malicious traffic to blend with trusted cloud-service usage. Reports describe GearDoor creating a unique Google Drive folder per infected machine using a SHA-256 hash of the hostname. It exchanges tasking and results through specially crafted file extensions: .cab for commands to execute, .pdf for directory tasks, .rar for payload delivery or self-update, and .7z for in-memory .NET plugin execution. After completing tasks, it deletes input files and uploads a .bak result file; it also uploads a heartbeat file with a .png extension containing host information such as hostname, username, IP address, and OS version.

Communications are described as encrypted; one report specifies DES encryption with the key derived from the first 8 characters of an MD5 hash of a hardcoded string. Reporting also notes similarities between GearDoor and MonikerLoader, and that changes in GearDoor's command set across versions suggest ongoing testing and development by the operators. High-confidence behavioral indicators stated directly in the source reporting include Google Drive-based C2, encrypted file-based tasking via the extensions .cab, .pdf, .rar, .7z, .bak, and .png, and association with Silver Dragon/APT41-linked operations.
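The two host-side traits the reporting describes, a per-machine Drive folder named by SHA-256 of the hostname and the fixed set of tasking extensions, can be turned into a simple hunt over cloud-storage audit events. The script below is an added example written for this page, not code from the reports or the Mallory platform; the audit line format, the lower-case hex encoding of the folder name and the three-extension threshold are assumptions, and the log lines are constructed.

```python
import hashlib
from collections import defaultdict

# File extensions the reporting ties to GearDoor's file-based tasking over
# Google Drive: .cab commands, .pdf directory tasks, .rar payloads/self-update,
# .7z in-memory .NET plugins, .bak results, .png heartbeat.
GEARDOOR_EXTS = {".cab", ".pdf", ".rar", ".7z", ".bak", ".png"}

def expected_folder(hostname: str) -> str:
    """Per-host Drive folder name as described: SHA-256 of the hostname.
    Assumption: UTF-8 input and lower-case hex output; compare case-insensitively."""
    return hashlib.sha256(hostname.encode("utf-8")).hexdigest()

def parse_event(line: str) -> dict:
    """Parse one constructed audit line of the form '<host> <action> <folder>/<file>'."""
    host, action, path = line.split()
    folder, _, name = path.rpartition("/")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return {"host": host, "action": action, "folder": folder, "ext": ext}

def score_hosts(lines) -> dict:
    """Map each host to (a folder equals SHA-256(hostname), set of tasking extensions seen)."""
    exts_seen, folders = defaultdict(set), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        folders[ev["host"]].add(ev["folder"].lower())
        if ev["ext"] in GEARDOOR_EXTS:
            exts_seen[ev["host"]].add(ev["ext"])
    return {h: (expected_folder(h) in folders[h], exts_seen[h]) for h in folders}

def suspicious(findings: dict, min_exts: int = 3) -> list:
    """Hosts whose Drive folder is named by SHA-256(hostname) and that touched
    at least min_exts distinct tasking extensions; the threshold is an assumption."""
    return sorted(h for h, (hashed, exts) in findings.items()
                  if hashed and len(exts) >= min_exts)

# Constructed sample audit events (not real telemetry). WS-FIN-07 shows the
# GearDoor pattern; DEV-LAPTOP-3 is ordinary Drive use with overlapping extensions.
SAMPLE_LOG = [
    f"WS-FIN-07 download {expected_folder('WS-FIN-07')}/t1.cab",
    f"WS-FIN-07 upload {expected_folder('WS-FIN-07')}/t1.bak",
    f"WS-FIN-07 upload {expected_folder('WS-FIN-07')}/hb.png",
    f"WS-FIN-07 download {expected_folder('WS-FIN-07')}/plugin.7z",
    "DEV-LAPTOP-3 upload Shared/Reports/q3.pdf",
    "DEV-LAPTOP-3 upload Photos/team.png",
]

if __name__ == "__main__":
    print(suspicious(score_hosts(SAMPLE_LOG)))  # ['WS-FIN-07']
```

The folder-name check only fires when the logged hostname matches what the implant hashed, so pair it with the extension pattern rather than relying on either signal alone.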


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

APT41

Its custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.

Source: EclecticIQ blog (blog.eclecticiq.com)

Silver Dragon

Its custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.

Source: EclecticIQ blog (blog.eclecticiq.com)

APT17

"...Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel..."

Source: CTO at NCSC Substack (ctoatncsc.substack.com)

MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1190 Exploit Public-Facing Application (evidence: 4)

Enterprise edge network devices such as routers, firewalls, and VPN appliances have become the primary exploitation surface for PRC-linked threat actors... confirmed exploitation of vulnerabilities in Ivanti Connect Secure, Palo Alto Networks PAN-OS, multiple Cisco IOS XE products, Fortinet, Juniper, SonicWall, Nokia, and Sierra Wireless devices.

T1566 Phishing (evidence: 2)

Silver Dragon... exploits internet-facing servers and uses phishing for initial access... eCrime actors are exploiting these conditions opportunistically by weaponizing conflict narratives through targeted phishing and fake humanitarian content to deliver infostealers and backdoors.

T1566.001 Spearphishing Attachment (evidence: 3)

“...and by delivering phishing emails that contain malicious attachments.”

Execution

6 techniques
T1053 Scheduled Task/Job (evidence: 1)

"...run commands via 'cmd.exe' or scheduled tasks..."

T1059.001 PowerShell (evidence: 1)

"LNK files that triggered PowerShell commands, dropping additional malware components".

T1059.003 Windows Command Shell (evidence: 1)

"...launch PowerShell code by means of 'cmd.exe'" ... "run commands via 'cmd.exe' or scheduled tasks"

T1204.002 Malicious File (evidence: 1)

"attackers sent LNK files that triggered PowerShell commands".

T1574.001 DLL (evidence: 3)

"malicious Windows shortcut files and DLL-based persistence techniques" and "load malicious DLLs".

T1574.011 Services Registry Permissions Weakness (evidence: 1)

“To maintain persistence, the group hijacks legitimate Windows services…”

Persistence

1 technique
T1053 Scheduled Task/Job (evidence: 1)

"...run commands via 'cmd.exe' or scheduled tasks..."

Privilege Escalation

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

"...run commands via 'cmd.exe' or scheduled tasks..."

T1134 Access Token Manipulation (evidence: 1)

GearDoor command list includes “steal_token <pid> Impersonates the security token…” and SilverScreen “relaunches itself… using token impersonation.”

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 1)

“strings are entirely obfuscated using a Brainfuck-based string decryption routine… control flow flattening and inserting junk code…”

T1134 Access Token Manipulation (evidence: 1)

GearDoor command list includes “steal_token <pid> Impersonates the security token…” and SilverScreen “relaunches itself… using token impersonation.”

T1574.001 DLL (evidence: 3)

"malicious Windows shortcut files and DLL-based persistence techniques" and "load malicious DLLs".

T1574.011 Services Registry Permissions Weakness (evidence: 1)

“To maintain persistence, the group hijacks legitimate Windows services…”

T1620 Reflective Code Loading (evidence: 1)

"a .7z file runs an in-memory .NET plugin"

Discovery

5 techniques
T1018 Remote System Discovery (evidence: 1)

GearDoor supported commands include “ipconfig”, “netstat”, “ps” and directory listing operations.

T1049 System Network Connections Discovery (evidence: 1)

GearDoor command list includes “netstat”.

T1057 Process Discovery (evidence: 1)

GearDoor command list includes “ps None Lists running processes on the system.”

T1082 System Information Discovery (evidence: 1)

"uploads a heartbeat file... containing the machine’s hostname, username, IP address, and OS version"

T1083 File and Directory Discovery (evidence: 1)

"a .pdf file handles directory tasks"

Collection

1 technique
T1560.001 Archive via Utility (evidence: 1)

"...delivered via compressed archives..." ... "RAR archive containing a batch script" ... "*.rar ... *.7z"

Command and Control

8 techniques
T1071 Application Layer Protocol (evidence: 1)

Its custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.

T1071.001 Web Protocols (evidence: 2)

"GearDoor, a backdoor that communicates with command-and-control infrastructure through Google Drive."

T1090.002 External Proxy (evidence: 1)

Its custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.

T1102 Web Service (evidence: 3)

“...GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel…”

T1102.002 Bidirectional Communication (evidence: 3)

"...leveraged a dedicated Google Drive account as command-and-control infrastructure for its GearDoor backdoor..."

T1102.003 One-Way Communication (evidence: 1)

"...uses ... Google Drive-based command-and-control" ... "GearDoor, a .NET backdoor, uses Google Drive as a command-and-control channel"

T1105 Ingress Tool Transfer (evidence: 2)

"a .rar file drops new payloads or triggers a self-update" and "a .7z file runs an in-memory .NET plugin"

T1573 Encrypted Channel (evidence: 1)

"All data exchanged through Google Drive is encrypted using the DES algorithm"

Exfiltration

1 technique
T1567.002 Exfiltration to Cloud Storage (evidence: 1)

“GearDoor… exfiltrating information via Google Drive… the download command exfiltrates files from the infected host to Google Drive.”
