In recent months, security researchers have disclosed the activity of a persistent and sophisticated actor tracked under the name Silver Dragon. The group has been linked to intrusions targeting Europe and South-East Asia since mid-2024, and its techniques and tooling place it within the cluster of activity known as APT41, a collective historically tied to cyber-espionage campaigns and, at times, to financially motivated operations. Check Point published a detailed report documenting these operations and the infection chains the group uses: Check Point report.
The entry path used by Silver Dragon combines exploitation of Internet-exposed servers with phishing campaigns carrying malicious attachments. Once inside, the attackers try to blend in with the system's legitimate activity: they hijack Windows services and use payloads that run in memory to avoid leaving traces on disk. This ability to hide processes and persist in compromised environments is a hallmark of advanced, well-funded operations and explains why early detection is so difficult.

Recurrent tools in the intrusions include Cobalt Strike, a post-exploitation framework known for its flexibility and used by both researchers and malicious actors. Silver Dragon uses Cobalt Strike beacons to keep control over infected hosts and combines this capability with less conventional communication methods, such as DNS tunnelling, which lets it send and receive commands while bypassing stricter network controls.
The research team identified three main infection chains. Two of them start from compressed archives containing batch scripts and multi-stage payloads; one of these routes uses a .NET loader the researchers call MonikerLoader, responsible for decompressing and running a second stage directly in memory. In the other, a loader called BamboLoader, a heavily obfuscated C++ binary registered as a Windows service, decrypts and decompresses shellcode that it then injects into legitimate processes such as taskhost.exe. Both routes show operational overlaps and point to reusable infrastructure designed for evasion and versatility.
The third chain is a targeted phishing campaign, with the highest reported incidence in Uzbekistan, that uses Windows shortcuts (LNK files) as the lure. These shortcuts trigger commands that run PowerShell code, which extracts and executes several files: a decoy document to distract the user, a legitimate executable vulnerable to sideloading (GameHook.exe), the malicious DLL that acts as BamboLoader, and an encrypted file containing the Cobalt Strike payload. In practice, when the decoy is opened the user notices nothing abnormal while, in the background, the malicious tool is loaded and executed.
Silver Dragon operators do not stop at initial access: they deploy a set of utilities to move laterally, collect information and maintain persistence. These include .NET screen-monitoring tools that take periodic screenshots and record the cursor position, SSH utilities for remote execution and file transfer, and a backdoor that uses Google Drive as a command-and-control channel. This backdoor sends heartbeats with basic host information and uses file extensions as markers for different task types, returning results in formats that ease synchronization with the attacker's cloud storage.
The attribution to APT41 does not rest only on the geopolitical profile of the victims; it emerges from overlaps in the mode of operation, post-exploitation installation scripts already observed in earlier campaigns, and cryptographic mechanisms in the loaders that have previously been associated with China-linked activity. Google Cloud has also documented APT41 intrusions and the group's use of multiple exploits in global campaigns, which helps contextualize the persistence and adaptability of this actor: Google Cloud analysis. To better understand the organization and tactics attributed to groups such as APT41, the MITRE repository provides useful references on its classification and techniques: MITRE APT41, and on specific techniques such as AppDomain hijacking: AppDomain hijacking (MITRE).

What practical implications does this landscape have for organizations and security teams? First, it must be recognized that combined vectors, exposure of services on the Internet and spear-phishing, call for a strategy that is both preventive and detection-based. Patching and reducing the attack surface of exposed servers remain basic but critical measures, while filtering and sandboxing of attachments and behaviour monitoring can intercept many chains before they reach the in-memory payload stage. In addition, detection of patterns such as DLL sideloading, injection into legitimate processes and abnormal DNS traffic should be part of the monitoring and response rules.
Finally, the Silver Dragon case reminds us that persistent threats are constantly updated: they test new techniques, combine infrastructure and reuse components with slight variations to evade static signatures. The security community shares intelligence and tools to mitigate these risks, so staying informed through public analysis and advisories from vendors and agencies is essential. Reports such as Check Point's and technical publications from reputable platforms allow defence teams to update rules, indicators of compromise and response playbooks with fresh, corroborated information.
To dig deeper into this type of campaign and the recommended defences, the technical reports and knowledge bases of vendors and organizations such as Check Point, Google Cloud and MITRE are a good starting point: Check Point, Google Cloud and MITRE ATT&CK.
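One of the detection patterns named above, abnormal DNS traffic, can be turned into a simple heuristic: a DNS tunnel has to encode its data in many unique, long, high-entropy leftmost labels under a single base domain. The script below is an added example, not code from Check Point or the report; the thresholds, the two-label base-domain approximation and the sample query log are constructed assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Heuristic thresholds (assumed, tune per environment): a DNS tunnel encodes
# data in many unique, long, high-entropy leftmost labels under one base domain.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_LABEL_LEN = 20
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (assumption; real code uses a public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_dns_tunnel_candidates(queries):
    """queries: iterable of (client_ip, qname). Returns {base_domain: stats} for suspicious base domains."""
    per_base = defaultdict(set)
    for _client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:  # nothing below the base domain to carry data
            continue
        per_base[base_domain(qname)].add(labels[0])
    flagged = {}
    for base, subs in per_base.items():
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (len(subs) >= MIN_UNIQUE_SUBDOMAINS and mean_len >= MIN_MEAN_LABEL_LEN
                and mean_ent >= MIN_MEAN_ENTROPY):
            flagged[base] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


# Constructed sample log, not real traffic: benign lookups plus five long hex labels.
SAMPLE_QUERIES = [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "cdn.example.com")]
SAMPLE_QUERIES += [("10.0.0.7", f"{h}.cdn-update.example.net") for h in (
    "a9f3c1e7b2d4f6a8c0e2b4d6f8a1c3e5", "7b1d9e3f5a7c9e1b3d5f7a9c1e3b5d7f",
    "c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4", "e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1",
    "0d2f4a6c8e0b2d4f6a8c0e2b4d6f8a0c")]
```

Running `flag_dns_tunnel_candidates(SAMPLE_QUERIES)` flags only `example.net`; in production, feed it per-client query windows from the resolver logs and allow-list known high-volume CDN and anti-spam domains, which also produce long labels.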