7 malware families

Silver Dragon

Also known assilver_dragon

Silver Dragon is a Chinese-aligned cyberespionage activity cluster assessed by Check Point Research to be operating under the broader APT41 umbrella, active since at least mid-2024. The group has targeted organizations across Southeast Asia and Europe, with a particular focus on government and public-sector/high-profile entities. Initial access has been observed via exploitation of public-facing internet servers and via phishing emails with malicious attachments (including weaponized LNK files, with documented targeting of government entities in Uzbekistan). Across multiple observed intrusion chains, Silver Dragon rapidly deploys Cobalt Strike beacons (noted as cracked variants with multiple watermark values) and uses multiple C2 methods including DNS tunneling, HTTP (often behind Cloudflare), and SMB for intra-network communications. Check Point described three primary infection chains that culminate in Cobalt Strike delivery: (1) AppDomain hijacking (e.g., abusing dfsvc.exe and also tzsync.exe) using .NET loaders such as MonikerLoader (with Brainfuck-based string decryption and in-memory reflective loading of a second-stage loader); (2) service DLL hijacking/persistence by impersonating and hijacking legitimate Windows services via registry/service manipulation (abusing services including wuausrv, bthsrv, COMSysAppSrv, DfSvc, and tzsync) and deploying a heavily obfuscated C++ shellcode loader dubbed BamboLoader (RC4 decryption, LZNT1 decompression via RtlDecompressBuffer, and injection into processes such as taskhost.exe/taskhostw.exe); and (3) LNK-based phishing that uses PowerShell extraction and DLL sideloading (e.g., via a legitimate executable GameHook.exe) to load BamboLoader and an encrypted Cobalt Strike payload while presenting a decoy document. Post-compromise tooling attributed to Silver Dragon includes GearDoor (a .NET backdoor using Google Drive as a file-based C2 channel, with per-victim folders and tasking/results exchanged via files whose extensions encode actions; communications encrypted with DES using a key derived from an MD5-based scheme), SilverScreen (periodic screenshot capture with change detection and compression), and SSHcmd (a .NET SSH utility leveraging Renci.SshNet for remote command execution and file transfer). Reporting also notes Silver Dragon’s tradecraft overlaps with APT41 (including similarities to installation scripts previously documented by Mandiant) and compilation timestamps aligning with UTC+8 as supporting evidence for the China nexus.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Commercial & Professional Services

MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics60 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1190×5

Exploit Public-Facing Application

T1566

Phishing

T1566.001×7

Spearphishing Attachment

TA0002

Execution

5 techniques

T1053

Scheduled Task/Job

T1059

Command and Scripting Interpreter

T1059.001×4

PowerShell

T1059.003×3

Windows Command Shell

T1106

Native API

T1204

User Execution

T1204.002×3

Malicious File

T1574

Hijack Execution Flow

T1574.001×4

DLL

T1574.011

Services Registry Permissions Weakness

T1574.014

AppDomainManager

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1543

Create or Modify System Process

T1543.003×6

Windows Service

TA0004

Privilege Escalation

4 techniques

T1053

Scheduled Task/Job

T1055×3

Process Injection

T1055.001

Dynamic-link Library Injection

T1134

Access Token Manipulation

T1543

Create or Modify System Process

T1543.003×6

Windows Service

TA0005

Stealth

8 techniques

T1027×2

Obfuscated Files or Information

T1036

Masquerading

T1055×3

Process Injection

T1055.001

Dynamic-link Library Injection

T1134

Access Token Manipulation

T1140×2

Deobfuscate/Decode Files or Information

T1218

System Binary Proxy Execution

T1574

Hijack Execution Flow

T1574.001×4

DLL

T1574.011

Services Registry Permissions Weakness

T1574.014

AppDomainManager

T1620×3

Reflective Code Loading

TA0007

Discovery

5 techniques

T1018

Remote System Discovery

T1049

System Network Connections Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.002

SMB/Windows Admin Shares

T1021.004×7

SSH

TA0009

Collection

3 techniques

T1074

Data Staged

T1113×9

Screen Capture

T1560

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001×4

Web Protocols

T1071.002

File Transfer Protocols

T1071.003

Mail Protocols

T1071.004×4

DNS

T1102×3

Web Service

T1102.002×3

Bidirectional Communication

T1102.003

One-Way Communication

T1105×2

Ingress Tool Transfer

T1219

Remote Access Tools

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1567

Exfiltration Over Web Service

T1567.002×2

Exfiltration to Cloud Storage

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

GearDoorRecent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control after phishing and server exploitation.10Mar 9, 2026

SSHcmdRecent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...10Mar 9, 2026

SilverScreenRecent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...8Mar 9, 2026

Cobalt StrikeResearchers at Check Point said the group has been active since mid-2024... deploy Cobalt Strike beacons for remote access.7Mar 6, 2026

BamboLoader"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"4Mar 4, 2026

2 additional families tracked in Mallory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app

checkpoint research blogNews

Mar 9, 2026

9th March - Threat Intelligence Report - Check Point Research

Chinese-aligned group linked to APT41 targeting government and enterprise networks in Southeast Asia and Europe; uses GearDoor backdoor with SSHcmd and SilverScreen for remote access, covert screen capture, and stealthy control following phishing and server exploitation.

dark readingNews

Mar 9, 2026

Chinese Cyber Threat Lurks In Critical Asian Sectors for Years

APT41-linked spinoff activity cluster reported by Check Point as conducting a lengthy campaign targeting Asia; specific tooling and TTPs not described in this content.

security affairsNews

Mar 8, 2026

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 87

Activity cluster reported targeting organizations in Southeast Asia and Europe.

security affairsNews

Mar 8, 2026

Security Affairs newsletter Round 566 by Pierluigi Paganini - INTERNATIONAL EDITION

Campaign activity described as evolving from phishing to using Google Drive as command-and-control, and framed as leveraging an APT41-style playbook; also noted targeting organizations in Southeast Asia and Europe.

+10 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping43

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.