Malware · Used by 3 actors

SSHcmd

SSHcmd is a custom post-exploitation tool used in campaigns attributed to the China-linked threat cluster “Silver Dragon,” assessed by Check Point as operating under the broader APT41 umbrella. It is described as a .NET-based command-line utility that acts as a wrapper for SSH (noted to use the Renci.SshNet library) to facilitate remote access and operator control.

Capabilities explicitly described include remote command execution over SSH, file transfer (upload/download) over SSH, and support for interactive TTY sessions; it can also handle Base64-encoded commands. Reporting characterizes SSHcmd as supporting remote access and lateral movement in compromised environments.

In the referenced Silver Dragon intrusions (targeting government and public-sector/high-profile organizations in Southeast Asia and Europe since at least mid-2024), SSHcmd appears as part of a broader toolset alongside the GearDoor backdoor (Google Drive–based C2) and SilverScreen (screenshot capture), and is deployed after initial access obtained via exploitation of public-facing servers and/or phishing with malicious attachments.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT41

Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...

via Check Point Research blog (research.checkpoint.com)
Silver Dragon

Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...

via Check Point Research blog (research.checkpoint.com)
APT17

"...deployed two additional custom tools: SSHcmd, a command-line utility that functions as a wrapper for SSH to facilitate remote access..."

via ctoatncsc Substack (ctoatncsc.substack.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques

T1190 Exploit Public-Facing Application (evidence: 1)

"the group breaks into networks by exploiting public-facing internet servers"

T1566 Phishing (evidence: 1)

"using phishing emails... to infiltrate government networks" and "gains initial access... sending phishing emails with malicious attachments."

T1566.001 Spearphishing Attachment (evidence: 1)

"using phishing emails, malicious Windows shortcut files... In one phishing campaign, attackers sent LNK files that triggered PowerShell commands".

Execution

2 techniques

T1059.001 PowerShell (evidence: 1)

"LNK files that triggered PowerShell commands, dropping additional malware components".

T1204.002 Malicious File (evidence: 1)

"attackers sent LNK files that triggered PowerShell commands".

Lateral Movement

1 technique

T1021.004 SSH (evidence: 7)

“...deployed… SSHcmd… a wrapper for SSH to facilitate remote access…”
