Malware. Used by 3 actors.

SilverScreen

SilverScreen is a custom post-exploitation surveillance tool used in intrusions attributed to the China-linked threat operation “Silver Dragon” (assessed to operate under the APT41 umbrella). It is described as a .NET screen-monitoring utility that covertly captures periodic screenshots of user activity across all connected displays, including precise cursor positioning. Reported behavior includes silently capturing screenshots at regular intervals, using change detection to limit disk usage, compressing the captured images, and storing them locally for later exfiltration. SilverScreen has been observed deployed alongside other Silver Dragon tooling such as the GearDoor .NET backdoor (which uses Google Drive for file-based C2) and SSHcmd (an SSH-based remote command execution and file transfer utility), as part of broader cyberespionage campaigns targeting government and public sector organizations in Southeast Asia and Europe. No specific file hashes, domains, or other direct IoCs for SilverScreen itself are provided in the source reporting.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT41

Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...

via Check Point Research (research.checkpoint.com)
Silver Dragon

Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control...

via Check Point Research (research.checkpoint.com)
APT17

Other tools, including the screenshot-capturing SilverScreen... have also been harnessed by the hacking group.

via SC World (scworld.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

"the group breaks into networks by exploiting public-facing internet servers"

T1566 Phishing (evidence: 1)

"using phishing emails... to infiltrate government networks" and "gains initial access... sending phishing emails with malicious attachments."

T1566.001 Spearphishing Attachment (evidence: 1)

"using phishing emails, malicious Windows shortcut files... In one phishing campaign, attackers sent LNK files that triggered PowerShell commands".

Execution

3 techniques
T1059.001 PowerShell (evidence: 1)
Tactic: Execution

"LNK files that triggered PowerShell commands, dropping additional malware components".

T1204.002 Malicious File (evidence: 1)
Tactic: Execution

"attackers sent LNK files that triggered PowerShell commands".

T1574.014 AppDomainManager (evidence: 1)

“This chain, deployed by abusing AppDomain Hijacking (T1574.014)… dfsvc.exe.config file overwrites the AppDomain entry point, redirecting execution to MonikerLoader.”

T1134 Access Token Manipulation (evidence: 1)

GearDoor command list includes “steal_token <pid> Impersonates the security token…” and SilverScreen “relaunches itself… using token impersonation.”

Stealth

2 techniques
T1134 Access Token Manipulation (evidence: 1)

GearDoor command list includes “steal_token <pid> Impersonates the security token…” and SilverScreen “relaunches itself… using token impersonation.”

T1574.014 AppDomainManager (evidence: 1)

“This chain, deployed by abusing AppDomain Hijacking (T1574.014)… dfsvc.exe.config file overwrites the AppDomain entry point, redirecting execution to MonikerLoader.”

Collection

2 techniques
T1074 Data Staged (evidence: 1)

"...compresses them, and stores them for later exfiltration."

T1113 Screen Capture (evidence: 8)

“...SilverScreen, enabling... covert screen capture...”
