GearDoor
GearDoor is a custom .NET backdoor used in intrusions attributed to the China-nexus activity cluster “Silver Dragon,” assessed by Check Point to operate under the broader APT41 umbrella. It has been observed in cyberespionage-focused campaigns targeting government and public-sector/high-profile organizations in Europe and Southeast Asia since at least mid-2024.
GearDoor’s defining feature is its use of Google Drive as a file-based command-and-control (C2) channel, leveraging trusted cloud traffic to reduce detection. Operators use a dedicated Google Drive account/folders for tasking and exfiltration; the malware creates a per-victim Google Drive folder named as a SHA-256 hash of the machine hostname. It exchanges commands and results via uploads/downloads where specific file extensions encode task types (e.g., .cab for command execution, .pdf for directory tasks, .rar for dropping payloads/self-update, .7z for in-memory .NET plugin execution). GearDoor deletes input files after processing and uploads a .bak result file to confirm completion. It also uploads a heartbeat file with a .png extension containing basic host metadata (hostname, username, IP address, OS version).
Communications/configuration are encrypted using DES; the DES key is derived from the first 8 characters of an MD5 hash of a hardcoded string. Reporting notes changes in GearDoor’s command set across versions, consistent with ongoing development/testing.
GearDoor is described as being deployed alongside other Silver Dragon post-exploitation tooling, including SilverScreen (covert screenshot capture) and SSHcmd (SSH-based remote command execution and file transfer), and in operations that also involve phishing and exploitation of public-facing servers, with Cobalt Strike used elsewhere in the intrusion chains.
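The two structural artefacts above (per-victim Drive folders named as SHA-256 of the hostname, and task types encoded in file extensions) are the hunting hooks a defender with Google Workspace Drive audit logs can act on. The following Python sketch is an added example, not code from Check Point's reporting or the Mallory entry: it hashes an asset-inventory hostname list, matches those digests against folder names in constructed audit records, and labels uploads into matching folders with the task type the extension encodes. It also shows the DES key derivation as described (first 8 characters of an MD5 hash). Assumptions are labelled in the code: the hostname normalisation before hashing, the MD5 hex-digest form, the audit-record field names, and the placeholder hardcoded string are all mine, since the page does not give them.

```python
"""Hunt for GearDoor's Google Drive C2 pattern in Drive audit records.

Added example for illustration; not Check Point's or Mallory's code.
"""
import hashlib
import os
import re

# File-extension -> task-type encoding, as described in the GearDoor reporting.
TASK_BY_EXTENSION = {
    ".cab": "command execution",
    ".pdf": "directory task",
    ".rar": "drop payload / self-update",
    ".7z": "in-memory .NET plugin",
    ".bak": "result upload (task completed)",
    ".png": "heartbeat (hostname, username, IP, OS version)",
}

# A folder named as a SHA-256 hex digest is 64 lowercase hex characters.
SHA256_NAME = re.compile(r"^[0-9a-f]{64}$")


def derive_des_key(hardcoded_string: str) -> bytes:
    """DES key = first 8 characters of MD5(hardcoded string), per the reporting.

    Assumptions of this example: the MD5 is the lowercase hex digest and the
    8 characters are used as ASCII bytes. The real hardcoded string is not
    given on the page, so callers pass a placeholder.
    """
    return hashlib.md5(hardcoded_string.encode()).hexdigest()[:8].encode()


def folder_candidates(hostnames):
    """Map SHA-256(hostname) -> hostname for every inventory host.

    The reporting does not say how the hostname is normalised before hashing,
    so (as an assumption) the as-given, upper- and lower-case forms are all tried.
    """
    table = {}
    for host in hostnames:
        for variant in {host, host.upper(), host.lower()}:
            table[hashlib.sha256(variant.encode()).hexdigest()] = host
    return table


def triage(events, hostnames):
    """Return findings from Drive audit records.

    Each record is a dict with actor/event/name/parent (field names are an
    assumption of this example). Two findings are produced: a folder whose name
    is SHA-256 of one of our hostnames, and any task/result/heartbeat file
    uploaded into such a folder, labelled with the task type its extension encodes.
    """
    known = folder_candidates(hostnames)
    findings = []
    for ev in events:
        name = ev["name"]
        if ev["event"] == "create_folder" and SHA256_NAME.match(name) and name in known:
            findings.append({"kind": "victim_folder", "folder": name,
                             "host": known[name], "actor": ev["actor"]})
        elif ev["event"] == "upload" and ev["parent"] in known:
            ext = os.path.splitext(name)[1].lower()
            if ext in TASK_BY_EXTENSION:
                findings.append({"kind": "c2_file", "folder": ev["parent"],
                                 "host": known[ev["parent"]], "file": name,
                                 "task": TASK_BY_EXTENSION[ext]})
    return findings


# Constructed sample data: an asset inventory and a handful of audit records.
# The victim folder name is built the way GearDoor is reported to build it.
INVENTORY = ["WS-FIN-0342", "SRV-DC01", "LT-HR-117"]
_VICTIM = hashlib.sha256(b"WS-FIN-0342").hexdigest()
_OPS = "ops-share@example.invalid"  # placeholder operator account
SAMPLE_EVENTS = [
    {"actor": _OPS, "event": "create_folder", "name": _VICTIM, "parent": "root"},
    {"actor": _OPS, "event": "upload", "name": "3f1c.png", "parent": _VICTIM},
    {"actor": _OPS, "event": "upload", "name": "task-01.cab", "parent": _VICTIM},
    {"actor": _OPS, "event": "delete", "name": "task-01.cab", "parent": _VICTIM},
    {"actor": _OPS, "event": "upload", "name": "task-01.bak", "parent": _VICTIM},
    {"actor": "alice@example.invalid", "event": "create_folder", "name": "Q3 budget", "parent": "root"},
    {"actor": "alice@example.invalid", "event": "upload", "name": "report.pdf", "parent": "Q3 budget"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, INVENTORY):
        print(finding)
```

The `.pdf` uploaded into an ordinary folder is not flagged: the extension table only matters once the parent folder already matches a hostname digest, which keeps the rule from firing on every PDF or PNG in the tenant. In a real deployment the inventory list comes from your CMDB and the records from the Drive audit log export; the delete-after-processing and `.bak` confirmation described above are the sequence to look for around each flagged folder.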
Groups observed using it
3 distinct threat actors attributed by public researchers.
Recent operations used the GearDoor backdoor with SSHcmd and SilverScreen, enabling remote access, covert screen capture, and stealthy control after phishing and server exploitation.
"...Silver Dragon deployed GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel..."
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
“Silver Dragon gains its initial access by exploiting public-facing internet servers…”
"using phishing emails... to infiltrate government networks" and "gains initial access... sending phishing emails with malicious attachments."
“...and by delivering phishing emails that contain malicious attachments.”
Execution (6 techniques)
"LNK files that triggered PowerShell commands, dropping additional malware components"
"...launch PowerShell code by means of 'cmd.exe'" ... "run commands via 'cmd.exe' or scheduled tasks"
"attackers sent LNK files that triggered PowerShell commands"
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (5 techniques)
“strings are entirely obfuscated using a Brainfuck-based string decryption routine… control flow flattening and inserting junk code…”
GearDoor command list includes “steal_token <pid> Impersonates the security token…” and SilverScreen “relaunches itself… using token impersonation.”
"malicious Windows shortcut files and DLL-based persistence techniques" and "load malicious DLLs".
“To maintain persistence, the group hijacks legitimate Windows services…”
Discovery (5 techniques)
GearDoor supported commands include “ipconfig”, “netstat”, “ps” and directory listing operations.
GearDoor command list includes “netstat”.
GearDoor command list includes “ps None Lists running processes on the system.”
"uploads a heartbeat file... containing the machine’s hostname, username, IP address, and OS version"
Collection (1 technique)
"...delivered via compressed archives..." ... "RAR archive containing a batch script" ... "*.rar ... *.7z"
Command and Control (6 techniques)
"GearDoor, a backdoor that communicates with command-and-control infrastructure through Google Drive."
“...GearDoor, a new backdoor which leverages Google Drive as its command-and-control (C2) channel…”
"...leveraged a dedicated Google Drive account as command-and-control infrastructure for its GearDoor backdoor..."
"...uses ... Google Drive-based command-and-control" ... "GearDoor, a .NET backdoor, uses Google Drive as a command-and-control channel"
"a .rar file drops new payloads or triggers a self-update" and "a .7z file runs an in-memory .NET plugin"
"All data exchanged through Google Drive is encrypted using the DES algorithm"
Exfiltration (1 technique)
“GearDoor… exfiltrating information via Google Drive… the download command exfiltrates files from the infected host to Google Drive.”
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Backdoor used for remote access and post-compromise control; used alongside tooling for command execution and screen capture.
A backdoor that uses Google Drive as a C2 channel to blend malicious communications into trusted cloud traffic.
Backdoor used for cyberespionage, leveraging Google Drive as command-and-control (C2) infrastructure to blend in with trusted cloud traffic and reduce detection.
A backdoor used for persistent access and command-and-control, notable for using Google Drive as a C2 channel.