
BamboLoader

BamboLoader is a heavily obfuscated Windows shellcode loader used by the China-nexus activity cluster “Silver Dragon,” which Check Point assesses as operating under the broader APT41 umbrella. It has been observed since at least mid-2024 in intrusions primarily targeting government entities in Europe and Southeast Asia.

BamboLoader is described as an x64 C++ loader that uses control-flow flattening and junk code to hinder analysis. In the observed service-DLL and phishing chains it operates as an in-memory loader: it reads a staged shellcode payload from disk, decrypts it with RC4 under a hardcoded key, decompresses the result with the LZNT1 algorithm (via RtlDecompressBuffer), and injects the recovered shellcode into a legitimate Windows process (commonly taskhost.exe/taskhostw.exe; the injection target is configurable). The final payload delivered in these chains is a Cobalt Strike beacon (noted as a cracked build in the reporting). Because the key is hardcoded, a staged payload recovered from disk can be decoded offline once the key has been extracted from the loader.
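The decrypt-and-decompress step described above can be reproduced offline to triage a staged payload recovered from disk (the simhei.dat file, or the .fon/.ttf blobs under C:\Windows\Fonts). The following is an added example written for this page, not code from the Check Point report or from the loader itself: it reimplements RC4 and LZNT1 (the format RtlDecompressBuffer handles as COMPRESSION_FORMAT_LZNT1) in pure Python. The key name DEMO_KEY, the hand-assembled SAMPLE_LZNT1 stream and the derived STAGED_BLOB are constructed for the demo; the real key has to be recovered from the loader binary.

```python
"""Added example for this page, not code from the Check Point report or the loader:
pure-Python RC4 + LZNT1 so a staged payload pulled from disk can be decoded offline.
DEMO_KEY, SAMPLE_LZNT1 and STAGED_BLOB are constructed for the demo."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_decompress_chunk(chunk: bytes) -> bytes:
    """Decode one compressed chunk body: groups of a flag byte plus eight tokens."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:          # flag 0: literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            if pos + 2 > len(chunk):
                raise ValueError("truncated LZNT1 copy tuple")
            word = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The 16-bit tuple splits into displacement/length; the displacement
            # field widens from 4 to 12 bits as the chunk's output grows.
            p = len(out) - 1
            len_mask, disp_shift = 0xFFF, 12
            while p >= 0x10:
                p >>= 1
                len_mask >>= 1
                disp_shift -= 1
            length = (word & len_mask) + 3
            disp = (word >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("LZNT1 back-reference before chunk start")
            start = len(out) - disp
            for k in range(length):             # byte-wise so overlapping runs work
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Walk chunk headers: 12-bit (size-1), 3-bit signature 011, bit 15 = compressed."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                         # end-of-stream marker
            break
        if ((header >> 12) & 0x7) != 0x3:
            raise ValueError("bad LZNT1 chunk signature at offset %#x" % (pos - 2))
        size = (header & 0xFFF) + 1
        body = data[pos:pos + size]
        if len(body) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        out += _lznt1_decompress_chunk(body) if header & 0x8000 else body
    return bytes(out)


def decode_staged_payload(blob: bytes, key: bytes) -> bytes:
    """RC4-decrypt, then LZNT1-decompress: the order described for the loader."""
    return lznt1_decompress(rc4(key, blob))


# --- Constructed demo input (hand-assembled, not a real sample) ------------
SAMPLE_LZNT1 = bytes.fromhex(
    "0AB0"        # chunk header: compressed, signature 011, body size 11
    "48"          # flag byte: tokens 3 and 6 are copy tuples
    "414243"      # literals 'A' 'B' 'C'
    "1220"        # copy: displacement 3, length 21 -> "ABC" x 7 (overlapping)
    "5859"        # literals 'X' 'Y'
    "0108"        # copy with 5-bit displacement field: displacement 2, length 4
    "21"          # literal '!'
    "0330"        # chunk header: stored (uncompressed), body size 4
    "20454E44"    # " END"
)
DEMO_KEY = b"demo-rc4-key"                  # hypothetical key, not the loader's
STAGED_BLOB = rc4(DEMO_KEY, SAMPLE_LZNT1)   # what the on-disk blob would look like

if __name__ == "__main__":
    print(decode_staged_payload(STAGED_BLOB, DEMO_KEY))
```

Two things worth checking when running this against a real file: the 3-bit signature in every chunk header must be 011, which is a cheap way to confirm the RC4 key was right before trusting the output, and a decoded buffer that begins with typical shellcode prologue bytes rather than an MZ header is consistent with the in-memory shellcode injection the reporting describes.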

Two delivery and persistence contexts are described:

(1) A "service DLL" chain: a batch script drops BamboLoader and registers it as a Windows service, abusing legitimate Windows services for persistence through registry manipulation and service recreation so that the malicious DLL is loaded as the service's ServiceDll.

(2) A phishing campaign using weaponized LNK attachments (one case is noted as Uzbekistan-focused): the LNK launches cmd.exe, which invokes PowerShell to extract embedded payloads; a legitimate executable (GameHook.exe) is then run to sideload BamboLoader (named graphics-hook-filter64.dll) while a decoy document is displayed. The encrypted Cobalt Strike payload in this chain was named simhei.dat.

Additional artifacts reported for the service-DLL chain: the loader DLL is written to C:\Windows\System32\wbem, and encrypted payloads are placed under C:\Windows\Fonts disguised with .fon or .ttf extensions. Legitimate Windows services reported as abused for persistence include wuausrv, bthsrv, COMSysAppSrv, DfSvc, and tzsync (names as given in the reporting).
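Two checks that follow from the service-DLL chain and from the artifacts listed above, written as an added example for this page rather than tooling from the report: (1) parse the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` and flag ServiceDll values that resolve under System32\wbem or outside System32; (2) flag files under C:\Windows\Fonts whose .ttf/.otf/.fon extension does not match the file's leading bytes, or whose entropy is at the level of encrypted data. Both inputs (the registry listing and the font-file bytes) are constructed, the service "UpdateHelper" and every DLL file name in the listing are hypothetical, and the entropy threshold is a heuristic choice, not a value from the reporting.

```python
"""Added example for this page (not tooling from the report): heuristics for the
service-DLL persistence chain and the disguised payloads under C:\\Windows\\Fonts.
All inputs below are constructed; DLL file names and 'UpdateHelper' are hypothetical."""
import math
import random
import re

# Service names as given in the reporting. They are legitimate services, so a
# name hit alone is never a finding; it only annotates a path anomaly.
REPORTED_ABUSED_SERVICES = {"wuausrv", "bthsrv", "comsysappsrv", "dfsvc", "tzsync"}
REPORTED_DROP_DIR = r"c:\windows\system32\wbem"

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$", re.I)
VAL_RE = re.compile(r"^\s*ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def parse_servicedlls(reg_text):
    """Yield (service, ServiceDll) pairs from `reg query ... /s /v ServiceDll` text."""
    service = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            service = key.group(1)
            continue
        val = VAL_RE.match(line)
        if val and service:
            yield service, val.group(1)


def _normalize(path):
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p


def suspicious_servicedlls(reg_text):
    """Return [(service, dll, reasons)] for ServiceDll values in odd locations."""
    findings = []
    for svc, dll in parse_servicedlls(reg_text):
        directory = _normalize(dll).rsplit("\\", 1)[0]
        reasons = []
        if directory == REPORTED_DROP_DIR:
            reasons.append("ServiceDll under System32\\wbem (reported drop directory)")
        elif not directory.startswith(r"c:\windows\system32"):
            reasons.append("ServiceDll outside System32 (heuristic; third-party services may be legitimate)")
        if reasons and svc.lower() in REPORTED_ABUSED_SERVICES:
            reasons.append("service name matches one reported as abused")
        if reasons:
            findings.append((svc, dll, reasons))
    return findings


# Expected leading bytes per extension. .fon files are NE executables, hence "MZ".
FONT_MAGIC = {"ttf": (b"\x00\x01\x00\x00", b"true"), "otf": (b"OTTO",), "fon": (b"MZ",)}


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits near 8, fonts well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def suspicious_font_files(files, entropy_threshold=7.2):
    """files: iterable of (filename, bytes). Flags magic mismatch and/or high entropy."""
    findings = []
    for name, data in files:
        ext = name.lower().rsplit(".", 1)[-1]
        magics = FONT_MAGIC.get(ext)
        if magics is None:
            continue
        reasons = []
        if not data.startswith(magics):
            reasons.append("leading bytes are not a .%s signature" % ext)
        ent = shannon_entropy(data)
        if ent > entropy_threshold:          # threshold is a heuristic choice
            reasons.append("high entropy (%.2f bits/byte)" % ent)
        if reasons:
            findings.append((name, reasons))
    return findings


# --- Constructed sample inputs ---------------------------------------------
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzsync\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\wbem\tzsync.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateHelper\Parameters
    ServiceDll    REG_SZ    C:\ProgramData\UpdateHelper\helper.dll
"""
_rng = random.Random(1337)
SAMPLE_FONT_FILES = [
    ("simsun.ttf", b"\x00\x01\x00\x00" + bytes(28)),                 # TrueType header, low entropy
    ("stage.ttf", bytes(_rng.getrandbits(8) for _ in range(4096))),  # random bytes standing in for RC4 output
    ("app850.fon", b"MZ" + bytes(62)),                               # genuine-looking .fon
]

if __name__ == "__main__":
    for finding in suspicious_servicedlls(SAMPLE_REG_QUERY) + suspicious_font_files(SAMPLE_FONT_FILES):
        print(finding)
```

The "outside System32" branch will also surface legitimate third-party svchost-hosted services, so treat it as a triage list rather than an alert; the wbem branch and a magic/entropy mismatch in the Fonts directory are the two conditions that line up directly with the reported tradecraft.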


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT41

A shellcode DLL loader we named BamboLoader... The loader reads the staged shellcode payload from disk, decrypts it using RC4 with a hardcoded key, and then decompresses the resulting data with the LZNT1 algorithm...

Source: Check Point Research blog (research.checkpoint.com)
APT17

"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"

Source: Dark Reading (darkreading.com)
Silver Dragon

"...a phishing campaign with a malicious LNK file as an attachment, a tactic linked to Silver Dragon based on the use of similar loaders, which the researchers collectively call 'BamboLoader.'"

Source: Dark Reading (darkreading.com)
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1190 Exploit Public-Facing Application (evidence: 2)

"Silver Dragon gains its initial access by exploiting public-facing internet servers..." ... "deployed following the compromise of publicly exposed vulnerable servers."

T1566.001 Spearphishing Attachment (evidence: 4)

“The third initial-access strategy is via a phishing campaign with a malicious LNK file as an attachment…”

Execution

6 techniques
T1059.001 PowerShell (evidence: 2)

"...weaponized LNK file is designed to launch PowerShell code by means of 'cmd.exe'"

T1059.003 Windows Command Shell (evidence: 1)

“Upon execution, the LNK file launches cmd.exe, which in turn invokes PowerShell.”

T1106 Native API (evidence: 1)

“…injected into a Windows process, such as taskhost.exe, which is created as a child process.”

T1204.002 Malicious File (evidence: 1)

"The attack chain relies on ... weaponized LNK attachments."

T1569.002 Service Execution (evidence: 1)

“The batch script then deletes and recreates the legitimate DfSvc service to force a new execution of dfsvc.exe…” and “registers the BamboLoader to run as a Windows service…”

T1574.001 DLL (evidence: 2)

"The attack chain relies on ... malicious service DLL deployment"

Persistence

2 techniques
T1543.003 Windows Service (evidence: 3)

"It maintains persistence by hijacking legitimate Windows services" ... "hijack legitimate Windows services for persistence"

T1546.015 Component Object Model Hijacking (evidence: 1)

“The script hijacks legitimate Windows services by… manipulating the registry… HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost … ServiceDll …”

Note that the quoted evidence describes manipulation of the svchost group and ServiceDll registry entries rather than a COM object registration; the T1546.015 mapping is reproduced as documented, and the behaviour itself is the one already covered by the T1543.003 entry above.

Defense Evasion

5 techniques
T1027 Obfuscated Files or Information (evidence: 2)

"The group leverages heavily obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory"

T1055 Process Injection (evidence: 3)

"...decrypt and inject payloads in memory" ... "including ... injected processes."

T1140 Deobfuscate/Decode Files or Information (evidence: 2)

"...obfuscated loaders such as MonikerLoader and BamboLoader to decrypt and inject payloads in memory"

T1218 System Binary Proxy Execution (evidence: 1)

“GameHook.exe – Legitimate executable abused for DLL sideloading… legitimate binary is executed in the background to sideload the BamboLoader.”

T1574.001 DLL (evidence: 2)

"The attack chain relies on ... malicious service DLL deployment"

Collection

1 technique
T1560.001 Archive via Utility (evidence: 1)

"...delivered via compressed archives..." ... "RAR archive containing a batch script" ... "*.rar ... *.7z"
