Chinese state-sponsored threat actors have recently been observed leveraging legitimate Windows and Google Cloud services to mask their activities while conducting espionage operations across Southeast Asia and Europe. A report from Check Point Research (CPR) highlights the operations of a group known as Silver Dragon, which has been active since at least mid-2024. This group has primarily targeted government entities in various European nations, including Russia, Poland, Hungary, and Italy, as well as countries like Japan, Myanmar, and Malaysia.
Silver Dragon is believed to be affiliated with APT41, a notorious state-sponsored actor recognized for its focus on cyber-espionage.
Leveraging regular “noise”
The modus operandi of Silver Dragon typically begins with phishing emails that impersonate official communications, often containing weaponized documents or links. In some instances, the group targets internet-exposed systems, compromising servers and infiltrating deeper into internal networks to deploy additional tools.
Central to their campaign is a custom backdoor known as GearDoor. This backdoor distinguishes itself by using Google Drive as its command-and-control (C2) infrastructure rather than dedicated attacker-controlled servers. Each infected machine creates its own folder in a Google Drive account set aside for the campaign; the implant uploads periodic heartbeat data to that folder and retrieves operator commands disguised as ordinary files. All stolen intelligence is exfiltrated to this same location.
Moreover, Silver Dragon has been observed hijacking legitimate Windows services, stopping and recreating them to load malicious code under trusted names. Services such as Windows Update, Bluetooth, and .NET Framework utilities have been exploited in this manner. By blending their activities with normal system operations, the attackers can maintain a prolonged presence on a system without detection. CPR notes that this tactic is particularly effective in large environments where routine system services generate substantial noise.
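As an added illustration (not code from the CPR report or this article), the following Python check shows how a defender could review Windows System event log records for the stop-and-recreate pattern described above: a service reinstalled under a trusted name but backed by an unexpected binary, or reinstalled right after being stopped. The event records, field names and the baseline table are constructed assumptions for the example.

```python
"""Flag Windows services that were stopped and re-created under trusted names.
Added example for this page; the records below are constructed, not real logs.
Assumed input: dicts mirroring System log events 7036 (state change) and
7045 (service installed), already sorted by time."""
import re

# Illustrative baseline of expected binaries for trusted services.
# In practice build this from a known-good host, not from a fixed table.
BASELINE = {
    "wuauserv": r"c:\windows\system32\svchost.exe",   # Windows Update
    "bthserv": r"c:\windows\system32\svchost.exe",    # Bluetooth Support
}

def _binary(image_path):
    """Return the lower-cased executable path, ignoring quotes and arguments."""
    m = re.match(r'\s*"?(.*?\.exe)', image_path.lower())
    return m.group(1) if m else image_path.lower()

def flag_service_recreation(events):
    """Return (service_name, reason) pairs for suspicious install events."""
    stopped = set()   # services currently observed in a stopped state
    findings = []
    for ev in events:
        name = ev["service"].lower()
        if ev["id"] == 7036:
            if ev["state"] == "stopped":
                stopped.add(name)
            else:
                stopped.discard(name)
        elif ev["id"] == 7045:
            binary = _binary(ev["image_path"])
            expected = BASELINE.get(name)
            if expected and binary != expected:
                findings.append((name, f"reinstalled with unexpected binary {binary}"))
            elif name in stopped:
                findings.append((name, "installed after a stop event for the same name"))
    return findings

# Constructed sample: one trusted name hijacked, one plain reinstall, two benign events.
SAMPLE_EVENTS = [
    {"id": 7036, "service": "wuauserv", "state": "stopped"},
    {"id": 7045, "service": "wuauserv", "image_path": r'"C:\ProgramData\Update\wuauserv.exe"'},
    {"id": 7036, "service": "VendorAgent", "state": "stopped"},
    {"id": 7045, "service": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 7045, "service": "bthserv", "image_path": r"C:\Windows\System32\svchost.exe -k LocalService"},
    {"id": 7045, "service": "NewBackupSvc", "image_path": r"C:\Program Files\Backup\svc.exe"},
]

def demo():
    return flag_service_recreation(SAMPLE_EVENTS)
```

Only the Windows Update name backed by a binary outside System32 and the stopped-then-reinstalled vendor service are reported; the benign bthserv install and the brand-new service are not.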
The hackers also employ a variety of post-exploitation tools, including SSHcmd and Cobalt Strike. SSHcmd is a lightweight SSH utility that facilitates remote command execution and file transfers, while Cobalt Strike is a penetration testing tool frequently misused by threat actors.
CPR emphasizes that state-aligned actors are increasingly embedding themselves within legitimate enterprise systems and trusted cloud services, which diminishes visibility for traditional perimeter defenses and extends their dwell time within targeted networks. The implications for executive leadership are significant: exposure to risk is no longer confined to overt malware or suspicious external connections. Instead, the threat landscape now encompasses the subtle abuse of legitimate services, cloud platforms, and core operating system components.