PROBABLYPWNED
Threat Intelligence · March 9, 2026 · 4 min read

Silver Dragon Uses Google Drive as C2 in Government Attacks

APT41-linked threat group deploys GearDoor backdoor via Google Drive for covert command-and-control. Check Point tracks campaigns across Europe and Southeast Asia.

Alex Kowalski

Check Point Research has published a technical analysis of Silver Dragon, a Chinese-nexus threat group targeting government organizations across Southeast Asia and Europe. The campaign, active since mid-2024, deploys custom backdoors including GearDoor—a .NET implant that uses Google Drive for command-and-control communications.

Silver Dragon shares significant tradecraft overlap with APT41, the dual-purpose espionage and financial crime group attributed to China's state security apparatus. The connection manifests through identical installation scripts previously documented by Mandiant in APT41 operations.

The Google Drive C2 Channel

GearDoor's C2 mechanism abuses Google Drive's legitimate file-sharing functionality. Each infected machine gets a unique folder in the threat actor's Drive account, named using the SHA-256 hash of the victim's hostname. Communication happens through file drops:

  • .cab files deliver commands to execute
  • .pdf files handle directory listing requests
  • .rar files drop new payloads or trigger self-updates
  • .7z files execute in-memory .NET plugins

Because Google Drive traffic blends with normal business activity, network monitoring tools rarely flag these connections. The service's TLS encryption prevents content inspection without SSL interception, and Drive's global CDN infrastructure makes IP-based blocking impractical.

Attack Infrastructure

Silver Dragon gains initial access through two vectors: exploiting public-facing servers and delivering phishing emails with malicious LNK attachments. The LNK files exceed 1MB—unusually large due to embedded payloads—which should trigger suspicion in organizations monitoring attachment sizes.

Persistence mechanisms include:

  • AppDomain hijacking via dfsvc.exe.config manipulation
  • Windows service DLL registration abuse (targeting bthsrv, wuausrv, COMSysAppSrv)
  • Service stop/restart sequences forcing legitimate binaries to load malicious libraries

Primary tools deployed:

  • BamboLoader: Heavily obfuscated x64 C++ shellcode loader using RC4 + LZNT1 decryption chains
  • GearDoor: .NET backdoor with Google Drive C2
  • MonikerLoader: .NET loader with Brainfuck string obfuscation
  • Cobalt Strike: Cracked beacons with DNS tunneling and HTTP C2

C2 Infrastructure

Check Point documented numerous attacker domains designed to impersonate legitimate services:

zhydromet[.]com, ampolice[.]org, onedriveconsole[.]com, copilot-cloud[.]net, wikipedla[.]blog, splunkds[.]com

The typosquatting follows standard Chinese APT tradecraft—domains close enough to real services to pass casual inspection, hosted behind Cloudflare for DDoS protection and IP masking.

Attribution Confidence

The APT41 link rests on multiple indicators beyond installation script overlap. Compilation timestamps across BamboLoader samples cluster around UTC+8 timezone working hours. Archive creation times match across payloads, suggesting automated build pipelines. And the overall targeting pattern—government entities, telecommunications, high-value commercial targets—aligns with APT41's historical victimology.

This attribution matters because APT41 operates under China's Ministry of State Security with documented connections to Chengdu-based contractors. Organizations on Silver Dragon's target list face a well-resourced adversary with state backing, not opportunistic criminals. The conviction of Linwei Ding for stealing Google AI trade secrets on behalf of Chinese companies underscores the ongoing industrial espionage threat.

Detection Guidance

Check Point recommends monitoring for:

  • Large LNK files (1MB+) in email attachments
  • Google Drive authentication from unexpected processes
  • Service hijacking patterns (stop → modify → restart sequences)
  • .config files appearing in .NET Framework directories
  • DNS tunneling traffic from workstations
  • Multi-stage .NET loader execution chains

The Dust Specter campaign we covered recently showed similar cloud service abuse for C2, highlighting a broader shift toward hiding malicious traffic in legitimate platforms. Security teams should treat cloud service authentication from non-browser processes as a detection opportunity.

Why This Matters

Silver Dragon demonstrates the maturation of Chinese cyber espionage tradecraft. Google Drive C2 represents an evolution from dedicated infrastructure that defenders can blocklist. Service hijacking for persistence shows sophistication beyond simple scheduled task or registry run key methods. And the multi-tool approach—different loaders, different backdoors, different C2 channels—provides operational resilience against partial detection.

For organizations in Silver Dragon's target regions, the threat demands proactive hunting rather than passive alert monitoring. Check the published IOCs against historical logs. Audit service configurations for unauthorized modifications. And assume that Chinese-nexus APTs have already attempted access—the question is whether they succeeded.
