State-linked hackers have stopped brandishing noisy exploits. Instead they slip quietly into operating systems and office suites, turning scheduled maintenance tasks into covert relays for command traffic that blends with routine administrative noise.
Malicious implants now pose as Windows telemetry jobs, Bluetooth services or harmless cloud sync, leaving intrusion-detection dashboards strangely calm. For defenders tracking state-backed intrusion tactics, each bland Google Drive upload or process relaunch might conceal abuse of a trusted platform, a quiet reconnaissance sweep of a government network, or staging for deeper lateral movement across supposedly well-segmented environments that routine security audits continue to pass.
Silver Dragon and the suspected APT41 link behind a quiet spying campaign
Check Point Research disclosed the Silver Dragon cyber-espionage campaign in 2024, describing a quiet but persistent operation aimed at ministries and public agencies. Analysts portray an operator tied to Beijing, a China-linked threat actor that focuses on data theft rather than disruption.
Plausible ties to APT41 arise from tooling overlaps, tasking patterns and other signals that raise attribution confidence across incidents in the last few years. Check Point highlights Southeast Asia targets where the group maintains long-dwell espionage activity, preserving covert access to government networks for months.
Two entry points, one objective: exploiting public servers and phishing government inboxes
Attackers behind Silver Dragon rely on a blend of technical flaws and human behaviour to secure their first foothold inside public institutions. One path is exposed server exploitation: abusing vulnerable web portals and application servers that political offices leave reachable from the internet.
Alongside these system breaches, the operators craft spear-phishing emails that mimic diplomatic exchanges and budget discussions. Such tailored lures serve as initial access vectors in ministries whose workflows depend heavily on email, where a single opened attachment can install loaders on multiple government workstations.
When trusted Windows services become a hiding place for persistence
Control of a government machine only marks the beginning of Silver Dragon’s presence on a network. The operators reshuffle legitimate components through Windows service hijacking, replacing paths and configurations so that familiar processes quietly point toward their own malicious loaders.
Adjusted services can include Bluetooth helpers, COM+ components and even update utilities, enabling repeated wuauserv abuse during system maintenance. Some hosts show traces of ClickOnce DfSvc loading, turning application deployment features into a stealthy persistence mechanism that survives reboots while blending with normal Windows management traffic.
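The service hijacking described above leaves a simple trace: a service whose binary or hosted DLL no longer resolves to where a clean build keeps it. The following added example (not Check Point's tooling and not taken from any GearDoor sample) audits a set of service records against a known-good baseline and a list of trusted directories. The baseline values, the trusted directories and the service records are all assumptions constructed for illustration; in practice the baseline is exported from a clean reference host of the same Windows build.

```python
"""Audit Windows service configurations for signs of hijacked paths.

Added example for this article, not Check Point's tooling or anything from the
GearDoor samples. The expected-path baseline is an assumption here; derive the
real one from a clean reference build of the same Windows version.
"""
import re

# Assumed known-good hosted DLLs for two services named in the article.
BASELINE_SERVICE_DLL = {
    "wuauserv": r"%SystemRoot%\System32\wuaueng.dll",
    "bthserv": r"%SystemRoot%\System32\bthserv.dll",
}

# Directories (after normalisation) from which service binaries and hosted-service
# DLLs are expected to load. Anything else is worth a look.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)

# Constructed records mimicking an export of HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_SERVICES = [
    {"Name": "wuauserv",  # clean: svchost-hosted, DLL in System32
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p",
     "ServiceDll": r"%systemroot%\system32\wuaueng.dll"},
    {"Name": "bthserv",  # constructed hijack: hosted DLL repointed outside System32
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k LocalService -p",
     "ServiceDll": r"C:\ProgramData\Intel\bthserv.dll"},
    {"Name": "UpdateHelper",  # constructed: lookalike svchost.exe in a user-writable path
     "ImagePath": r"C:\Users\Public\Libraries\svchost.exe -k netsvcs"},
    {"Name": "BITS",  # clean and not in the baseline: only the location check applies
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p",
     "ServiceDll": r"%SystemRoot%\System32\qmgr.dll"},
]

_BINARY_RE = re.compile(r'\s*"?([^"]*?\.(?:exe|dll))', re.IGNORECASE)


def binary_of(value):
    """Extract the executable or DLL from an ImagePath/ServiceDll value and normalise it.

    Arguments such as '-k netsvcs' are dropped, forward slashes are folded to
    backslashes, and %SystemRoot%/%windir% are expanded so the same file written
    two ways compares equal.
    """
    match = _BINARY_RE.match(value)
    path = (match.group(1) if match else value.strip()).lower().replace("/", "\\")
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, "c:\\windows")
    return path


def in_trusted_dir(path):
    return any(path.startswith(d) for d in TRUSTED_DIRS)


def audit_services(records, baseline=BASELINE_SERVICE_DLL):
    """Return {service name: [reasons]} for every record that deviates.

    Two checks: any ImagePath/ServiceDll resolves to a file outside the trusted
    directories, or the hosted DLL differs from the baseline for that service.
    """
    findings = {}
    for rec in records:
        name = rec["Name"]
        reasons = []
        for key in ("ImagePath", "ServiceDll"):
            if key in rec and not in_trusted_dir(binary_of(rec[key])):
                reasons.append(f"{key} outside trusted directories: {binary_of(rec[key])}")
        expected = baseline.get(name)
        if expected and binary_of(rec.get("ServiceDll", "")) != binary_of(expected):
            reasons.append(f"ServiceDll differs from baseline {binary_of(expected)}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for line in why:
            print("   ", line)
```

Run on the constructed records, the audit flags bthserv twice (the DLL both leaves System32 and differs from the baseline) and flags the lookalike svchost.exe once, while the two clean entries pass. Path normalisation is the part worth getting right: hijacks often rely on the same file name appearing in a different directory, so comparing raw registry strings misses them.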
GearDoor’s file-based C2 on Google Drive and why it blends into normal cloud traffic
GearDoor, the backdoor linked to Silver Dragon, avoids bespoke command servers that raise suspicion on perimeter logs. Its operators instead lean on a file-based command channel, driving instructions and results through ordinary uploads and downloads to Google’s cloud services.
For each victim, the malware creates dedicated Google Drive C2 folders where operators drop encrypted task files disguised as benign content. Corporate networks that rely on broad SaaS traffic allowlisting rarely flag this activity, since the traffic profile looks like everyday collaboration between civil servants and external partners.
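Allowlisting Drive wholesale leaves cadence and provenance as the remaining signals: a human collaborating through a browser produces bursty requests, while an implant polling a task folder from a system process produces evenly spaced ones. The following added example (not Check Point's detection logic and not derived from GearDoor) groups Drive requests by host and process from a proxy log and scores the regularity of their timing. The log format, the host names and the list of processes expected to talk to Drive are constructed assumptions.

```python
"""Spot regular-cadence Google Drive traffic from hosts and processes that should not poll.

Added example for this article, not code from Check Point or from GearDoor. The log
format is constructed: one request per line, "timestamp host process method url bytes",
as a web proxy with process attribution might emit.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

MIN_EVENTS = 5        # need at least this many Drive requests before judging cadence
MAX_JITTER_CV = 0.2   # coefficient of variation below this looks machine-timed
# Processes that talk to Drive legitimately on a typical desktop (assumed list).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed proxy log. WS-FIN-07's svchost.exe touches the Drive API every ~5 minutes;
# WS-FIN-12's browser traffic to Drive is bursty, as human use tends to be.
SAMPLE_LOG = """\
2024-03-11T09:00:00Z WS-FIN-07 svchost.exe POST https://www.googleapis.com/drive/v3/files 48211
2024-03-11T09:00:03Z WS-FIN-12 chrome.exe GET https://drive.google.com/drive/my-drive 1802
2024-03-11T09:00:50Z WS-FIN-12 chrome.exe GET https://www.googleapis.com/drive/v3/files/1abc?alt=media 220914
2024-03-11T09:05:00Z WS-FIN-07 svchost.exe GET https://www.googleapis.com/drive/v3/files?spaces=drive 912
2024-03-11T09:08:35Z WS-FIN-12 chrome.exe POST https://www.googleapis.com/upload/drive/v3/files 5011203
2024-03-11T09:08:53Z WS-FIN-12 chrome.exe GET https://drive.google.com/drive/shared-with-me 1650
2024-03-11T09:09:58Z WS-FIN-07 svchost.exe POST https://www.googleapis.com/drive/v3/files 47990
2024-03-11T09:15:00Z WS-FIN-07 svchost.exe GET https://www.googleapis.com/drive/v3/files?spaces=drive 903
2024-03-11T09:20:01Z WS-FIN-07 svchost.exe POST https://www.googleapis.com/drive/v3/files 48102
2024-03-11T09:25:00Z WS-FIN-07 svchost.exe GET https://www.googleapis.com/drive/v3/files?spaces=drive 925
2024-03-11T09:31:43Z WS-FIN-12 chrome.exe GET https://drive.google.com/drive/my-drive 1799
2024-03-11T09:31:50Z WS-FIN-12 chrome.exe GET https://mail.google.com/mail/u/0/ 30211
"""


def parse_ts(value):
    """Parse the constructed ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_drive_request(url):
    """True for the Drive web UI and the Drive REST/upload API endpoints."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host == "drive.google.com":
        return True
    if host in ("www.googleapis.com", "content.googleapis.com"):
        return parts.path.startswith("/drive/") or parts.path.startswith("/upload/drive/")
    return False


def beacon_candidates(log_text):
    """Group Drive requests by (host, process) and score the regularity of their timing.

    Returns one dict per pair with at least MIN_EVENTS requests whose inter-request
    intervals vary by less than MAX_JITTER_CV, noting whether the process is one we
    expect to talk to Drive at all.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, _method, url, _size = line.split()
        if is_drive_request(url):
            events[(host, proc.lower())].append(parse_ts(ts))
    candidates = []
    for (host, proc), times in events.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv < MAX_JITTER_CV:
            candidates.append({"host": host, "process": proc, "requests": len(times),
                               "mean_interval_s": round(mean), "jitter_cv": round(cv, 3),
                               "unexpected_process": proc not in EXPECTED_PROCESSES})
    return candidates


if __name__ == "__main__":
    for c in beacon_candidates(SAMPLE_LOG):
        print(c)
```

On the constructed log only WS-FIN-07 surfaces: six Drive requests about 300 seconds apart from svchost.exe, a process with no business talking to Drive. The browser session on WS-FIN-12 has enough requests to be scored but its intervals range from seconds to twenty minutes, so it falls well outside the jitter threshold. Real implants add randomised sleep, so the threshold needs tuning per environment; the process attribution is the more robust of the two signals.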
From screen capture to Cobalt Strike: what the post-compromise toolkit looks like
Surveillance inside compromised ministries goes beyond keylogging or bulk document theft. Operators deploy a module that performs change-triggered screenshots, capturing the desktop only when windows or content change, which limits bandwidth use while preserving a detailed view of what staff handle on screen.
This approach forms part of low-noise user monitoring paired with post-exploitation frameworks. On several networks, investigators observed Cobalt Strike beacons configured for DNS and HTTP tunneling, granting operators flexibility to move laterally, exfiltrate archives and maintain a responsive foothold despite segmentation policies.
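DNS tunneling of the kind mentioned above has to push data through query names, which leaves a footprint that ordinary name resolution does not: many unique, long, high-entropy subdomains under one registered domain. The following added example (not Check Point's logic and not a Cobalt Strike or GearDoor artefact) scores a DNS query log per registered domain on exactly those properties. The log lines, the domain names and the thresholds are constructed assumptions, and the registered-domain split is a two-label simplification that production code would replace with a public-suffix list.

```python
"""Score DNS query logs for the footprint DNS tunneling leaves in query names.

Added example for this article, not Check Point's detection logic or any Cobalt Strike
or GearDoor artefact. Log lines are constructed: "timestamp client qname qtype".
"""
import math
from collections import Counter, defaultdict

MIN_UNIQUE_SUBDOMAINS = 5    # a few distinct hosts under a domain is normal
MIN_MEAN_ENTROPY = 3.0       # bits per character; hex or base32 payloads sit near 4 to 5
MIN_MEAN_SUBDOMAIN_LEN = 20  # human-chosen hostnames are short, encoded payloads are not

# Constructed log: ordinary lookups under example.org and example.net, plus six TXT
# queries whose subdomains are hex-encoded payload chunks under tunnel.example.
SAMPLE_DNS_LOG = """\
2024-03-11T10:00:01Z 10.20.4.17 www.example.org A
2024-03-11T10:00:02Z 10.20.4.17 mail.example.org A
2024-03-11T10:00:09Z 10.20.4.17 7c3a9f1e5b0d2846.e1f5c7a3b9d08264.tunnel.example TXT
2024-03-11T10:00:14Z 10.20.4.17 0d2846e1f5c7a3b9.d08264b7c3a9f1e5.tunnel.example TXT
2024-03-11T10:00:15Z 10.20.4.31 www.example.net A
2024-03-11T10:00:19Z 10.20.4.17 4b9e0c2f6a1d8375.a5f0e8c1d6b29734.tunnel.example TXT
2024-03-11T10:00:20Z 10.20.4.31 mail.example.net A
2024-03-11T10:00:24Z 10.20.4.17 2e7b4d0f9c6a1835.6f1a8c3e5d0b7924.tunnel.example TXT
2024-03-11T10:00:25Z 10.20.4.31 vpn.example.net A
2024-03-11T10:00:29Z 10.20.4.17 9d4c2a8f1b6e0357.c8e3f6b1a4d90527.tunnel.example TXT
2024-03-11T10:00:30Z 10.20.4.31 sso.example.net A
2024-03-11T10:00:34Z 10.20.4.17 1b5d9a3c7e2f4680.f4a6c9e2b0d81735.tunnel.example TXT
2024-03-11T10:00:35Z 10.20.4.31 portal.example.net A
2024-03-11T10:00:40Z 10.20.4.31 files.example.net A
2024-03-11T10:00:41Z 10.20.4.31 www.example.org A
"""


def shannon_entropy(text):
    """Bits per character of the text; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (registered_domain, subdomain) using a last-two-labels approximation."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(log_text):
    """Per registered domain: unique subdomain count, mean entropy and length, TXT share."""
    subs = defaultdict(set)
    txt = Counter()
    total = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        domain, sub = split_name(qname)
        if not sub:
            continue
        subs[domain].add(sub)
        total[domain] += 1
        if qtype.upper() in ("TXT", "NULL"):
            txt[domain] += 1
    stats = {}
    for domain, names in subs.items():
        # Entropy is measured over the label characters only; dots are structure, not data.
        ent = statistics_mean([shannon_entropy(s.replace(".", "")) for s in names])
        length = statistics_mean([len(s) for s in names])
        stats[domain] = {
            "unique_subdomains": len(names),
            "mean_entropy": ent,
            "mean_subdomain_len": length,
            "txt_fraction": txt[domain] / total[domain],
            "flagged": (len(names) >= MIN_UNIQUE_SUBDOMAINS
                        and ent >= MIN_MEAN_ENTROPY
                        and length >= MIN_MEAN_SUBDOMAIN_LEN),
        }
    return stats


def statistics_mean(values):
    return sum(values) / len(values)


def tunnel_suspects(log_text):
    """Sorted list of registered domains whose query names look like encoded payload."""
    return sorted(d for d, s in score_domains(log_text).items() if s["flagged"])


if __name__ == "__main__":
    for domain, s in score_domains(SAMPLE_DNS_LOG).items():
        print(domain, s)
```

On the constructed log, tunnel.example is the only suspect: six unique 33-character subdomains with 4.0 bits of entropy per character and every query a TXT record. example.net also has six unique subdomains, but they are four characters long on average with low entropy, which is what keeps the unique-count check from flagging any busy legitimate domain on its own. All three thresholds have to agree before a domain is flagged, and the TXT share is recorded as a supporting signal rather than a trigger, since plenty of legitimate software issues TXT lookups.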