The advanced persistent threat (APT) group tracked as Silver Dragon, which is closely linked to the China-backed APT41, has been actively targeting governmental organizations across Europe and Southeast Asia since mid-2024. Check Point researchers detailed the group's expanded operational playbook: initial access comes from exploiting public-facing servers and from sophisticated phishing campaigns that distribute malicious attachments, and persistence within compromised networks is maintained by hijacking legitimate Windows services.

A significant evolution in the group's tactics is the use of Cobalt Strike for extensive post-exploitation activity and, notably, Google Drive for command-and-control (C2) communications [1]. Moving C2 onto a widely trusted cloud service camouflages malicious traffic within legitimate network activity, which complicates detection. When a state-aligned actor adopts a ubiquitous platform like Google Drive for C2, the established threat landscape changes: practitioners must re-evaluate traditional network defense strategies and adapt to geopolitical adversaries that exploit common, legitimate platforms.
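Because the destination is a trusted domain, one practical check is to look at which process is talking to Google Drive and how regularly. The sketch below is an added example, not taken from the Check Point report: the event format, the process allowlist, the thresholds and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Hosts used by the Drive web UI and the Drive API. www.googleapis.com also
# serves other Google APIs, so a hit is a triage signal, not a verdict.
DRIVE_HOSTS = {"drive.google.com", "www.googleapis.com"}
# Assumed allowlist; tune it to the software actually deployed.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
# Constructed sample events: (epoch seconds, endpoint, process image, destination host)
EVENTS = [
    (1000, "WS-014", CHROME, "drive.google.com"),
    (1007, "WS-014", CHROME, "www.googleapis.com"),
    (1300, "WS-014", CHROME, "drive.google.com"),
    (1000, "SRV-02", SVCHOST, "www.googleapis.com"),
    (1301, "SRV-02", SVCHOST, "www.googleapis.com"),
    (1500, "SRV-02", SVCHOST, "ctldl.windowsupdate.com"),
    (1599, "SRV-02", SVCHOST, "www.googleapis.com"),
    (1902, "SRV-02", SVCHOST, "www.googleapis.com"),
    (2200, "SRV-02", SVCHOST, "www.googleapis.com"),
    (1100, "WS-020", r"C:\Tools\backup-agent.exe", "drive.google.com"),  # hypothetical tool
    (4700, "WS-020", r"C:\Tools\backup-agent.exe", "drive.google.com"),
]

def image_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspect_drive_clients(events, min_hits=4, max_cv=0.2):
    """Report unexpected processes contacting Drive hosts, with a periodicity flag."""
    seen = defaultdict(list)
    for ts, endpoint, image, dest in events:
        if dest.lower() in DRIVE_HOSTS and image_name(image) not in EXPECTED:
            seen[(endpoint, image_name(image))].append(ts)
    findings = []
    for (endpoint, proc), stamps in sorted(seen.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A low coefficient of variation in the gaps suggests timer-driven polling.
        periodic = (len(stamps) >= max(min_hits, 2) and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_cv)
        findings.append({"endpoint": endpoint, "process": proc,
                         "hits": len(stamps), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_drive_clients(EVENTS):
        print(finding)
```

A periodic finding from a service host process is the higher-priority lead; a non-periodic one usually means the allowlist is missing a legitimate sync or backup tool.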