China-linked hackers hide cyber spy operation inside Windows services and Google Drive

A cyber espionage campaign linked to China-nexus hackers, tracked as Silver Dragon, has been uncovered hiding inside legitimate Windows services and using Google Drive as a covert communications channel.
Researchers at Check Point say the campaign targets government ministries and public sector organizations and is designed for long-term intelligence gathering rather than disruptive cyberattacks.
Based on multiple indicators, Check Point’s threat intelligence team assesses with “high confidence” that the activity is linked to a China-aligned cyber espionage actor operating within the wider ecosystem associated with APT41.
APT41 is a widely tracked hacking group believed to operate on behalf of Chinese state interests while also carrying out financially motivated crimes.
Researchers say the attackers combine several techniques – including server exploitation, phishing emails and custom malware – to covertly establish access to networks and maintain it for extended periods.
A key feature of the campaign is the way the malware hides in plain sight. Instead of creating suspicious services that may trigger alerts, the attackers hijack legitimate Windows services.
They stop and recreate existing services associated with Windows Update, Bluetooth components and .NET utilities, then load malicious code under those trusted names.
As the report notes, this also makes the activity harder for security teams to detect:
“This tactic allows the malware to blend into normal system activity. Because the service names appear legitimate, detection becomes more challenging, particularly in large environments where system services generate routine noise.”
Check Point Research
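One way a defender can hunt for the tactic described above is to compare every "service installed" event against a baseline of known service names and binaries, and flag a trusted name that comes back with a different image path. This is an added example, not code from the Check Point report: the baseline, trusted directories and sample events are constructed, and the report does not name the exact services that were hijacked.

```python
"""Flag Windows services recreated under a trusted name with a different binary.
Added example (not Check Point's code). Baseline, dirs and events are constructed;
the report does not name the exact services hijacked."""
import re
from dataclasses import dataclass

# Constructed baseline: service name -> expected image path, lower-cased.
BASELINE = {
    "wuauserv": "c:\\windows\\system32\\svchost.exe -k netsvcs -p",
    "bthserv": "c:\\windows\\system32\\svchost.exe -k localservice -p",
    "clr_optimization_v4.0.30319_32":
        "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorsvw.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\microsoft.net\\")

@dataclass
class ServiceEvent:
    event_id: int      # 7045 = service installed, 7036 = service state change
    service_name: str
    image_path: str    # 'Service File Name' field of a 7045 event; "" otherwise

def _binary(image_path: str) -> str:
    """Return only the executable path, dropping quotes and svchost arguments."""
    path = image_path.strip().strip('"').lower()
    m = re.match(r"^(.*?\.exe)", path)
    return m.group(1) if m else path

def flag_service_hijacks(events, baseline=BASELINE):
    """Return (service_name, reason, image_path) for suspicious 7045 installs."""
    findings = []
    for ev in events:
        name = ev.service_name.lower()
        if ev.event_id != 7045 or name not in baseline:
            continue   # only reinstalls of names in the baseline are in scope
        new_path = ev.image_path.strip().strip('"').lower()
        if new_path == baseline[name]:
            continue   # same binary and arguments: a legitimate reinstall
        if _binary(new_path).startswith(TRUSTED_DIRS):
            reason = "trusted name recreated with a different image path"
        else:
            reason = "trusted name recreated with a binary outside Windows directories"
        findings.append((ev.service_name, reason, ev.image_path))
    return findings

# Constructed sample: Bluetooth service stopped and recreated from a user-writable path.
SAMPLE_EVENTS = [
    ServiceEvent(7036, "bthserv", ""),
    ServiceEvent(7045, "bthserv", "C:\\Users\\Public\\bth\\svchost.exe"),
    ServiceEvent(7045, "wuauserv", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
]
```

A 7045 event does not capture a changed ServiceDll for svchost-hosted services, so pair this check with monitoring of the Parameters\ServiceDll registry value under each service key.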
Custom backdoor uses Google Drive
The operation also relies on a custom backdoor called GearDoor, which uses Google Drive as its command-and-control channel.
Instead of communicating with suspicious infrastructure, infected machines exchange files with a dedicated Google Drive account.
Each compromised system creates its own folder in the cloud storage account and uploads periodic “heartbeat” data, signalling to the operators that the system is still active and under their control.
Compromised systems can also retrieve instructions disguised as ordinary files. After carrying out tasks, the results are uploaded back to the same location.
Using a trusted cloud platform in this way allows the attackers’ communications to blend into normal enterprise traffic, reducing the chance of detection.
Silver Dragon also deploys its own tools to maintain access and monitor systems, including:
- SilverScreen, which captures screenshots of active user sessions
- SSHcmd, which allows operators to run commands remotely and move files between systems
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, said the campaign highlights a growing trend in cyber espionage.
“Silver Dragon utilizes different initial access vectors, hiding inside trusted Windows services and widely used platforms like Google Drive,” he said.
“This research shows that security can no longer treat cloud traffic and core operating system components as inherently safe,” he added.