1. Forum
  2. Fidonet
  3. CONSPRCY

  • Chinese hackers hide malw

    From Mike Powell@1:2320/105 to All on Fri Mar 6 11:47:53 2026
    Chinese hackers hide malware within Windows and Google Drive to hit
    government targets

    Date:
    Thu, 05 Mar 2026 16:35:00 +0000

    Description:
    An APT41 spinoff is spying on targets across Europe and Asia using a blend of custom and legitimate tools.

    FULL STORY

    Chinese state-backed group Silver Dragon targets governments
    Attackers abuse Google Cloud and Windows services for stealth
    Custom backdoor GearDoor enables covert data exfiltration

    Chinese state-sponsored threat actors have
    been seen abusing legitimate Windows and Google Cloud services to hide their tracks as they spy on their targets across Southeast Asia and Europe.

    A new report by Check Point Research (CPR) reveals how a group dubbed Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary, and Italy - but also Japan, Myanmar, and Malaysia. Silver Dragon appears to be part of APT41, an infamous state-sponsored actor that engages mostly in cyber-espionage.

    Leveraging regular "noise" - The attacks usually start with a phishing email, impersonating official communications and sharing weaponized documents and links. Alternatively, the group would go for internet-exposed systems, compromising servers and pivoting deeper into internal networks to deploy additional tools.

    At the heart of the campaign is a custom backdoor called GearDoor which, instead of the usual shady server, uses Google Drive as its
    command-and-control (C2) infrastructure. Every infected machine creates a Google Cloud folder in a dedicated account, uploads periodic heartbeat data
    and retrieves operator commands disguised as regular files.

    All stolen intelligence is exfiltrated into that same location.

    Silver Dragon was also seen hijacking legitimate Windows services, stopping
    and recreating them to load malicious codes with trusted names. These include Windows Update, Bluetooth, and .NET Framework utilities.

    By blending into normal system activity, the attackers are able to persist
    for longer on a system, without being spotted by defenders. CPR says the
    tactic works extremely well in large environments where system services generate routine noise.

    The hackers also deploy a wide range of post-exploitation tools, such as SSHcmd, or Cobalt Strike. The former is a lightweight SSH utility that
    enables remote command execution and file transfer, while Cobalt Strike is a pentesting tool commonly abused by threat actors.

    Rather than relying solely on bespoke infrastructure, state-aligned actors increasingly embed themselves within legitimate enterprise systems and
    trusted cloud services . This reduces visibility for traditional perimeter defenses and extends dwell time inside targeted networks, CPR concluded.

    For executive leadership, the implication is clear: exposure is no longer limited to obvious malware or suspicious external connections. Risk now includes subtle abuse of legitimate services, cloud platforms, and core operating system components.

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/chinese-hackers-hide-malware-within-win dows-and-google-drive-to-hit-government-targets

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)