China-linked hackers exploit servers to breach government networks

Researchers say the China-linked group is blending server exploits, phishing, and cloud services to maintain covert access to government networks.

What happened

Researchers identified a threat group known as Silver Dragon, linked to the China-aligned advanced persistent threat group APT41, conducting targeted intrusions against government entities in Southeast Asia and parts of Europe. According to Security Affairs, the campaign has been active since at least mid-2024 and begins with attackers exploiting vulnerable public-facing servers or sending phishing emails with malicious attachments. After gaining access, the attackers deploy heavily obfuscated loaders, such as MonikerLoader and BamboLoader, which are small programs that unpack and run hidden malware directly in system memory while blending into legitimate Windows processes. The intrusion chain eventually delivers Cobalt Strike beacons, a legitimate security testing tool that attackers frequently misuse to execute commands and maintain remote control inside compromised networks.

Going deeper

The Silver Dragon campaign uses multiple techniques to maintain access to compromised systems while avoiding detection. Researchers observed attackers hijacking legitimate Windows services by loading malicious dynamic link libraries (DLLs), which are shared program files used by Windows applications, and by using AppDomain hijacking, a technique that redirects an application’s normal code-loading process to run malicious code instead. The attackers distribute their malware via weaponized shortcut files (LNK attachments), which execute hidden scripts when opened. Once inside a system, the campaign deploys additional tools, including SilverScreen, which secretly captures screenshots for later data theft, SSHcmd, which enables remote command execution and file transfers, and GearDoor, a .NET-based backdoor that communicates with attackers through files stored on Google Drive, using the platform as a command and control channel while encrypting instructions and stolen data.

What was said

Check Point researchers noted in their technical report that the attack infrastructure appears to rely on automated tooling to generate customized payloads for each intrusion attempt. In the report cited by Security Affairs on March 4, 2026, the researchers wrote, “All files contained within the initial archive shared an identical creation timestamp, which strongly suggests the use of an automated payload generation framework.” The same analysis noted that investigators recovered log files documenting configuration parameters, including service names, encryption keys, and injected processes, indicating a structured framework for preparing tailored attack packages.

In the know

Google researchers have linked operational patterns, including modular malware loaders, the use of Cobalt Strike beacons, and attacks on internet-facing systems, to groups associated with the APT41 ecosystem. Analysts have previously described the group as carrying out both espionage and financially motivated attacks, often targeting government agencies, telecommunications providers, and technology companies across Asia and Europe. The combination of phishing emails, software vulnerabilities, and cloud-hosted command infrastructure observed in the Silver Dragon campaign mirrors tactics commonly used in long-running state-aligned cyber operations.

The big picture

An advisory from the U.S. Department of Health and Human Services warns that Russian state-sponsored threat actors have been targeting the Healthcare and Public Health (HPH) sector. The alert states that attackers have used tactics such as credential harvesting (theft of login credentials), spearphishing emails targeting specific staff members, and exploiting vulnerable, internet-facing systems to gain access to healthcare networks. Federal officials say these activities form part of broader intelligence gathering and disruptive cyber operations, and they urge healthcare organizations to strengthen phishing protections, patch exposed systems, and closely monitor login and authentication activity.

FAQs

What is an advanced persistent threat group?

An advanced persistent threat group is a well-resourced cyber intrusion team that conducts long-term, targeted attacks, often linked to state interests or strategic intelligence collection.

What is Cobalt Strike, and why do attackers use it?

Cobalt Strike is a legitimate penetration-testing tool used to simulate cyberattacks. Threat actors often deploy cracked versions of the software to create remote access beacons inside compromised networks.

How does command and control through Google Drive work?

Attackers can store encrypted instructions or stolen data in files hosted on Google Drive and retrieve them remotely, allowing the cloud platform to function as a covert communication channel.

Why are government organizations frequent targets?

Government networks often contain diplomatic communications, policy documents, and strategic intelligence that can provide adversaries with geopolitical advantages.

What defensive measures help detect campaigns like this?

Organizations can monitor unusual service modifications, inspect suspicious shortcut files, detect abnormal use of administrative tools, and analyze outbound cloud traffic for encrypted or unusual command patterns.
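Two of the checks listed above, a service pointed at a DLL outside trusted system paths (the service-hijacking pattern) and Google Drive traffic coming from a process that is not a browser (the GearDoor-style cloud C2 pattern), applied to constructed sample telemetry. This is an added illustration, not code from the article or from the Check Point report; the event fields, host names and process names are assumptions for the example.

```python
"""Toy detection pass over constructed telemetry for two Silver Dragon
techniques: service hijacking via a DLL, and Google Drive used as C2.
Added example; not from the original article or the researchers' report."""

# Constructed sample service-install events (not real telemetry).
SERVICE_EVENTS = [
    {"service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"service": "WinUpdHelper", "image": r"C:\Users\Public\helper.dll"},  # hijack pattern
    {"service": "EventLog", "image": r"C:\Windows\System32\svchost.exe"},
]

# Constructed sample outbound-connection events (process -> destination host).
NET_EVENTS = [
    {"process": "chrome.exe", "dest": "www.googleapis.com", "port": 443},
    {"process": "svchost.exe", "dest": "www.googleapis.com", "port": 443},  # non-browser
    {"process": "outlook.exe", "dest": "outlook.office365.com", "port": 443},
]

# Assumed allow-lists; a real deployment would tune these per environment.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\program files")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}


def suspicious_services(events):
    """Return service names whose binary is a DLL or lives outside trusted
    roots. A newly registered service whose image is an attacker-supplied DLL
    in a user-writable directory is the service-hijack signal to review."""
    hits = []
    for ev in events:
        path = ev["image"].lower()
        if path.endswith(".dll") or not path.startswith(TRUSTED_ROOTS):
            hits.append(ev["service"])
    return hits


def drive_c2_candidates(events):
    """Return processes talking to Google Drive endpoints that are not
    browsers. Drive access from a system or service process is the cloud-C2
    signal worth correlating with the service findings above."""
    return [
        ev["process"]
        for ev in events
        if ev["dest"] in DRIVE_HOSTS and ev["process"].lower() not in BROWSERS
    ]


if __name__ == "__main__":
    print("suspicious services:", suspicious_services(SERVICE_EVENTS))
    print("possible Drive C2:", drive_c2_candidates(NET_EVENTS))
```

Either hit alone is noisy; the value comes from correlating a new service with an unusual image path against cloud traffic from the same host within a short window.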
