EXECUTIVE SUMMARY
Researchers reported a cyber campaign linked to a group called Silver Dragon that is targeting organizations in Southeast Asia and parts of Europe. The activity shows links to other operations connected to a broader ecosystem of groups that carry out long-term cyber espionage. The campaign mainly focuses on government-related organizations and uses a mix of phishing emails and exploitation of exposed internet servers to gain initial access. In several cases, the attackers targeted public-facing systems and used them as entry points into internal networks. Phishing emails were also used to deliver malicious attachments designed to run harmful commands when opened by victims. After gaining access, the attackers quickly deploy tools that allow them to control the compromised system remotely and move deeper into the network. One of the common tools observed in the campaign is Cobalt Strike, which allows attackers to run commands, collect data, and communicate with their command infrastructure. The attackers also rely on hidden communication methods such as DNS tunneling to send and receive commands without raising suspicion.
The attackers use several methods to run malware and keep control of compromised systems.

One method involves a technique known as AppDomain hijacking, in which malicious configuration files are placed next to trusted Windows files. When the trusted file runs, it loads the attacker's malicious code instead of its normal components. In this chain, a loader decrypts hidden code and runs it directly in memory, which then launches a Cobalt Strike beacon. The beacon allows the attackers to send commands, download files, and move inside the network.

Another method used in the campaign involves creating a malicious Windows service. The attackers register a malicious DLL as a service so that it runs automatically on the system. This loader decrypts shellcode with RC4 and then injects the payload into newly created processes, allowing the malware to run without being easily detected.

Researchers also observed phishing attacks that deliver malicious shortcut files. These files contain hidden commands that run PowerShell scripts when opened. The script extracts several files to a temporary folder and executes them on the system.

During the analysis, multiple custom tools were discovered. These include a tool that captures screenshots of the user's screen, a command tool that allows remote execution and file transfer over SSH, and a backdoor that uses Google Drive to send commands and transfer data between infected systems and the attackers.
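The AppDomain hijacking chain above relies on a .NET application configuration file sitting next to a trusted executable. The following hunting script is an added example written for this advisory, not code from the original report or the researchers it cites: it walks a directory tree, flags every `*.exe.config` whose `<runtime>` section sets `appDomainManagerAssembly` / `appDomainManagerType`, and records whether the named assembly's DLL is present beside the executable. The directory names, file contents and the `Loader` assembly name are constructed for the demonstration.

```python
"""Hunt for AppDomainManager hijack configurations (T1574.014).

Added example written for this advisory; it is not code from the original
report or from the researchers it cites. Paths and file contents are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: an ordinary config and a hijack-style config.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""

HIJACK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Manager" />
  </runtime>
</configuration>
"""


def appdomain_manager_settings(config_path):
    """Return (assembly, type) from <runtime>, or None if the config sets neither."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # unparsable XML cannot be an active AppDomainManager config
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value") if asm is not None else None,
            typ.get("value") if typ is not None else None)


def scan_tree(root_dir):
    """Walk root_dir; return one finding per *.exe.config that names an AppDomainManager."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, name)
            settings = appdomain_manager_settings(path)
            if settings is None:
                continue
            # The simple assembly name is the first comma-separated part of the
            # display name; the runtime probes <name>.dll in the application folder.
            simple_name = (settings[0] or "").split(",")[0].strip()
            dll_path = os.path.join(dirpath, simple_name + ".dll") if simple_name else ""
            findings.append({
                "config": path,
                "exe": path[: -len(".config")],
                "assembly": settings[0],
                "type": settings[1],
                "dll_present": bool(dll_path) and os.path.isfile(dll_path),
            })
    return findings


def build_sample_tree():
    """Create a temporary tree with a benign app and a hijack-style app (constructed data)."""
    base = tempfile.mkdtemp(prefix="appdomain_hunt_")
    good = os.path.join(base, "GoodApp")
    staged = os.path.join(base, "Staged")
    os.makedirs(good)
    os.makedirs(staged)
    with open(os.path.join(good, "GoodApp.exe.config"), "w", encoding="utf-8") as f:
        f.write(BENIGN_CONFIG)
    with open(os.path.join(staged, "trusted.exe.config"), "w", encoding="utf-8") as f:
        f.write(HIJACK_CONFIG)
    with open(os.path.join(staged, "Loader.dll"), "wb") as f:
        f.write(b"placeholder bytes, not a real assembly")
    return base


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

A finding with `dll_present` set is the strong signal: a trusted signed executable, a config naming an AppDomainManager, and the named DLL staged in the same folder. Run the scanner over user-writable locations and temporary folders rather than the whole disk, and treat any hit outside a known application install as worth a manual look.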
The Silver Dragon campaign shows a coordinated effort that uses different techniques to gain access, run malware, and keep long-term control of infected systems. The attackers combine server exploitation, phishing emails, and custom malware tools to enter targeted environments and collect information. By using techniques such as AppDomain hijacking, service-based loaders, and hidden PowerShell commands, the attackers can run malicious code while avoiding easy detection. The use of tools like Cobalt Strike also helps them manage compromised machines and move across networks. In addition to standard post-exploitation tools, the campaign includes custom implants designed to monitor user activity and collect information from infected devices. The screenshot-capturing tool allows attackers to watch what users are doing on their systems, while other tools enable command execution and file transfer. Another notable feature of the campaign is the use of Google Drive as a communication channel, which helps the attackers hide their activity within normal cloud traffic. These techniques show that the attackers are focused on maintaining long-term access while quietly gathering data from targeted organizations. The combination of multiple infection methods, custom tools, and hidden communication channels makes the campaign effective for long-term surveillance and information collection in the targeted regions.
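The executive summary notes that the attackers use DNS tunneling as a hidden command channel. The triage script below is an added example written for this advisory, not code from the original report: it groups DNS queries by registered domain and scores each domain on the traits tunneled traffic tends to show (almost every query name is unique, the leftmost label is long and high-entropy, and data-carrying record types such as TXT dominate). The log format, hosts, domains and thresholds are constructed assumptions; a real deployment would tune them against its own baseline and use a public-suffix list instead of the two-label shortcut in `registered_domain`.

```python
"""Heuristic DNS-tunneling triage over query logs (T1071.004).

Added example written for this advisory; it is not code from the original
report. Log lines, domains and thresholds are constructed for the demonstration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<client> <query name> <qtype>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 www.example.com A
10.0.0.7 cdn.example.com A
10.0.0.8 www.example.com AAAA
10.0.0.8 mail.example.com MX
10.0.0.9 a1b2c3d4e5f6g7h8i9j0.updates.example-tunnel.test TXT
10.0.0.9 k1l2m3n4o5p6q7r8s9t0.updates.example-tunnel.test TXT
10.0.0.9 u1v2w3x4y5z6a7b8c9d0.updates.example-tunnel.test TXT
10.0.0.9 e1f2g3h4i5j6k7l8m9n0.updates.example-tunnel.test TXT
10.0.0.9 o1p2q3r4s5t6u7v8w9x0.updates.example-tunnel.test TXT
10.0.0.9 y1z2a3b4c5d6e7f8g9h0.updates.example-tunnel.test TXT
"""

# Record types commonly used to carry data in tunneled DNS.
DATA_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels of the name (assumption for this example; use a public-suffix list in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_log(text):
    """Parse the constructed log format into (client, qname, qtype) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        records.append((client, qname.lower().rstrip("."), qtype.upper()))
    return records


def score_domains(records, min_queries=5, min_unique_ratio=0.8,
                  min_entropy=3.5, min_label_len=16):
    """Return per-domain statistics plus a 'suspicious' verdict for domains with enough queries."""
    by_domain = defaultdict(list)
    for _client, qname, qtype in records:
        by_domain[registered_domain(qname)].append((qname, qtype))
    results = {}
    for domain, queries in by_domain.items():
        if len(queries) < min_queries:
            continue  # too little traffic to judge
        total = len(queries)
        names = [q for q, _ in queries]
        first_labels = [q.split(".")[0] for q in names]
        stats = {
            "queries": total,
            "unique_ratio": len(set(names)) / total,
            "avg_label_len": sum(len(lab) for lab in first_labels) / total,
            "avg_entropy": sum(shannon_entropy(lab) for lab in first_labels) / total,
            "data_qtype_ratio": sum(1 for _, t in queries if t in DATA_QTYPES) / total,
        }
        # All three structural traits must hold; qtype ratio is reported as supporting context.
        stats["suspicious"] = (
            stats["unique_ratio"] >= min_unique_ratio
            and stats["avg_entropy"] >= min_entropy
            and stats["avg_label_len"] >= min_label_len
        )
        results[domain] = stats
    return results


if __name__ == "__main__":
    for domain, stats in score_domains(parse_log(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if stats["suspicious"] else "ok"
        print(f"{domain:24} {flag:10} unique={stats['unique_ratio']:.2f} "
              f"len={stats['avg_label_len']:.1f} H={stats['avg_entropy']:.2f} "
              f"data_qtypes={stats['data_qtype_ratio']:.2f}")
```

The verdict requires all three structural traits at once because each one alone is common in legitimate traffic (CDN hostnames are long, anti-spam lookups are high-entropy, monitoring agents generate many unique names). Domains that score as suspicious are candidates for a closer look at query volume per client and at the responses, not automatic blocks.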
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Persistence | T1574.014 | Hijack Execution Flow | AppDomain Manager |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Collection | T1113 | Screen Capture | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1071.004 | Application Layer Protocol | DNS |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |
REFERENCES:
The following reports contain further technical details: