analyst@nohacky:~/threat-actors/apt41-silver-dragon.html
active threat profile
type: APT / Nation-State
threat_level: Critical
status: Active
origin: China
last_updated: 2026-03-13

APT41 / Silver Dragon

also known as: Winnti, Barium, Double Dragon, Wicked Panda, Wicked Spider, Bronze Atlas, Blackfly
A prolific Chinese state-linked threat group that has operated since at least 2012, notable for conducting both state-sponsored espionage and financially motivated cybercrime simultaneously. APT41 has compromised over 100 organizations across more than a dozen countries, targeting everything from telecom providers and healthcare systems to video game companies. In 2020, the U.S. Department of Justice indicted five of its members — none of whom have been apprehended. The group's Silver Dragon sub-cluster, identified by Check Point in March 2026, uses Google Drive as covert C2 infrastructure against government targets across Southeast Asia and Europe.
attributed origin: China
suspected sponsor: MSS / Chengdu 404
first observed: ~2012
primary motivation: Espionage + Financial (dual-track)
primary targets: Government, Healthcare, Telecoms, Gaming, Tech
DOJ indictments: 5 Chinese nationals + 2 Malaysians
mitre att&ck group: G0096
target regions: Global — USA, Europe, SE Asia, East Asia
threat level: CRITICAL

Overview

APT41 is one of the most versatile and prolific Chinese threat groups ever tracked. What makes it unusual — and dangerous — is its dual mandate: the group conducts both state-directed espionage on behalf of Chinese intelligence and financially motivated cybercrime that appears to operate outside of direct government control. Researchers have described a tacit arrangement in which the Chinese government tolerates APT41's criminal operations in exchange for the group carrying out espionage campaigns that serve national intelligence priorities.

The group is linked to a company called Chengdu 404 Network Technology, which investigators identified as the legal front for the group's operations. Chengdu 404 built a data analytics tool called "SonarX" that functioned as a searchable repository of social media information harvested from compromised networks. Investigators confirmed that SonarX was used to search for individuals connected to Hong Kong's pro-democracy movement and to monitor media outlets covering China's treatment of Uyghurs in Xinjiang.

In September 2020, the U.S. Department of Justice unsealed indictments against five Chinese nationals and two Malaysian associates, charging them with computer intrusions affecting more than 100 victim organizations worldwide. The indictments had no visible impact on the group's operations — researchers at multiple firms confirmed APT41 continued operating without interruption, and that the group was aware of public reporting about its activities.

The Silver Dragon sub-cluster, tracked since mid-2024, represents the latest evolution of APT41's operational model. Identified by Check Point Research in March 2026, Silver Dragon targets government ministries across Southeast Asia and Europe using Cobalt Strike for persistence and Google Drive as a covert command-and-control channel. The sub-cluster demonstrates that APT41's tradecraft continues to evolve even under sustained public scrutiny.

critical

APT41 is one of a small number of threat groups known to conduct supply chain attacks at scale, poisoning legitimate software updates to distribute malware to thousands of downstream victims. Organizations relying on third-party software should treat APT41's supply chain capabilities as a tier-one risk.

Target Profile

APT41's targeting is unusually broad compared to other state-sponsored groups, reflecting its dual espionage and financial motivations.

  • Government entities: Ministries, diplomatic missions, and public sector organizations across Southeast Asia and Europe. The Silver Dragon sub-cluster focuses almost exclusively on this sector.
  • Healthcare and pharmaceuticals: Targeted aggressively during the COVID-19 pandemic for medical research intelligence and intellectual property.
  • Telecommunications: Persistent targeting of telecom providers for call data records, subscriber information, and communications surveillance capability.
  • Technology and software companies: Targeted for source code, code signing certificates, and supply chain access to downstream customers.
  • Video game industry: Financially motivated attacks to generate in-game currency and digital items for resale. The group has been known to eliminate competing criminal groups operating within the same compromised game networks.
  • Higher education and think tanks: Targeted for research intelligence and as staging points into government networks.
  • Pro-democracy movements: The group specifically targeted Hong Kong pro-democracy activists and politicians, and monitored media covering Uyghur issues in Xinjiang.

Tactics, Techniques & Procedures

MITRE ATT&CK mapping (technique ID, technique, description):

  • T1195.002 Supply Chain Compromise: Signature capability. APT41 has poisoned legitimate software updates to distribute malware to downstream victims at scale, including modifying source code within compromised development environments.
  • T1190 Exploit Public-Facing Application: Rapidly exploits newly disclosed vulnerabilities in Cisco, Citrix, Zoho, and other perimeter devices, often within hours of public disclosure.
  • T1574.014 AppDomainManager Injection: Silver Dragon sub-cluster deploys MonikerLoader via .NET AppDomain hijacking to decrypt and execute Cobalt Strike payloads in memory, minimizing disk artifacts.
  • T1574.002 DLL Side-Loading: Uses legitimate signed binaries to sideload malicious DLLs, including BamboLoader variants that use RC4 decryption followed by LZNT1 decompression.
  • T1102 Web Service (Cloud C2): Silver Dragon's GearDoor backdoor uses Google Drive as its C2 channel, authenticating via service accounts and using file extensions (.png, .pdf, .cab) to indicate task types.
  • T1071.004 DNS Tunneling: Uses DNS-based C2 communication with Cobalt Strike beacons to bypass network-level detection mechanisms at the perimeter.
  • T1543.003 Windows Service Persistence: Hijacks legitimate Windows services by stopping, deleting, and recreating them with malicious DLL loaders registered under names impersonating real Windows components.
  • T1059.001 PowerShell: Phishing chain uses oversized LNK attachments embedding PowerShell that extracts payloads, drops decoy PDFs, and sideloads BamboLoader via legitimate GameHook.exe.
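The T1102 entry above describes a C2 channel that hides inside a trusted cloud service: a service account talking to Google Drive, with the file extension of each object signalling the task type. The following is an added hunting example, not code from the profile or from Check Point, that scores Drive audit activity per actor on the signals the profile gives (unrecognised service account, non-corporate source IP, the .png/.pdf/.cab extension set, and a regular heartbeat cadence). The event shape is a simplified stand-in for a Workspace Drive audit record, the field names, corporate IP range and known-good account are assumptions, and every event is constructed here.

```python
"""Score Google Drive audit events for GearDoor-style cloud C2 (added example)."""
import ipaddress
import os.path
import statistics
from collections import defaultdict
from datetime import datetime

# Extensions the profile reports GearDoor uses to mark task types.
TASK_EXTENSIONS = {".png", ".pdf", ".cab"}
# Hypothetical corporate egress range and a known-good automation account.
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_SERVICE_ACCOUNTS = {"backup-bot@corp-prod.iam.gserviceaccount.com"}


def is_service_account(email: str) -> bool:
    return email.endswith(".iam.gserviceaccount.com")


def from_corp_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def cadence_cv(timestamps):
    """Coefficient of variation of inter-event gaps; near 0 means a fixed-interval heartbeat."""
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def analyse(events, min_signals=2):
    """Return {actor: [signals]} for actors that trip at least min_signals rules."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append(ev)

    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        signals = []
        if is_service_account(actor) and actor not in KNOWN_SERVICE_ACCOUNTS:
            signals.append("unrecognised service account")
        outside = sorted({e["ip"] for e in evs if not from_corp_network(e["ip"])})
        if outside:
            signals.append("activity from non-corporate IP " + ", ".join(outside))
        exts = {os.path.splitext(e["title"])[1].lower() for e in evs} & TASK_EXTENSIONS
        if len(exts) >= 2:
            signals.append("GearDoor task-type extensions " + ", ".join(sorted(exts)))
        cv = cadence_cv([e["ts"] for e in evs])
        if cv is not None and cv < 0.2:
            signals.append(f"beacon-like cadence (cv={cv:.2f})")
        if len(signals) >= min_signals:
            findings[actor] = signals
    return findings


def _ev(minute, actor, event, title, ip):
    # Constructed audit record; all events fall within one hour on 2026-03-13.
    return {"ts": datetime(2026, 3, 13, 9, minute), "actor": actor,
            "event": event, "title": title, "ip": ip}


SUSPECT = "sync-svc@proj-4471.iam.gserviceaccount.com"  # constructed, hypothetical
SAMPLE_EVENTS = [
    # Suspect: unknown service account, foreign IP, task extensions, 5-minute heartbeat.
    _ev(0, SUSPECT, "create", "beat.png", "198.51.100.7"),
    _ev(5, SUSPECT, "download", "task.pdf", "198.51.100.7"),
    _ev(10, SUSPECT, "create", "beat.png", "198.51.100.7"),
    _ev(15, SUSPECT, "upload", "host.cab", "198.51.100.7"),
    _ev(20, SUSPECT, "create", "beat.png", "198.51.100.7"),
    # Known backup automation from the corporate range: no signals.
    _ev(1, "backup-bot@corp-prod.iam.gserviceaccount.com", "upload", "db-2026-03-13.tar.gz", "203.0.113.10"),
    _ev(33, "backup-bot@corp-prod.iam.gserviceaccount.com", "upload", "logs-2026-03-13.tar.gz", "203.0.113.10"),
    # Human user uploading a PDF and a PNG: one signal only, below the threshold.
    _ev(8, "alice@corp.example", "upload", "q1-report.pdf", "203.0.113.25"),
    _ev(41, "alice@corp.example", "upload", "team-photo.png", "203.0.113.25"),
]

if __name__ == "__main__":
    for actor, signals in analyse(SAMPLE_EVENTS).items():
        print(actor, "->", "; ".join(signals))
```

Requiring two independent signals keeps a single human user who happens to upload a .pdf and a .png out of the alert queue, while a service account that beats on a fixed interval from an address outside the corporate range scores on every rule at once.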

Known Campaigns

Silver Dragon Government Espionage Campaign 2024–2026

Sub-cluster targeting government ministries in Southeast Asia and Europe via Cobalt Strike beacons with Google Drive-based C2. Uses AppDomain hijacking, malicious service DLLs, and phishing with weaponized LNK files. GearDoor backdoor enables covert tasking through trusted cloud infrastructure.

Operation CuckooBees 2019–2021

Years-long intellectual property theft operation targeting technology and manufacturing companies across North America, Europe, and East Asia. Used previously undocumented malware including DEPLOYLOG and digitally signed kernel-level rootkits. Abused the Windows Common Log File System (CLFS) to conceal payloads from security products.

Global Intrusion Campaign (DOJ Indictment) 2012–2020

Multi-year campaign compromising over 100 organizations worldwide, including software companies, hardware manufacturers, telecoms, gaming companies, universities, and foreign governments. Led to 2020 DOJ indictments against five Chinese nationals and two Malaysian associates. Included supply chain attacks, ransomware deployment, and illicit cryptomining operations.

Video Game Industry Conspiracy 2014–2020

Financially motivated operation targeting video game companies in the U.S., France, Japan, Singapore, and South Korea. Generated and sold in-game currency and digital items. Used unauthorized access to actively sabotage competing criminal groups operating within the same compromised networks.

Tools & Malware

APT41 maintains an extensive arsenal spanning custom tooling, commodity frameworks, and supply chain-capable implants.

  • Cobalt Strike: Primary post-exploitation framework. Silver Dragon uses cracked-watermark beacons with hybrid HTTP/DNS profiles and SMB-based lateral C2 inside victim networks.
  • GearDoor: .NET backdoor communicating via Google Drive. Authenticates with attacker-controlled service accounts, uses file extensions to indicate task types (.png for heartbeat, .pdf for commands, .cab for host recon).
  • MonikerLoader / BamboLoader: Custom .NET loaders that decrypt second-stage payloads in memory using RC4 decryption followed by LZNT1 decompression. AppDomain hijacking variant avoids writing artifacts to disk.
  • SilverScreen: .NET screen-monitoring tool capturing periodic screenshots with precise cursor positioning for real-time surveillance of user activity.
  • SSHcmd: .NET command-line SSH utility for remote command execution and file transfer across compromised hosts.
  • DEPLOYLOG: Custom malware used in Operation CuckooBees alongside PRIVATELOG and WINNKIT kernel-level rootkit.
  • SonarX: Chengdu 404's proprietary data analytics platform used to search social media data harvested from compromised networks for intelligence on persons of interest.
  • KEYPLUG / DUSTPAN: Custom backdoors used in earlier campaigns for persistent access to telecom and technology targets.
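The MonikerLoader / BamboLoader entry above describes a two-step unpacking chain, RC4 decryption followed by LZNT1 decompression, applied to an encrypted second stage before it is executed in memory. An analyst who has carved such a blob and recovered the key from the loader needs to replay exactly that chain to get a scannable payload. The following is an added example of that decoder, not code from the profile, from Check Point, or from the loaders themselves: plain RC4 plus an LZNT1 decompressor written from the MS-XCA description of the format. The key and the sample blob are constructed here (the LZNT1 stream is hand-assembled for a known plaintext and then RC4-encrypted), so the chain is exercised end to end offline.

```python
"""Replay an RC4-then-LZNT1 loader unpacking chain (added example)."""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes) -> bytearray:
    """Decompress one compressed LZNT1 chunk: flag byte, then 8 literal/back-reference tokens."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:          # clear bit: one literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The offset/length bit split widens as more of the chunk is decoded.
            written = len(out) - 1
            len_mask, off_shift = 0xFFF, 12
            while written >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                written >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            if offset > len(out):
                raise ValueError("LZNT1 back-reference points before chunk start")
            start = len(out) - offset
            for k in range(length):             # byte-wise copy handles overlapping runs
                out.append(out[start + k])
    return out


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers: bit 15 = compressed, bits 0-11 = chunk size minus one."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:                         # zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def unpack_payload(key: bytes, blob: bytes) -> bytes:
    """The loader's chain as the profile describes it: RC4 first, then LZNT1."""
    return lznt1_decompress(rc4(key, blob))


# Constructed sample. The LZNT1 stream below was hand-assembled for the plaintext
# b"CobaltStrike " * 3: header 0xB010 (compressed, 17 bytes follow), 13 literals,
# then one back-reference token 0xC017 (offset 13, length 26). The key is made up.
SAMPLE_KEY = b"constructed-key"
_LZNT1_STREAM = bytes.fromhex("10b000436f62616c7453742072696b652017c0")
SAMPLE_BLOB = rc4(SAMPLE_KEY, _LZNT1_STREAM)

if __name__ == "__main__":
    print(unpack_payload(SAMPLE_KEY, SAMPLE_BLOB))
```

The decompressor does not rely on Windows (RtlDecompressBuffer is the native equivalent), so it can run on a Linux analysis box; a real second stage recovered this way will typically start with a PE header or a reflective-loader stub that can then be scanned or fed to a sandbox.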

Mitigation & Defense

Defending against APT41 requires addressing both its supply chain capabilities and its abuse of legitimate cloud services.

  • Supply chain integrity: Verify code signing certificates and validate software updates through independent hash verification. Monitor for unexpected changes to deployed software packages, particularly from vendors in APT41's historical target list.
  • Cloud service monitoring: Implement detection for anomalous Google Drive API usage, particularly automated file operations from server processes. Block or alert on Google Service Account authentication from unexpected endpoints.
  • DLL sideloading defense: Enforce strict application allowlisting and monitor for legitimate executables loading unsigned or unexpected DLLs. Watch for service creation or modification that replaces legitimate DLL paths.
  • Network segmentation: Isolate development and build environments from production infrastructure. APT41 specifically targets software build pipelines for supply chain access.
  • Patch perimeter devices rapidly: APT41 consistently exploits newly disclosed vulnerabilities in Cisco, Citrix, and Zoho products within hours. Maintain a 24-48 hour patch window for internet-facing infrastructure.
  • DNS monitoring: Deploy detection for DNS tunneling patterns characteristic of Cobalt Strike beacons. Look for high-frequency, low-volume DNS queries to unusual domains.
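The DNS monitoring item above boils down to a handful of measurable properties: many queries in a short window, each one different, to a single registered domain, with long high-entropy labels carrying the data. The following is an added example, not code from the profile or from any vendor tool, that computes those properties per client and domain over resolver log lines and returns the groups that cross all thresholds. The log format (one query per line as epoch, client IP, query name, query type) and the thresholds are assumptions, and the sample log lines are constructed.

```python
"""Flag DNS-tunnelling patterns in resolver logs (added example)."""
import math
from collections import defaultdict


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; hex or base32 payload labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": float(ts), "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def find_tunnels(lines, min_queries=8, min_rate_per_min=4.0,
                 min_unique_ratio=0.8, min_label_len=12, min_entropy=3.0):
    """Return {(client, domain): stats} for groups that look like tunnelled C2.

    Thresholds are starting points to tune per environment, not vendor defaults.
    """
    groups = defaultdict(list)
    for rec in map(parse_line, lines):
        groups[(rec["client"], registered_domain(rec["qname"]))].append(rec)

    hits = {}
    for (client, domain), recs in groups.items():
        if len(recs) < min_queries:
            continue
        recs.sort(key=lambda r: r["ts"])
        span = max(recs[-1]["ts"] - recs[0]["ts"], 1.0)
        rate = len(recs) / span * 60.0
        # Tunnelled data rides in the subdomain part; examine the longest label of each query.
        subs = [r["qname"][: -len(domain) - 1] for r in recs if r["qname"] != domain]
        if not subs:
            continue
        labels = [max(s.split("."), key=len) for s in subs]
        stats = {
            "queries": len(recs),
            "rate_per_min": round(rate, 1),
            "unique_ratio": round(len(set(subs)) / len(subs), 2),
            "mean_label_len": round(sum(map(len, labels)) / len(labels), 1),
            "mean_entropy": round(sum(map(shannon_entropy, labels)) / len(labels), 2),
        }
        if (rate >= min_rate_per_min
                and stats["unique_ratio"] >= min_unique_ratio
                and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy):
            hits[(client, domain)] = stats
    return hits


# Constructed sample log. Beacon labels are rotations of the hex alphabet so each
# has 16 distinct characters (entropy 4.0); the domain is a made-up placeholder.
_HEX = "0123456789abcdef"
_BEACON_LABELS = [_HEX[i:] + _HEX[:i] for i in range(10)]
SAMPLE_LOG = (
    [f"{1000 + 5 * i} 10.20.30.40 {lbl}.cdn-updates.example A"
     for i, lbl in enumerate(_BEACON_LABELS)]                       # 10 queries in 45 s
    + [f"{1000 + 7 * i} 10.20.30.40 www.corp.example A" for i in range(10)]   # same name repeated
    + [f"{1000 + 9 * i} 10.20.30.40 mail.corp.example MX" for i in range(3)]
    + [f"{1000 + 11 * i} 10.20.30.41 {lbl}.cdn-updates.example A"
       for i, lbl in enumerate(_BEACON_LABELS[:3])]                 # too few queries to score
)

if __name__ == "__main__":
    for key, stats in find_tunnels(SAMPLE_LOG).items():
        print(key, stats)
```

The unique-ratio test is what separates a beacon from a busy but legitimate domain: a client resolving www.corp.example a hundred times produces one distinct name, whereas an encoded C2 channel produces a new name on almost every query. Cobalt Strike DNS profiles can also use TXT or AAAA modes, so the query type is kept in each record for a second-pass rule.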

analyst note

APT41's dual-track model — state espionage combined with personal financial gain — is believed to be a deliberate arrangement with Chinese intelligence services. The group's willingness to deploy ransomware and conduct cryptojacking alongside espionage operations makes it harder to attribute individual incidents and complicates threat intelligence analysis. Defenders should not assume that a financially motivated intrusion by Winnti-linked tooling is "just" cybercrime — it may be accompanied by quiet espionage collection on the same network.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile