TechRadar
Sead Fadilpašić

Chinese hackers hide malware within Windows and Google Drive to hit government targets

  • Chinese state-backed group Silver Dragon targets governments
  • Attackers abuse Google Cloud and Windows services for stealth
  • Custom backdoor GearDoor enables covert data exfiltration

Chinese state-sponsored threat actors have been seen abusing legitimate Windows and Google Cloud services to hide their tracks as they spy on their targets across Southeast Asia and Europe.

A new report by Check Point Research (CPR) reveals how a group dubbed Silver Dragon has been active since at least mid-2024, targeting government entities in European countries such as Russia, Poland, Hungary, and Italy - but also Japan, Myanmar, and Malaysia.

Silver Dragon appears to be part of APT41, an infamous state-sponsored actor that engages mostly in cyber-espionage.

Leveraging regular "noise"

The attacks usually start with a phishing email that impersonates official communications and carries weaponized documents or links. Alternatively, the group targets internet-exposed systems, compromising servers and pivoting deeper into internal networks to deploy additional tools.

At the heart of the campaign is a custom backdoor called GearDoor which, instead of the usual shady server, uses Google Drive as its command-and-control (C2) infrastructure. Every infected machine creates a Google Cloud folder in a dedicated account, uploads periodic heartbeat data and retrieves operator commands disguised as regular files.

All stolen intelligence is exfiltrated into that same location.

Silver Dragon was also seen hijacking legitimate Windows services, stopping and recreating them so that malicious code is loaded under trusted service names. These include Windows Update, Bluetooth, and .NET Framework utilities.

By blending into normal system activity, the attackers are able to persist for longer on a system, without being spotted by defenders. CPR says the tactic works extremely well in large environments “where system services generate routine noise.”
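The service-hijacking tactic described above leaves a footprint defenders can query: a service with a core-Windows display name whose binary lives outside the Windows directories. The following detection logic is an added example, not code from Check Point's report; it parses constructed, flattened Event ID 7045 ("a service was installed") lines, and the trusted-directory list and field names are assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Display names the article says Silver Dragon imitated, plus the directories a
# genuine build of those services should load from (assumed for this example).
TRUSTED_NAMES = ("windows update", "bluetooth", ".net framework")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\microsoft.net\\")

# Constructed sample lines modelled on Windows System log Event IDs 7045/7036.
SAMPLE_EVENTS = [
    r'EventID="7036" Message="The Windows Update service entered the stopped state."',
    r'EventID="7045" ServiceName="Windows Update" ImagePath="C:\Windows\System32\svchost.exe -k netsvcs" Account="LocalSystem"',
    r'EventID="7045" ServiceName="Windows Update" ImagePath="C:\ProgramData\wuauserv\wuaueng.exe" Account="LocalSystem"',
    r'EventID="7045" ServiceName="Bluetooth Support Service" ImagePath="C:\Users\Public\btsvc.exe" Account="LocalSystem"',
    r'EventID="7045" ServiceName="Backup Agent" ImagePath="C:\Program Files\Vendor\agent.exe" Account="LocalSystem"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Turn one flattened key="value" event line into a dict; None if unparsable."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "EventID" in fields else None

def image_dir(image_path: str) -> str:
    """Lowercase directory of the service executable, ignoring quotes and arguments."""
    low = image_path.strip().strip('"').lower()
    idx = low.find(".exe")
    exe = low[: idx + 4] if idx >= 0 else low      # drop "-k netsvcs"-style args
    return exe.rsplit("\\", 1)[0] + "\\"

def is_trusted_name(name: str) -> bool:
    """True if the service name imitates one of the core services listed above."""
    return any(t in name.lower() for t in TRUSTED_NAMES)

def suspicious_service_installs(lines: List[str]) -> List[Dict[str, str]]:
    """Flag 7045 installs with a core-service name but a binary outside Windows dirs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["EventID"] != "7045":
            continue
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if is_trusted_name(name) and not image_dir(path).startswith(TRUSTED_DIRS):
            hits.append({"service": name, "image": path, "account": ev.get("Account", "")})
    return hits

if __name__ == "__main__":
    for hit in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {hit['service']!r} -> {hit['image']}")
```

Pairing each hit with a preceding 7036 stop event for the same service name (the "stop and recreate" sequence the report describes) narrows the alert further.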

The hackers also deploy a wide range of post-exploitation tools, such as SSHcmd or Cobalt Strike. The former is a lightweight SSH utility that enables remote command execution and file transfer, while Cobalt Strike is a pentesting tool commonly abused by threat actors.

“Rather than relying solely on bespoke infrastructure, state-aligned actors increasingly embed themselves within legitimate enterprise systems and trusted cloud services. This reduces visibility for traditional perimeter defenses and extends dwell time inside targeted networks,” CPR concluded.

“For executive leadership, the implication is clear: exposure is no longer limited to obvious malware or suspicious external connections. Risk now includes subtle abuse of legitimate services, cloud platforms, and core operating system components.”
