
Silver Dragon Malware Targets Governments via Google Drive

Yahoo Finance

Chinese state-sponsored hackers have been using Google Drive and Windows services to hide malware in attacks on government entities across Europe and Asia. The group, known as Silver Dragon, has been active since mid-2024, targeting organizations in Russia, Poland, Hungary, Italy, Japan, Myanmar, and Malaysia.

According to Check Point Research, the attackers begin either with phishing emails impersonating official communications or by compromising internet-exposed systems to gain deeper network access. At the campaign's core is a custom backdoor called GearDoor, which uses Google Drive folders as command-and-control infrastructure rather than traditional attacker-run servers.

The hackers also hijack legitimate Windows services like Windows Update, Bluetooth, and .NET Framework utilities, stopping and recreating them to load malicious code with trusted names. This blending into normal system activity allows the attackers to persist undetected for longer periods, particularly in large environments where system services generate routine noise.
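A defender-side check for the service re-creation described above, as an added example that is not from Check Point Research or the original article: it scans service-install records (System event 7045, Security event 4697) for built-in service names that are being installed again. The record field names, the baseline and the sample events are assumptions constructed for illustration.

```python
import ntpath

SVCHOST = r"c:\windows\system32\svchost.exe"
# Assumed baseline for this example: built-in services (key name and display
# name) and the binary expected to host them on a default install.
BASELINE = {
    "wuauserv": SVCHOST, "windows update": SVCHOST,
    "bthserv": SVCHOST, "bluetooth support service": SVCHOST,
}

def image_binary(image_path):
    """Extract and normalise the executable from a service ImagePath string."""
    p = image_path.strip()
    # Quoted paths end at the closing quote; unquoted ones at the first space.
    p = p[1:].split('"', 1)[0] if p.startswith('"') else p.split(" ", 1)[0]
    p = p.lower().replace("%systemroot%", r"c:\windows")
    return ntpath.normpath(p)

def find_recreated_services(events, baseline=BASELINE):
    """Flag service-install records that reuse a built-in service name."""
    findings = []
    for ev in events:
        if ev["event_id"] not in (7045, 4697):  # service-install events only
            continue
        name = ev["service"].strip().lower()
        if name not in baseline:
            continue
        binary = image_binary(ev["image_path"])
        # A built-in service should not be installed again in normal operation;
        # one pointing at a different binary is the stronger signal.
        severity = "review" if binary == baseline[name] else "high"
        findings.append((ev["host"], ev["service"], binary, severity))
    return findings

# Constructed sample records (normalised fields; hosts and paths are made up).
SAMPLE_EVENTS = [
    {"event_id": 7036, "host": "ws-01", "service": "Windows Update", "image_path": ""},
    {"event_id": 7045, "host": "ws-01", "service": "wuauserv",
     "image_path": r'"C:\ProgramData\example\updater.exe" -k netsvcs'},
    {"event_id": 7045, "host": "ws-02", "service": "ExampleAgent",
     "image_path": r"C:\Program Files\Example\agent.exe"},
    {"event_id": 4697, "host": "ws-03", "service": "bthserv",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k LocalService -p"},
]

if __name__ == "__main__":
    for finding in find_recreated_services(SAMPLE_EVENTS):
        print(finding)
```

Services hosted by svchost.exe load their code from a ServiceDll registry value that these events do not record, so a record with the expected binary is marked for review rather than cleared.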