Key Takeaways
A sophisticated Chinese cyberespionage operation, attributed to the threat actor group known as Ink Dragon, has broadened its scope to compromise dozens of government and telecommunications organizations across Europe, focusing on weaknesses such as misconfigured Microsoft IIS and SharePoint servers.
According to recent threat intelligence from Check Point Research (CPR), this tactic enables the group to infiltrate networks without triggering the alarms associated with high-profile zero-day exploits. This low-and-slow approach is a hallmark of advanced persistent threats (APTs) focused on long-term intelligence gathering.
The Ink Dragon cyber campaign is characterized by its use of stealth and mimicry of legitimate network activity. After gaining initial access, the actors utilize reused credentials to move laterally within the victim's environment.
Notably, Ink Dragon, which overlaps with threat clusters publicly reported as Earth Alux, Jewelbug, REF7707 and CL-STA-0049, among others, has updated its FinalDraft modular RAT to hide command-and-control (C2) traffic within mailbox drafts, further blending in with normal Microsoft cloud activity.
Once an account with domain-level privileges is compromised, the group establishes long-term persistence by deploying backdoors and implants, and it leverages these components:
FinalDraft RAT (Long-term espionage & cloud C2) – Modular RAT using Microsoft Graph API; supports exfiltration, RDP history harvesting, tunneling, scheduling, and mailbox-based command exchange.
A key component of Ink Dragon's strategy involves co-opting victim infrastructure to create a network of relay nodes. By deploying custom IIS-based modules on compromised public-facing servers, the actors build a communication mesh that forwards commands and exfiltrates data between different victims.
This technique effectively obfuscates the true origin of the attack traffic, complicating attribution and incident response efforts.
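A defender-side check for the planted IIS modules described above, added here as an example and not taken from CPR's report: it parses an exported applicationHost.config and flags native modules loaded from outside IIS's own inetsrv directory, as well as managed modules whose type falls outside the Microsoft namespaces. The sample configuration, module names and paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# IIS's own native modules live here; a module loaded from elsewhere is not
# proof of compromise, but it is where a planted relay module would sit.
INETSRV = "c:\\windows\\system32\\inetsrv\\"
# Namespaces of the managed modules that ship with ASP.NET / IIS.
TRUSTED_MANAGED = ("System.Web.", "Microsoft.Web.", "Microsoft.AspNet.")

def _normalize(image):
    """Lower-case a module path and expand the variables applicationHost.config uses."""
    for var in ("%windir%", "%SystemRoot%"):
        image = image.replace(var, "C:\\Windows")
    return image.replace("/", "\\").lower()

def suspicious_iis_modules(config_xml):
    """Return (module name, reason) pairs that an administrator should review."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules: <system.webServer><globalModules><add name=... image=.../>
    for add in root.iterfind("./system.webServer/globalModules/add"):
        name, image = add.get("name", ""), add.get("image", "")
        if not _normalize(image).startswith(INETSRV):
            findings.append((name, "native module loaded from outside inetsrv: " + image))
    # Managed modules: <modules><add name=... type=.../>. Entries without a
    # type attribute only enable a native module by name, so they are skipped.
    for add in root.iterfind(".//system.webServer/modules/add"):
        name, mtype = add.get("name", ""), add.get("type")
        if mtype and not mtype.startswith(TRUSTED_MANAGED):
            findings.append((name, "managed module with non-Microsoft type: " + mtype))
    return findings

# Constructed sample: a trimmed applicationHost.config with two legitimate
# entries and two planted ones. Names and paths are invented for illustration.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="RelayModule" image="%SystemDrive%\\inetpub\\temp\\relay.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpLoggingModule" lockItem="true" />
        <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
        <add name="ProxyHandler" type="Relay.Forwarder, relaylib" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, reason in suspicious_iis_modules(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config taken from each public-facing server; a known-good baseline from a clean build keeps legitimate third-party modules from being re-reviewed every time.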
The campaign highlights the escalating threat of government network breaches, as state-sponsored actors refine their TTPs for long-term, clandestine operations.
An unrelated threat actor exploited the same exposed server vulnerability and operated in the same environments simultaneously. “Alongside Ink Dragon, a second threat actor known as RudePanda had quietly entered several of the same government networks,” added CPR.
Recently, the French government announced a data breach, which BreachForums claimed impacted over 16 million individuals.
Earlier this month, WARP PANDA targeted the U.S. and Asia Pacific using BRICKSTORM, vCenter, ESXi, and stolen 365 tokens to reach virtual machines, and the Tomiris APT targeted diplomatic entities in a new November campaign using reverse shells and the open-source Havoc and AdaptixC2 frameworks.