A China-aligned cyber-espionage group tracked as Ink Dragon has intensified its operations against government organizations, with a noticeable focus on European targets since July 2025. The campaign remains active and continues to impact entities across Southeast Asia and South America.
Security researchers at Check Point Research are monitoring the activity cluster, which is also known within the cybersecurity community as Jewelbug, CL-STA-0049, Earth Alux, and REF7707. Analysts assess the group to have been operational since at least March 2023 and capable of conducting long-term, stealthy intrusions.
According to a technical analysis released this week, the threat actor demonstrates a high level of operational discipline and software engineering expertise. By relying heavily on native system tools and trusted enterprise components, the attackers are able to blend malicious activity into normal network telemetry, making detection significantly more difficult.
Eli Smadja, group manager of Products R&D at Check Point Software, confirmed that the campaign is ongoing and has affected dozens of victims. Impacted organizations include government bodies and telecommunications providers across Europe, Asia, and Africa.
The group first gained wider attention in February 2025 following disclosures from Elastic Security Labs and Palo Alto Networks Unit 42, which documented the use of the FINALDRAFT backdoor, also known as Squidoor. This malware supports both Windows and Linux platforms and enables long-term remote access. More recently, Ink Dragon was linked to a prolonged intrusion targeting a Russian IT services company.
Attack chains typically begin with the exploitation of vulnerable, internet-exposed web applications. Once access is obtained, web shells are deployed and used to deliver additional payloads such as VARGEIT and Cobalt Strike beacons. These tools support command and control operations, internal discovery, lateral movement, evasion of defenses, and large-scale data exfiltration.
Another backdoor associated with the group is NANOREMOTE, which abuses the Google Drive API to move files between infected systems and command servers. While this malware was not directly observed in the latest investigations, researchers believe the actor selectively deploys tools based on the target environment and operational objectives.
A defining feature of the campaign is the abuse of misconfigured ASP.NET machine keys to conduct ViewState deserialization attacks against vulnerable IIS and SharePoint servers. Compromised systems are then equipped with a custom ShadowPad IIS Listener module, effectively transforming them into relay nodes within the attacker’s command and control infrastructure. This design allows compromised servers to proxy traffic and commands, improving resilience and stealth.
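As an added, defender-side example (not code from the Check Point report or from the actor's tooling), the following Python audit flags the web.config conditions the paragraph describes: a static machineKey, a key that matches a known disclosed value, a weak validation algorithm, and ViewState MAC checking disabled. The disclosed-key set and the web.config fragment are constructed placeholders; in practice the set would be built from Microsoft's published list of publicly disclosed machine keys.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder: SHA-256 digests of validationKey values treated as
# compromised. In practice this set is built from Microsoft's published list of
# publicly disclosed machine keys; the value below is a made-up sample.
SAMPLE_DISCLOSED_KEY = "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01"
KNOWN_DISCLOSED_KEY_HASHES = {
    hashlib.sha256(SAMPLE_DISCLOSED_KEY.encode()).hexdigest(),
}

# Constructed web.config fragment containing the weak settings the audit should flag.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_DISCLOSED_KEY}"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml: str) -> list:
    """Return human-readable findings for the ViewState-relevant settings."""
    findings = []
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        return findings
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false disables ViewState integrity checks")
    mk = system_web.find("machineKey")
    if mk is None:
        return findings  # keys are auto-generated per app pool: nothing static to leak
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "AutoGenerate,IsolateApps")
        if "AutoGenerate" in value:
            continue
        findings.append(f"{name} is static; rotate it if it was ever copied or shared")
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_DISCLOSED_KEY_HASHES:
            findings.append(f"{name} matches a publicly disclosed key: ViewState forgery is possible")
    algorithm = mk.get("validation", "HMACSHA256").upper()
    if algorithm in ("MD5", "SHA1"):
        findings.append(f"validation={algorithm} is weak; use HMACSHA256 or stronger")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run it against each IIS or SharePoint server's web.config (and the machine-level machine.config) and treat a disclosed-key match as an incident, not a hardening item, since any ViewState already accepted by that host may have been forged.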
Researchers noted that these compromised servers can function as stepping stones across different victim networks, enabling a distributed, multi-layer infrastructure. The listener module also allows execution of arbitrary commands, reconnaissance, and payload staging directly on IIS hosts.
Ink Dragon has also been observed exploiting ToolShell SharePoint vulnerabilities to deploy web shells. Additional post-compromise activity includes lateral movement via stolen administrative credentials, persistence through scheduled tasks and services, credential harvesting from LSASS memory, registry hive extraction, and firewall rule manipulation to enable outbound traffic.
In at least one confirmed case, the attackers identified a disconnected RDP session belonging to a Domain Administrator. By extracting authentication material retained in memory, they achieved SYSTEM-level access and ultimately obtained domain-wide control by exfiltrating NTDS.dit and related registry files.
Rather than relying on a single monolithic backdoor, the intrusions utilize multiple components to maintain persistence. These include ShadowPad loaders, memory-based shellcode loaders using Microsoft debugging tools, credential dumpers, encrypted payload loaders, and an advanced version of FINALDRAFT that abuses Outlook and the Microsoft Graph API for command and control.
Check Point researchers report that the latest FINALDRAFT variant introduces improved stealth, higher data exfiltration throughput, and modular command execution. Commands are delivered as encoded documents to a victim’s mailbox, retrieved by the implant, decrypted, and executed locally.
Investigators also identified traces of another China-linked threat actor, REF3927, also known as RudePanda, within several environments compromised by Ink Dragon. Despite overlapping access methods, there is no evidence suggesting coordination between the two groups.
Security experts warn that Ink Dragon represents an advanced threat model where compromised hosts double as command infrastructure. Each new breach strengthens a broader attacker-controlled network, making containment significantly more challenging unless the entire relay chain is dismantled.