China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

Medium
Malware
Published: Wed Dec 17 2025 (12/17/2025, 11:12:00 UTC)
Source: The Hacker News

Description

The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. Check Point Research is tracking the cluster under the name Ink Dragon. It's also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The

AI-Powered Analysis

Last updated: 12/17/2025, 12:57:05 UTC

Technical Analysis

Ink Dragon, tracked by Check Point Research and known by multiple aliases including Jewelbug and CL-STA-0049, is a China-aligned APT group active since at least March 2023. The group has escalated its focus on European government targets since mid-2025 while maintaining operations in Southeast Asia and South America. Ink Dragon leverages a diverse malware arsenal including ShadowPad, FINALDRAFT (also called Squidoor), NANOREMOTE, and custom backdoors to infiltrate and persist within victim networks.

Initial access is often gained through exploitation of vulnerable internet-exposed web applications, such as ASP.NET servers with misconfigured machine keys enabling ViewState deserialization attacks, and SharePoint servers vulnerable to ToolShell flaws. These exploits allow the deployment of web shells, which serve as footholds for delivering additional payloads like VARGEIT and Cobalt Strike beacons. The group uses these tools for command-and-control, reconnaissance, lateral movement, and data exfiltration. Notably, Ink Dragon installs a ShadowPad IIS Listener module on compromised servers, turning them into resilient C2 proxies that facilitate multi-hop traffic routing across different victim networks, effectively creating a global relay network. This architecture enhances stealth and operational resilience, making eradication challenging.

The group employs advanced privilege escalation techniques, including dumping LSASS memory to extract credentials and NTLM hashes, enabling domain-wide control and lateral movement via RDP tunnels. Persistence is maintained through scheduled tasks, service installations, and firewall modifications to allow outbound traffic. FINALDRAFT malware uses a modular command framework that pushes encoded commands via victim mailboxes, leveraging Outlook and Microsoft Graph API for stealthy C2 communication. Ink Dragon’s operational playbook emphasizes blending malicious activity with legitimate enterprise telemetry, complicating detection.

The group’s multi-component toolkit and relay-centric infrastructure represent a mature, long-term espionage strategy. Additionally, some victim environments show concurrent intrusions by another threat actor, REF3927 (RudePanda), though no operational link is established. Overall, Ink Dragon exemplifies a sophisticated, stealthy cyber espionage campaign targeting sensitive government and telecom sectors with significant operational complexity and persistence.
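The foothold, credential theft and persistence behaviours described above (an IIS worker process spawning a shell, LSASS memory access, scheduled tasks launched from staging directories, outbound firewall rules being added) map onto a handful of endpoint hunting rules. The following Python is an added example, not code from the article or from Check Point Research; it runs over constructed, SIEM-normalised Sysmon and Security event records, and its LSASS allow-list and staging-directory list are assumptions to be tuned per environment.

```python
import re

# Handle rights needed to read LSASS memory: PROCESS_VM_READ (0x0010) and
# PROCESS_QUERY_INFORMATION (0x0400). PROCESS_ALL_ACCESS (0x1FFFFF) includes both.
LSASS_READ_MASK = 0x0010 | 0x0400
# Hypothetical allow-list: tune to the images that legitimately open LSASS in your estate.
LSASS_ALLOWED = {"c:\\program files\\windows defender\\msmpeng.exe"}
# Directories an attacker can usually write to from a web shell or low-privileged session.
STAGING_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\", "c:\\inetpub\\", "c:\\users\\public\\")

def hunt(events):
    """Apply the hunting rules to normalised events; returns a list of (rule_name, event)."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 10 and ev.get("target", "").lower().endswith("\\lsass.exe"):
            # Sysmon ProcessAccess: credential dumping needs read rights on lsass.exe
            if (ev["access"] & LSASS_READ_MASK) == LSASS_READ_MASK and image not in LSASS_ALLOWED:
                findings.append(("lsass_memory_access", ev))
        elif ev["id"] == 1:  # Sysmon ProcessCreate
            parent, cmd = ev.get("parent", "").lower(), ev.get("cmdline", "").lower()
            if parent.endswith("\\w3wp.exe") and image.endswith(("\\cmd.exe", "\\powershell.exe")):
                findings.append(("iis_worker_spawned_shell", ev))  # typical web shell foothold
            if re.search(r"\bnetsh\b.*advfirewall.*add rule.*dir=out", cmd):
                findings.append(("outbound_firewall_rule_added", ev))  # opening C2 egress
        elif ev["id"] == 4698 and ev.get("command", "").lower().startswith(STAGING_DIRS):
            # Security 4698: scheduled task created whose action lives in a staging directory
            findings.append(("scheduled_task_from_staging_dir", ev))
    return findings

# Constructed sample events in the flat form a SIEM would produce from Sysmon/Security logs.
SAMPLE_EVENTS = [
    {"id": 10, "image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1000},
    {"id": 10, "image": "C:\\Windows\\Temp\\upd.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": 0x1FFFFF},
    {"id": 1, "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"id": 1, "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=upd dir=out action=allow program=C:\\ProgramData\\svc.exe"},
    {"id": 4698, "task": "\\Microsoft\\Windows\\Upd\\svc", "command": "C:\\ProgramData\\svc.exe"},
    {"id": 4698, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev)
```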

Potential Impact

European organizations, particularly government agencies and telecommunications providers, face substantial risks from Ink Dragon’s campaigns. The threat actor’s ability to gain initial access through common web application vulnerabilities and then establish resilient, multi-hop command infrastructures means that breaches can persist undetected for extended periods. This persistence enables extensive espionage activities, including the exfiltration of sensitive government data, strategic communications, and intellectual property. The use of compromised hosts as relays across multiple victim networks increases the potential for cross-organization contamination, complicating incident response and remediation efforts. The exploitation of domain administrator sessions and extraction of NTDS.dit and registry hives can lead to full domain compromise, threatening the confidentiality, integrity, and availability of critical systems. The stealthy nature of the malware and its blending with legitimate traffic reduce the likelihood of timely detection, increasing the window for data theft and operational disruption. The threat also poses risks to national security and critical infrastructure, given the targeting of government and telecom sectors. The multi-regional scope of the attacks, including Europe, Asia, and Africa, indicates a broad strategic intent, with European entities likely targeted due to geopolitical considerations and the value of their data. The complexity and sophistication of the attack chain require advanced detection capabilities and coordinated defense strategies to mitigate impact effectively.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific tactics used by Ink Dragon. First, ensure all internet-facing web applications, especially IIS and SharePoint servers, are fully patched and hardened against known vulnerabilities such as ASP.NET ViewState deserialization and ToolShell flaws. Regularly audit and rotate ASP.NET machine keys to prevent exploitation. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying stealthy behaviors like LSASS dumping, unusual scheduled tasks, and service creation. Monitor network traffic for anomalous outbound connections, especially those mimicking legitimate enterprise telemetry or using cloud APIs like Microsoft Graph and Google Drive. Implement strict network segmentation to limit lateral movement and isolate critical assets. Enforce strong multi-factor authentication (MFA) for RDP and administrative access, and monitor for idle or disconnected sessions that could be hijacked. Maintain credential hygiene, including detection of NTLM fallback usage and token theft attempts. Employ threat hunting focused on detecting ShadowPad and FINALDRAFT indicators, including memory-resident payloads and encoded mailbox commands. Establish comprehensive logging and correlation across endpoints, mail systems, and network devices to detect multi-hop relay activity. Finally, develop incident response plans that account for the attacker’s relay-centric infrastructure, emphasizing the identification and dismantling of the entire attacker-controlled mesh rather than isolated nodes. Collaboration with national cybersecurity agencies and sharing of threat intelligence within Europe will enhance detection and mitigation efforts.
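The recommendation to audit and rotate ASP.NET machine keys can be scripted against web.config. The following Python is an added example, not from the article or any vendor tool: it flags a machineKey element that uses legacy algorithms, short or non-hex keys, or a key found in a hypothetical denylist of publicly known keys, and rewrites the element with fresh random keys and modern algorithms; the sample configuration and the denylist entry are constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Hypothetical denylist of machineKey values known to be public (copied from sample configs
# or forum posts); the entry here is constructed. Populate it from your own intel.
KNOWN_PUBLIC_KEYS = {"0123456789ABCDEF" * 8}
WEAK_VALIDATION = {"MD5", "SHA1"}   # HMACSHA256 or stronger is expected
WEAK_DECRYPTION = {"DES", "3DES"}   # AES is expected

def audit_machine_key(web_config_xml):
    """Return a list of findings for the <machineKey> element of a web.config document."""
    mk = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if mk is None:
        return []  # no explicit key: ASP.NET auto-generates one per application
    findings = []
    for attr, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "")
        if not value or value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr} is a publicly known key")
        if not re.fullmatch(r"[0-9A-Fa-f]+", value) or len(value) < min_hex:
            findings.append(f"{attr} is not hex or shorter than {min_hex} hex chars")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("weak validation algorithm: " + mk.get("validation"))
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append("weak decryption algorithm: " + mk.get("decryption"))
    return findings

def rotate_machine_key(web_config_xml):
    """Replace the machineKey with fresh random keys and modern algorithms; returns new XML."""
    root = ET.fromstring(web_config_xml)
    sw = root.find("system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = sw.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    mk.set("validationKey", secrets.token_hex(64))  # 64 random bytes for HMACSHA256
    mk.set("decryptionKey", secrets.token_hex(32))  # 32 random bytes for AES-256
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")

# Constructed weak config: a key lifted from a public sample, a short key and legacy algorithms.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="ABCDEF0123456789"
              validation="SHA1" decryption="3DES" />
</system.web></configuration>""" % ("0123456789ABCDEF" * 8)
```

Rotating a key invalidates existing ViewState, forms-authentication tickets and other data protected by the old key, so roll it across all nodes of a web farm in one change window.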

Technical Details

Article Source: https://thehackernews.com/2025/12/china-linked-ink-dragon-hacks.html (fetched 2025-12-17T12:56:38Z, 1607 words)

Added to database: 12/17/2025, 12:56:40 PM

Last enriched: 12/17/2025, 12:57:05 PM

Last updated: 12/18/2025, 1:42:25 PM
