
Ink Dragon's Relay Network and Stealthy Offensive Operation

Severity: Medium
Published: Tue Dec 16 2025 (12/16/2025, 14:57:29 UTC)
Source: AlienVault OTX General

Description

Ink Dragon, a Chinese threat actor, is conducting a sophisticated espionage campaign targeting government entities in Europe, Southeast Asia, and South America. The group exploits IIS misconfigurations to gain initial access and deploys a custom ShadowPad IIS Listener module to create a victim-based relay network, turning compromised servers into nodes of a distributed mesh. They use a new variant of the FinalDraft malware and platform-native tools to maintain stealth and blend into normal enterprise telemetry. Their operations are characterized by disciplined playbooks and advanced software engineering, enabling persistent and covert intrusions. The campaign poses a medium severity threat due to its targeted nature and stealth capabilities, with no known public exploits yet. European organizations, especially government sectors running IIS servers with potential misconfigurations, are at risk. The threat actor’s relay network complicates detection and response efforts, increasing the potential impact on confidentiality and operational integrity. Mitigation requires focused IIS hardening, network segmentation, and advanced telemetry analysis to detect anomalous relay behaviors.

AI-Powered Analysis

Last updated: 12/16/2025, 19:02:19 UTC

Technical Analysis

The Ink Dragon threat actor has launched a new wave of cyber espionage attacks primarily targeting government entities across Europe, Southeast Asia, and South America. The group leverages misconfigurations in Microsoft Internet Information Services (IIS) to gain initial footholds within victim networks. Once inside, Ink Dragon deploys a custom ShadowPad IIS Listener module, which transforms compromised IIS servers into active nodes within a victim-based relay network. This relay network forms a distributed mesh that facilitates stealthy command and control (C2) communications, making detection and attribution more challenging. The actor has also introduced a new variant of the FinalDraft malware, enhancing their toolset for persistence and data exfiltration. Their operational methodology combines advanced software engineering with disciplined operational playbooks, utilizing platform-native tools and living-off-the-land techniques to evade detection by blending malicious activity into normal enterprise telemetry. The campaign’s stealth and sophistication indicate a well-resourced and patient adversary focused on long-term intelligence gathering. Although no public exploits are currently known, the exploitation of IIS misconfigurations remains a critical vector. The presence of numerous file hashes associated with the malware and tools provides indicators of compromise (IOCs) for detection. Overall, Ink Dragon’s approach exemplifies modern advanced persistent threat (APT) tactics, emphasizing stealth, resilience, and operational security.

Potential Impact

For European organizations, particularly government entities, this campaign poses significant risks to confidentiality, integrity, and availability of sensitive information and critical infrastructure. The exploitation of IIS misconfigurations can lead to unauthorized access, allowing attackers to establish persistent footholds and use compromised servers as relay nodes, complicating incident response and forensic investigations. The victim-based relay network can facilitate lateral movement and data exfiltration while evading traditional network defenses. The stealthy use of platform-native tools and disciplined operational playbooks increases the likelihood of prolonged undetected intrusions, potentially resulting in loss of sensitive government data, disruption of services, and erosion of trust in public institutions. The medium severity rating reflects the targeted nature and complexity of the threat, which, if unmitigated, could escalate to critical impacts depending on the value of compromised assets. Additionally, the campaign’s focus on government targets aligns with geopolitical espionage motives, raising concerns about national security and diplomatic confidentiality within Europe.

Mitigation Recommendations

1. Conduct thorough audits and hardening of IIS configurations to eliminate misconfigurations that could be exploited for initial access.
2. Implement strict access controls and least privilege principles on IIS servers and related infrastructure.
3. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying ShadowPad and FinalDraft malware behaviors, including monitoring for unusual IIS listener modules.
4. Monitor network traffic for signs of relay network activity, such as anomalous internal-to-internal communications and unexpected proxying behaviors.
5. Utilize threat intelligence feeds to incorporate the provided file hashes and IOCs into detection tools and SIEM systems.
6. Segment networks to limit lateral movement and isolate critical government systems from general enterprise networks.
7. Employ behavioral analytics to detect living-off-the-land techniques and platform-native tool abuse.
8. Regularly update and patch IIS servers and related software to reduce attack surface.
9. Conduct red team exercises simulating similar attack vectors to test detection and response capabilities.
10. Establish incident response plans specifically addressing stealthy relay networks and advanced persistent threats targeting government sectors.


Technical Details

Author: AlienVault
TLP: white
References: https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation
Adversary: Ink Dragon
Pulse Id: 694173593290d291f99fc0c7
Threat Score: null

Indicators of Compromise

Hash

MD5:
293d4db492cdea1da4f4a3b58e83331f
2965ddbcd11a08a3ca159af187ef754c
a83639e65bf14d8a1a1dcbbbbc96e05a

SHA-1:
1c85aa9f61d92cfb9107b8ec5303ed60990509b1
300bcd3a8a0a5a0597b8e469ab4e2f4c86aa4434
b5cdb3a67908b9ec8c96aabdceb6788841097820

SHA-256:
188ab2d68f17ecf08a7a4cfc6457c79b0a5117b3277352a7371a525416129114
2b57deb1f6f7d5448464b88bd96b47c5e2bd6e1c64c1b9214b57c4d35a591279
2e84ea5cef8a9a8a60c7553b5878a349a037cffeab4c7f40da5d0873ede7ff72
36f00887f6c0af63ef3c70a60a540c64040b13a4209b975e96ce239e65548d4a
7efe5c1229178c1b48f6750c846575e7f48d17ea817997bd7acba0e5ecf1e577
809ddcbb64d6f2ccc4a8909068da60e6ea8b3ebd9c09dd826def0e188c7a2da2
866fde351251092fb5532e743459ba80968cd5516cce813c8755467f5e8a47a1
a86e72ca58de6d215a59ae233963eaea27fe47ef0c9f43938e27339df4a86732
b4a53f117722fb4af0a64d30ec8aa4c4c82f456e3d2a5c5111c63ce261f3b547
c305b3b3f9426d024cdd262497a5d196264397bfed445705759d0a793a58fe6e
d88115113e274071b03a3b4c1da99eaea7b8d94adf833dfd26943af0a6d78b4d
e2f6e722c26e19b76396c2502cacf2aaceaaa1486865578c665ebf0065641ffa
ecf0fbd72aac684b03930ad2ff9cdd386e9c13ddf449f27918f337dc8963590e
f094ff83d4b7d06bc17b15db7d7dc0e622778b0eda71e8fc9fdf7db83c460426
f438ca355e6888c4c9cd7287b22cfe5773992ef83f0b16e72fb9ae239d85586c
f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1
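Mitigation item 5 asks defenders to feed the pulse's hashes into their detection tooling, and the table above mixes MD5, SHA-1 and SHA-256 values without labelling them. The script below is an added example written for this page (it is not code from AlienVault, Check Point, or the site) that groups the IoC values by digest length, hashes every file under a directory you name once in a single read pass, and reports any match. The hash values are copied from the table above; the scan root and the sweep logic are the example's own assumptions.

```python
"""Sweep a directory for files whose hashes appear in the pulse's IoC list.

Added example for this page, not vendor or site code. The IoC values are
copied from the page's Indicators of Compromise table; the scan root is a
placeholder you pass on the command line.
"""
import hashlib
import sys
from pathlib import Path

# Hash values copied from the page's IoC table (MD5, SHA-1 and SHA-256).
IOC_HASHES = """
293d4db492cdea1da4f4a3b58e83331f
2965ddbcd11a08a3ca159af187ef754c
a83639e65bf14d8a1a1dcbbbbc96e05a
1c85aa9f61d92cfb9107b8ec5303ed60990509b1
300bcd3a8a0a5a0597b8e469ab4e2f4c86aa4434
b5cdb3a67908b9ec8c96aabdceb6788841097820
188ab2d68f17ecf08a7a4cfc6457c79b0a5117b3277352a7371a525416129114
2b57deb1f6f7d5448464b88bd96b47c5e2bd6e1c64c1b9214b57c4d35a591279
2e84ea5cef8a9a8a60c7553b5878a349a037cffeab4c7f40da5d0873ede7ff72
36f00887f6c0af63ef3c70a60a540c64040b13a4209b975e96ce239e65548d4a
7efe5c1229178c1b48f6750c846575e7f48d17ea817997bd7acba0e5ecf1e577
809ddcbb64d6f2ccc4a8909068da60e6ea8b3ebd9c09dd826def0e188c7a2da2
866fde351251092fb5532e743459ba80968cd5516cce813c8755467f5e8a47a1
a86e72ca58de6d215a59ae233963eaea27fe47ef0c9f43938e27339df4a86732
b4a53f117722fb4af0a64d30ec8aa4c4c82f456e3d2a5c5111c63ce261f3b547
c305b3b3f9426d024cdd262497a5d196264397bfed445705759d0a793a58fe6e
d88115113e274071b03a3b4c1da99eaea7b8d94adf833dfd26943af0a6d78b4d
e2f6e722c26e19b76396c2502cacf2aaceaaa1486865578c665ebf0065641ffa
ecf0fbd72aac684b03930ad2ff9cdd386e9c13ddf449f27918f337dc8963590e
f094ff83d4b7d06bc17b15db7d7dc0e622778b0eda71e8fc9fdf7db83c460426
f438ca355e6888c4c9cd7287b22cfe5773992ef83f0b16e72fb9ae239d85586c
f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1
"""

# Hex digest length tells us which algorithm the feed used for each value.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, None if malformed."""
    v = value.strip().lower()
    algo = DIGEST_ALGOS.get(len(v))
    if algo is None or not set(v) <= HEX_DIGITS:
        return None
    return algo


def load_iocs(text):
    """Group IoC values by algorithm, skipping blanks, comments and bad entries."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo = classify_hash(line)
        if algo is not None:
            iocs[algo].add(line.lower())
    return iocs


def hash_file(path, algos, chunk_size=1 << 20):
    """Compute every requested digest in one pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, iocs):
    """Return (algo, digest) pairs from `digests` that appear in the IoC sets."""
    return [(a, d) for a, d in digests.items() if d in iocs.get(a, ())]


def scan_directory(root, iocs):
    """Walk `root` and return (path, algo, digest) for each file hitting an IoC."""
    needed = [a for a, values in iocs.items() if values]
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path, needed)
        except OSError:
            continue  # locked or unreadable file: skip it, do not abort the sweep
        for algo, digest in match_digests(digests, iocs):
            hits.append((str(path), algo, digest))
    return hits


if __name__ == "__main__":
    # Assumed usage: python ioc_sweep.py <directory-to-scan>
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_path, algo, digest in scan_directory(scan_root, load_iocs(IOC_HASHES)):
        print(f"MATCH {algo} {digest} {file_path}")
```

Hash-based matching only catches the exact samples the pulse lists; a recompiled or repacked build will not match, so treat a hit as high confidence and a miss as no evidence either way. Running the sweep over the IIS installation and web-root directories of an internet-facing server is the obvious starting point; pairing it with the module and traffic checks in the mitigation list gives the behavioural coverage that hashes alone lack.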

Threat ID: 6941acaa0d5f6f4391ada9e9

Added to database: 12/16/2025, 7:02:02 PM

Last enriched: 12/16/2025, 7:02:19 PM

Last updated: 12/17/2025, 6:26:05 AM
