China-Linked Ink Dragon Espionage Group Targets Governments Using ShadowPad and FINALDRAFT Malware

By jinia

Cybersecurity researchers are tracking a sustained cyber‑espionage campaign conducted by a China‑aligned threat actor known as Ink Dragon, which has increasingly targeted government organizations across Europe since mid‑2025. The group continues to operate globally, with additional victims identified in Southeast Asia, South America, and Africa.

The activity cluster, also known as Jewelbug, is monitored by Check Point Research under the Ink Dragon designation and is referenced elsewhere as CL‑STA‑0049, Earth Alux, and REF7707. Analysts assess that the group has been active since at least March 2023, demonstrating a high level of operational maturity.

A Stealthy and Well‑Engineered Threat Actor

According to Check Point, Ink Dragon’s campaigns stand out due to their disciplined tradecraft and reliance on platform‑native tools, enabling the attackers to blend malicious activity into legitimate enterprise telemetry.

“The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse native tools, making the intrusions both effective and difficult to detect,” Check Point noted in its technical analysis.

Eli Smadja, Group Manager of Products R&D at Check Point Software, confirmed that the campaign remains active and has already affected several dozen victims, including government agencies and telecommunications providers across multiple regions.

FINALDRAFT and ShadowPad at the Core of the Campaign

Ink Dragon first drew widespread attention in February 2025, when Elastic Security Labs and Palo Alto Networks Unit 42 disclosed its use of a sophisticated backdoor known as FINALDRAFT (also called Squidoor). The malware supports both Windows and Linux environments and has since evolved into a more stealthy and modular toolset.

More recently, the group has been linked to a five‑month intrusion against a Russian IT services provider, further highlighting its long‑term persistence capabilities.

Attack chains typically begin with the exploitation of internet‑facing web applications, allowing attackers to deploy web shells. These footholds are then used to deliver additional payloads, including VARGEIT and Cobalt Strike beacons, enabling:

  • Command‑and‑control (C2) communications
  • Internal reconnaissance
  • Lateral movement
  • Defense evasion
  • Data exfiltration

Another tool in the group’s arsenal is NANOREMOTE, a backdoor that leverages the Google Drive API for covert file transfer. While Check Point did not observe NANOREMOTE in its own investigations, researchers believe the group selectively deploys tools based on the victim’s environment and operational objectives.

Abuse of IIS, SharePoint, and ShadowPad Infrastructure

Ink Dragon has also been observed exploiting misconfigured or publicly known ASP.NET machine keys to conduct ViewState deserialization attacks against vulnerable IIS and SharePoint servers. Successful exploitation allows the attackers to install a custom ShadowPad IIS Listener module, effectively converting compromised servers into relay nodes within their C2 infrastructure.
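A defender-side check for the precondition this technique depends on, added here as an example and not code from Check Point or the article: it parses an ASP.NET web.config, flags a machineKey that matches a known-public key, is static, or uses a weak validation/decryption algorithm, and flags a disabled ViewState MAC. The sample config and the "known public" key set are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from any real server) with a
# static, intentionally weak machineKey of the kind the article describes.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="CONSTRUCTED_SAMPLE_VALIDATION_KEY"
                decryptionKey="CONSTRUCTED_SAMPLE_DECRYPTION_KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Placeholder: in practice load the keys that have leaked through public
# samples, docs or copied web.config files; only a constructed value here.
KNOWN_PUBLIC_KEYS = {"CONSTRUCTED_SAMPLE_VALIDATION_KEY"}

WEAK_VALIDATION = {"MD5", "SHA1"}   # HMACSHA256 or stronger is expected
WEAK_DECRYPTION = {"DES", "3DES"}   # AES ("Auto") is the .NET 4.x default


def audit_machine_key(xml_text, known_public_keys=frozenset()):
    """Return a list of findings describing ViewState-related weaknesses."""
    root = ET.fromstring(xml_text)
    findings = []
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState MAC disabled")
    # root.iter also catches <machineKey> placed under <location> overrides
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if vkey in known_public_keys or dkey in known_public_keys:
            findings.append("machineKey matches a publicly known key")
        if not vkey.startswith("AutoGenerate") or not dkey.startswith("AutoGenerate"):
            findings.append("static machineKey: confirm it is unique, secret and rotated")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"weak validation algorithm {mk.get('validation')}")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"weak decryption algorithm {mk.get('decryption')}")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG, KNOWN_PUBLIC_KEYS):
        print("FINDING:", finding)
```

A static machineKey is legitimate on web farms, so the "static" finding is a prompt to verify provenance and rotation, not a defect by itself.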

This design enables attackers to proxy commands and traffic not only within a single organization, but across multiple victim networks, increasing resilience and operational reach.

“One compromised server can quietly become another hop in a global, multi‑layered infrastructure, supporting campaigns elsewhere,” Check Point explained.

The IIS listener module also supports remote command execution, system reconnaissance, and payload staging, giving operators granular control over infected systems.

Advanced Post‑Exploitation Techniques

In addition to abusing ASP.NET ViewState flaws, Ink Dragon has weaponized ToolShell SharePoint vulnerabilities to deploy web shells. Subsequent post‑exploitation activities include:

  • Extracting local administrative credentials from IIS machine keys
  • Lateral movement via RDP tunnels
  • Establishing persistence through scheduled tasks and services
  • Dumping LSASS memory and extracting registry hives
  • Modifying firewall rules to enable outbound traffic
  • Transforming infected systems into ShadowPad relay nodes

In at least one confirmed incident, the attackers identified an idle Domain Administrator RDP session authenticated via NTLMv2 fallback. By extracting residual credentials from LSASS memory, Ink Dragon achieved domain‑wide privilege escalation, exfiltrating NTDS.dit and registry data.

Modular Malware Ecosystem

Rather than relying on a single monolithic backdoor, Ink Dragon employs a modular malware framework to maintain long‑term access. Identified components include:

  • ShadowPad Loader – decrypts and executes the core ShadowPad module in memory
  • CDBLoader – abuses Microsoft’s cdb.exe debugger to run shellcode
  • LalsDumper – extracts LSASS memory dumps
  • 032Loader – decrypts and launches additional payloads
  • FINALDRAFT (updated variant) – abuses Microsoft Outlook and the Graph API for covert C2 communication
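The post-exploitation steps listed above (web shell children of the IIS worker, firewall rule changes, scheduled tasks, hive extraction) and the CDBLoader component can be expressed as simple process-creation detections. The following is an added example, not code from Check Point or the article; the event format and the sample events are constructed, and the parent-process allow-list for cdb.exe is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed process-creation events in a flat "host|parent|image|cmdline"
# form; not real telemetry. Mirrors the post-exploitation steps in the article.
SAMPLE_EVENTS = """\
WEB01|w3wp.exe|cmd.exe|cmd.exe /c whoami
WEB01|cmd.exe|cdb.exe|cdb.exe -cf C:\\Windows\\Temp\\x.wds notepad.exe
WEB01|cmd.exe|netsh.exe|netsh advfirewall firewall add rule name=upd dir=out action=allow
WEB01|cmd.exe|schtasks.exe|schtasks /create /tn Updater /tr C:\\Windows\\Temp\\u.exe /sc onlogon
WEB01|cmd.exe|reg.exe|reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
DEV07|devenv.exe|cdb.exe|cdb.exe -p 4120
DEV07|explorer.exe|notepad.exe|notepad.exe notes.txt
"""

# Each rule receives lower-cased (image, parent, cmdline).
RULES = [
    ("IIS worker spawning a shell (web shell activity)",
     lambda i, p, c: p == "w3wp.exe" and i in {"cmd.exe", "powershell.exe"}),
    ("cdb.exe launched outside developer tooling (CDBLoader pattern)",
     lambda i, p, c: i == "cdb.exe" and p not in {"devenv.exe", "windbg.exe"}),
    ("outbound firewall rule added via netsh",
     lambda i, p, c: i == "netsh.exe" and "advfirewall" in c and "add rule" in c),
    ("scheduled task created for persistence",
     lambda i, p, c: i == "schtasks.exe" and "/create" in c),
    ("credential registry hive saved to disk",
     lambda i, p, c: i == "reg.exe"
     and re.search(r"\bsave\b.*hklm\\(sam|security|system)\b", c) is not None),
]


def parse_events(text):
    """Split the constructed flat format into ProcEvent records."""
    return [ProcEvent(*line.split("|", 3)) for line in text.strip().splitlines()]


def detect(events):
    """Return (host, rule name) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        fields = (e.image.lower(), e.parent.lower(), e.cmdline.lower())
        hits.extend((e.host, name) for name, pred in RULES if pred(*fields))
    return hits


if __name__ == "__main__":
    for host, name in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {name}")
```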

Check Point reports that newer FINALDRAFT variants offer enhanced stealth, higher data exfiltration throughput, and advanced evasion techniques, enabling multi‑stage deployments across compromised networks.

Overlapping Intrusions with Other China‑Linked Groups

Researchers also detected traces of another China‑aligned threat actor, REF3927 (aka RudePanda), within several Ink Dragon victim environments. While there is no evidence of direct operational coordination, both groups appear to have exploited the same initial access vectors.

A Growing, Victim‑Powered Attack Network

Check Point concludes that Ink Dragon represents a new threat model, where compromised hosts double as operational infrastructure.

“The boundary between ‘infected system’ and ‘command infrastructure’ no longer exists. Each victim becomes a node in a living, attacker‑controlled mesh.”

Defenders are therefore urged to treat intrusions not as isolated incidents, but as potential components of a broader attacker‑managed ecosystem. Without dismantling the full relay chain, removing individual footholds may prove insufficient.

Ink Dragon’s relay‑centric ShadowPad architecture is among the most advanced observed to date, offering a clear blueprint for long‑term, multi‑organization cyber‑espionage operations built directly on compromised victim networks.