Current Cyber Threats

China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

Summary:
Ink Dragon, a sophisticated espionage cluster, also known in the industry as Earth Alux, Jewelbug, or REF7707, has significantly expanded its operational footprint from Southeast Asia and South America into European government networks. The group’s primary objective remains long-term intelligence collection, achieved through a blend of custom malware and disciplined operational playbooks. Their recent campaigns are characterized by the exploitation of long-known vulnerabilities, such as Microsoft IIS and SharePoint ViewState deserialization, alongside early access to newer flaws like the ToolShell vulnerability. A defining feature of their latest operations is the creation of a massive, distributed relay network. By deploying a custom "ShadowPad IIS Listener" module, Ink Dragon converts compromised victim servers into active command-and-control (C2) nodes. This mesh-like infrastructure allows the attackers to route malicious traffic across different victim organizations, effectively turning targets into an obfuscated proxy network that masks the true origin of the operators.


Security Officer Comments:
The most alarming development is Ink Dragon’s shift from utilizing dedicated C2 infrastructure to a victim-based "relay mesh." This strategy serves two primary purposes: it makes traditional IP-based blacklisting largely ineffective and complicates attribution by making legitimate government or corporate IP addresses appear as the source of attacks. The group’s continued success with ViewState deserialization suggests that many high-value targets still struggle with patching legacy IIS configurations, which the actors exploit with "solid software engineering." Their move into Europe, specifically targeting government and telecom sectors, aligns with a broader trend of Chinese-aligned APTs diversifying their geographic focus to support shifting geopolitical requirements. Furthermore, the use of "FinalDraft", a backdoor that mimics Microsoft cloud activity and communicates via mailbox drafts, highlights an advanced level of evasion intended to bypass standard EDR and NDR solutions by blending in with legitimate enterprise SaaS traffic.


Suggested Corrections:
Defenders should prioritize the hardening of public-facing web infrastructure, specifically Microsoft IIS and SharePoint servers, by ensuring all security patches are applied and that ViewState MAC validation is strictly enforced to prevent deserialization attacks. It is critical to monitor for unauthorized IIS modules; organizations should implement integrity checks on the web.config files and the IIS GlobalModules configuration to detect the injection of custom listener modules like the one used by Ink Dragon. Since this actor heavily leverages lateral movement via RDP and credential harvesting, organizations should enforce Multi-Factor Authentication (MFA) across all administrative accounts and utilize "Privileged Access Workstations" (PAW) for domain management. Network-level defenses should include outbound traffic filtering, specifically looking for unusual "Any to Any" firewall rules that may have been created by the actor, and the implementation of SSL/TLS inspection to identify the non-standard patterns hidden within the ShadowPad or FinalDraft communication protocols.
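The GlobalModules integrity check suggested above, as an added Python example that is not part of the original report: it parses an IIS applicationHost.config snapshot and diffs its globalModules entries against a known-good baseline of module name and DLL path, flagging unknown names, relocated DLLs and removed modules. The baseline, the sample configuration and the "PlaceholderListener" module name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed known-good baseline (module name -> native DLL path) for this server role;
# in practice, record it from a freshly built host before exposing it to the internet.
BASELINE = {
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
    "HttpCacheModule": r"%windir%\System32\inetsrv\cachhttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "ManagedEngine64": r"%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll",
}

# Constructed applicationHost.config excerpt: a built-in module name now points at a DLL
# in an unusual directory, and "PlaceholderListener" is a name absent from the baseline.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="HttpCacheModule" image="C:\Windows\Temp\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="PlaceholderListener" image="C:\inetpub\wwwroot\bin\listener.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def global_modules(config_xml: str) -> dict[str, str]:
    """Return {name: image} for every <add> under system.webServer/globalModules."""
    root = ET.fromstring(config_xml)
    return {n.get("name", ""): n.get("image", "")
            for n in root.findall("./system.webServer/globalModules/add")}

def audit_global_modules(config_xml: str, baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (finding, name, image) for each deviation of the config from the baseline."""
    current = global_modules(config_xml)
    findings = []
    for name, image in current.items():
        expected = baseline.get(name)
        if expected is None:
            findings.append(("module not in baseline", name, image))
        elif expected.lower() != image.lower():   # a known name with a relocated DLL
            findings.append(("module image changed", name, image))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append(("baseline module missing", name, baseline[name]))
    return findings

if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(" | ".join(finding))
```

Comparing the DLL path and not only the module name matters because a module registered under a legitimate-looking built-in name would otherwise pass the check.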

Link(s):
https://thehackernews.com/2025/12/china-linked-ink-dragon-hacks.html