A sophisticated Chinese threat actor tracked as Ink Dragon has been weaponizing a custom ShadowPad IIS Listener module to convert compromised servers into distributed relay nodes, according to research by Check Point Research.
The tactic represents a significant escalation in the group’s operational capabilities, enabling attackers to establish persistent, multi-layered command-and-control infrastructure that spans victim organizations globally.
Ink Dragon, also known by aliases including Earth Alux, Jewelbug, REF7707, and CL-STA-0049, has noted a sustained campaign targeting government, telecom, and public-sector infrastructure since at least early 2023.
While the group initially concentrated operations on Southeast Asia and South America, recent activities reveal an expanded focus on European government targets, signaling a geographic diversification of their espionage operations.
The custom ShadowPad IIS Listener module serves as the technical linchpin of the group’s infrastructure strategy.
By deploying this module across multiple compromised servers, attackers effectively transform each breached asset into a communication node capable of receiving, forwarding, and proxying commands.
This distributed mesh architecture allows attackers to route traffic not only deeper within a single organization’s network but also across different victim networks entirely.
Consequently, a single compromise becomes another hop in a global, multi-layered relay network supporting ongoing campaigns.
ShadowPad IIS Listener Discovered
The module operates with remarkable sophistication, masquerading as legitimate IIS components while providing covert command-and-control capabilities.
It utilizes realistic default configurations including paths like “C:inetpubwwwroot” and server type strings such as “Microsoft-IIS/10.0” to blend seamlessly into standard Windows Server installations.
The listener intercepts HTTP requests matching attacker-configured URL patterns while handling non-conforming requests as regular IIS traffic, maintaining operational stealth.
Initial access to target networks relies on exploitation of long-known but persistent vulnerabilities. Ink Dragon continues leveraging ASP.NET ViewState deserialization attacks through publicly disclosed machine keys, a technique that remains effective despite years of public awareness within the security community.
The group has also demonstrated early access to the ToolShell SharePoint vulnerability chain, conducting mass scanning operations in July 2025.
This multi-vector approach demonstrates practical scalability against large organizations with inconsistent web configurations.
Once established, the ShadowPad IIS module maintains two concurrent registries of peers: server and client lists. Nodes can register themselves into either category, with server entries periodically revalidated every 30 seconds to confirm ongoing availability.
Detection Challenges
Clients remaining unpaired for 30 seconds are automatically pruned to prevent stale links. This design enables sophisticated relay topology management across compromised infrastructure.
Beyond the relay logic itself, the module leaves behind an unusually rich forensic artifact: debug strings that document the number of bytes it forwards between external and internal IP addresses.
The module’s command architecture operates on two parallel tracks: relay network construction and traditional backdoor functionality.
Beyond establishing peer-to-peer communication, the module functions as a fully capable ShadowPad backdoor, enabling operators to conduct host reconnaissance, file operations, data collection, payload staging, and aggressive lateral movement.
This dual-purpose design reflects Ink Dragon’s mature development model and modular tooling philosophy.
Notably, Ink Dragon has introduced a new FinalDraft backdoor variant featuring enhanced stealth capabilities and higher exfiltration throughput, coupled with advanced evasion techniques enabling stealthy lateral movement.
The forensic analysis of a compromised European government office reveals the complete kill chain: web-centric initial access, hands-on-keyboard activity, staged loaders, privilege escalation, credential harvesting, and rapid domain dominance achievement.
Organizations should prioritize securing public-facing IIS and SharePoint servers, implementing strong machine key management practices, and monitoring for suspicious HTTP listener registration activity as critical defensive measures.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.