Ink Dragon, a Chinese espionage group, has significantly expanded its operational reach from Southeast Asia and South America into European government networks, according to ongoing research by Check Point Research.
The threat actor employs a methodical approach that combines strategic server compromises with sophisticated relay infrastructure to maintain persistent access and support global operations.
The group’s expansion reflects a disciplined campaign model characterized by extended dwell times and minimal detection signatures.
Ink Dragon uses compromised servers as relay nodes, turning victim organizations into unwitting infrastructure supporting broader espionage operations across multiple continents.
This approach enables the threat actor to obscure command and control traffic while maintaining operational resilience through distributed communication pathways.
Ink Dragon’s attack chain typically begins with reconnaissance of public-facing web infrastructure, targeting common configuration weaknesses in Microsoft IIS web servers and SharePoint deployments.
These entry points provide initial code execution with minimal visibility, allowing attackers to establish their first foothold in target networks.
Once established, the group focuses on lateral movement using legitimate administrative credentials and service accounts already present in the environment.
This technique allows Ink Dragon to blend seamlessly with regular enterprise activity, significantly reducing detection probability.
The attackers systematically collect local credentials, identify active administrator sessions, and exploit shared service accounts to traverse network segments.
The operation culminates with domain-level access acquisition, enabling comprehensive environmental mapping, policy manipulation, and persistent backdoor deployment across high-value systems. This staged approach prioritizes stealth and sustainability over rapid escalation.
Chinese Ink Dragon Threatens Cybersecurity
A defining characteristic of Ink Dragon’s operations is the systematic repurposing of compromised environments.
The group deploys customized IIS-based modules that convert public-facing servers into relay nodes, routing command traffic and supporting data between geographically dispersed victims.
This architectural approach creates a communication mesh that obscures the true origin of attack traffic, presenting itself as ordinary cross-organization activity to security monitoring systems.
The relay infrastructure provides multiple strategic advantages: operational resilience through redundant communication pathways, natural camouflage within standard HTTP traffic patterns, and extended utility from each compromised system.
Ink Dragon’s toolset continues advancing, with particular emphasis on cloud-aware capabilities.
The updated FinalDraft backdoor variant represents this evolution, specifically optimized to blend into Microsoft cloud activity patterns.
Rather than establishing suspicious external connections, the malware leverages Microsoft mailbox drafts for command traffic, effectively disguising communications as routine Microsoft service usage.
This latest iteration also introduces controlled timing mechanisms that align check-ins with business hours, efficient background data transfer protocols, and comprehensive system profiling capabilities.
These refinements demonstrate a threat actor prioritizing operational stealth and long-term campaign sustainability.
Concurrent Threat Activity
Investigations revealed concurrent activity by an unrelated threat actor, RudePanda, operating within the same compromised government networks.
Both groups independently exploited identical public-facing vulnerabilities, demonstrating how a single unpatched weakness can attract multiple advanced persistent threat groups.
RudePanda deployed lightweight web tools and IIS modifications consistent with its standard operational approach.
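A detection heuristic for the mailbox-draft command channel described for the FinalDraft variant above, added here as an example (it is not code from Check Point Research, the article, or the malware): it flags mailbox/app pairs whose Drafts folder shows repeated create-and-delete activity within an hour and no Send, which is the residue a drafts-as-command-channel leaves in mailbox audit data that ordinary drafting does not. The record shape, field names, application id and timestamps are constructed assumptions, not a real audit log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Assumed tuple shape:
#   (timestamp, mailbox, client_app, operation, folder)
# mbx-1: a user who writes drafts and sends them (normal behaviour).
# mbx-2: a single non-interactive app (constructed id "app-ab12") creating
#        and deleting drafts in a tight loop and never sending, inside
#        business hours, so time-of-day filtering alone would not catch it.
SAMPLE_EVENTS = [
    ("2024-05-06T09:02:10Z", "mbx-1", "Outlook", "Create", "Drafts"),
    ("2024-05-06T09:05:44Z", "mbx-1", "Outlook", "Send", "Drafts"),
    ("2024-05-06T09:40:00Z", "mbx-1", "Outlook", "Create", "Drafts"),
    ("2024-05-06T09:41:00Z", "mbx-1", "Outlook", "SoftDelete", "Drafts"),
]
for minute in range(0, 60, 5):  # one create/delete pair every five minutes
    SAMPLE_EVENTS.append(
        (f"2024-05-06T09:{minute:02d}:00Z", "mbx-2", "app-ab12", "Create", "Drafts"))
    SAMPLE_EVENTS.append(
        (f"2024-05-06T09:{minute:02d}:30Z", "mbx-2", "app-ab12", "SoftDelete", "Drafts"))

DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def find_draft_churn(events, min_ops=6):
    """Return {(mailbox, app, hour): (creates, deletes)} for every
    mailbox/app pair that, within one clock hour, performed at least
    min_ops create+delete operations on the Drafts folder and sent nothing.
    A drafts-based command channel writes and clears drafts without a
    Send; a human drafting mail sends some of them or churns far less."""
    buckets = defaultdict(lambda: [0, 0, 0])  # creates, deletes, sends
    for ts, mailbox, app, op, folder in events:
        if folder != "Drafts":
            continue
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        key = (mailbox, app, hour)
        if op == "Create":
            buckets[key][0] += 1
        elif op in DELETE_OPS:
            buckets[key][1] += 1
        elif op == "Send":
            buckets[key][2] += 1
    findings = {}
    for (mailbox, app, hour), (creates, deletes, sends) in buckets.items():
        if sends == 0 and creates + deletes >= min_ops:
            findings[(mailbox, app, hour.isoformat())] = (creates, deletes)
    return findings


if __name__ == "__main__":
    for key, counts in find_draft_churn(SAMPLE_EVENTS).items():
        print("draft churn without send:", key, counts)
```

Tune min_ops to the tenant's baseline; the point is the zero-Send condition paired with volume, since the page notes the check-ins are deliberately timed to look like business-hours activity.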
For cybersecurity professionals, Ink Dragon’s operations underscore a critical principle: compromised systems warrant investigation as potential communication infrastructure for broader threat actor operations.
Complete actor removal requires identifying and disrupting the entire relay chain rather than addressing isolated compromises.
Organizations should prioritize comprehensive post-incident analysis to identify whether compromised systems have been repurposed as relay nodes supporting external operations.