China-Based Ink Dragon Expands Its Compromises from Asia and South America into European Government Networks


Ink Dragon, a Chinese espionage group, has significantly expanded its operations from Southeast Asia and South America into European government networks.

This expansion marks a notable shift in the threat actor’s strategic focus, relying on well-engineered tools paired with techniques that mimic standard enterprise activity.

The group’s expansion has been methodical and disciplined, allowing it to establish long-term access while remaining undetected for extended periods.

The malware campaign demonstrates a sophisticated understanding of network infrastructure and administrative processes.

Attackers begin by identifying vulnerabilities in publicly accessible systems, particularly web servers like Microsoft’s Internet Information Services (IIS) and SharePoint platforms.

These initial entry points often stem from simple configuration oversights, which provide sufficient access for planting malicious code with minimal detection risk.


Once the initial foothold is established, the operators move with calculated precision.

Check Point analysts noted that Ink Dragon leverages stolen credentials and dormant administrative sessions to navigate through compromised networks.

The attackers collect local credentials from their initial entry point, identify active administrator sessions, and reuse shared service accounts to move laterally through systems while maintaining a legitimate appearance.

This approach ensures their movement blends seamlessly with normal administrative traffic.

Transforming compromised servers

A particularly advanced aspect of Ink Dragon’s operation involves transforming compromised servers into relay nodes.

These systems forward commands and data between different victims, creating a communication mesh that obscures the attack’s true origin.

This technique strengthens the group’s broader command network while making defender detection significantly more difficult, as the traffic appears to be routine cross-organizational activity.

Attack chain (Source - Check Point)

The group’s evolving toolkit, particularly the updated FinalDraft backdoor variant, represents a significant technical advancement.

This tool now integrates with Microsoft cloud services, hiding command traffic within ordinary mailbox drafts to appear as everyday use of legitimate services.

The latest version includes controlled timing mechanisms that align with normal business patterns, efficient data transfer capabilities for moving large files quietly, and detailed system profiling to provide operators with comprehensive visibility into each compromised machine.
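One defender-side heuristic for the mailbox-draft channel described above, added here as an example and not code from Check Point or the article: it assumes a simplified, constructed event schema (timestamp, mailbox, operation, folder) rather than any real Microsoft 365 audit format, and the mailbox names are made up. It flags mailboxes whose drafts are created and deleted quickly and repeatedly while nothing is ever sent.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mailbox-activity events in a simplified schema assumed
# for this example: (timestamp, mailbox, operation, folder). Real audit
# logs use other field names and would need mapping onto this shape.
SAMPLE_EVENTS = [
    ("2024-05-06T09:02:11", "svc-backup@example.gov", "Create", "Drafts"),
    ("2024-05-06T09:02:40", "svc-backup@example.gov", "SoftDelete", "Drafts"),
    ("2024-05-06T09:17:05", "svc-backup@example.gov", "Create", "Drafts"),
    ("2024-05-06T09:17:33", "svc-backup@example.gov", "SoftDelete", "Drafts"),
    ("2024-05-06T09:32:02", "svc-backup@example.gov", "Create", "Drafts"),
    ("2024-05-06T09:32:29", "svc-backup@example.gov", "SoftDelete", "Drafts"),
    ("2024-05-06T10:01:00", "alice@example.gov", "Create", "Drafts"),
    ("2024-05-06T10:04:10", "alice@example.gov", "Send", "Sent Items"),
    ("2024-05-06T11:20:00", "alice@example.gov", "Create", "Drafts"),
    ("2024-05-06T11:21:00", "alice@example.gov", "SoftDelete", "Drafts"),
]
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def draft_churn_alerts(events, window=timedelta(hours=1), min_cycles=3,
                       max_lifetime=timedelta(minutes=5)):
    """Flag mailboxes that repeatedly create and quickly delete drafts inside
    one window while never sending mail: one discarded draft is normal, a
    polling beacon produces many short-lived drafts and no sent messages."""
    by_mailbox = defaultdict(list)
    for ts, mailbox, op, folder in sorted(events):  # ISO timestamps sort chronologically
        by_mailbox[mailbox].append((datetime.fromisoformat(ts), op, folder))
    alerts = []
    for mailbox, evs in by_mailbox.items():
        sends = sum(1 for _, op, _ in evs if op == "Send")
        cycles, pending = [], None  # completion times of short create->delete pairs
        for ts, op, folder in evs:
            if folder != "Drafts":
                continue
            if op == "Create":
                pending = ts
            elif op in DELETE_OPS and pending is not None:
                if ts - pending <= max_lifetime:
                    cycles.append(ts)
                pending = None
        peak, start = 0, 0  # densest run of cycles within `window` (sliding window)
        for end, t in enumerate(cycles):
            while t - cycles[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if sends == 0 and peak >= min_cycles:
            alerts.append({"mailbox": mailbox, "cycles_in_window": peak})
    return alerts
```

The thresholds are starting points to tune against a baseline of real mailbox behaviour; service accounts that legitimately never send mail deserve a separate allow-list rather than a looser rule.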

Notably, Check Point researchers discovered that another threat actor, RudePanda, had compromised several of the same government networks at the same time.

This overlap reveals how a single unpatched vulnerability can become an entry point for multiple advanced threat actors, each operating independently within the same environment.

Understanding this shared attack surface has become critical for cybersecurity professionals tasked with preventing similar incidents.
