A sprawling and highly sophisticated cyberespionage campaign attributed to a China-linked threat actor has successfully compromised dozens of high-value government and telecommunications organizations across Europe, Asia, and Africa, operating with a level of stealth that redefines the modern threat landscape. The group, known as “Ink Dragon” and also associated with clusters tracked as Earth Alux and Jewelbug, has demonstrated a clear preference for clandestine, long-term intelligence gathering over high-profile, disruptive attacks. By leveraging a “low-and-slow” infiltration strategy, the attackers systematically exploit known vulnerabilities in public-facing servers, allowing them to gain an initial foothold without triggering alarms typically associated with zero-day exploits. Once inside a network, Ink Dragon deploys a custom, versatile toolkit designed for sustained persistence, lateral movement, and data exfiltration, all while mimicking legitimate network activity to remain undetected for extended periods, highlighting a significant evolution in state-sponsored espionage tactics.
The Anatomy of a Stealthy Intrusion
Exploiting Known Vulnerabilities for Initial Access
The initial entry point for Ink Dragon’s campaign relies not on novel, undiscovered exploits but on a well-documented vulnerability in misconfigured public-facing servers. The group specifically targets a flaw related to ASP.NET ViewState deserialization, which can be present on unpatched Microsoft Internet Information Services (IIS) and SharePoint servers. This deliberate choice of attack vector is a key element of their clandestine methodology. Security systems are often calibrated to detect the aggressive scanning and exploitation associated with zero-day attacks, but they can be less effective at identifying the subtle probing of known misconfigurations. By focusing on this overlooked entry point, Ink Dragon bypasses advanced threat detection and gains a persistent foothold. Following the initial breach, the actors move laterally through the compromised network by harvesting and reusing credentials, a technique that further blends their activities with normal administrative traffic and makes their movements exceptionally difficult to trace.
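Because the article's initial-access vector is a ViewState deserialization weakness rooted in server configuration, the practical defensive check is an audit of the ASP.NET settings that govern ViewState integrity. The following Python script is an added example written for this page, not code from the article or from any vendor: it parses a web.config, flags a disabled ViewState MAC, unencrypted ViewState, a weak validation algorithm, and pinned machine keys that need to be verified as unique and unleaked. The element and attribute names are the real ASP.NET ones; both sample configurations are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carrying the weak ViewState settings this check looks for.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: the same file after hardening (MAC on, encryption forced,
# HMACSHA256 validation, keys left to AutoGenerate on a single server).
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Validation algorithms that should no longer protect ViewState integrity.
WEAK_VALIDATION = {"md5", "sha1"}


def audit_viewstate_config(xml_text: str) -> list[str]:
    """Return human-readable findings for ViewState-related weaknesses in a web.config.

    An empty list means none of the checked weaknesses were found. The checks cover the
    <pages> and <machineKey> elements under <system.web>; the element and attribute names
    are the real ASP.NET ones, the severity judgements are this script's own.
    """
    findings = []
    root = ET.fromstring(xml_text)

    # <pages> controls whether ViewState carries a MAC and whether it is encrypted.
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("pages.enableViewStateMac=false: ViewState integrity check disabled")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("pages.viewStateEncryptionMode=Never: ViewState is sent unencrypted")

    # <machineKey> chooses the MAC algorithm and (optionally) pins static keys.
    for mk in root.iter("machineKey"):
        validation = mk.get("validation", "HMACSHA256").lower()
        if validation in WEAK_VALIDATION:
            findings.append(f"machineKey.validation={validation}: weak ViewState MAC algorithm")
        static_keys = [
            attr for attr in ("validationKey", "decryptionKey")
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate")
        ]
        if static_keys:
            findings.append(
                "machineKey has static " + "/".join(static_keys)
                + ": confirm the keys are unique to this farm and rotate them if they may have leaked"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"[{label}]")
        for finding in audit_viewstate_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Static keys are not a defect in themselves (web farms need them), which is why the script reports them as something to verify rather than as a failure: a machine key that has been copied from a sample, shared across unrelated sites, or exposed in a backup is what lets a forged ViewState pass the integrity check, and key rotation is the remediation.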
A Sophisticated and Tailored Malware Arsenal
Once established within a target network, Ink Dragon deploys a formidable suite of custom malware designed for long-term espionage and operational flexibility. Central to this toolkit is ShadowPad, a notorious backdoor that the group has equipped with a custom IIS Listener Module. This module transforms compromised servers into covert command-and-control (C2) nodes, enabling the attackers to issue commands and receive data. Another critical component is the FinalDraft Remote Access Trojan (RAT), a modular implant that exhibits remarkable ingenuity in its C2 communications. FinalDraft leverages the Microsoft Graph API, hiding its communications by saving command data within the drafts folder of a compromised mailbox. This tactic allows its traffic to blend seamlessly with legitimate Microsoft cloud services, evading network-based detection. The group also utilizes a variety of specialized loaders and dumpers, including CDBLoader for memory-resident malware execution, LalsDumper to steal credentials directly from the LSASS process memory, and 032Loader, which delivers payloads tailored to the specific compromised host.
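The FinalDraft technique described above turns a mailbox's Drafts folder into a message queue, so the observable is not a suspicious destination but an unusual rhythm of draft creation and deletion from a non-interactive client that never sends mail. The Python below is an added example for this page, not code from the article or from any vendor, showing a hunt over mailbox-activity records. The record shape is a constructed simplification (real Microsoft 365 audit and Graph activity records use different field names), the client app identifier is a placeholder, and the thresholds are the script's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(minute: int) -> str:
    """Constructed timestamp helper: minutes after 09:00 on a fixed day."""
    return (datetime(2024, 5, 1, 9, 0) + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed, simplified mailbox-activity records: who, which client, what, when.
SAMPLE_EVENTS = [
    # A human user: a few drafts over the day, one of them actually sent.
    {"ts": _ts(0),   "mailbox": "bob@corp.example", "client": "Outlook", "op": "DraftCreated"},
    {"ts": _ts(5),   "mailbox": "bob@corp.example", "client": "Outlook", "op": "MessageSent"},
    {"ts": _ts(240), "mailbox": "bob@corp.example", "client": "Outlook", "op": "DraftCreated"},
    {"ts": _ts(400), "mailbox": "bob@corp.example", "client": "Outlook", "op": "DraftDeleted"},
]
# A mailbox used as a drop box: a draft appears and is deleted every two minutes,
# from an app-only Graph client (the app id is a constructed placeholder), never sent.
for i in range(12):
    SAMPLE_EVENTS.append({"ts": _ts(2 * i), "mailbox": "svc-reports@corp.example",
                          "client": "graph-app:00000000-placeholder", "op": "DraftCreated"})
    SAMPLE_EVENTS.append({"ts": _ts(2 * i + 1), "mailbox": "svc-reports@corp.example",
                          "client": "graph-app:00000000-placeholder", "op": "DraftDeleted"})


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _peak_in_window(times: list, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window of the given size."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_draft_dropboxes(events, window=timedelta(hours=1), min_creates=10, min_delete_ratio=0.8):
    """Flag (mailbox, client) pairs whose Drafts folder behaves like a message queue.

    Heuristic (this script's own thresholds): at least `min_creates` drafts created inside
    one `window`, nearly all of them deleted again, and nothing ever sent by that client.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["mailbox"], e["client"])].append(e)

    alerts = []
    for (mailbox, client), evs in by_key.items():
        created = [_parse(e["ts"]) for e in evs if e["op"] == "DraftCreated"]
        deleted = sum(1 for e in evs if e["op"] == "DraftDeleted")
        sent = sum(1 for e in evs if e["op"] == "MessageSent")
        if not created:
            continue
        peak = _peak_in_window(created, window)
        if peak >= min_creates and deleted / len(created) >= min_delete_ratio and sent == 0:
            alerts.append({"mailbox": mailbox, "client": client,
                           "peak_creates_per_window": peak,
                           "created": len(created), "deleted": deleted})
    return alerts


if __name__ == "__main__":
    for alert in find_draft_dropboxes(SAMPLE_EVENTS):
        print(alert)
```

Keying on the (mailbox, client) pair matters: the same mailbox may legitimately be used from Outlook all day, and it is the separate app-only client with its own churn profile that stands out. In a real tenant the next step is to look up which application registration the client id belongs to and what mailbox permissions it was granted.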
Building a Covert Espionage Network
Co-opting Victim Infrastructure for Clandestine Operations
Perhaps the most innovative and concerning strategy employed by Ink Dragon is the co-option of victim infrastructure to construct a distributed, illicit network of relay nodes. Instead of communicating directly with a central C2 server, which could be identified and blocked, the attackers install their custom modules on the compromised IIS servers of various victims. This approach effectively creates a communication mesh between different compromised organizations, allowing the threat actor to forward commands and exfiltrate data through a chain of legitimate, trusted servers. This intricate relay system serves multiple strategic purposes. First, it significantly obfuscates the true origin of the attack traffic, making attribution a monumental challenge for incident responders. Second, by routing their activities through multiple victim networks, the attackers ensure that even if one node is discovered and cleaned, the broader C2 network remains operational, showcasing a high degree of operational resilience and foresight.
The Evolving Landscape of State-Sponsored Threats
The Ink Dragon campaign illustrates the broad consensus that state-sponsored threats increasingly prioritize operational longevity and stealth over immediate, high-impact disruption. The group’s meticulous planning, patient execution, and sophisticated evasion techniques underscore a strategic shift toward sustained intelligence-gathering operations against critical government and communications infrastructure. This trend is further complicated by the fact that high-value networks are often targeted by multiple adversaries simultaneously. During the investigation of this campaign, evidence of another distinct threat actor, known as “RudePanda,” was discovered operating within the same compromised environments. This overlap highlights the complex and layered nature of modern cyber defense, where security teams must contend with multiple, independent threat actors who may be unaware of each other’s presence, each employing unique tools and objectives.
A New Paradigm in Cyber Defense
The intricate web of compromised servers and covert communication channels established by Ink Dragon revealed a critical need for a paradigm shift in organizational cyber defense strategies. The campaign underscored that focusing solely on preventing initial breaches with perimeter-based security was no longer sufficient. It became evident that threat actors could and would find ways to bypass even robust defenses by exploiting overlooked misconfigurations in public-facing applications. The incident highlighted the necessity for continuous, proactive threat hunting within networks to identify deeply embedded adversaries who have already established a foothold. Moreover, the group’s success in leveraging common enterprise technologies like IIS and the Microsoft Graph API for malicious purposes demonstrated that security efforts had to extend beyond traditional malware detection to include rigorous monitoring of legitimate tools and services for anomalous behavior, fundamentally reshaping the approach to securing critical infrastructure against persistent, state-sponsored threats.