Ink Dragon Targets Governments with ShadowPad, FINALDRAFT
A China-aligned threat group tracked as Ink Dragon (also known as Jewelbug, CL-STA-0049, Earth Alux, and REF7707) is intensifying campaigns against government organizations in Europe while continuing operations in Southeast Asia and South America. Active since at least March 2023, the actor blends strong software engineering with living-off-the-land techniques to stay stealthy and persistent, according to new research from Check Point.
Scope and impact
- Activity is ongoing and has impacted several dozen victims
- Primary targets: government and telecommunications organizations
- Regions affected: Europe (increased focus since July 2025), Asia, Africa, Southeast Asia, South America
- Notable incident: a five-month breach of a Russian IT service provider
Initial access and intrusion methods
- Exploits internet-exposed apps to plant web shells
- Abuses mismanaged or predictable ASP.NET machine keys for ViewState deserialization on IIS/SharePoint
- Weaponizes ToolShell vulnerabilities in SharePoint to establish web shells
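A triage script for the two initial-access patterns above, run over IIS W3C logs. This is an added example, not code from Check Point or from the report; the log excerpt, the web-shell name spz.aspx and the 20 KB size threshold are constructed assumptions that need tuning per site.

```python
"""Triage IIS W3C logs for forged-ViewState POSTs and web-shell traffic.

Added example, not from the original report. SAMPLE_LOG is a constructed
excerpt; spz.aspx is an invented web-shell name; the thresholds are
assumptions that need tuning per site.
"""
from collections import defaultdict

# IIS writes spaces inside the User-Agent as '+', so records split on whitespace.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status cs-bytes
2025-09-01 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 512
2025-09-01 10:00:09 10.0.0.5 POST /_layouts/15/start.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 500 48211
2025-09-01 10:00:10 10.0.0.5 POST /_layouts/15/start.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 500 48211
2025-09-01 10:02:30 10.0.0.5 POST /_layouts/15/spz.aspx - 203.0.113.7 python-requests/2.31 200 1430
2025-09-01 10:03:12 10.0.0.5 POST /_layouts/15/spz.aspx - 203.0.113.7 python-requests/2.31 200 1502
2025-09-01 10:05:00 10.0.0.5 GET /sites/hr/default.aspx - 198.51.100.22 Mozilla/5.0+(Windows+NT+10.0) 200 380
2025-09-01 10:05:03 10.0.0.5 POST /sites/hr/default.aspx - 198.51.100.22 Mozilla/5.0+(Windows+NT+10.0) 200 2100
"""

LARGE_POST_BYTES = 20_000  # assumption: serialized gadget chains in __VIEWSTATE run to tens of KB


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, parts))


def triage(text):
    """Return (rule, client-ip, uri-stem, detail) findings for .aspx traffic."""
    findings = []
    per_page = defaultdict(lambda: {"get": 0, "post": 0, "ips": set(), "ua": set()})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not stem.lower().endswith(".aspx"):
            continue
        method, cip, ua = rec["cs-method"], rec["c-ip"], rec["cs(User-Agent)"]
        size, status = int(rec["cs-bytes"]), rec["sc-status"]
        st = per_page[stem]
        st["ips"].add(cip)
        st["ua"].add(ua)
        if method == "GET":
            st["get"] += 1
        elif method == "POST":
            st["post"] += 1
            # Rule 1: an oversized POST that ends in HTTP 500. A forged
            # __VIEWSTATE is large, and the page typically throws once the
            # deserialization gadget has already run.
            if size >= LARGE_POST_BYTES and status == "500":
                findings.append(("viewstate_deser", cip, stem, f"{size} bytes, HTTP {status}"))
    # Rule 2: a page that is only ever POSTed to (no form was ever rendered
    # with a GET) from a non-browser User-Agent looks like a web shell.
    for stem, st in sorted(per_page.items()):
        browser = any(ua.startswith("Mozilla/") for ua in st["ua"])
        if st["post"] and not st["get"] and not browser:
            findings.append(("webshell", ",".join(sorted(st["ips"])), stem,
                             f"{st['post']} POSTs, never GET, UA={sorted(st['ua'])}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(*f, sep=" | ")
```

Two caveats: cs-bytes is not among the default W3C fields, so enable it in IIS logging before relying on rule 1; and when the actor already holds the real machine key there is no MAC failure to log, whereas an actor guessing keys produces ASP.NET "Viewstate verification failed" entries (event 1316) in the Application log, so pair this triage with that event rather than expecting it.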
Command-and-control and persistence
- Deploys VARGEIT and Cobalt Strike beacons for C2, discovery, lateral movement, and exfiltration
- Installs a custom ShadowPad IIS Listener to convert compromised servers into resilient C2 relays and traffic proxies—across both local and other victim networks
- Creates scheduled tasks and services for persistence; alters host firewalls to allow outbound traffic and expand the ShadowPad relay network
Notable post-exploitation tradecraft
- Uses the IIS machine key (via ViewState deserialization) to gain execution on the server, then obtains local admin credentials there and moves laterally through RDP tunnels
- Dumps LSASS and extracts registry hives for privilege escalation
- In one case, leveraged an idle Domain Admin RDP session (NLA with NTLMv2 fallback) to harvest tokens/keys, write to admin shares, and exfiltrate NTDS.dit and registry hives—achieving domain-wide control
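A hunt over Windows Security logon events for the three RDP conditions just described: RDP arriving through a local tunnel, a privileged RDP logon authenticated with NTLM rather than Kerberos, and a privileged session left logged on. This is an added example, not code from Check Point or from the report; the event records are a constructed, flattened projection of the 4624/4634 fields, and the account names, PRIVILEGED set and IDLE_LIMIT are assumptions.

```python
"""Hunt Windows Security 4624/4634 events for tunneled RDP, NTLM-authenticated
privileged RDP logons and privileged sessions left logged on.

Added example, not from the original report. EVENTS is a constructed,
flattened projection of the event XML fields; the account names, hosts,
PRIVILEGED set and IDLE_LIMIT are assumptions.
"""
from datetime import datetime, timedelta

PRIVILEGED = {"DA-ops"}           # assumption: Tier 0 accounts for this estate
IDLE_LIMIT = timedelta(hours=8)   # assumption: maximum tolerated idle RDP session
LOOPBACK = {"127.0.0.1", "::1"}

# (TimeCreated, EventID, TargetLogonId, TargetUserName, LogonType,
#  AuthenticationPackageName, IpAddress); constructed records.
EVENTS = [
    ("2025-09-02T08:00:00", 4624, "0x3e7a1", "DA-ops",     "10", "Kerberos", "10.0.1.44"),
    ("2025-09-02T09:15:00", 4624, "0x41c02", "svc-backup", "10", "NTLM",     "127.0.0.1"),
    ("2025-09-02T09:30:00", 4624, "0x41f9b", "DA-ops",     "10", "NTLM",     "10.0.5.9"),
    ("2025-09-02T09:45:00", 4634, "0x41f9b", "DA-ops",     "10", "-",        "-"),
    ("2025-09-02T12:00:00", 4624, "0x44000", "alice",      "10", "Kerberos", "10.0.1.80"),
    ("2025-09-02T12:10:00", 4634, "0x44000", "alice",      "10", "-",        "-"),
]


def hunt(events, now):
    """Return (rule, logon_id, user, detail) findings; `now` is the evaluation time."""
    now = datetime.fromisoformat(now)
    findings = []
    # 4634 (logoff) and 4647 (user-initiated logoff) close a logon id.
    closed = {e[2] for e in events if e[1] in (4634, 4647)}
    for t, eid, lid, user, ltype, pkg, ip in events:
        if eid != 4624 or ltype != "10":
            continue  # only RemoteInteractive (RDP) logons
        # A loopback source means mstsc connected to a local forwarder
        # (plink/ssh/chisel-style tunnel), not to this host directly.
        if ip in LOOPBACK:
            findings.append(("tunneled_rdp", lid, user, f"RDP logon sourced from {ip}"))
        # Under NLA a domain account should normally authenticate with
        # Kerberos; NTLM means the client fell back (or was made to).
        if pkg == "NTLM" and user in PRIVILEGED:
            findings.append(("ntlm_fallback", lid, user, "privileged RDP logon authenticated with NTLM"))
        # A privileged session with no logoff event is the idle Domain Admin
        # session an attacker already on the box can ride.
        if user in PRIVILEGED and lid not in closed:
            age = now - datetime.fromisoformat(t)
            if age > IDLE_LIMIT:
                findings.append(("stale_priv_session", lid, user, f"no logoff after {age}"))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS, "2025-09-02T18:00:00"):
        print(*f, sep=" | ")
```

NTLM over RDP also appears legitimately when a client connects by IP address instead of hostname, so the ntlm_fallback rule yields leads for review, not verdicts; the loopback rule is far more specific.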
Tooling observed
- ShadowPad Loader: decrypts and runs the ShadowPad core in memory
- CDBLoader: abuses cdb.exe, the signed Microsoft command-line debugger, as a living-off-the-land binary to run shellcode and load encrypted payloads
- LalsDumper: extracts LSASS dumps
- 032Loader: decrypts and executes payloads
- FINALDRAFT (also known as Squidoor): updated variant with higher throughput, stealthier evasion, and staged lateral movement; abuses Outlook and Microsoft Graph API for C2 using a modular command framework where encoded task documents are placed in the victim’s mailbox and fetched by the implant
- NANOREMOTE (Google Drive API-based backdoor) has been documented by others but was not observed by Check Point in these intrusions
Why this campaign stands out
- Ink Dragon blurs the line between compromised host and C2 infrastructure, turning victims into a multi-layered relay mesh
- Each compromised node can route traffic deeper within one network—or across different victims—supporting long-term, multi-organizational access
Possible overlap, not coordination
- A second actor, REF3927 (RudePanda), was detected in several of the same environments
- No operational links identified; both likely used similar initial access vectors
Defender recommendations
- Lock down IIS/SharePoint: rotate/validate ASP.NET machine keys; patch ToolShell and other SharePoint flaws; monitor for ViewState abuse and suspicious IIS modules
- Harden RDP: enforce logoff policies for idle sessions; restrict NTLM and CredSSP fallback; monitor for RDP tunneling behavior
- Detect post-exploitation: alert on LSASS access, registry hive dumps, and cdb.exe misuse; hunt for ShadowPad, Cobalt Strike, and mailbox-to-Graph API C2 patterns
- Egress and segmentation: restrict outbound traffic from servers; monitor for relay-like proxying between internal and external hosts
- Break the chain: treat any local compromise as potential infrastructure for broader campaigns and dismantle the entire relay path, not just the first infected node
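A way to hunt for the relay behaviour described under "Why this campaign stands out" and called for in the egress and segmentation recommendation: correlate inbound and outbound connections per internal host and flag hosts that pass traffic between a victim and the outside, or from the outside into a deeper segment. This is an added example, not code from Check Point or from the report; the flow records, the internal address range and the 120-second correlation window are constructed assumptions.

```python
"""Flag internal hosts that behave as traffic relays between victims and the outside.

Added example, not from the original report. FLOWS is a constructed set of
connection records; the internal ranges and the 120 s correlation window
are assumptions to tune per environment.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: RFC1918 space in use
WINDOW = timedelta(seconds=120)                  # assumption: how close in time in/out must be


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


# (start time, src, dst, dport, bytes); constructed. 10.0.0.5 is the
# internet-facing IIS server, 10.0.3.15 a workstation, 10.0.7.21 a host
# in a deeper segment, 203.0.113.50 and 198.51.100.9 external peers.
FLOWS = [
    ("2025-09-03T01:00:00", "10.0.3.15",    "10.0.0.5",     443,  2200),
    ("2025-09-03T01:00:02", "10.0.0.5",     "203.0.113.50", 443,  2100),
    ("2025-09-03T01:00:05", "10.0.0.5",     "10.0.7.21",    445,   900),
    ("2025-09-03T01:30:00", "10.0.3.15",    "10.0.0.8",     443,  1500),
    ("2025-09-03T01:30:01", "10.0.0.8",     "10.0.0.9",     1433, 3000),
    ("2025-09-03T02:00:00", "198.51.100.9", "10.0.0.5",     443,   800),
    ("2025-09-03T02:00:01", "10.0.0.5",     "10.0.7.21",    3389, 5000),
]


def find_relays(flows, window=WINDOW):
    """Return {host: [(rule, inbound_src, outbound_dst, seconds_apart), ...]}.

    relay_out: an internal peer connects in, and within `window` the host
               opens a connection to an external address (victim -> C2 proxy).
    relay_in:  an external peer connects in, and within `window` the host
               opens a connection to another internal host (C2 -> deeper network).
    """
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t, src, dst, dport, _ in flows:
        ts = datetime.fromisoformat(t)
        inbound[dst].append((ts, src))
        outbound[src].append((ts, dst, dport))
    findings = defaultdict(list)
    for host in inbound:
        if not is_internal(host):
            continue
        for t_in, src in inbound[host]:
            for t_out, dst, dport in outbound.get(host, []):
                delta = t_out - t_in
                if not (timedelta(0) <= delta <= window):
                    continue
                if is_internal(src) and not is_internal(dst):
                    rule = "relay_out"
                elif not is_internal(src) and is_internal(dst):
                    rule = "relay_in"
                else:
                    continue  # internal-to-internal or external-to-external: not a relay edge
                findings[host].append((rule, src, f"{dst}:{dport}", int(delta.total_seconds())))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in find_relays(FLOWS).items():
        for hit in hits:
            print(host, *hit, sep=" | ")
```

A web server that legitimately calls out (updates, telemetry) will trip relay_out on busy days, so baseline each server's expected external destinations and treat repeated hits to unknown destinations, or any relay_in into RDP/SMB ports, as the signal; a confirmed relay is also the cue to walk the graph and take down every node on the path, not just the first one found.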
Source: The Hacker News