China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.

Check Point Research is tracking the cluster under the name Ink Dragon. It’s also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023.

“The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry,” the cybersecurity company said in a technical breakdown published Tuesday. “This mix makes their intrusions both effective and stealthy.”

Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.”

Details of the threat group first emerged in February 2025 when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor called FINALDRAFT (aka Squidoor) that’s capable of infecting both Windows and Linux systems. In recent months, Ink Dragon has also been linked to a five-month-long intrusion targeting a Russian IT service provider.

Attack chains mounted by the adversary have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.

Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.

“It is possible that the actor selectively deploys tools from a broader toolkit, depending on the victim’s environment, operational needs, and the desire to blend in with legitimate traffic,” Smadja said.

Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad IIS Listener module to turn these compromised servers into part of its C2 infrastructure and enable them to proxy commands and traffic, improving resilience in the process.

“This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely,” Check Point said. “As a result, one compromise can quietly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere, blending operational control with strategic reuse of previously breached assets.”

The listener module is also equipped to run different commands on the IIS machine, providing attackers with greater control over the system to conduct reconnaissance and stage payloads.
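The ViewState technique described above works only because the server's ASP.NET machine key is known to the attacker: a key that was published in documentation, copied between environments or left with a weak validation algorithm lets anyone sign a ViewState payload that reaches the deserializer. The audit below is an added example, not Check Point's or Microsoft's code, for the defender-side check. It assumes a plain web.config without XML namespaces; the list of "published" keys is a hypothetical placeholder to be filled from a trusted source, and the configuration it audits is constructed for the demo.

```python
"""Audit an ASP.NET web.config for machineKey weaknesses and emit a fresh key."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample values: obviously non-random hex of the right lengths.
CONSTRUCTED_VALIDATION_KEY = "A1B2C3D4" * 16   # 64 bytes
CONSTRUCTED_DECRYPTION_KEY = "DEADBEEF" * 6    # 24 bytes (3DES-sized)

# Hypothetical placeholder: keys known to be public (docs samples, forum posts,
# vendor advisories). Populate from a trusted source; here it holds the sample.
KNOWN_PUBLISHED_VALIDATION_KEYS = {CONSTRUCTED_VALIDATION_KEY}

# Constructed web.config that exhibits every weakness the audit looks for.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false"/>
    <machineKey validationKey="{CONSTRUCTED_VALIDATION_KEY}"
                decryptionKey="{CONSTRUCTED_DECRYPTION_KEY}"
                validation="SHA1" decryption="3DES"/>
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return (severity, message) findings for <pages> and <machineKey> elements."""
    root = ET.fromstring(xml_text)
    findings = []
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("CRITICAL",
                             'pages enableViewStateMac="false": ViewState signature check disabled'))
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        if vkey.upper() in KNOWN_PUBLISHED_VALIDATION_KEYS:
            findings.append(("CRITICAL", "validationKey matches a publicly known key"))
        elif not vkey.startswith("AutoGenerate"):
            # Static keys are legitimate on web farms, but they must be unique
            # per application, kept out of source control and rotated.
            findings.append(("INFO", "static validationKey: confirm it is unique and rotated"))
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in {"MD5", "SHA1"}:
            findings.append(("WARN", f"weak validation algorithm {validation}; use HMACSHA256"))
        decryption = mk.get("decryption", "Auto").upper()
        if decryption in {"DES", "3DES"}:
            findings.append(("WARN", f"weak decryption algorithm {decryption}; use AES"))
    return findings


def new_machine_key_element():
    """Build a replacement <machineKey> with fresh random keys."""
    vkey = secrets.token_hex(64).upper()   # 64 bytes for HMACSHA256
    dkey = secrets.token_hex(32).upper()   # 32 bytes for AES-256
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            'validation="HMACSHA256" decryption="AES"/>')


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
    print("replacement:", new_machine_key_element())
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so the replacement should be rolled out to all nodes of a farm at once; on a single server, `AutoGenerate,IsolateApps` removes the static secret entirely.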

In addition to exploiting publicly disclosed machine keys to achieve ASP.NET ViewState deserialization, the threat actor has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers. Other steps carried out by Ink Dragon are listed below –

  • Use the IIS machine key to obtain a local administrative credential and leverage it for lateral movement over an RDP tunnel
  • Create scheduled tasks and install services to establish persistence
  • Dump LSASS memory and extract registry hives to achieve privilege escalation
  • Modify host firewall rules to allow outbound traffic and transform the infected hosts into a ShadowPad relay network
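Each of the steps in the list above leaves a distinct trace in standard Windows telemetry (scheduled task creation, service installation, a handle opened to LSASS, a new firewall exception), and none of them is suspicious on its own. The correlator below is an added example, not Check Point's detection logic: it scores a host on how many distinct tactics appear together and alerts when two or more do. It assumes Security, System and Sysmon events already normalised into flat dicts with "host", "channel" and "id" keys; the records are constructed for the demo.

```python
"""Correlate host-level post-exploitation signals across Windows event sources."""
from collections import defaultdict

# Constructed sample telemetry: one host showing the full sequence, one host
# with only a benign service install and a non-LSASS handle open.
SAMPLE_EVENTS = [
    {"host": "iis01", "channel": "Security", "id": 4624, "user": "svc_web"},
    {"host": "iis01", "channel": "Security", "id": 4698,
     "task": r"\Microsoft\Windows\UpdateCheck", "image": r"C:\Windows\Temp\u.exe"},
    {"host": "iis01", "channel": "System", "id": 7045,
     "service": "WinSvcHelper", "image": r"C:\ProgramData\svc.exe"},
    {"host": "iis01", "channel": "Sysmon", "id": 10,
     "source": r"C:\Windows\Temp\d.exe", "target": r"C:\Windows\system32\lsass.exe"},
    {"host": "iis01", "channel": "Security", "id": 4946,
     "rule": "Allow outbound TCP 443", "direction": "Outbound"},
    {"host": "fs02", "channel": "System", "id": 7045,
     "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "fs02", "channel": "Sysmon", "id": 10,
     "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\system32\services.exe"},
]

# (channel, event id) -> (tactic, description)
SIGNALS = {
    ("Security", 4698): ("persistence", "scheduled task created"),
    ("Security", 4697): ("persistence", "service installed (Security log)"),
    ("System", 7045): ("persistence", "service installed (System log)"),
    ("Sysmon", 10): ("credential_access", "process handle opened to LSASS"),
    ("Security", 4946): ("defense_evasion", "firewall exception rule added"),
}
# Paths a normal installer or service would not run from.
UNTRUSTED_DIRS = (r"c:\windows\temp", r"c:\programdata", r"c:\users")


def classify(event):
    """Map one event to (tactic, evidence string), or None if uninteresting."""
    key = (event["channel"], event["id"])
    if key not in SIGNALS:
        return None
    tactic, desc = SIGNALS[key]
    # Sysmon 10 fires for every cross-process handle; keep only LSASS targets.
    if key == ("Sysmon", 10) and not event.get("target", "").lower().endswith("\\lsass.exe"):
        return None
    image = event.get("image") or event.get("source") or ""
    if image.lower().startswith(UNTRUSTED_DIRS):
        desc += f" from user-writable path {image}"
    return tactic, desc


def correlate(events, min_tactics=2):
    """Group signals per host; alert when at least min_tactics distinct tactics co-occur."""
    tactics = defaultdict(set)
    evidence = defaultdict(list)
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        tactics[event["host"]].add(hit[0])
        evidence[event["host"]].append(hit[1])
    return {host: {"tactics": sorted(seen), "evidence": evidence[host]}
            for host, seen in tactics.items() if len(seen) >= min_tactics}


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["tactics"])
        for line in alert["evidence"]:
            print("  -", line)
```

In production the grouping key would also carry a time window, and the LSASS rule would whitelist known security agents by signer rather than by path.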

“In at least one instance, the actor located an idle RDP session belonging to a Domain Administrator that had authenticated via Network Level Authentication (CredSSP) using NTLMv2 fallback. Since the session remained disconnected but not logged off, it is highly likely that LSASS retained the associated logon token and NTLM verifier in memory,” Check Point said.

“Ink Dragon obtained SYSTEM-level access to the host, extracted the token (and possibly the NTLM key material), and reused it to perform authenticated SMB operations. Through these actions, they were able to write to administrative shares and exfiltrate NTDS.dit and registry hives, marking the point at which they achieved domain-wide privilege escalation and control.”
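The weak point in the scenario Check Point describes is a Domain Administrator session that was disconnected but never logged off, so LSASS kept its logon material. A cheap control is to look for exactly that state and end it. The script below is an added example, not Check Point's tooling: it parses the output of the built-in Windows `quser` command, flags disconnected sessions of privileged accounts idle for longer than a threshold, and prints the matching `logoff` commands. It assumes a caller-supplied set of privileged account names (for example, the members of Domain Admins); the `quser` output is constructed for the demo.

```python
"""Find disconnected (not logged-off) sessions belonging to privileged accounts."""

# Constructed quser output: header line, then one row per session. Disconnected
# sessions have an empty SESSIONNAME column, which is why the parser works from
# the right-hand side of each row.
SAMPLE_QUSER_OUTPUT = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>svc_web               rdp-tcp#3           2  Active          .  1/14/2026 9:02 AM
 da-jsmith                                 4  Disc      1+03:27  1/13/2026 5:35 AM
 helpdesk1             rdp-tcp#5           5  Active         12  1/14/2026 10:40 AM
 da-ops                                    6  Disc         2:10  1/14/2026 8:00 AM
"""

# Hypothetical: in practice, populate from a directory group query.
PRIVILEGED_ACCOUNTS = {"da-jsmith", "da-ops"}


def idle_minutes(text):
    """Convert quser idle strings ('.', '12', '2:10', '1+03:27') to minutes."""
    if text in (".", "none"):
        return 0
    days = 0
    if "+" in text:
        day_part, text = text.split("+", 1)
        days = int(day_part)
    if ":" in text:
        hours, minutes = text.split(":")
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(text)


def parse_quser(output):
    """Parse quser rows into dicts; tolerant of the blank SESSIONNAME column."""
    sessions = []
    for line in output.splitlines()[1:]:
        tokens = line.lstrip(">").split()   # '>' marks the current session
        if len(tokens) < 7:
            continue
        # From the right: logon time is 3 tokens, then idle, state and id.
        logon = " ".join(tokens[-3:])
        idle, state, session_id = tokens[-4], tokens[-5], int(tokens[-6])
        session_name = tokens[1] if len(tokens) == 8 else ""
        sessions.append({"user": tokens[0], "session": session_name,
                         "id": session_id, "state": state,
                         "idle": idle_minutes(idle), "logon": logon})
    return sessions


def stale_privileged_sessions(output, privileged, max_idle_minutes=60):
    """Disconnected sessions of privileged users idle beyond the threshold."""
    wanted = {name.lower() for name in privileged}
    return [s for s in parse_quser(output)
            if s["state"] == "Disc"
            and s["user"].lower() in wanted
            and s["idle"] > max_idle_minutes]


def remediation_commands(sessions, server):
    """Commands an operator would run to end the flagged sessions."""
    return [f"logoff {s['id']} /server:{server}" for s in sessions]


if __name__ == "__main__":
    stale = stale_privileged_sessions(SAMPLE_QUSER_OUTPUT, PRIVILEGED_ACCOUNTS)
    for s in stale:
        print(f"{s['user']} session {s['id']} disconnected, idle {s['idle']} min")
    for cmd in remediation_commands(stale, "SRV01"):
        print(cmd)
```

Running this on a schedule catches the condition after the fact; the durable fix is the Group Policy limit on disconnected session time, which makes the logoff automatic, together with not allowing Domain Administrators to log on interactively to member servers at all.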

The intrusions have been found to rely on a number of components rather than a single backdoor or a monolithic framework to establish long-term persistence. These include –

  • ShadowPad Loader, which is used to decrypt and run the ShadowPad core module in memory
  • CDBLoader, which uses Microsoft Console Debugger (“cdb.exe”) to run shellcode and load encrypted payloads
  • LalsDumper, which extracts an LSASS dump
  • 032Loader, which is used to decrypt and execute payloads
  • FINALDRAFT, an updated version of the known remote administration tool that abuses Outlook and the Microsoft Graph API for C2

“The cluster has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques that enable stealthy lateral movement and multi-stage malware deployment across compromised networks,” Check Point said.

“FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim’s mailbox, and the implant pulls, decrypts, and executes them.”

The cybersecurity company also pointed out that it detected evidence of a second threat actor known as REF3927 (aka RudePanda) on “several” of the same victim environments breached by Ink Dragon. That said, there are no indications that the two clusters are operationally linked. It’s believed that both intrusion sets exploited the same initial access methods to obtain footholds.

“Ink Dragon presents a threat model in which the boundary between ‘compromised host’ and ‘command infrastructure’ no longer exists,” Check Point concluded. “Each foothold becomes a node in a larger, operator-controlled network – a living mesh that grows stronger with every additional victim.”

“Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem, where shutting down a single node is insufficient unless the entire relay chain is identified and dismantled. Ink Dragon’s relay-centric architecture is among the more mature uses of ShadowPad observed to date. A blueprint for long-term, multi-organizational access built on the victims themselves.”