
It was only a matter of time. Governments around the world have now put their security systems on high alert after the discovery of a large-scale espionage operation conducted by a group of Chinese hackers known as Ink Dragon.
The goal? To transform hacked government servers into a distributed command-and-control network. In short, to use the victims as part of their command-and-control infrastructure. A modus operandi that has left security experts speechless.
Ink Dragon has been active since early 2023, targeting government, telecommunications, and public sector organizations in Southeast Asia and South America. Even more disturbingly, it has increased its activity against government facilities in Europe. A high level of engineering sophistication and the use of legitimate system components have made these attacks difficult to detect. Uncovering this operation was like finding a needle in a haystack. But, as the saying goes, “a leopard can’t change its spots.” And Ink Dragon continues to amaze.
Check Point Research uncovered this large-scale espionage operation that effectively used the victims themselves as part of its command and control infrastructure.
Ink Dragon, also known as Earth Alux, Jewelbug, REF7707, and CL-STA-0049, has been active since at least early 2023. The group initially focused on government, telecommunications, and public organizations in Southeast Asia and South America, but in recent months it has significantly increased its activity against government facilities in Europe.
The group’s campaigns are characterized by a high level of engineering sophistication, meticulous operational discipline, and the extensive use of legitimate system components, allowing attacks to remain undetected for extended periods.
A key feature of Ink Dragon is its approach, which involves integrating compromised servers into a global distributed relay network, rather than simply using them for espionage purposes. To achieve this, attackers implement a specialized IIS module, ShadowPad Listener, which integrates into the web server and silently intercepts HTTP(S) traffic. Each infected server becomes a node capable of receiving commands, forwarding them to other victims, and managing connections via proxies, thus expanding the command-and-control infrastructure without the need for dedicated C2 servers.
Initial penetration typically occurs through well-known but still widespread IIS and SharePoint misconfigurations. Ink Dragon actively exploits ASP.NET ViewState deserialization vulnerabilities using predictable or leaked machineKey values, allowing arbitrary code execution. Several attacks have also exploited a number of ToolShell vulnerabilities in on-premises Microsoft SharePoint installations, allowing unauthenticated remote code execution and web shell installation. In the summer of 2025, the group conducted mass scans of vulnerable SharePoint servers, indicating early access to the exploits.
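The two weaknesses described above, a native IIS module loaded from an unexpected location and a static (and therefore leakable) machineKey, can both be read straight out of IIS configuration files. The following is an added audit script, not code from Check Point Research or from any of the tools named in this article; the two XML fragments are constructed samples standing in for applicationHost.config and web.config, and the path of the trusted module directory is an assumption of a default IIS install.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not from any real host).
# One module comes from the normal inetsrv directory; the other is a native
# module loaded from a location the web server should never load code from.
APPHOST_XML = """<configuration><system.webServer><globalModules>
  <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  <add name="HttpListenerModule" image="C:\\inetpub\\temp\\listener.dll" />
</globalModules></system.webServer></configuration>"""

# Constructed sample web.config: static keys instead of AutoGenerate, and the
# ViewState MAC switched off in <pages>.
WEBCONFIG_XML = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

# Assumed location of legitimate native modules on a default IIS install.
TRUSTED_MODULE_DIRS = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")


def audit_global_modules(xml_text: str) -> list[str]:
    """Report native IIS modules whose DLL is outside the inetsrv directory."""
    findings = []
    modules = ET.fromstring(xml_text).find(".//globalModules")
    for mod in (modules if modules is not None else []):
        image = mod.get("image", "")
        if not image.lower().startswith(TRUSTED_MODULE_DIRS):
            findings.append(f"module {mod.get('name')} loaded from {image}")
    return findings


def audit_viewstate_config(xml_text: str) -> list[str]:
    """Report static machineKey values and a disabled ViewState MAC."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default is AutoGenerate; a fixed value is a secret that,
            # once leaked or guessed, lets anyone forge ViewState for this site.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"{attr} is static; rotate it and keep it out of source control")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac is false: ViewState is accepted without a MAC")
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(APPHOST_XML) + audit_viewstate_config(WEBCONFIG_XML):
        print("FINDING:", finding)
```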
Within the organization’s infrastructure, IIS configurations, and worker processes. This allows Ink Dragon to quickly transition from executing code within a web process to gaining full control of the server and then authenticating on neighboring hosts. They make extensive use of RDP tunnels and built-in ShadowPad capabilities for movement, disguising their activity as legitimate administrative sessions.
System persistence is achieved by creating scheduled tasks and installing services with SYSTEM privileges. Executable files masquerade as Windows system components, such as conhost.exe, and often carry valid digital signatures from trusted vendors, reducing the likelihood of detection. To escalate privileges, Ink Dragon combines the exploitation of local vulnerabilities, including techniques from the Potato family, with aggressive credential harvesting. The attacks use proprietary tools to dump LSASS, extract NTLM hashes and Kerberos artifacts, and actively search for “suspended” administrative RDP sessions to extract domain administrator tokens.
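Two of the behaviours described above leave simple traces in process-creation telemetry: a binary named like a Windows component (conhost.exe) running from a directory where the real one never lives, and the IIS worker process spawning a shell after web-process code execution. The following is an added detection example, not code from the researchers or from any product; the event records are constructed samples, and the field names and the list of system binaries are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry). Each record has
# the child image path, its parent image path and the account it runs as.
EVENTS = [
    {"image": r"C:\Windows\System32\conhost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\ProgramData\Update\conhost.exe",          # wrong directory
     "parent": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\System32\cmd.exe",                # shell under IIS
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "user": r"IIS APPPOOL\DefaultAppPool"},
    {"image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "user": r"IIS APPPOOL\DefaultAppPool"},
]

# Assumed set of Windows binaries that legitimately live only in System32/SysWOW64.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def masquerading_system_binary(image: str) -> bool:
    """A system binary name outside the system directories. A valid code
    signature on the file does not change this verdict: the path is wrong."""
    path = PureWindowsPath(image)
    return path.name.lower() in SYSTEM_BINARIES and str(path.parent).lower() not in SYSTEM_DIRS


def shell_spawned_by_iis(image: str, parent: str) -> bool:
    """The IIS worker process starting a shell, typical of web-shell use."""
    return (PureWindowsPath(parent).name.lower() == "w3wp.exe"
            and PureWindowsPath(image).name.lower() in SHELLS)


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, image) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        if masquerading_system_binary(e["image"]):
            hits.append(("masquerading_system_binary", e["image"]))
        if shell_spawned_by_iis(e["image"], e["parent"]):
            hits.append(("shell_spawned_by_iis", e["image"]))
    return hits


if __name__ == "__main__":
    for rule, image in triage(EVENTS):
        print(f"{rule}: {image}")
```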
Ink Dragon’s targets are primarily government organizations. Recent months have seen an increase in attacks against European entities, with hacked servers in Europe used for operations against targets in Africa and Southeast Asia. In several cases, another Chinese group, RudePanda, has been detected operating on the same systems. They used their own IIS modules, web shells, and even downloaded a kernel rootkit, but researchers have found no direct coordination between the groups.
According to Check Point Research, Ink Dragon represents a mature cyberespionage model in which the boundary between “victim” and “control infrastructure” virtually disappears. Each new compromised server strengthens the overall network, increasing its survivability and stealth. Under these conditions, protecting individual nodes becomes insufficient: countering such operations requires identifying and disrupting the entire relay chain, otherwise the compromised systems will continue to serve the attackers for a long time.
What did we learn from this article? First, that there is a hacker group called Ink Dragon that focuses primarily on attacking government organizations. An increase in attacks on European entities has been observed, with hacked servers in Europe being used for operations against targets in Africa and Southeast Asia. The article reveals that there is no direct collaboration between Ink Dragon and another hacker group, RudePanda, but similar activity has been detected on some systems.
To avoid these problems, several aspects must be considered. First, protecting individual nodes is no longer sufficient. In fact, the entire relay chain must be identified and disrupted. This prevents compromised systems from being used by attackers for a long time. Furthermore, it’s important to track the activity of hacker groups and follow their moves to prevent future attacks. Overall, cybersecurity is a very important issue and must be handled with care.
