Ink Dragon Targets Europe: Exploiting SharePoint and IIS Vulnerabilities

Author: Sandro Sana
19 December 2025 07:34

This news reaches us via the Recorded Future (Insikt Group) News & Research feed: Check Point Research has documented a new wave of activity attributed to the China-linked threat actor Ink Dragon, with a marked expansion towards European government networks (no longer “just” Southeast Asia and South America).

And this is where it gets awkward: when it comes to “government targets in Europe,” Italy isn’t a bizarre exception. It’s a natural target: central and local government, defense and its suppliers, telcos, and all the related industries that run on intranets, portals, document management, and “SharePoint, which is internal anyway.” Spoiler alert: it often isn’t.

What Ink Dragon Is Doing (And Why It’s More Annoying Than Usual)

Check Point describes a very “clean” and repeatable operational chain: initial access through exposed web servers (IIS/SharePoint), lateral movement, credential harvesting, privilege escalation, and then two key moves:

1) Turn victims into infrastructure (relay network)
Ink Dragon uses a ShadowPad module on IIS (“ShadowPad IIS Listener”) to convert compromised servers into nodes of a relay network: each newly compromised server becomes a “hop” that forwards traffic and commands, making it harder to determine the origin and direction of the C2. In practice, a compromised organization can become the bridge for operations against other organizations.

2) Stabilize persistence with FinalDraft and “cloud-native” C2
The observed FinalDraft variant takes camouflage a step further: it abuses the Microsoft Graph API to exchange commands and output through email drafts (mailbox drafts). Translation: at the network level you see traffic that looks like normal Microsoft 365/Graph activity, and therefore passes through allow-lists, “permissive” proxies, and superficial checks.

The Entrance: Misconfigured IIS, MachineKey, and the ToolShell Trail

Here comes the “sad but true” part: Ink Dragon keeps cashing in (for espionage rather than money) on mistakes that have been known for years: predictable or poorly handled ASP.NET machineKey values and ViewState deserialization attacks on IIS/SharePoint.

As for ToolShell on SharePoint on-prem, the tune has been familiar since 2025: wild exploitation, public PoCs, mass scanning, and a chain leading to webshells, key extraction, and possible RCE. In Italy, several regional CSIRT bulletins have reported operational details of the ToolPane endpoint abuse and the role of __VIEWSTATE in the chain.

To provide an “institutional” reference beyond national borders: CERT-EU has summarized the impact of the SharePoint on-prem vulnerabilities (under active exploitation) and the need for isolation and verification before and during remediation. On NVD you can find the description and context of CVE-2025-53770 (untrusted deserialization, RCE on SharePoint on-prem, with a known exploit “in the wild”).

“Okay, but what about Italy?”

If you’re an Italian CISO/IT manager and you think “we’re not a ministry,” I propose a less romantic and more realistic vision:

In Italy, we have a high density of organizations still using SharePoint on-prem and IIS for portals, workflows, and documents, often exposed “for convenience” (partners, suppliers, smart working, integrations). When an actor like Ink Dragon enters from there, they’re not looking for your price list: they’re looking for network credibility, relationships, email inboxes, documents, and access. And if they turn you into a relay node, you’re not just a victim: you (unknowingly) become part of the infrastructure of an espionage campaign.

There’s a second point, even more “Italian”: the supply chain. Even when the final target is a government agency, contractors and suppliers (ICT, consulting, service providers, facilities with access) are often the shortcut. And we’ve invented quite a few shortcuts.

Side note: when two people enter the same room

Check Point also reports an interesting development: RudePanda activity, not operationally related to Ink Dragon but present in parallel, was also observed in some of the same European government networks, exploiting the same exposed weakness. It’s the most brutal reminder of 2025-2026: an open door doesn’t attract “an” attacker. It attracts a queue.

What to do now

I won’t leave you with an endless “shopping list.” However, some priorities are non-negotiable:

  1. Instantly track exposed SharePoint on-prem and IIS servers (including those “accidentally” published via reverse proxy/NAT and forgotten). If you don’t know what’s exposed, you’re not managing: you’re hoping.
  2. Patches, mitigations, and hardening on SharePoint/IIS according to vendor and CSIRT recommendations. The key is the sequence: isolate where necessary, verify compromise, then update. CERT-EU makes this clear.
  3. Targeted hunting:
  • Suspicious requests to SharePoint endpoints associated with the ToolShell chain (IIS/WAF logs)
  • Webshell traces and “creative” changes on web servers
  • Credential dumping signals and lateral movement (SMB/RDP) consistent with the described kill chain
  • Graph API telemetry and mailbox anomalies (drafts with unusual patterns, suspicious token refreshes, unexpected logins/apps), because FinalDraft plays with them
  4. Incident readiness: if you discover that one of your servers has been used as a relay, a “local-only” cleanup risks being a Band-Aid on a dam. This is precisely why Check Point insists on the relay chain concept and the difficulty of complete eviction.
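As an added example (not part of the article and not Check Point’s or any CSIRT’s tooling), here is a small Python hunt over a constructed IIS W3C log excerpt that implements the first bullet above: it flags unauthenticated POSTs to the SharePoint ToolPane endpoint and counts ToolPane hits per client so mass scanning from one source stands out. The `/_layouts/15/ToolPane.aspx` path, the field layout, the sample addresses and the user agents are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (sample data for this example, not real telemetry).
# Field layout, paths and addresses are assumptions, not values from the article.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2025-12-18 09:12:01 GET /sites/hr/SitePages/Home.aspx - CORP\\alice 10.0.4.21 Mozilla/5.0 200
2025-12-18 09:12:07 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.77 python-requests/2.31 200
2025-12-18 09:12:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.77 python-requests/2.31 200
2025-12-18 09:14:30 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CORP\\bob 10.0.4.30 Mozilla/5.0 200
"""

# SharePoint's ToolPane page lives under the versioned _layouts folder (assumed path).
TOOLPANE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def hunt_toolpane(records):
    """Return (findings, per-client ToolPane hit counter) for the given records."""
    findings, per_client = [], Counter()
    for r in records:
        if not TOOLPANE.search(r["cs-uri-stem"]):
            continue
        per_client[r["c-ip"]] += 1
        # Hunt trigger: an anonymous (cs-username '-') POST to an editing endpoint.
        if r["cs-method"].upper() == "POST" and r["cs-username"] == "-":
            findings.append({"time": f'{r["date"]} {r["time"]}', "client": r["c-ip"],
                             "ua": r["cs(User-Agent)"], "status": r["sc-status"]})
    return findings, per_client

def run_sample():
    """Run the hunt over the constructed excerpt."""
    return hunt_toolpane(parse_w3c(SAMPLE_LOG))

if __name__ == "__main__":
    hits, counts = run_sample()
    for h in hits:
        print(f'{h["time"]} anonymous POST to ToolPane from {h["client"]} ({h["ua"]}) -> {h["status"]}')
    print("ToolPane requests per client:", dict(counts))
```

On real logs, point `parse_w3c` at the daily `u_ex*.log` files and tune the trigger (for example, adding a status-code or user-agent condition) to your own baseline of legitimate ToolPane use.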

Indicators

Below are some useful hashes (as per entity export) for initial pivots in TI/SIEM/EDR. They’re not the solution, but they help you avoid starting blind.

58aa34c65a67d96dd2f4a800a16b03ea4799d17f55e0c2a0f7207920d255163e

In conclusion

This story isn’t about “super-genius hackers.” It’s about organizations that in 2025-2026 still have exposed critical web servers, ungoverned patching, and detection controls that stop at the perimeter. And Ink Dragon, with ShadowPad and FinalDraft, shows you that the perimeter is no longer a border: it’s an entry point, and often even a transit point for attacking someone else.

Sandro Sana

Member of the Red Hot Cyber Dark Lab team and director of the Red Hot Cyber Podcast. He has worked in Information Technology since 1990 and has specialized in Cybersecurity since 2014 (CEH - CIH - CISSP - CSIRT Manager - CTI Expert). Speaker at SMAU 2017 and SMAU 2018, lecturer for SMAU Academy & ITS, and member of ISACA. He is also a member of the Scientific Committee of the national Competence Center Cyber 4.0, where he contributes to the strategic direction of research, training, and innovation activities in the cybersecurity field.
