Ink Dragon Expands With New Tools and a Growing Victim Network
Executive Summary
- Ink Dragon, a Chinese espionage group, has expanded from Asia and South America into European government networks.
- The group turns compromised servers into relay nodes, using victims to route commands and support operations in other environments.
- Updated tooling, including a new FinalDraft variant, allows the attackers to blend into Microsoft cloud activity and maintain long term access.
- Multiple threat actors, including RudePanda, exploited the same public facing weakness, showing how a single flaw can draw in several advanced groups.
- Check Point Research continues to track Ink Dragon’s activity and provide intelligence to help organizations detect and disrupt its evolving tactics.
Introduction
Ink Dragon is a long running espionage group that several security vendors allege to be a China-linked threat actor, based on behavioral and infrastructure indicators. Its activity has grown from operations in Southeast Asia and South America to a rising number of intrusions in European government networks.
Check Point Research has tracked this expansion through a series of quiet but disciplined campaigns, many of which initially appeared unremarkable until deeper investigation exposed a consistent pattern of stealthy escalation. Ink Dragon mixes well-built tools with techniques that look like standard enterprise activity, helping the group stay hidden for extended durations while quietly shaping each environment to its advantage.
A recent investigation inside a European government office shows this approach in practice. The intrusion revealed not only how Ink Dragon turns compromised servers into relay points for wider operations, but also how the attackers mapped administrative behavior, leveraged dormant sessions, and prepared the network for long-term use. Their evolving toolset, including a new FinalDraft variant, played a central role in this methodical campaign model.
How the Attack Unfolds
Ink Dragon begins by probing public-facing websites for weaknesses. Many of the intrusions we investigated began with simple configuration weaknesses in internet-facing servers, such as Microsoft IIS and SharePoint, that allowed the attackers to plant code on the server with little visibility to defenders. Once inside, they settle in quickly and prepare for the next phase.

Moving Inside the Network
From the initial server, the attackers focus on gaining the access they need to move quietly through the environment. They leverage passwords and service accounts already in use, helping them blend in with normal administrative activity.
Steps include:
- Collecting local credentials from the compromised server
- Identifying active administrator sessions
- Reusing shared or replicated service accounts to reach nearby systems
- Using Remote Desktop to move laterally in a way that looks legitimate
This stage is typically quiet: it generates little noise and spreads through infrastructure that shares the same credentials or management patterns.
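The lateral-movement steps above leave one reliable trace on the destination hosts: a Windows Security event 4624 with a RemoteInteractive logon type whose source address is the breached web server, or whose account is a service account that should never open a desktop session. The following is an added example, not Check Point Research's detection content, that applies those two checks to a constructed set of flattened 4624/4625 records; the host inventory, account names and addresses are assumptions made up for the example.

```python
"""Added example (not Check Point Research's tooling): flag RDP logons that
originate from an internet-facing web server or that use a service account,
using the fields of Windows Security event 4624.
"""
from collections import defaultdict

# Constructed inventory: the public-facing IIS/SharePoint host and the service
# accounts that should never open an interactive desktop session.
WEB_SERVER_IPS = {"10.0.5.20"}
SERVICE_ACCOUNTS = {"svc_sharepoint", "svc_sql"}

# 4624 LogonType values that mean a desktop session:
# 10 = RemoteInteractive (RDP), 7 = Unlock (also produced on RDP reconnect).
RDP_LOGON_TYPES = {10, 7}

# Constructed sample of flattened EventData fields from several hosts.
SAMPLE_EVENTS = [
    # Admin RDPs from their own workstation: normal.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.9.14",
     "Computer": "FS01", "TimeCreated": "2025-03-10T08:02:11"},
    # Web server talks to SQL over the network with its service account: expected.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_sharepoint", "IpAddress": "10.0.5.20",
     "Computer": "SQL01", "TimeCreated": "2025-03-10T08:05:40"},
    # Service account opens an RDP session on a domain controller, from the web server.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_sharepoint", "IpAddress": "10.0.5.20",
     "Computer": "DC01", "TimeCreated": "2025-03-10T23:14:02"},
    # Admin credentials reused for RDP, but sourced from the web server.
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.20",
     "Computer": "FS01", "TimeCreated": "2025-03-10T23:20:55"},
    # Failed attempt (4625) is not a session; it is left to a separate rule.
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.20",
     "Computer": "FS01", "TimeCreated": "2025-03-10T23:20:10"},
]


def rdp_lateral_movement(events, web_ips=WEB_SERVER_IPS, service_accounts=SERVICE_ACCOUNTS):
    """Return successful desktop logons that a web server should not be
    originating, or that a service account should not be performing."""
    findings = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        reasons = []
        if e["IpAddress"] in web_ips:
            reasons.append("RDP sourced from internet-facing web server")
        if e["TargetUserName"].lower() in service_accounts:
            reasons.append("service account used interactively")
        if reasons:
            findings.append({
                "time": e["TimeCreated"], "computer": e["Computer"],
                "user": e["TargetUserName"], "source": e["IpAddress"], "reasons": reasons,
            })
    return findings


def pivot_map(findings):
    """Source address -> sorted list of hosts it opened desktop sessions on,
    which shows how far a single breached server has spread."""
    targets = defaultdict(set)
    for f in findings:
        targets[f["source"]].add(f["computer"])
    return {src: sorted(hosts) for src, hosts in targets.items()}


if __name__ == "__main__":
    hits = rdp_lateral_movement(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['source']} -> {h['computer']} as {h['user']}: {'; '.join(h['reasons'])}")
    print("pivots:", pivot_map(hits))
```

Network logons (type 3) from the web server to a database are excluded on purpose; those are the relationships a web tier legitimately has, and alerting on them would bury the RDP sessions that matter.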
Taking Control
The operation changes once the attackers reach an account with domain level rights. At that point, they can map the environment in detail, control policy settings, and deploy long-term access tools across high-value systems.
Ink Dragon typically:
- Installs a persistent backdoor
- Positions implants on systems that store credentials or sensitive data
- Prepares new paths for remote access that do not rely on the original entry point
Turning Victims into Infrastructure
One of Ink Dragon’s defining traits is how they use compromised organizations to support operations elsewhere. The group deploys a customized IIS based module that turns public facing servers into quiet relay points. These servers forward commands and data between different victims, creating a communication mesh that hides the true origin of the attack traffic.
In practice this means:
- A server breached in one country may forward traffic for an operation in another
- Each new compromise strengthens the group’s broader command network
- Defenders see traffic that looks like normal cross organization activity, making detection harder
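A relay module of this kind has to be registered with IIS, and on a native module that registration is an `<add name=... image=...>` entry under `globalModules` in applicationHost.config. The check below is an added example, not Check Point Research's tooling or a description of Ink Dragon's actual module: it parses a constructed, trimmed applicationHost.config and flags any native module whose name is not in a baseline or whose DLL is loaded from somewhere other than a System32\inetsrv directory. The baseline list is abbreviated and the module and path in the sample are invented for illustration.

```python
r"""Added example (not Check Point Research's tooling): list the native modules
registered in an IIS applicationHost.config and flag any that are not in a
baseline or whose DLL lives outside %windir%\System32\inetsrv.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Abbreviated baseline of stock IIS native module names. On a real host,
# replace it with the list taken from a known-good build of the same IIS
# version (Get-WebGlobalModule from the WebAdministration PowerShell module
# prints name and image for every registered native module).
DEFAULT_BASELINE = frozenset({
    "HttpLoggingModule", "UriCacheModule", "FileCacheModule", "TokenCacheModule",
    "HttpCacheModule", "StaticCompressionModule", "DefaultDocumentModule",
    "DirectoryListingModule", "StaticFileModule", "AnonymousAuthenticationModule",
    "RequestFilteringModule", "CustomErrorModule", "ProtocolSupportModule",
    "ManagedEngineV4.0_32bit", "ManagedEngineV4.0_64bit",
})

# Constructed sample: four stock modules plus one added module pointing at a
# DLL under C:\inetpub\temp. The live file is normally at
# %windir%\System32\inetsrv\config\applicationHost.config.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="CacheHelperModule" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

INETSRV_TAIL = ("system32", "inetsrv")


def image_in_inetsrv(image: str) -> bool:
    """True if the image path passes through a System32\\inetsrv directory."""
    parts = [p.lower().strip("\\") for p in PureWindowsPath(image).parts]
    return any(tuple(parts[i:i + 2]) == INETSRV_TAIL for i in range(len(parts) - 1))


def parse_global_modules(config_xml: str):
    """Return (name, image) for every <add> under every <globalModules> section."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def find_suspicious_modules(config_xml: str, baseline=DEFAULT_BASELINE):
    """Flag modules unknown to the baseline or loaded from outside inetsrv."""
    findings = []
    for name, image in parse_global_modules(config_xml):
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        if not image_in_inetsrv(image):
            reasons.append("image path outside System32\\inetsrv")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"{f['name']}: {f['image']} ({'; '.join(f['reasons'])})")
```

A hit is a lead, not a verdict: take the flagged DLL, check its Authenticode signature and hash, and look at the site-level `<modules>` sections and any managed modules in web.config as well, since a module can also be enabled there. Because relay traffic rides on ordinary HTTP to the server's existing listener, the module registration is often the clearest host-side artifact.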
A Methodical Pattern
Across incidents, the same story repeats. A small web facing issue becomes the first step. A series of quiet pivots leads to domain level control. The environment is then repurposed as part of a larger network that powers operations against additional targets. This measured approach shows how Ink Dragon combines discipline, consistency, and evolving tools to expand its reach over time.
New and Evolving Tools
Ink Dragon’s toolset continues to mature. FinalDraft, a remote access tool long used by multiple espionage groups, has been updated for long-term access and now blends directly into common Microsoft cloud activity. Instead of reaching out to suspicious servers, it hides its command traffic inside ordinary mailbox drafts, so the communication looks like everyday use of Microsoft services.
The latest version also introduces several upgrades that improve how the attackers operate:
- Controlled timing that lets the malware check in during specific hours, matching normal business patterns.
- Efficient data transfer that moves large files quietly in the background.
- Detailed system profiling that gives operators a clear picture of each compromised machine.
These refinements show a threat actor focused on stealth, stability, and cloud aware operations. Ink Dragon continues to evolve its tools in ways that make detection harder and long term campaigns easier to sustain.
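A command channel that lives in mailbox drafts produces a recognisable shape in mailbox audit data: drafts that are created and then deleted on a steady cadence and are never sent. The following is an added example, not Check Point Research's or FinalDraft's code, that computes that shape over a constructed set of flattened mailbox audit records. The operation names Create, Send and SoftDelete are Exchange mailbox audit operations, but the record layout, user names and thresholds are simplified assumptions for the example.

```python
"""Added example (not Check Point Research's tooling): flag mailbox accounts
whose Drafts folder churns (draft created, then deleted, never sent) on a
regular cadence, the pattern a draft-based command channel produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_sample_events():
    """Constructed, flattened mailbox audit records. Each has a time, the
    mailbox owner, the operation, the folder and an item id."""
    base = datetime(2025, 3, 10, 9, 0)
    events = []
    # A normal user: a few drafts over the day, most of them sent.
    for i in range(3):
        t = base + timedelta(hours=3 * i)
        events.append({"time": t, "user": "alice@example.test", "op": "Create",
                       "folder": "Drafts", "item": f"a{i}"})
        if i < 2:
            events.append({"time": t + timedelta(minutes=4), "user": "alice@example.test",
                           "op": "Send", "folder": "Drafts", "item": f"a{i}"})
    # A mailbox used as a dead drop: a draft appears every 30 minutes during
    # business hours, is removed seconds later, and nothing is ever sent.
    for i in range(12):
        t = base + timedelta(minutes=30 * i)
        events.append({"time": t, "user": "svc-backup@example.test", "op": "Create",
                       "folder": "Drafts", "item": f"b{i}"})
        events.append({"time": t + timedelta(seconds=20), "user": "svc-backup@example.test",
                       "op": "SoftDelete", "folder": "Drafts", "item": f"b{i}"})
    return events


def draft_churn_stats(events):
    """Per-user counts of draft creates, deletes and sends, plus the median gap
    in minutes between successive draft creates (the check-in cadence)."""
    per_user = defaultdict(lambda: {"created": 0, "deleted": 0, "sent": 0, "create_times": []})
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("folder") != "Drafts":
            continue
        s = per_user[e["user"]]
        if e["op"] == "Create":
            s["created"] += 1
            s["create_times"].append(e["time"])
        elif e["op"] in ("SoftDelete", "HardDelete"):
            s["deleted"] += 1
        elif e["op"] == "Send":
            s["sent"] += 1
    stats = {}
    for user, s in per_user.items():
        times = s["create_times"]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        stats[user] = {
            "created": s["created"], "deleted": s["deleted"], "sent": s["sent"],
            "cadence_minutes": median(gaps) if gaps else None,
        }
    return stats


def flag_draft_dead_drops(events, min_created=8, min_delete_ratio=0.8):
    """Users with many draft creates, almost as many deletes, and no sends.
    Thresholds are assumptions to tune against the tenant's own baseline."""
    flagged = []
    for user, s in draft_churn_stats(events).items():
        if s["created"] < min_created or s["sent"] > 0:
            continue
        if s["deleted"] / s["created"] >= min_delete_ratio:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    evs = make_sample_events()
    for user, s in draft_churn_stats(evs).items():
        print(user, s)
    print("flagged:", flag_draft_dead_drops(evs))
```

Mail clients autosave and rewrite drafts constantly, so the create count alone is noise; the combination of no sends, a delete for nearly every create, and a steady cadence inside the hours the malware is configured to check in is what separates the dead drop from a busy user. Pair the mailbox view with the application or client identity that performed the operations, since an implant will not be the user's usual mail client.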
Overlap with RudePanda Activity
Our investigation revealed something unusual. Alongside Ink Dragon, a second threat actor known as RudePanda had quietly entered several of the same government networks. The two groups are unrelated, yet both walked through the same exposed server vulnerability and ended up operating in the same environments at the same time.
RudePanda followed its standard playbook, using lightweight web tools and subtle IIS changes to stay hidden and maintain access. A few leftover artifacts showed it had also deployed components designed to conceal activity and support remote control.
This overlap does not suggest cooperation. However, it shows how a single unpatched weakness can become an open door for multiple advanced actors, each running its own campaign inside the same organization.
Conclusion
Ink Dragon’s recent activity shows a shift toward using compromised servers as part of a broader communication network. Instead of relying on fixed command infrastructure, the group repurposes victim environments to relay traffic, which helps them stay resilient and blend into normal web activity.
This model gives the attackers flexible paths for command and control, natural cover within everyday HTTP traffic, and long term value from each compromised server. Their broader toolkit, including FinalDraft and other long term access components, supports this approach by providing stable access and low visibility operations.
For cyber security professionals, this means intrusions cannot be viewed in isolation. A compromised system may already be serving as a communication link for activity elsewhere. Finding and removing the full relay chain is essential to fully evict the actor from the environment.
View the full report here.