Full Report
The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. Check Point Research is tracking the cluster under the name Ink Dragon. It's also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The
Analysis Summary
# Threat Actor: Ink Dragon (Primary Tracking Name)
## Attribution & Identity
* **Primary Identity:** Jewelbug
* **Tracking Name (Check Point Research):** Ink Dragon
* **Other Aliases/References:** CL-STA-0049, Earth Alux, REF7707
* **Attribution:** China-aligned hacking group.
* **Activity Start:** Active since at least March 2023.
## Activity Summary
Jewelbug/Ink Dragon has been observed combining solid software engineering, disciplined operational playbooks, and reuse of platform-native tools for effective and stealthy intrusions. Since July 2025, the actor has shown an **increasing focus on government targets in Europe**, while simultaneously maintaining operations against entities in Southeast Asia and South America. The group has impacted several dozen victims, including government entities and telecommunications organizations across Europe, Asia, and Africa. They were noted for a five-month-long intrusion targeting a Russian IT service provider.
## Tactics, Techniques & Procedures
* **Initial Access:** Leveraging vulnerable services in internet-exposed web applications to drop web shells.
* **Exploitation:** Weaponizing ToolShell SharePoint flaws to deploy web shells.
* **Exploitation (IIS/SharePoint):** Relying on predictable or mismanaged **ASP.NET machine key values** to carry out **ViewState deserialization attacks** against vulnerable IIS and SharePoint servers.
* **C2 Infrastructure Development:** Installing a custom **ShadowPad IIS Listener module** on compromised servers to proxy commands and traffic, enhancing resilience and using breached assets as relay points across different victim networks.
* **Lateral Movement:** Using obtained local administrative credentials (via IIS machine key exploitation) to move laterally over an **RDP tunnel**.
* **Defense Evasion/Persistence:** Use of platform-native tools to blend into normal enterprise telemetry.
* **Malware Usage (Observed/Attributed):** FINALDRAFT (aka Squidoor; a Windows/Linux backdoor), VARGEIT, Cobalt Strike beacons.
* **Malware Usage (Noted but not observed in recent CPR investigations):** NANOREMOTE (uses Google Drive API for C2 communication).
## Targeting
* **Sectors:** Government entities, Telecommunications organizations, IT service providers.
* **Geography:** Europe (increasing focus since July 2025), Southeast Asia, South America, Africa.
* **Victims:** Government entities, Telecommunications organizations, a Russian IT service provider.
## Tools & Infrastructure
* **Malware Families Used:** ShadowPad (via custom IIS Listener module), FINALDRAFT (Squidoor), VARGEIT, Cobalt Strike, NANOREMOTE (noted, selectively deployed).
* **Infrastructure:** Custom **ShadowPad IIS Listener Module** deployed on compromised IIS servers to establish resilient C2 infrastructure, acting as proxy hops.
## Implications
Ink Dragon represents a sophisticated, state-aligned threat capable of maintaining long-term, stealthy intrusions. Its technique of turning compromised servers into proxy nodes for its C2 infrastructure provides significant operational resilience and lets it chain compromises across multiple victim networks worldwide. The pivot towards European governments starting mid-2025 suggests an escalation of strategic espionage goals.
## Mitigations
* Strict patching, especially regarding vulnerable internet-exposed web applications and SharePoint instances.
* Audit and secure ASP.NET configuration, particularly machine key values, to prevent ViewState deserialization attacks.
* Monitor for the deployment of web shells and unusual activity originating from IIS/SharePoint servers.
* Monitor for RDP tunnel establishment originating from web servers, which may indicate lateral movement using compromised local IIS credentials.
* Employ robust network segmentation to limit the utility of C2 infrastructure created from compromised assets.
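As an added illustration of the machine-key audit above (example code, not part of the report or any vendor tooling), the helper below inspects web.config documents for the settings that make ViewState deserialization attacks easier: static `validationKey`/`decryptionKey` values, legacy `validation`/`decryption` algorithms, a disabled ViewState MAC, and the same static key reused across applications. The sample configs and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WEAK_VALIDATION = {"MD5", "SHA1"}   # legacy MAC algorithms
WEAK_DECRYPTION = {"DES", "3DES"}   # legacy ciphers


def audit_machine_key(config_xml):
    """Return findings for one web.config document (empty list = nothing flagged)."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState MAC check is disabled")
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # keys are inherited from machine.config; audit that file too
    for attr in ("validationKey", "decryptionKey"):
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"{attr} is static: verify it is unique per app, secret and rotated")
    # defaults below match .NET 4.x; older frameworks default to SHA1/3DES
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append("validation uses a legacy algorithm: use HMACSHA256 or stronger")
    if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
        findings.append("decryption uses a legacy cipher: use AES")
    return findings


def find_shared_keys(configs):
    """Map each static key value to the config paths that reuse it (2+ paths = finding)."""
    users = defaultdict(list)
    for path, xml in configs.items():
        mk = next(ET.fromstring(xml).iter("machineKey"), None)
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr) if mk is not None else None
            if value and not value.startswith("AutoGenerate"):
                users[value].append(path)
    return {key: paths for key, paths in users.items() if len(paths) > 1}


# Constructed sample configs with placeholder keys (not real values)
VKEY = "AA" * 64   # 128 hex chars, as HMACSHA256 expects
DKEY = "BB" * 32   # 64 hex chars, as AES-256 expects
SAMPLE_CONFIGS = {
    "app1/web.config": f'<configuration><system.web><machineKey validationKey="{VKEY}" '
        f'decryptionKey="{DKEY}" validation="SHA1" decryption="3DES"/></system.web></configuration>',
    "app2/web.config": f'<configuration><system.web><pages enableViewStateMac="false"/><machineKey '
        f'validationKey="{VKEY}" decryptionKey="{DKEY}" validation="HMACSHA256" decryption="AES"/>'
        '</system.web></configuration>',
    "hardened/web.config": '<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES"/>'
        '</system.web></configuration>',
}

if __name__ == "__main__":
    for path, xml in SAMPLE_CONFIGS.items():
        print(path, audit_machine_key(xml) or ["OK"])
    print("shared keys:", find_shared_keys(SAMPLE_CONFIGS))
```

A static key is legitimate in a web farm, so the "static" finding is a review item rather than a defect; the shared-key finding across unrelated applications is the one to act on first.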