Full Report
Misconfigured servers are in, 0-days out

Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.…
Analysis Summary
# Threat Actor: Ink Dragon
## Attribution & Identity
* **Attribution:** Chinese espionage crew.
* **Known Aliases/Associations:** No aliases are named; the group's activity has been observed overlapping with the TTPs of **RudePanda** in the same IT environments, although the two groups are stated to be unrelated.
## Activity Summary
Ink Dragon is a Chinese espionage crew that has expanded its snooping into European government networks, initiating relay-based operations in the second half of 2025. The campaign has impacted "several dozen victims" across government entities and telecommunications organizations. The primary goal appears to be establishing persistent access and co-opting victim infrastructure into an illicit communication mesh that hides the origin of future attacks.
## Tactics, Techniques & Procedures
- **Initial Access:** Probing for security weaknesses, specifically exploiting **misconfigured Microsoft IIS and SharePoint servers**, rather than using 0-days.
- **Credential Access & Lateral Movement:** Scooping up credentials and using existing accounts to infiltrate targets, blending in with normal network traffic (low noise).
- **Persistence & Access:** Establishing long-term access across high-value systems, installing backdoors and implants for credential storage.
- **Infrastructure Co-option:** Deploying **customized IIS-based modules** on public-facing servers to create relay points (communication mesh) between victims, forwarding commands and data to hide the true origin of attack traffic.
- **Evasion (Updated Malware):** Updating the **FinalDraft backdoor** to mimic common Microsoft cloud activity by hiding command traffic inside mailbox drafts.
- **Operational Security (OpSec):** Newer malware versions check in only during business hours to avoid attention.
## Targeting
* **Sectors:** Government entities and telecommunications organizations.
* **Geography:** Europe (primary focus), Asia, and Africa.
* **Victims:** Several dozen victims; specific identities withheld.
## Tools & Infrastructure
* **Malware Families Used:** FinalDraft backdoor (updated version).
* **Infrastructure (C2, Domains, IPs):** Compromised victims' infrastructure is co-opted to create illicit relay nodes/communication mesh.
## Implications
Ink Dragon is prioritizing low-and-slow intrusion methods by exploiting configuration errors rather than expensive 0-days, which aids in evading detection. The use of internal network relays significantly complicates attribution and tracking, as traffic appears to originate from trusted, internal network segments. The expansion into European government networks signals a high-priority intelligence gathering objective.
## Mitigations
- Harden and audit configurations for public-facing services, especially Microsoft IIS and SharePoint, to prevent credential harvesting and initial compromise.
- Monitor network traffic for signs of encrypted or unusual command-and-control activity masquerading as legitimate cloud services (e.g., hiding C2 within mailbox drafts).
- Implement strict least privilege access controls, especially for domain-level accounts, given the actor's reliance on co-opted credentials.
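As an added defensive check (not code from the report or from any vendor), the following PowerShell enumerates the native IIS global modules loaded on a public-facing host and flags any that are missing from an approved baseline, load from outside the standard IIS directories, or fail Authenticode validation, which is one way to surface the customized IIS modules described above. The approved-module list and trusted root paths are assumptions to be regenerated from a known-clean server; the script needs the WebAdministration module and an elevated session on the IIS host.

```powershell
# Added example, not code from the report: audit IIS native (global) modules
# against a baseline. Run elevated on the IIS host; needs the IIS management
# tools (WebAdministration module).
Import-Module WebAdministration -ErrorAction Stop

# ASSUMPTION: illustrative baseline of module names approved for this host.
# Rebuild it from a known-clean server and keep it under version control.
$ApprovedModules = @(
    'UriCacheModule', 'FileCacheModule', 'TokenCacheModule', 'HttpCacheModule',
    'StaticCompressionModule', 'DefaultDocumentModule', 'DirectoryListingModule',
    'ProtocolSupportModule', 'HttpLoggingModule', 'RequestFilteringModule',
    'StaticFileModule', 'AnonymousAuthenticationModule', 'WindowsAuthenticationModule'
)
# ASSUMPTION: directories a legitimate module image is expected to live under.
$TrustedRoots = @("$env:windir\System32\inetsrv", "$env:windir\Microsoft.NET")

function Test-IISGlobalModules {
    foreach ($m in Get-WebGlobalModule) {
        $reasons = @()
        if ($ApprovedModules -notcontains $m.Name) { $reasons += 'not in baseline' }

        # Global modules are native DLLs; the Image attribute is the on-disk path.
        $image = [Environment]::ExpandEnvironmentVariables($m.Image)
        if (-not ($TrustedRoots | Where-Object { $image -like "$_\*" })) {
            $reasons += "image outside trusted roots ($image)"
        }
        if (Test-Path -LiteralPath $image) {
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
        } else {
            $reasons += 'image missing on disk'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Module  = $m.Name
                Image   = $image
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings = @(Test-IISGlobalModules)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No unexpected IIS global modules found.'
}
```

Managed modules registered under system.webServer/modules (at server and site level) are not covered by this check and should be baselined and reviewed the same way.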