Full Report
Check Point Research tracks a sustained, highly capable espionage cluster it refers to as Ink Dragon, which other reports track as CL-STA-0049, Earth Alux, or REF7707. Several vendors assess this cluster to be PRC-aligned. Since at least early 2023, Ink Dragon has repeatedly targeted government, telecom, and public-sector infrastructure, initially…
Analysis Summary
# Threat Actor: Ink Dragon
## Attribution & Identity
* **Primary Identifier:** Ink Dragon (tracked by Check Point Research).
* **Known Aliases:** CL-STA-0049, Earth Alux, REF7707.
* **Attribution:** Assessed by several vendors to be aligned with the People's Republic of China (PRC).
## Activity Summary
* **Timeline:** Active since at least early 2023.
* **Campaigns:** Conducts sustained, highly capable espionage operations. Campaigns are characterized by solid software engineering, disciplined operational playbooks, and a penchant for reusing platform-native tools for stealth.
* **Key Operational Feature:** Converts compromised environments into components of a larger, distributed relay network by deploying the **ShadowPad IIS Listener Module** across breached servers. Traffic can then be routed deeper into a network or hopped entirely across different victim networks, so operational control and strategic reuse of compromised assets blend into one infrastructure.
* **Recent Focus:** Documented high-stakes compromise of a European government office, detailing the full kill chain from initial access to domain dominance.
## Tactics, Techniques & Procedures
* **Initial Access:** Web-centric initial access methods observed.
* **Execution/Persistence:** Uses staged loaders and employs multiple delivery and persistence patterns.
* **Internal Operations:** Features hands-on-keyboard activity, privilege escalation, and credential-harvesting components.
* **Lateral Movement:** Documented aggressive lateral movement culminating in domain dominance.
* **C2/Backdoor:** Utilizes a new variant of the **FinalDraft** backdoor, which functions as a resilient, cloud-native command-and-control platform.
* **Network Infrastructure:** Deploys **ShadowPad IIS Listener Module** on victims to turn them into C2 communication nodes/proxies.
## Targeting
* **Sectors:** Government, telecom, and public-sector infrastructure.
* **Geography:** Initially concentrated on Southeast Asia and South America, with an observed increasing footprint in Europe and other regions.
* **Victims:** A specific example includes a high-stakes compromise of a European government office.
## Tools & Infrastructure
* **Malware and tooling:** ShadowPad IIS Listener Module, FinalDraft backdoor (new variant), staged loaders, and platform-native tools reused for stealth.
* **Infrastructure:** Leverages compromised victim environments as a multi-layered, global relay network.
## Implications
Ink Dragon presents a high threat due to its capability, disciplined playbooks, and stealthy operational methods. The actor's strategy of building a distributed, interconnected relay network post-compromise significantly complicates detection and attribution: operational traffic hops across entirely separate victim organizations globally, so C2 egress from one victim looks like ordinary HTTPS to another organization's legitimate web server, and IP or domain reputation alone is of limited use for blocking it.
## Mitigations
* Focus defenses on web-centric initial access against internet-facing servers: review web server logs, alert on new files under web roots, and alert on unexpected child processes spawned by web worker processes.
* Baseline the native (`globalModules`) and managed (`modules`) entries in IIS `applicationHost.config` and alert on additions, on modules loaded from outside the stock IIS directories, and on a stock module name that now points at a different image; Ink Dragon's ShadowPad IIS Listener is installed as an IIS module on the breached server.
* Implement robust detection for privilege escalation and credential harvesting across the enterprise, since both precede the documented lateral movement to domain dominance.
* Baseline the behaviors associated with the FinalDraft backdoor, in particular outbound connections to cloud services from servers that have no business reason to make them, given that FinalDraft's C2 is cloud-native.
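One way to operationalize the IIS module check, as an added example that is not part of the Check Point report or of any tooling the report describes: parse a collected `applicationHost.config` snapshot, compare every native module against a known-good name-to-image baseline, flag images loaded from outside the stock IIS directories, and flag managed modules whose .NET type is not shipped with ASP.NET. The sample config, the baseline, the trusted directories and the trusted type prefixes are all constructed assumptions for the example; the unexpected entries in the sample are hypothetical and do not describe the ShadowPad IIS Listener itself. A real baseline should be exported from a clean reference server with the same IIS role configuration (for live hosts, `Get-WebGlobalModule`, `Get-WebManagedModule`, or `appcmd list modules` give the same data).

```python
"""Audit IIS module registrations from an applicationHost.config snapshot.

Runs offline over a collected file, so it can be applied to configs pulled
from many web servers by an EDR or forensic collection job.
"""
import ntpath
import xml.etree.ElementTree as ET

# Partial baseline of stock IIS native modules (name -> image file name).
# Constructed for this example; build the real one from a clean reference host.
KNOWN_NATIVE = {
    "HttpLoggingModule": "loghttp.dll",
    "StaticFileModule": "static.dll",
    "HttpCacheModule": "cachhttp.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "DirectoryListingModule": "dirlist.dll",
    "AnonymousAuthenticationModule": "authanon.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "CustomErrorModule": "custerr.dll",
    "ProtocolSupportModule": "protsup.dll",
    "ManagedEngineV4.0_64bit": "webengine4.dll",
}

# Directories stock native modules are loaded from (assumption for the example;
# IIS itself will load a native module from any path).
TRUSTED_IMAGE_DIRS = (r"c:\windows\system32\inetsrv", r"c:\windows\microsoft.net")

# Namespace prefixes of managed modules that ship with ASP.NET / IIS (assumption).
TRUSTED_MANAGED_PREFIXES = ("System.Web.", "Microsoft.")

# Constructed sample config. The first three native entries mirror stock IIS;
# the fourth reuses a stock name but points at a hypothetical image outside
# inetsrv. The per-site "SessionHelper" managed module is also hypothetical.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="HttpCacheModule" image="C:\inetpub\temp\cache.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="HttpCacheModule" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
        <add name="SessionHelper" type="Site.Support.SessionHelper, Site.Support" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def expand_image(image):
    """Expand the environment variables IIS uses and lower-case for comparison."""
    image = image.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    return image.lower()


def audit_managed(modules_elem, scope, findings):
    """Flag <modules><add type=...> entries whose type is outside trusted namespaces."""
    for add in modules_elem.findall("add"):
        mtype = add.get("type")
        if mtype and not mtype.startswith(TRUSTED_MANAGED_PREFIXES):
            findings.append(("medium", add.get("name", "?"),
                             f"managed module of non-stock type '{mtype}' in scope {scope}"))


def audit_iis_modules(config_xml, baseline=KNOWN_NATIVE):
    """Return a list of (severity, module_name, reason) findings for one config."""
    findings = []
    root = ET.fromstring(config_xml)

    # Native modules are registered once, globally, with an on-disk image.
    for add in root.findall("./system.webServer/globalModules/add"):
        name = add.get("name", "?")
        directory, filename = ntpath.split(expand_image(add.get("image", "")))
        if not directory.startswith(TRUSTED_IMAGE_DIRS):
            findings.append(("high", name, f"native module image outside trusted dirs: {directory}\\{filename}"))
        expected = baseline.get(name)
        if expected is None:
            findings.append(("medium", name, "native module name not in baseline"))
        elif filename != expected.lower():
            findings.append(("high", name, f"baseline name now points at {filename}, expected {expected}"))

    # Managed modules can be enabled globally or per site inside <location>.
    for modules in root.findall("./system.webServer/modules"):
        audit_managed(modules, "global", findings)
    for location in root.findall("./location"):
        for modules in location.findall("./system.webServer/modules"):
            audit_managed(modules, location.get("path", "?"), findings)
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{severity}] {name}: {reason}")
```

On the sample config this reports the reused `HttpCacheModule` name twice (image outside the trusted directories, and image name differing from the baseline) and the per-site `SessionHelper` managed module once; the three stock entries produce nothing. Alerting on the image-path and name-mismatch checks together catches both a module added under a new name and one that hides behind a stock name.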