Ink Dragon's Relay Network and Stealthy Offensive Operation
Essential information
- Published
- 16/12/2025 14:57
- Modified
- 21/12/2025 19:32
- Tags
- 2025-12-16, chinese threat actor, espionage, finaldraft, government targets, iis exploitation, relay network, shadowpad, stealthy operations
- Related entities
- 16 observables, 1 intrusion sets (apt), 20 techniques (mitre), 1 others
Description
Check Point Research has identified a new wave of attacks by the Chinese threat actor Ink Dragon targeting government entities in Europe, Southeast Asia, and South America. The actor builds a relay network out of its victims using a custom ShadowPad IIS Listener module, which turns compromised IIS servers into active nodes of a distributed mesh that relays traffic between infected hosts. Ink Dragon continues to exploit IIS misconfigurations for initial access and is evolving its tradecraft with new TTPs and tools, including a new variant of the FinalDraft malware. Its campaigns combine custom malware engineering, disciplined operational playbooks, and the use of platform-native tools to blend into normal enterprise telemetry, which makes the intrusions both effective and hard to detect.
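Because the relay node is an IIS module running inside the web server, one practical first check on an exposed IIS host is to enumerate the native modules registered in applicationHost.config and flag any whose DLL is not Microsoft-signed or is missing on disk. The script below is an added example written for this page, not code from Check Point's report; it assumes the WebAdministration PowerShell module shipped with IIS 7+ is available, and it carries no indicators specific to Ink Dragon or ShadowPad, so every module it reports must be compared against a known-good baseline for that server.

```powershell
# Added example (not from the report): hunt for unexpected IIS native modules.
# Assumes the WebAdministration module (IIS 7+) is installed on the host.
# Nothing below is a known Ink Dragon / ShadowPad indicator; treat output
# as a list to reconcile against a server baseline, not as a verdict.
Import-Module WebAdministration

function Get-SuspiciousIisModule {
    # Global (native) modules are the level at which an in-process IIS listener
    # would register; managed modules are configured per site in web.config.
    foreach ($m in Get-WebGlobalModule) {
        # Image paths are stored with environment variables, e.g. %windir%\...
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $m.Name; Image = $path; Reason = 'image not found on disk' }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Report anything not validly signed by Microsoft. Legitimate third-party
        # handlers (PHP, vendor filters) will show up here too; that is intended.
        if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft*') {
            [pscustomobject]@{
                Name   = $m.Name
                Image  = $path
                Reason = "signature=$($sig.Status); signer=$signer"
            }
        }
    }
}

function Get-SiteManagedModule {
    # Per-site managed modules, for completeness: a .NET module could also
    # be added here rather than as a global native module.
    foreach ($site in Get-Website) {
        Get-WebManagedModule -PSPath "IIS:\Sites\$($site.Name)" |
            Select-Object @{ n = 'Site'; e = { $site.Name } }, Name, Type
    }
}

Get-SuspiciousIisModule | Format-Table -AutoSize
Get-SiteManagedModule   | Format-Table -AutoSize
```

Two caveats a responder should keep in mind: a valid signature is not proof of legitimacy, so a module with an unfamiliar name and a valid non-Microsoft signature still warrants a look at the file's first-seen time and the site it is bound to; and if the host is already suspected compromised, read %windir%\System32\inetsrv\config\applicationHost.config directly from a forensic copy as well, rather than trusting only what the live WebAdministration cmdlets return.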