{
  "name": "Ink Dragon's Relay Network and Stealthy Offensive Operation",
  "slug": "ink-dragons-relay-network-and-stealthy-offensive-operation",
  "description": "Check Point Research has identified a new wave of attacks by the Chinese threat actor Ink Dragon, targeting government entities in Europe, Southeast Asia, and South America. The actor builds a victim-based relay network using a custom ShadowPad IIS Listener module, turning compromised servers into active nodes within a distributed mesh. Ink Dragon continues to exploit IIS misconfigurations for initial access and is evolving its operations with new TTPs and tools, including a new variant of FinalDraft malware. The group's campaigns combine software engineering, disciplined operational playbooks, and the use of platform-native tools to blend into normal enterprise telemetry, making their intrusions both effective and stealthy.",
  "published": "2025-12-16T13:57:29+00:00",
  "created_at": "2025-12-16T13:57:29+00:00",
  "modified_at": "2025-12-21T18:32:36+00:00",
  "created_at_opencti": "2025-12-16T13:57:29+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-16",
    "chinese threat actor",
    "espionage",
    "finaldraft",
    "government targets",
    "iis exploitation",
    "relay network",
    "shadowpad",
    "stealthy operations"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "e2f6e722c26e19b76396c2502cacf2aaceaaa1486865578c665ebf0065641ffa"
      },
      {
        "id": "",
        "name": "7efe5c1229178c1b48f6750c846575e7f48d17ea817997bd7acba0e5ecf1e577"
      },
      {
        "id": "",
        "name": "a86e72ca58de6d215a59ae233963eaea27fe47ef0c9f43938e27339df4a86732"
      },
      {
        "id": "",
        "name": "2b57deb1f6f7d5448464b88bd96b47c5e2bd6e1c64c1b9214b57c4d35a591279"
      },
      {
        "id": "",
        "name": "2e84ea5cef8a9a8a60c7553b5878a349a037cffeab4c7f40da5d0873ede7ff72"
      },
      {
        "id": "",
        "name": "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1"
      },
      {
        "id": "",
        "name": "36f00887f6c0af63ef3c70a60a540c64040b13a4209b975e96ce239e65548d4a"
      },
      {
        "id": "",
        "name": "f094ff83d4b7d06bc17b15db7d7dc0e622778b0eda71e8fc9fdf7db83c460426"
      },
      {
        "id": "",
        "name": "f438ca355e6888c4c9cd7287b22cfe5773992ef83f0b16e72fb9ae239d85586c"
      },
      {
        "id": "",
        "name": "866fde351251092fb5532e743459ba80968cd5516cce813c8755467f5e8a47a1"
      },
      {
        "id": "",
        "name": "809ddcbb64d6f2ccc4a8909068da60e6ea8b3ebd9c09dd826def0e188c7a2da2"
      },
      {
        "id": "",
        "name": "ecf0fbd72aac684b03930ad2ff9cdd386e9c13ddf449f27918f337dc8963590e"
      },
      {
        "id": "",
        "name": "b4a53f117722fb4af0a64d30ec8aa4c4c82f456e3d2a5c5111c63ce261f3b547"
      },
      {
        "id": "",
        "name": "d88115113e274071b03a3b4c1da99eaea7b8d94adf833dfd26943af0a6d78b4d"
      },
      {
        "id": "",
        "name": "c305b3b3f9426d024cdd262497a5d196264397bfed445705759d0a793a58fe6e"
      },
      {
        "id": "",
        "name": "188ab2d68f17ecf08a7a4cfc6457c79b0a5117b3277352a7371a525416129114"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f39c7f5a-82be-4a93-8153-433a5f46b66e",
        "name": "Ink Dragon",
        "slug": "ink-dragon"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "e6c0ca23-78ee-4b0e-96fa-e80efab3665d",
        "name": "T1003.001"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government and administrations"
      }
    ]
  },
  "external_refs": [
    "https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation",
    "https://otx.alienvault.com/pulse/694173593290d291f99fc0c7"
  ]
}