China’s Ink Dragon hides out in European government networks
Summary
Check Point Research has revealed that the China-linked espionage group known as Ink Dragon has been using compromised, misconfigured servers to create relay nodes inside government and telecommunications networks across Europe, Asia and Africa. Rather than relying on zero-day exploits, the group exploits common misconfigurations (notably Microsoft IIS and SharePoint) and stolen credentials to move quietly, establish persistence and co-opt victim infrastructure as a communications mesh.
The attackers have upgraded their FinalDraft backdoor to blend its command traffic with normal Microsoft cloud activity (hiding inside mailbox drafts) and to check in only during business hours. Researchers also observed an unrelated China-linked group, RudePanda, operating quietly in some of the same networks, and Amazon has warned of similar relay-node campaigns attributed to Russia’s GRU on cloud-hosted systems.
Key Points
- Ink Dragon has compromised “several dozen” victims including government and telecom organisations across multiple continents.
- Attackers favour exploiting misconfigured Microsoft IIS and SharePoint servers and stealing credentials rather than using zero-day exploits.
- Compromised servers are converted into relay nodes (implemented as IIS modules) that forward commands and data, obscuring the true origin of the traffic.
- The FinalDraft backdoor was updated to hide command traffic inside mailbox drafts, operate during business hours and move large files with low noise.
- RudePanda — a separate China-linked crew — was found in some of the same networks, abusing the same vulnerability types.
- The campaign reflects a wider trend of state-backed actors using misconfigurations and credential theft for long-term access rather than flashy zero-day attacks.
- Amazon has reported analogous relay-node activity linked to Russia’s GRU targeting cloud-hosted misconfigurations since at least 2021.
Why should I read this?
Short version: if you run or protect public-facing servers, this matters. Ink Dragon is playing dirty but quietly — exploiting sloppy configs and reused credentials to turn your kit into covert infrastructure. It’s the kind of nastiness that slips past noisy defences, so give it five minutes of your attention now rather than an all-nighter later.
Author style
Punchy. This is a clear warning: the detail matters. Read the technical bits if you’re responsible for infra or incident response — these tactics are low-noise but high-impact, and the changes to FinalDraft show active refinement by the threat actor.
Context and Relevance
The report highlights a broader shift in state-aligned cyber operations: prioritising stealth, persistence and abuse of misconfigurations over noisy zero-day campaigns. For public sector, telecom and cloud operators, it underlines the urgency of basic hygiene — patching, hardening IIS/SharePoint, enforcing MFA, and monitoring for unusual internal relays or mailbox-draft abuse. The overlap with other groups (RudePanda, GRU-linked activity) shows misconfigurations are a shared and ongoing risk vector across geopolitical adversaries.
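One concrete hygiene check that follows from the report's point about relay nodes living in IIS modules is to audit which native modules a server actually loads. The script below is an added example written for this summary, not code from The Register or Check Point; it assumes the WebAdministration module is available and that stock Microsoft modules ship from the inetsrv and Microsoft.NET directories (a baseline you should adjust to your own build).

```powershell
# Added example: enumerate IIS global (native) modules and flag any whose DLL sits
# outside the trusted Microsoft directories or fails Authenticode validation.
Import-Module WebAdministration -ErrorAction Stop

# Assumption: stock Microsoft native modules are installed under these roots.
$TrustedDirs = @(
    (Join-Path $env:windir 'System32\inetsrv'),
    (Join-Path $env:windir 'Microsoft.NET')
)

function Get-SuspiciousIisModule {
    [CmdletBinding()]
    param([string[]]$TrustedRoots = $TrustedDirs)

    foreach ($m in Get-WebGlobalModule) {
        # applicationHost.config stores paths with %windir%-style variables; expand first.
        $path = [Environment]::ExpandEnvironmentVariables($m.Image)

        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }

        # A module whose image is missing on disk is as suspicious as an unsigned one.
        $sig = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else { 'Missing' }

        if (-not $inTrusted -or $sig -ne 'Valid') {
            [pscustomobject]@{
                Name         = $m.Name
                Image        = $path
                Precondition = $m.Precondition
                Signature    = $sig
                Reason       = if (-not $inTrusted) { 'outside trusted directory' } else { "signature $sig" }
            }
        }
    }
}

# Anything listed here deserves a look: compare against a known-good host before removing.
Get-SuspiciousIisModule | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each IIS host and diff the output against a clean reference build; legitimate third-party modules (for example URL Rewrite) will also appear if they are installed outside the trusted roots, so record them in the baseline rather than ignoring the list.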
Source
Source: https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/
