Chinese Ink Dragon hackers set their sights on Europe, exploit IIS and SharePoint flaws

Check Point Research has spotted and analyzed a new wave of cyber-espionage activity attributed to the Chinese threat actor known as Ink Dragon, a cluster overlapping with groups publicly tracked as Earth Alux, Jewelbug, REF7707, and CL-STA-0049.

The group has previously targeted Southeast Asia and South America; however, the recent campaign shows an increasing focus on Europe.

Ink Dragon typically tries to convert compromised environments into part of a distributed command-and-control (C2) relay network. By deploying a custom ShadowPad IIS Listener module, the group converts breached servers into active nodes that receive, forward, and proxy malicious traffic. This mesh-like infrastructure allows attackers to route commands “not only deeper inside a single organization’s network, but also across different victim networks entirely.”

The attack starts with the attackers gaining initial access via ViewState deserialization or ToolShell-based exploits, then deploying ShadowPad on the compromised server. They collect IIS worker credentials and establish an RDP proxy to move laterally, using RDP and ShadowPad’s built-in capabilities along with reused credentials. The threat actor then obtains access to a domain admin account and, from there, deploys FinalDraft on strategic machines and installs a ShadowPad IIS listener on public-facing servers, enabling new victims to connect to the attackers’ infrastructure as the campaign continues.

In observed cases, the threat actor commonly exploited ASP.NET ViewState deserialization vulnerabilities due to predictable or publicly disclosed machine keys. By forging the __VIEWSTATE parameter, attackers can trigger unsafe deserialization on vulnerable IIS and SharePoint servers, leading to remote code execution.
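As an added defender-side example (not code from the Check Point report), the following Python audits an ASP.NET web.config for the conditions described above: static machineKey values, values that appear on a list of publicly disclosed keys, and ViewState MAC validation turned off. The sample configuration and the disclosed-key list are constructed placeholders; the function and finding names are assumptions for this example.

```python
"""Audit an ASP.NET web.config for machineKey settings that make forged
__VIEWSTATE deserialization feasible (constructed example, not a real tool)."""
import hashlib
import xml.etree.ElementTree as ET


def key_fingerprint(key: str) -> str:
    """SHA-256 of the normalised key, so a disclosed-key list can be kept hashed."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


# Constructed stand-in for a list of publicly disclosed keys (placeholder, not a real leaked key).
KNOWN_DISCLOSED_KEYS = {key_fingerprint("CONSTRUCTED-DISCLOSED-VALIDATION-KEY-0001")}


def audit_machine_key(config_xml: str, disclosed=KNOWN_DISCLOSED_KEYS) -> list:
    """Return a sorted list of finding codes for one web.config document."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("viewstate-mac-disabled")  # unsigned ViewState is accepted as-is
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return sorted(findings)  # keys are auto-generated per host; nothing static to leak
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")  # ASP.NET default is AutoGenerate,IsolateApps
        if value.upper().startswith("AUTOGENERATE"):
            continue
        findings.append(f"static-{attr}")  # a static key is a secret: rotate if ever exposed
        if key_fingerprint(value) in disclosed:
            findings.append(f"disclosed-{attr}")  # anyone holding the list can sign ViewState
    return sorted(findings)


# Constructed sample web.config with one key taken from the placeholder disclosed list.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="CONSTRUCTED-DISCLOSED-VALIDATION-KEY-0001"
                decryptionKey="CONSTRUCTED-LOCAL-KEY-0002"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample with no explicit machineKey (auto-generated keys).
SAFE_WEB_CONFIG = "<configuration><system.web/></configuration>"

if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(audit_machine_key(SAFE_WEB_CONFIG))
```

A finding of `disclosed-validationKey` means the server's ViewState MAC can be forged by anyone with the same public list, so the key must be rotated and the host examined for the post-exploitation activity described in this report.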

In parallel, the actor has also abused the ToolShell exploit chain against on-premises Microsoft SharePoint. ToolShell combines authentication bypass and unsafe deserialization vulnerabilities, including CVE-2025-49706 / CVE-2025-53771 and CVE-2025-49704 / CVE-2025-53770, to achieve unauthenticated RCE and web shell deployment.

Once inside a network, Ink Dragon harvests the IIS application/service credentials and configuration.

“By obtaining the IIS machineKey/DecryptionKey or otherwise recovering the site’s cryptographic secrets, the attacker can decrypt locally stored configuration blobs and credentials that the site or its worker processes store. In practice, this frequently yields the IIS worker/app-pool account password or other local secrets that carry elevated rights on the host and often across other IIS servers that reuse the same service account or credential material,” Check Point explains.

After escalating privileges to domain admin, the group deploys an updated FinalDraft malware variant, alongside ShadowPad implants for persistence. To gain persistence, the threat actor created scheduled tasks set to run under SYSTEM and pointing to staged loader hosts such as conhost.exe, and, in some cases, installed services to launch their loaders as persistent system services.

“Ink Dragon does not operate with a single backdoor or a monolithic framework; instead, the intrusions feature a sequence of purpose-built components that activate at different stages of the operation,” Check Point noted in the report.
