Key Takeaways
- The threat actor known as Jewelbug, also referred to as Ink Dragon, has been increasingly targeting government entities in Europe since July 2025.
- The China-aligned hacking group has been active since at least March 2023 and has also attacked entities in Southeast Asia and South America.
- Ink Dragon’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry.
- The threat actor has been attributed to several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.
- Ink Dragon’s attack chains have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads.
Introduction to Ink Dragon
The threat actor known as Jewelbug, also referred to as Ink Dragon, has been increasingly focusing on government targets in Europe since July 2025. Check Point Research is tracking the cluster under the name Ink Dragon, which is also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023. According to Eli Smadja, group manager of Products R&D at Check Point Software, the activity is still ongoing, and the campaign has "impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa."
Ink Dragon’s Attack Methods
Ink Dragon’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry. The threat actor’s attack chains have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration. Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint.
Ink Dragon’s Use of Backdoors and Malware
Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad IIS Listener module to turn these compromised servers into part of its C2 infrastructure and enable them to proxy commands and traffic, improving resilience in the process. The listener module is also equipped to run different commands on the IIS machine, providing attackers with greater control over the system to conduct reconnaissance and stage payloads. Additionally, Ink Dragon has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers.
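As an added example that is not part of the original article, the following Python audit reads web.config fragments and flags the machine-key mismanagement described above: static keys, static key pairs reused across unrelated hosts, and auto-generated keys without IsolateApps. The host names and key values are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments keyed by hypothetical host names.
STATIC_KEYS = ('validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" '
               'decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="HMACSHA256" decryption="AES"')
SAMPLE_CONFIGS = {
    "web01": f"<configuration><system.web><machineKey {STATIC_KEYS}/></system.web></configuration>",
    "web02": f"<configuration><system.web><machineKey {STATIC_KEYS}/></system.web></configuration>",
    "web03": ('<configuration><system.web><machineKey validationKey="AutoGenerate,IsolateApps" '
              'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>'),
    "web04": ('<configuration><system.web><machineKey validationKey="AutoGenerate" '
              'decryptionKey="AutoGenerate"/></system.web></configuration>'),
}

def parse_machine_key(xml_text):
    """Return the <machineKey> attributes of a web.config, or None when the element is absent."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return None if node is None else dict(node.attrib)

def audit_machine_keys(configs):
    """Map host -> findings: static keys, keys shared across hosts, non-isolated auto-generation."""
    findings = defaultdict(list)
    owners = defaultdict(list)  # (validationKey, decryptionKey) -> hosts that use that pair
    for host, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            continue  # ASP.NET then defaults to AutoGenerate,IsolateApps
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        for name, value in (("validationKey", vkey), ("decryptionKey", dkey)):
            if value.startswith("AutoGenerate"):
                if "IsolateApps" not in value:
                    findings[host].append(f"{name} is auto-generated but not isolated per application")
            else:
                findings[host].append(f"{name} is static: confirm it is unique to this deployment and never published")
        if not vkey.startswith("AutoGenerate") and not dkey.startswith("AutoGenerate"):
            owners[(vkey.upper(), dkey.upper())].append(host)
    # A static pair reused by several hosts is expected only inside one web farm.
    for hosts in owners.values():
        if len(hosts) > 1:
            for host in hosts:
                others = sorted(set(hosts) - {host})
                findings[host].append(f"static key pair shared with {others}; rotate unless these form one web farm")
    return dict(findings)
```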
Ink Dragon’s Lateral Movement and Persistence
Ink Dragon has been found to use various techniques to establish persistence and move laterally within a compromised network. These include using the IIS machine key to obtain a local administrative credential and leveraging it for lateral movement over an RDP tunnel, creating scheduled tasks and installing services to establish persistence, creating LSASS memory dumps and extracting registry hives to achieve privilege escalation, and modifying host firewall rules to allow outbound traffic and transform the infected hosts into a ShadowPad relay network. In one instance, the actor located an idle RDP session belonging to a Domain Administrator that had authenticated via Network Level Authentication (CredSSP) using NTLMv2 fallback, obtained SYSTEM-level access to the host, and extracted the token and NTLM verifier from memory.
Ink Dragon’s Malware and Tools
Ink Dragon’s intrusions have been found to rely on a number of components rather than a single backdoor or a monolithic framework to establish long-term persistence. These include ShadowPad Loader, which decrypts and runs the ShadowPad core module in memory; CDBLoader, which uses the Microsoft Console Debugger ("cdb.exe") to run shellcode and load encrypted payloads; LalsDumper, which extracts an LSASS dump; 032Loader, which decrypts and executes payloads; and FINALDRAFT, an updated version of the known remote administration tool that abuses Outlook and the Microsoft Graph API for C2. The cluster has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques that enable stealthy lateral movement and multi-stage malware deployment across compromised networks.
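As an added example (not code from Check Point Research or the report it describes), the following Python hunt applies the host-level behaviours from the preceding two sections to constructed process-creation events: an IIS worker spawning a shell, cdb.exe running outside an allow-listed set of developer hosts, scheduled-task and service creation, and netsh rules that open new outbound firewall paths. Host names, file paths and the DEVELOPER_HOSTS allow-list are assumptions.

```python
import re

# Constructed events modelled on Sysmon EventID 1 fields; hosts and paths are hypothetical.
EVENTS = [
    {"host": "iis01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "iis01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Update" dir=out action=allow program="C:\\ProgramData\\svc.exe"'},
    {"host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn "Maint" /tr C:\\ProgramData\\svc.exe /sc onlogon /ru SYSTEM'},
    {"host": "fs02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "cmdline": "cdb.exe -cf C:\\Users\\Public\\script.txt notepad.exe"},
    {"host": "dev07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "cmdline": "cdb.exe -z crash.dmp"},  # expected developer use on an allow-listed host
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

DEVELOPER_HOSTS = {"dev07"}  # hypothetical allow-list: hosts where the debugger is expected

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# (rule name, predicate) pairs; each corresponds to a behaviour the article attributes to the actor.
RULES = [
    ("iis_worker_spawns_shell", lambda e: basename(e["parent"]) == "w3wp.exe"
        and basename(e["image"]) in {"cmd.exe", "powershell.exe"}),
    ("cdb_outside_dev_hosts", lambda e: basename(e["image"]) == "cdb.exe"
        and e["host"] not in DEVELOPER_HOSTS),
    ("scheduled_task_created", lambda e: basename(e["image"]) == "schtasks.exe"
        and re.search(r"/create\b", e["cmdline"], re.I)),
    ("service_installed", lambda e: basename(e["image"]) == "sc.exe"
        and re.search(r"\bcreate\b", e["cmdline"], re.I)),
    ("outbound_firewall_allow_added", lambda e: basename(e["image"]) == "netsh.exe"
        and re.search(r"advfirewall.*add rule.*dir=out.*action=allow", e["cmdline"], re.I)),
]

def hunt(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    return [(e["host"], name, e["cmdline"])
            for e in events for name, match in RULES if match(e)]
```

Correlating several hits on the same host within a short window (web shell, then firewall change, then task creation) is a stronger signal than any single rule, since each command is also used legitimately by administrators.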
Conclusion and Recommendations
Ink Dragon presents a threat model in which the boundary between ‘compromised host’ and ‘command infrastructure’ no longer exists. Each foothold becomes a node in a larger, operator-controlled network – a living mesh that grows stronger with every additional victim. Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem, where shutting down a single node is insufficient unless the entire relay chain is identified and dismantled. Ink Dragon’s relay-centric architecture is among the more mature uses of ShadowPad observed to date, and serves as a blueprint for long-term, multi-organizational access built on the victims themselves. As such, it is essential for organizations to be aware of the tactics, techniques, and procedures (TTPs) used by Ink Dragon and to take proactive measures to prevent and detect these types of attacks.