- The Ink Dragon campaign targets European governments by exploiting misconfigured IIS and SharePoint servers
- The group uses its FinalDraft backdoor to blend C2 traffic into normal activity in Microsoft’s cloud.
- Dozens of government and telecommunications entities around the world became relay nodes for future operations.
Ink Dragon, a known Chinese state-sponsored threat actor, has extended its reach to European governments, using misconfigured devices for initial entry and establishing persistence by blending in with regular traffic, experts warned.
A report from cybersecurity researchers Check Point Software claims that attackers are using Microsoft IIS and SharePoint servers as relay nodes for future operations.
“This stage is typically characterized by low noise and propagates through infrastructure that shares the same credentials or management patterns,” Check Point researchers said.
FinalDraft updates
For initial access, the group does not exploit zero-day or other vulnerabilities, since doing so would most likely trigger patches and alerts. Instead, it probes servers for weaknesses and misconfigurations, which lets it go undetected.
After finding an account with domain-level access, the group expands to other systems, installing backdoors and other malware, establishing long-term access, and exfiltrating sensitive data.
In its toolbox, Ink Dragon has a backdoor called FinalDraft, which was recently updated to blend in with common Microsoft cloud activity, the researchers said. Its C2 traffic is typically parked in the “Drafts” folder of an email account. Also notable is that the malware only operates during normal business hours, when traffic is highest and suspicious activity is hardest to spot.
Finally, once attackers gain persistent access to compromised servers, they repurpose victims’ infrastructure by installing custom IIS-based modules on Internet-connected systems, turning them into relay points for their malicious operations.
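A defender-side check for the relay technique described above, added here as an example and not code from Check Point or the article: it parses an IIS applicationHost.config (sample fragment constructed inline, with a hypothetical rogue module named TelemetryRelay) and flags global modules that are missing from an assumed administrator baseline or are loaded from outside the inetsrv directory.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment (not from the report); TelemetryRelay is a hypothetical rogue module.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="TelemetryRelay" image="C:\inetpub\temp\relay.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="TelemetryRelay" />
    </modules>
  </system.webServer>
</configuration>"""

# Directory holding the native modules IIS ships with; assumed trusted for this check.
TRUSTED_DIR = PureWindowsPath(r"%windir%\System32\inetsrv")
# Module names the administrator has approved (assumed baseline, kept short here).
BASELINE = {"HttpLoggingModule", "StaticFileModule"}

def _children(root, *tags):
    """Descend the tree by tag name; return the children of the last node (or [])."""
    node = root
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return []
    return list(node)

def find_suspicious_modules(config_xml):
    """Flag globalModules entries not in the baseline or loaded from outside inetsrv."""
    root = ET.fromstring(config_xml)
    enabled = {m.get("name") for m in _children(root, "system.webServer", "modules")}
    findings = []
    for mod in _children(root, "system.webServer", "globalModules"):
        name, image = mod.get("name", ""), mod.get("image", "")
        reasons = []
        if name not in BASELINE:
            reasons.append("not in baseline")
        if str(PureWindowsPath(image).parent).lower() != str(TRUSTED_DIR).lower():
            reasons.append("image outside inetsrv")
        if reasons and name in enabled:
            reasons.append("enabled in <modules>")  # the DLL is actually wired into the pipeline
        if reasons:
            findings.append((name, image, reasons))
    return findings
```

On a live server, read the real file from %windir%\System32\inetsrv\config\applicationHost.config and extend BASELINE with the modules your build legitimately carries before trusting the result.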
Check Point was unable to name the victims, for obvious reasons, but did reveal that “several dozen” entities were affected, including government organizations and telecommunications companies in Europe, Asia and Africa.
“While we cannot reveal the specific identities or countries of the affected entities, we note that the actor began broadcast-based operations in the second half of 2025, followed by a gradual expansion in victim coverage of each broadcast over time,” the researchers said.