Ink Dragon's Relay Network and Stealthy Offensive Operation
Dec. 21, 2025, 7:32 p.m.
Description
Check Point Research has identified a new wave of attacks by the Chinese threat actor Ink Dragon, targeting government entities in Europe, Southeast Asia, and South America. The actor builds a victim-based relay network using a custom ShadowPad IIS Listener module, turning compromised servers into active nodes within a distributed mesh. Ink Dragon continues to exploit IIS misconfigurations for initial access and is evolving its operations with new TTPs and tools, including a new variant of FinalDraft malware. The group's campaigns combine software engineering, disciplined operational playbooks, and the use of platform-native tools to blend into normal enterprise telemetry, making their intrusions both effective and stealthy.
Tags
Date
- Created: Dec. 16, 2025, 2:57 p.m.
- Published: Dec. 16, 2025, 2:57 p.m.
- Modified: Dec. 21, 2025, 7:32 p.m.
Indicators
Additional Information
- Government and administrations