- Ink Dragon campaign hacks European governments by exploiting misconfigured IIS and SharePoint servers
- The group uses its FinalDraft backdoor to mix C2 traffic with normal Microsoft cloud activity
- Dozens of government and telecommunications entities worldwide were converted into relay hubs for further operations
Ink Dragon, a known Chinese state-sponsored threat actor, has extended its reach to European governments by using misconfigured devices for initial access and by blending its traffic in with regular activity to maintain persistence, experts have warned.
A report by cyber security researchers Check Point Software claims that the attackers are using Microsoft IIS and SharePoint servers as relay nodes for future operations.
“This phase is typically characterized by low noise and propagates through infrastructure that shares the same credentials or management patterns,” Check Point’s researchers said.
FinalDraft updates
For initial access, the group does not exploit zero-day or other vulnerabilities, since that would most likely trigger patches and alerts. Instead, it probes the servers for weaknesses and misconfigurations and so stays under the radar.
After finding an account with domain-level access, the group expands to other systems, installs backdoors and other malware, establishes long-term access, and exfiltrates sensitive data.
In its toolbox, Ink Dragon has a backdoor called FinalDraft, which, according to the report, was recently updated to blend in with regular Microsoft cloud activity. Its C2 traffic is usually parked in the “Drafts” folder of an email account. What is also interesting is that the malware only operates during normal working hours, when traffic volumes are higher and suspicious activity is harder to spot.
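The draft-folder dead drop and the working-hours-only behaviour described above leave a pattern in mailbox audit data: a mailbox that writes many drafts, sends almost none of them, and does so only during office hours. The script below is an added example written for this article; it is not code from the Check Point report or from TechRadar. The event layout (mailbox, operation, folder, timestamp, client app) is a constructed simplification of a mailbox audit log, and the thresholds and the name find_dead_drop_mailboxes are assumptions, not a product schema.

```python
"""Heuristic detection of a mailbox used as a draft-folder dead drop.

Added example; not code from the Check Point report or TechRadar. The event
layout below is a constructed simplification of a mailbox audit log
(mailbox, operation, folder, timestamp, client app); field names and
thresholds are assumptions, not a product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _events(mailbox, client, day, hours, op="Create", folder="Drafts"):
    """Build one audit event per hour in `hours` on the given day (constructed data)."""
    return [(mailbox, op, folder, day.replace(hour=h), client) for h in hours]


MONDAY = datetime(2025, 9, 15)  # a Monday, chosen for the constructed sample

# Constructed sample: a service mailbox that keeps writing drafts it never
# sends, only on weekdays during office hours, plus an ordinary user.
SAMPLE_EVENTS = (
    _events("svc-archive@example.org", "GraphClient/1.0", MONDAY, [9, 10, 11, 14, 15, 16])
    + _events("svc-archive@example.org", "GraphClient/1.0", MONDAY + timedelta(days=1), [10, 13])
    + _events("alice@example.org", "Outlook", MONDAY, [8, 21])
    + _events("alice@example.org", "Outlook", MONDAY, [9], op="Send", folder="Sent Items")
)


def is_business_hours(ts, start=9, end=18):
    """True on a weekday with the local hour inside [start, end)."""
    return ts.weekday() < 5 and start <= ts.hour < end


def find_dead_drop_mailboxes(events, min_drafts=5, max_send_ratio=0.2, min_bh_fraction=0.9):
    """Return mailboxes whose draft activity looks like C2 rather than email use.

    Signals combined here: many draft writes, few or no sends relative to
    them, and nearly all of the writes inside business hours. Each hit
    carries the client apps seen, which is what an analyst checks next.
    """
    stats = defaultdict(lambda: {"drafts": 0, "sends": 0, "in_hours": 0, "clients": set()})
    for mailbox, op, folder, ts, client in events:
        s = stats[mailbox]
        if op in ("Create", "Update") and folder == "Drafts":
            s["drafts"] += 1
            s["in_hours"] += int(is_business_hours(ts))
            s["clients"].add(client)
        elif op == "Send":
            s["sends"] += 1

    flagged = []
    for mailbox, s in stats.items():
        if s["drafts"] < min_drafts:
            continue  # too little activity to judge
        send_ratio = s["sends"] / s["drafts"]
        in_hours_fraction = s["in_hours"] / s["drafts"]
        if send_ratio <= max_send_ratio and in_hours_fraction >= min_bh_fraction:
            flagged.append({
                "mailbox": mailbox,
                "drafts": s["drafts"],
                "sends": s["sends"],
                "in_hours_fraction": round(in_hours_fraction, 2),
                "clients": sorted(s["clients"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_dead_drop_mailboxes(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample only the service mailbox is flagged: eight draft writes, no sends, every write inside office hours. The ordinary user's two drafts fall under the minimum and are ignored, which is the point of the threshold: a single heuristic like this is a triage filter for an analyst, not a verdict.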
Finally, once the attackers have secured persistent access to compromised servers, they reuse the victims’ infrastructure by installing custom IIS-based modules on Internet-facing systems that make them relay points for their malicious operations.
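A custom native IIS module has to be registered in the server's applicationHost.config before IIS will load it, so a baseline check over that file is one place a defender can look for the relay modules mentioned above. The script below is an added example written for this article, not code from Check Point or TechRadar: it parses the globalModules section and reports any native module whose DLL lives outside the standard IIS directory. The config fragment is constructed, and the module name IISFilterHelper and the path C:\inetpub\temp\helper.dll are invented placeholders, not indicators from the report.

```python
"""Flag native IIS modules registered from outside the IIS install directory.

Added example, not code from Check Point or TechRadar. The config fragment
is constructed; "IISFilterHelper" and its path are placeholders, not
indicators from the report.
"""
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (real files are much longer).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="IISFilterHelper" image="C:\inetpub\temp\helper.dll" />
    </globalModules>
    <modules>
      <add name="DefaultDocumentModule" />
      <add name="IISFilterHelper" />
    </modules>
  </system.webServer>
</configuration>
"""


def _normalize(path):
    """Expand the two environment variables IIS commonly uses and lower-case the path."""
    expanded = path.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    return expanded.lower()


def find_unexpected_modules(xml_text, trusted_dirs=(r"C:\Windows\System32\inetsrv",)):
    """Return native modules whose image path is not under a trusted directory.

    Only <globalModules> entries are checked: that is where native (DLL)
    modules are registered. Each finding is a dict with the module name,
    the raw image path and a short reason.
    """
    root = ET.fromstring(xml_text)
    trusted = tuple(_normalize(d).rstrip("\\") + "\\" for d in trusted_dirs)
    findings = []
    # iter() matches on the tag directly, so the dotted <system.webServer> tag needs no XPath.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            if not _normalize(image).startswith(trusted):
                findings.append({
                    "name": name,
                    "image": image,
                    "reason": "native module loaded from outside the IIS directory",
                })
    return findings


def enabled_module_names(xml_text):
    """Names listed under <modules>, i.e. modules actually enabled for requests."""
    root = ET.fromstring(xml_text)
    return sorted(add.get("name", "") for m in root.iter("modules") for add in m.findall("add"))


if __name__ == "__main__":
    for finding in find_unexpected_modules(SAMPLE_CONFIG):
        print(f"{finding['name']}: {finding['image']} ({finding['reason']})")
```

The directory check is deliberately the only rule: a baseline of module names drifts with IIS versions and add-ons, while a DLL loaded from somewhere other than the IIS directory is unusual on any server and cheap to confirm by hashing the file and checking its signature. Cross-referencing the findings against the names returned by enabled_module_names tells you whether the module is merely registered or actually in the request pipeline.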
Check Point could not name the victims for obvious reasons, but it revealed that “several dozens” of entities were affected, including government organizations and telecommunications companies in Europe, Asia and Africa.
“Although we cannot reveal the identity or specific countries of the affected units, we observed that the actor began relay-based operations in the second half of 2025, followed by a gradual expansion of victim coverage from each relay over time,” the researchers said.