- Ink Dragon campaign targets European governments by exploiting misconfigured IIS and SharePoint servers
- The group uses its FinalDraft backdoor to mix C2 traffic with normal Microsoft cloud activity.
- Dozens of government and telecommunications entities around the world have been transformed into relay nodes for other operations.
Ink Dragon, a well-known Chinese state-sponsored threat actor, has extended its reach to European governments, using misconfigured servers for initial entry and maintaining persistence by blending in with regular traffic, experts have warned.
A report from cybersecurity researchers at Check Point Software claims that attackers are using Microsoft IIS and SharePoint servers as relay nodes for future operations.
“This stage is generally characterized by low noise and propagates through infrastructures sharing the same credentials or management models,” the Check Point researchers said.
FinalDraft Updates
For initial access, the group does not exploit zero-day or other vulnerabilities, as that would most likely trigger security solutions and alarms. Instead, it probes servers for weaknesses and misconfigurations and so goes unnoticed.
After finding an account with domain-level access, the group expands to other systems, installs backdoors and other malware, establishes long-term access, and exfiltrates sensitive data.
In its toolbox, Ink Dragon has a backdoor called FinalDraft, which the researchers say was recently updated to blend in with mainstream Microsoft cloud traffic. Its C2 traffic is usually left in the “drafts” folder of an email account. What’s also interesting is that the malware only operates during normal business hours, when traffic is heavier and suspicious activity is harder to spot.
Finally, once attackers have secured persistent access to compromised servers, they reuse victims’ infrastructure by installing custom IIS-based modules on Internet-connected systems, turning them into relay points for their malicious operations.
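Because the relay stage rests on module registrations that an administrator did not make, one practical defensive check is to diff the IIS module inventory against a known-good baseline. The script below is an added example, not code from the Check Point report or from TechRadar: it parses the `globalModules` and `modules` sections of an `applicationHost.config` (on a real host that file sits at `%windir%\System32\inetsrv\config\applicationHost.config`), flags any module absent from an operator-maintained allowlist, and flags native modules whose DLL lives outside the IIS install directory. The allowlist, the sample config excerpt and the module names in it are constructed for illustration; a real baseline should come from a clean build of the same server role.

```python
"""Audit IIS module registrations for entries that were not part of the baseline.

Added example (not from the article or the report). Parses the <globalModules>
and <modules> sections of an IIS applicationHost.config and reports modules
that are not allowlisted or whose binary lives outside %windir%\\System32\\inetsrv.
All sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed allowlist: on a real fleet, export this from a known-good host.
BASELINE_MODULES = {
    "HttpLoggingModule",
    "StaticFileModule",
    "DefaultDocumentModule",
    "RequestFilteringModule",
    "AnonymousAuthenticationModule",
    "ManagedEngineV4.0_32bit",
}

# Where stock IIS native modules are installed (default install path, assumed).
IIS_NATIVE_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Constructed excerpt of applicationHost.config. Two entries are suspicious:
# a native module loaded from a writable temp directory, and a managed module
# nobody on the team registered. Names are invented for the demo.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="CacheHelperModule" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="StaticFileModule" />
      <add name="RequestFilteringModule" />
      <add name="CacheHelperModule" />
      <add name="SessionRelay" type="App.Relay.SessionModule, App.Relay" />
    </modules>
  </system.webServer>
</configuration>
"""


def _expand(image: str) -> PureWindowsPath:
    """Resolve the %windir% placeholder IIS uses in image paths (assumed C:\\Windows)."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))


def audit_iis_modules(config_xml: str, baseline=BASELINE_MODULES):
    """Return a list of (scope, module_name, reason) tuples worth an analyst's review.

    scope is "globalModules" (native DLLs loaded into every worker process) or
    "modules" (the pipeline registration, native or managed).
    """
    root = ET.fromstring(config_xml)
    findings = []

    # Native modules: check both the allowlist and where the DLL is loaded from.
    for add in root.iterfind("./system.webServer/globalModules/add"):
        name = add.get("name", "")
        image = _expand(add.get("image", ""))
        if name not in baseline:
            findings.append(("globalModules", name, "not in baseline"))
        if not image.is_relative_to(IIS_NATIVE_DIR):
            findings.append(("globalModules", name, f"image outside inetsrv: {image}"))

    # Pipeline registrations: a managed module carries a 'type' attribute and
    # needs no DLL entry above, so it must be checked here on its own.
    for add in root.iterfind("./system.webServer/modules/add"):
        name = add.get("name", "")
        if name not in baseline:
            kind = "managed" if add.get("type") else "native"
            findings.append(("modules", name, f"{kind} module not in baseline"))

    return findings


if __name__ == "__main__":
    for scope, name, reason in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{scope}] {name}: {reason}")
```

Run against the constructed config, the audit reports the `CacheHelperModule` DLL twice (unknown name, and loaded from `C:\inetpub\temp`) and the managed `SessionRelay` module once, while the stock modules produce nothing. The DLL-location check matters independently of the allowlist: an attacker can register a module under a plausible name, but a native module's binary still has to live somewhere on disk, and a path outside the IIS install directory is a cheap, durable signal.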
Check Point could not name the victims, for obvious reasons, but it revealed that “several dozen” entities were affected, including government organizations and telecommunications companies in Europe, Asia and Africa.
“While we cannot disclose the specific identity or countries of the affected entities, we observed the actor beginning its relay-based operations in the second half of 2025, followed by a gradual expansion of each relay’s victim coverage over time,” the researchers said.