The threat group identified as Ink Dragon or Jewelbug has shifted its primary focus toward European government targets as of mid-2025, broadening a scope that previously centered on South America and Southeast Asia. This China-aligned collective has been operational for over two years, utilizing a disciplined approach that blends professional software engineering with operational tactics designed to mimic legitimate network activity. By reusing platform-native tools and adhering to strict playbooks, the group successfully bypasses standard security telemetry, making their presence difficult for many organizations to detect until long after an initial breach has occurred.
Current investigations reveal that the campaign remains active and has successfully compromised dozens of organizations across three continents, specifically hitting government bodies and the telecommunications sector. The group’s methodology typically begins by exploiting vulnerabilities in internet-facing web applications to deploy web shells. Once internal access is established, they introduce a variety of payloads, including Cobalt Strike beacons and specialized backdoors like FINALDRAFT, which is capable of infecting both Windows and Linux operating systems. These tools allow the group to move laterally through a network and exfiltrate sensitive data while maintaining a persistent foothold.
One of the more distinctive aspects of the group’s arsenal is the NANOREMOTE backdoor, which uses the Google Drive API to carry communication between the compromised host and the command-and-control server. By using a legitimate cloud service for data transfer, the attackers can effectively mask their malicious traffic as routine user activity. Security researchers believe the group maintains a broad toolkit and selectively deploys specific malware based on the security environment of each victim, prioritizing stealth and the ability to blend in with normal traffic patterns over a one-size-fits-all approach.
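A defender's angle on the Drive-API channel described above is that cloud C2 still has a shape: a host that talks to the Drive API at a fixed cadence, from a non-browser client, looks different from a person browsing their files. The following script is an added example, not code from the article or from the researchers it cites. It assumes a simple whitespace-separated proxy log (timestamp, client host, method, URL, user agent); the log lines are constructed for the example, and the thresholds are starting points to tune against your own baseline.

```python
"""Flag hosts whose Google Drive API requests arrive at a regular cadence.

Added example (not from the article). Assumed log format per line:
<ISO-8601 timestamp>Z <client host> <method> <url> <user agent ...>
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log: ws-0412 polls the Drive API every 60 s from a
# scripted client; ws-0207 is a person using Drive and Gmail from a browser.
SAMPLE_LOG = """\
2025-07-01T09:00:00Z ws-0412 GET https://www.googleapis.com/drive/v3/files?q=name+contains+'job' python-requests/2.31
2025-07-01T09:00:12Z ws-0207 GET https://www.googleapis.com/drive/v3/files?pageSize=100 Mozilla/5.0
2025-07-01T09:01:00Z ws-0412 GET https://www.googleapis.com/drive/v3/files?q=name+contains+'job' python-requests/2.31
2025-07-01T09:02:00Z ws-0412 GET https://www.googleapis.com/drive/v3/files?q=name+contains+'job' python-requests/2.31
2025-07-01T09:02:41Z ws-0207 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart Mozilla/5.0
2025-07-01T09:03:00Z ws-0412 POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media python-requests/2.31
2025-07-01T09:04:00Z ws-0412 GET https://www.googleapis.com/drive/v3/files?q=name+contains+'job' python-requests/2.31
2025-07-01T09:05:00Z ws-0412 GET https://www.googleapis.com/drive/v3/files?q=name+contains+'job' python-requests/2.31
2025-07-01T09:05:30Z ws-0207 GET https://mail.google.com/mail/u/0/ Mozilla/5.0
"""


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into its fields."""
    ts, host, method, url, ua = line.split(maxsplit=4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "method": method,
        "url": url,
        "ua": ua,
    }


def is_drive_api(url: str) -> bool:
    """True for Drive v3 metadata and upload endpoints on googleapis.com."""
    p = urlparse(url)
    return p.hostname == "www.googleapis.com" and (
        p.path.startswith("/drive/") or p.path.startswith("/upload/drive/")
    )


def find_beacons(log_text: str, min_requests: int = 4, max_cv: float = 0.2) -> dict:
    """Return {host: summary} for hosts whose Drive API requests are periodic.

    Periodicity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests; human activity is bursty and scores
    high, a polling loop scores near zero.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_drive_api(rec["url"]):
            by_host[rec["host"]].append(rec)

    flagged = {}
    for host, recs in by_host.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            uas = sorted({r["ua"] for r in recs})
            flagged[host] = {
                "requests": len(recs),
                "mean_interval_s": mean,
                "cv": cv,
                "user_agents": uas,
                # A scripted client is an extra signal, not proof by itself.
                "non_browser_ua": not all(ua.startswith("Mozilla/") for ua in uas),
            }
    return flagged


if __name__ == "__main__":
    for host, summary in find_beacons(SAMPLE_LOG).items():
        print(host, summary)
```

Expect false positives from sanctioned sync clients (the Google Drive desktop app also polls on a schedule), so pair the cadence score with an allow-list of hosts and user agents that are supposed to use the API, and treat a hit on a server or on a host with no Google Workspace entitlement as the interesting case.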
A core strategy for Ink Dragon involves the exploitation of mismanaged ASP.NET machine keys to execute ViewState deserialization attacks on IIS and SharePoint servers. After a successful exploit, they often install a custom ShadowPad IIS Listener module. This module essentially turns the compromised server into a proxy for the group’s global infrastructure. This sophisticated setup allows the attackers to route malicious traffic through multiple victim networks, using one compromised organization as a jumping-off point to attack another, which obscures the ultimate origin of the threat and increases the resilience of their command-and-control network.
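The precondition for the ViewState attack described above is a machineKey the attacker already holds, typically because it was copied from a public sample or reused across deployments. The audit below is an added example, not the article's or any vendor's tooling: it parses a web.config and flags a hard-coded validationKey or decryptionKey, a legacy MAC algorithm, a key that matches a list of keys the organisation knows to be exposed (a constructed placeholder here), and ViewState MAC validation being switched off. The two sample configurations are constructed for the example.

```python
"""Audit an ASP.NET web.config for machineKey settings that make ViewState
deserialization practical once an attacker learns the key.

Added example (not the article's or any vendor's code). Assumes a standard
web.config with <system.web><machineKey .../> and optionally
<pages enableViewStateMac="..."/>.
"""
import xml.etree.ElementTree as ET

# Constructed placeholder, not a real disclosed key. An organisation would
# populate this with keys it knows to be public; such a key is compromised
# regardless of how strong the configured algorithm is.
KNOWN_EXPOSED_KEYS = {"0" * 64}

# HMAC variants accepted for ViewState MAC validation on current ASP.NET.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}

# Constructed sample: hand-typed keys, legacy SHA1 MAC, MAC checks disabled.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vkey}" decryptionKey="{dkey}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""".format(vkey="0" * 64, dkey="1" * 48)

# Constructed sample: auto-generated keys and a modern MAC algorithm.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml: str) -> list:
    """Return one finding string per weakness; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)

    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        validation = mk.get("validation", "HMACSHA256").upper()

        # A static key is what lets a forged ViewState carry a valid MAC;
        # auto-generated keys never appear in a shareable config file.
        if not vkey.startswith("AutoGenerate"):
            findings.append("static validationKey: anyone holding it can sign ViewState")
        if not dkey.startswith("AutoGenerate"):
            findings.append("static decryptionKey: anyone holding it can read and encrypt ViewState")

        if validation not in STRONG_VALIDATION:
            findings.append(f"validation={validation}: legacy MAC algorithm, use HMACSHA256 or stronger")

        for name, key in (("validationKey", vkey), ("decryptionKey", dkey)):
            if key.upper() in KNOWN_EXPOSED_KEYS:
                findings.append(f"{name} matches a known exposed key: rotate it now")

    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState accepted without any MAC check")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_machine_key(cfg) or ["no findings"])
```

Run it across every web.config and applicationHost.config in a SharePoint or IIS estate rather than one server at a time: the same static key appearing in several deployments is itself a finding, because one disclosure then exposes all of them, and rotating keys has to be coordinated across the farm.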
In addition to these specialized modules, the group has been observed weaponizing specific SharePoint flaws to drop further web shells and gain deeper control over targeted systems. The listener modules provide the attackers with the ability to run arbitrary commands, conduct internal reconnaissance, and stage additional payloads as needed. By combining the exploitation of known vulnerabilities with custom-built stealth tools, Ink Dragon has created a global, multi-layered infrastructure that supports ongoing espionage campaigns while strategically reusing assets from previously breached organizations.
Source: China Linked Ink Dragon Targets Governments Using ShadowPad And FinalDraft Malware

The relay network setup is clever where they use one victim org's infra to pivot into the next target. Abusing the Google Drive API for C2 with NANOREMOTE is practical since it blends into legit cloud traffic, but it also means defenders need to tighten app-based access controls that most orgs barely monitor. I worked with a team once that found beaconing through Dropbox and it took them weeks to realize it wasn't internal file sync.