Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation

    Date: 12/25/2025

    Severity: High

    Summary

    The operation highlights how the Chinese-linked threat actor Ink Dragon is expanding and refining its cyber-espionage campaigns. The group has shifted increased attention toward European government targets while maintaining activity in Southeast Asia and South America. Ink Dragon uniquely turns compromised servers into a victim-based relay network using a custom ShadowPad IIS Listener, effectively making targets part of its command-and-control infrastructure. Despite widespread awareness, the actor continues to exploit long-known IIS and SharePoint misconfigurations for initial access. At the same time, Ink Dragon is evolving its capabilities with a new, stealthier FinalDraft malware variant and advanced techniques for evasion, lateral movement, and large-scale data exfiltration.

    Indicators of Compromise (IOC) List

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("2e84ea5cef8a9a8a60c7553b5878a349a037cffeab4c7f40da5d0873ede7ff72","e2f6e722c26e19b76396c2502cacf2aaceaaa1486865578c665ebf0065641ffa","f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1","a86e72ca58de6d215a59ae233963eaea27fe47ef0c9f43938e27339df4a86732","7efe5c1229178c1b48f6750c846575e7f48d17ea817997bd7acba0e5ecf1e577","D88115113E274071B03A3B4C1DA99EAEA7B8D94ADF833DFD26943AF0A6D78B4D","f094ff83d4b7d06bc17b15db7d7dc0e622778b0eda71e8fc9fdf7db83c460426","36f00887f6c0af63ef3c70a60a540c64040b13a4209b975e96ce239e65548d4a","ecf0fbd72aac684b03930ad2ff9cdd386e9c13ddf449f27918f337dc8963590e","2b57deb1f6f7d5448464b88bd96b47c5e2bd6e1c64c1b9214b57c4d35a591279","b4a53f117722fb4af0a64d30ec8aa4c4c82f456e3d2a5c5111c63ce261f3b547","866fde351251092fb5532e743459ba80968cd5516cce813c8755467f5e8a47a1","188ab2d68f17ecf08a7a4cfc6457c79b0a5117b3277352a7371a525416129114","809ddcbb64d6f2ccc4a8909068da60e6ea8b3ebd9c09dd826def0e188c7a2da2","f438ca355e6888c4c9cd7287b22cfe5773992ef83f0b16e72fb9ae239d85586c","c305b3b3f9426d024cdd262497a5d196264397bfed445705759d0a793a58fe6e")


    Reference:

    https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/ 


    Tags

    Threat Actor, Ink Dragon, China, Cyber Espionage, Europe, Government Services and Facilities, Southeast Asia, South America, FinalDraft, Exploit, Malware
