
China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware

Published:

17 December 2025 at 11:12:00

Alert date:

17 December 2025 at 12:00:58

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Web Technologies, Enterprise Applications

The Chinese threat actor Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux, and REF7707) has increasingly targeted government entities in Europe since July 2025, while the campaign continues to affect organizations in Southeast Asia and South America. The actor deploys the ShadowPad and FINALDRAFT malware families in its operations. Check Point Research tracks this cluster under the Ink Dragon designation. This is an active and ongoing campaign against government targets across multiple regions.

Technical details

Ink Dragon uses a multi-stage attack chain: it exploits vulnerable internet-exposed web applications to drop web shells, then deploys ShadowPad and FINALDRAFT. The group abuses predictable ASP.NET machine key values to mount ViewState deserialization attacks against IIS and SharePoint servers, and installs custom ShadowPad IIS Listener modules that turn the compromised servers into proxy nodes. It also weaponizes the ToolShell SharePoint flaws, uses RDP tunnels for lateral movement, dumps LSASS for privilege escalation, and modifies firewall rules. FINALDRAFT implements a modular command framework that exchanges encoded documents through victim mailboxes, and the group chains compromised hosts into a relay network in which each host becomes an infrastructure node.

Mitigation steps:

Organizations should:

Secure ASP.NET machine key values
Patch SharePoint and IIS servers against the ToolShell vulnerabilities
Monitor for unauthorized web shells and IIS modules
Implement proper session management for RDP connections
Monitor LSASS access and memory dumps
Review firewall rule changes
Monitor for suspicious Outlook/Graph API usage
Implement network segmentation to prevent lateral movement
Monitor for ShadowPad and FINALDRAFT indicators across the environment
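A defender-side check for two of the items above, added here as an example and not part of the original advisory: it parses an ASP.NET web.config for a static or weak machineKey (the precondition for forged ViewState) and lists IIS global modules that are not on an allowlist, which is how an unauthorized IIS listener module would surface. The sample configs, module names, paths and allowlist are constructed for the example.

```python
"""Audit an ASP.NET web.config for ViewState-relevant machineKey settings and an
IIS applicationHost.config for unexpected global modules. Added example; the
sample configs are constructed and not taken from any real deployment."""
import xml.etree.ElementTree as ET

# Constructed sample: a static, shared machineKey with SHA1 and ViewState MAC off.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF"
              validation="SHA1" decryption="AES" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

# Constructed sample applicationHost.config with one module outside the allowlist.
SAMPLE_APPHOST = """<configuration><system.webServer><globalModules>
  <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
  <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  <add name="CustomListener" image="C:\\inetpub\\wwwroot\\bin\\listener.dll" />
</globalModules></system.webServer></configuration>"""

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Findings for <machineKey>. A static key is a secret: if it is predictable or
    leaked, signed ViewState can be forged, which is the deserialization path above."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return ["machineKey not set explicitly; confirm AutoGenerate on every host"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
            findings.append(f"static {attr} present; rotate it and keep it out of source control")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append(f"weak validation algorithm {mk.get('validation')}; use HMACSHA256")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false disables ViewState integrity checks")
    return findings

def unexpected_iis_modules(apphost_xml: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """(name, image) for globalModules not on the allowlist, e.g. a module loaded
    from a web root instead of %windir%\\System32\\inetsrv."""
    root = ET.fromstring(apphost_xml)
    mods = root.findall("./system.webServer/globalModules/add")
    return [(m.get("name"), m.get("image")) for m in mods if m.get("name") not in allowlist]

KNOWN_MODULES = {"UriCacheModule", "StaticFileModule"}  # take from a clean reference host

if __name__ == "__main__":
    print(*audit_machine_key(SAMPLE_WEB_CONFIG), sep="\n")
    print(unexpected_iis_modules(SAMPLE_APPHOST, KNOWN_MODULES))
```

Run it against the real web.config and applicationHost.config of each IIS host; any module image outside the inetsrv directory deserves a closer look.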

Affected products:

Windows systems
Linux systems
IIS servers
SharePoint servers
ASP.NET applications
Microsoft Outlook
Microsoft Graph API
Google Drive API

IOCs:

FINALDRAFT malware (aka Squidoor), ShadowPad malware, VARGEIT backdoor, NANOREMOTE backdoor, Cobalt Strike beacons, ShadowPad Loader, CDBLoader, LalsDumper, 032Loader, Custom ShadowPad IIS Listener modules, Web shells on compromised servers

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
