  • The Ink Dragon campaign hacks European governments by exploiting misconfigured IIS and SharePoint servers
  • The group uses the FinalDraft backdoor to combine C2 traffic with normal Microsoft cloud activity.
  • Dozens of government and telecommunications organizations around the world have been turned into relay nodes for the group's further operations.

Experts warn that Ink Dragon, a notorious Chinese state-sponsored threat actor, has extended its reach to European governments by using misconfigured devices for initial access and hiding its traffic within regular data flows.

Nasty relationship

According to cybersecurity researchers at Check Point Software, the attackers are using compromised Microsoft IIS and SharePoint servers as relay nodes for future operations.

“This phase is typically characterized by low noise and extends to infrastructures that share the same credentials or management models,” Check Point researchers said.

Latest draft updates

For initial access, the group does not rely on zero-day exploits, which would likely trigger security alerts and patches. Instead, it scans servers for known vulnerabilities and misconfigurations, which lets it fly under the radar.

Once an account with domain-level access is found, the group expands to other systems, installs backdoors and other malware, establishes long-term access, and exfiltrates sensitive data.

In its toolbox, Ink Dragon has a backdoor called FinalDraft, which was recently updated so that its traffic blends in with normal Microsoft cloud activity. C2 traffic is staged in an email account’s Drafts folder rather than sent. Another notable aspect is that the malware only operates during normal business hours, when traffic is at its peak and suspicious activity is harder to detect.
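From the defender's side, the pattern described above (drafts written, read and deleted but never sent, only during office hours) is something mailbox audit data can surface. The following heuristic is an added example, not code from the article or from Check Point; it assumes a simplified, constructed event schema (user, operation, folder, client, ts), and real Exchange Online mailbox audit records use different field names and more operations, so the mapping is an assumption to adapt.

```python
"""Heuristic for drafts-folder C2 staging in mailbox audit data.

Added example; not code from the article or from Check Point. Assumes a
simplified, constructed event schema (user, operation, folder, client, ts).
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(9, 18)  # assumed local office hours, 09:00-17:59
DRAFT_OPS = {"Create", "Update", "MailItemsAccessed", "HardDelete"}

# Constructed sample: one mailbox cycles drafts (write, read, delete) and
# never sends; the other is a normal user who drafts, sends and works late.
SAMPLE_EVENTS = [
    {"user": "svc-relay@example.test", "operation": "Create", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T09:12:00"},
    {"user": "svc-relay@example.test", "operation": "MailItemsAccessed", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T09:13:00"},
    {"user": "svc-relay@example.test", "operation": "HardDelete", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T09:14:00"},
    {"user": "svc-relay@example.test", "operation": "Create", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T14:02:00"},
    {"user": "svc-relay@example.test", "operation": "MailItemsAccessed", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T14:03:00"},
    {"user": "svc-relay@example.test", "operation": "HardDelete", "folder": "Drafts", "client": "App/1.0", "ts": "2025-09-01T14:04:00"},
    {"user": "alice@example.test", "operation": "Create", "folder": "Drafts", "client": "Outlook", "ts": "2025-09-01T10:30:00"},
    {"user": "alice@example.test", "operation": "Send", "folder": "Sent Items", "client": "Outlook", "ts": "2025-09-01T10:35:00"},
    {"user": "alice@example.test", "operation": "Create", "folder": "Drafts", "client": "Outlook", "ts": "2025-09-01T19:10:00"},
    {"user": "alice@example.test", "operation": "Send", "folder": "Sent Items", "client": "Outlook", "ts": "2025-09-01T19:12:00"},
]


def summarize(events):
    """Per-mailbox counts of draft operations, sends and off-hours draft ops."""
    stats = defaultdict(lambda: {"draft_ops": 0, "sends": 0, "off_hours": 0, "clients": set()})
    for e in events:
        s = stats[e["user"]]
        if e["operation"] == "Send":
            s["sends"] += 1
        elif e["folder"] == "Drafts" and e["operation"] in DRAFT_OPS:
            s["draft_ops"] += 1
            s["clients"].add(e["client"])
            if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
                s["off_hours"] += 1
    return stats


def find_drafts_c2_candidates(events, min_draft_ops=5, max_send_ratio=0.2):
    """Flag mailboxes with sustained draft churn, almost no sends, and draft
    activity confined to business hours. Each condition is weak on its own;
    the combination is what mirrors the pattern described in the article."""
    flagged = []
    for user, s in summarize(events).items():
        if (s["draft_ops"] >= min_draft_ops
                and s["sends"] <= max_send_ratio * s["draft_ops"]
                and s["off_hours"] == 0):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user in find_drafts_c2_candidates(SAMPLE_EVENTS):
        print("review mailbox:", user)
```

Thresholds are deliberately conservative; tune `min_draft_ops` and `max_send_ratio` to the tenant, and treat a hit as a lead for review of the client application and sign-in source, not as a verdict.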

Once the attackers have persistent access to a compromised server, they reuse the victim's infrastructure by installing custom IIS-based modules on Internet-facing systems, turning them into relay points for further malicious activity.
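A practical check against this kind of foothold is to inventory the native modules IIS loads from applicationHost.config and compare them with a known-good baseline. The script below is an added example, not code from the article or from Check Point; the config fragment is constructed, and the baseline of stock module names and their usual DLLs is illustrative rather than exhaustive.

```python
"""Inventory IIS native (global) modules against a known-good baseline.

Added example; not code from the article or from Check Point. The config
fragment is constructed; the baseline lists a few stock IIS modules with the
DLLs they normally load from and is illustrative, not exhaustive.
"""
import ntpath
import xml.etree.ElementTree as ET

INETSRV_DIRS = (r"%windir%\system32\inetsrv", r"c:\windows\system32\inetsrv")

# Illustrative baseline: stock module name -> expected DLL file name.
BASELINE = {
    "HttpLoggingModule": "loghttp.dll",
    "StaticFileModule": "static.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "HttpCacheModule": "cachhttp.dll",
    "ProtocolSupportModule": "protsup.dll",
    "DefaultDocumentModule": "defdoc.dll",
}

# Constructed applicationHost.config fragment: three stock modules, one stock
# name loading from outside inetsrv, and one name absent from the baseline.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="HttpCacheModule" image="C:\ProgramData\Example\cachhttp.dll" />
      <add name="HttpFilterModule" image="%windir%\System32\inetsrv\hfilter.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def in_inetsrv(image):
    """True if the image path lies directly in the IIS inetsrv directory."""
    directory = ntpath.dirname(image).lower().rstrip("\\")
    return directory in INETSRV_DIRS


def audit_global_modules(config_xml, baseline=BASELINE):
    """Return {module name: [reasons]} for every globalModules entry that
    deviates from the baseline. An empty dict means nothing to review."""
    root = ET.fromstring(config_xml)
    findings = {}
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            reasons = []
            if not in_inetsrv(image):
                reasons.append("image outside inetsrv")
            expected = baseline.get(name)
            if expected is None:
                reasons.append("name not in baseline")
            elif ntpath.basename(image).lower() != expected:
                reasons.append(f"expected {expected}")
            if reasons:
                findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_global_modules(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it against a copy of `%windir%\System32\inetsrv\config\applicationHost.config` taken from a golden image to build the real baseline first; a module name that matches but loads from a different path, or a DLL in inetsrv with a name nobody recognizes, is exactly what this catches. Pair the file check with a hash of each listed DLL, since a legitimate name and path can still front a replaced binary.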

For obvious reasons, Check Point could not name the victims, but revealed that “several dozen” entities were affected, including government organizations and telecommunications companies in Europe, Asia and Africa.

“While we cannot disclose the specific identities or countries of the affected entities, we note that the actor began operating in the relays in the second half of 2025, followed by a gradual expansion of victim coverage per relay over time,” the researchers said.
