Experts warn Chinese "Ink Dragon" hackers extend reach into European governments
Several dozen entities recently targeted
- Ink Dragon campaign breaches European governments by exploiting misconfigured IIS and SharePoint servers
- The group uses its FinalDraft backdoor to blend C2 traffic with normal Microsoft cloud activity
- Dozens of government and telecom entities worldwide were turned into relay nodes for further operations
Ink Dragon, a known Chinese state-sponsored threat actor, has extended its reach into European governments, using misconfigured devices for initial entry, and establishing persistence by blending with regular traffic, experts have warned.
A report from cybersecurity researchers Check Point Software claims the attackers are using Microsoft IIS and SharePoint servers as relay nodes for future operations.
"This stage is typically characterized by low noise and spreads through infrastructure that shares the same credentials or management patterns," Check Point's researchers said.
FinalDraft updates
For initial access, the group does not exploit zero-day or other vulnerabilities, as that would most likely trigger security solutions and alarms. Instead, it probes the servers for weaknesses and misconfigurations, successfully flying under the radar.
After finding an account with domain-level access, the group expands to other systems, installs backdoors and other malware, establishes long-term access and exfiltrates sensitive data.
In its toolbox, Ink Dragon has a backdoor called FinalDraft, which was reportedly updated recently to blend in with common Microsoft cloud activity. Its C2 traffic is usually left in the “drafts” folder of an email account. What’s also interesting is that the malware only operates during regular business hours, when traffic volume is higher and suspicious activity is harder to spot.
Finally, once the attackers secure persistent access to compromised servers, they repurpose the victims’ infrastructure by installing custom IIS-based modules on internet-facing systems, turning them into relay points for their malicious operations.
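As a defender-side check tied to the relay mechanism described above, the following PowerShell inventory of IIS global modules is an added example, not code from Check Point or TechRadar; the baseline file path and the inetsrv-location heuristic are assumptions.

```powershell
# Added example (not from the Check Point report or the TechRadar article):
# inventory native IIS global modules and flag any that are absent from a
# known-good baseline, load from an unexpected location, or are unsigned.
# Assumes: the WebAdministration module is available (IIS management
# scripts feature) and a baseline JSON exported earlier from a clean host:
#   Import-Module WebAdministration
#   Get-WebGlobalModule | Select-Object Name, Image |
#       ConvertTo-Json | Set-Content iis-modules-baseline.json
param(
    [string]$BaselinePath = ".\iis-modules-baseline.json"   # hypothetical path
)

Import-Module WebAdministration -ErrorAction Stop

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$known    = @{}
foreach ($m in $baseline) { $known[$m.Name] = $m.Image }

$findings = foreach ($mod in Get-WebGlobalModule) {
    # Image paths are stored with %windir%-style variables; expand them.
    $path    = [Environment]::ExpandEnvironmentVariables($mod.Image)
    $reasons = @()

    if (-not $known.ContainsKey($mod.Name)) {
        $reasons += "not in baseline"
    } elseif ($known[$mod.Name] -ne $mod.Image) {
        $reasons += "image path changed (baseline: $($known[$mod.Name]))"
    }

    # Heuristic: stock IIS native modules live under inetsrv.
    if ($path -notlike "$env:windir\System32\inetsrv\*") {
        $reasons += "loaded from outside inetsrv"
    }

    $signer = $null
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        $signer = $sig.SignerCertificate.Subject
    } else {
        $reasons += "image file missing"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Module = $mod.Name; Image = $mod.Image
                           Signer = $signer;  Reasons = ($reasons -join '; ') }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No deviations from baseline." }
```

Run it on each internet-facing IIS host and review every flagged module against change records; a module that is absent from the baseline and unsigned is the pattern worth escalating first.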
Check Point could not name the victims, for obvious reasons, but it did reveal that “several dozens” of entities were hit, including government organizations and telecommunications companies in Europe, Asia, and Africa.
"While we cannot disclose the identities or specific countries of affected entities, we observed the actor beginning relay-based operations in the second half of 2025, followed by a gradual expansion in victim coverage from each relay over time," the researchers said.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.