China-linked Ink Dragon Hacks Governments Using Shadowpad And...
The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.
Check Point Research is tracking the cluster under the name Ink Dragon. It's also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to have been active since at least March 2023.
"The actor's campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry," the cybersecurity company said in a technical breakdown published Tuesday. "This mix makes their intrusions both effective and stealthy."
Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has "impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa."
Details of the threat group first emerged in February 2025, when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor called FINALDRAFT (aka Squidoor) that's capable of infecting both Windows and Linux systems. In recent months, Ink Dragon has also been linked to a five-month-long intrusion targeting a Russian IT service provider.
Attack chains mounted by the adversary have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.
Another notable backdoor in the threat actor's malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.
"It is possible that the actor selectively deploys tools from a broader toolkit, depending on the victim's environment, operational needs, and the desire to blend in with legitimate traffic," Smadja said.
Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad II
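The ViewState deserialization technique above only works when the attacker knows the server's ASP.NET machine key, so the defensive question is whether a deployment carries a static, weak, or publicly known `<machineKey>`. The following audit script is an added example, not code from The Hacker News or Check Point: it parses a `web.config`, flags static keys that should be rotated, compares the validation key against a blocklist of known-public keys, and notes weak settings. The two config fragments and the blocklist entry are constructed placeholders; in practice the blocklist would be populated from the vendor's published list of leaked keys.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real deployment).
CONFIG_STATIC_KEY = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

CONFIG_AUTOGEN = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Hypothetical blocklist of validation keys known to be public. The value here is a
# constructed placeholder, not a real leaked key; load the real list from the vendor.
KNOWN_PUBLIC_VALIDATION_KEYS = {
    "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF",
}

WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings for the <machineKey> and <pages> settings in a web.config."""
    findings: list[str] = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-application keys,
        # so there is no static value in the config to leak or reuse.
        return findings

    vkey = mk.get("validationKey", "")
    dkey = mk.get("decryptionKey", "")
    for name, value in (("validationKey", vkey), ("decryptionKey", dkey)):
        # A literal key in config is a long-lived secret; anyone who has read the
        # file (backups, source control, prior compromise) can forge ViewState.
        if value and not value.startswith("AutoGenerate"):
            findings.append(f"static {name} in config; rotate if it may have been exposed")

    if vkey.upper() in KNOWN_PUBLIC_VALIDATION_KEYS:
        findings.append("validationKey matches a publicly known key; replace immediately")

    if mk.get("validation", "").upper() in WEAK_VALIDATION_ALGORITHMS:
        findings.append("weak validation algorithm; use HMACSHA256 or stronger")

    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # ASP.NET 4.5.2 and later enforce the MAC regardless of this setting,
        # but its presence still signals a deliberately weakened configuration.
        findings.append("enableViewStateMac=false present; remove it")

    return findings


if __name__ == "__main__":
    for label, cfg in (("static-key config", CONFIG_STATIC_KEY), ("auto-generated config", CONFIG_AUTOGEN)):
        print(f"{label}:")
        for f in audit_machine_key(cfg) or ["no findings"]:
            print(f"  - {f}")
```

Run it against each `web.config` on an IIS or SharePoint host (including the machine-level `applicationHost.config` overrides, which this example does not walk); any static key that cannot be proven private should be rotated rather than merely noted.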
Source: The Hacker News