Overview of the Ink Dragon Threat Campaign
Ink Dragon has stepped up its operations against government organizations. Since mid-2025 the group has concentrated on targets in Europe while continuing to hit entities in Southeast Asia and South America, which makes this a broad and sustained campaign rather than a regional one.
Researchers track this activity as Ink Dragon; the same group appears under several other aliases in threat intelligence reporting. Analysts assess that the actor has been active since at least early 2023, so it has had more than two years to refine its tradecraft for covert intrusions.
Sophisticated and Stealthy Attack Strategy
Researchers describe Ink Dragon as disciplined and technically capable. The group deliberately blends its activity into normal system and administrative behavior, so defenders have difficulty separating the intrusion from legitimate operations. That blending is what makes the intrusions both effective and hard to detect.
The campaign remains active. Several dozen victims across multiple regions have been identified so far, among them government bodies and telecommunications providers, which puts both national security and critical infrastructure at risk.
Use of FINALDRAFT and Related Backdoors
Details of Ink Dragon's activity first surfaced publicly earlier in 2025, when researchers linked the group to a backdoor called FINALDRAFT. The malware has both Windows and Linux builds, which lets the attackers operate across both kinds of hosts in a victim network.
FINALDRAFT evolved from an earlier variant tracked as VARGEIT. Researchers have observed both versions at different stages of development; FINALDRAFT adds features and better evasion, and it is the version used in the group's recent operations.
Initial Access and Malware Delivery
Ink Dragon typically gains initial access by exploiting vulnerable internet-facing applications and planting web shells on the exposed servers. From that foothold it stages additional tooling for command and control and for expansion into the internal network, so a single exposed flaw can end in full domain compromise.
That tooling covers reconnaissance, lateral movement, defense evasion, and data collection and exfiltration. Because each step is designed to look routine, victims often do not notice until the intrusion is well established, which is what gives the group its long-term persistence.
ShadowPad Infrastructure and Network Abuse
Ink Dragon also abuses ASP.NET machine keys that are static, leaked, or copied from public examples. With the validation key in hand, an attacker can sign a malicious ViewState payload that the server accepts and deserializes, which yields code execution on IIS and SharePoint servers. On these hosts the group then installs a custom ShadowPad listener module, turning the compromised server into a node in a larger attacker-controlled network.
Because the listener relays traffic between victims, one breached organization can unknowingly serve as infrastructure for attacks on another. Every additional compromised server adds capacity and redundancy, so the network becomes more resilient the longer the campaign runs.
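The machine-key weakness above is a configuration problem, so it can be audited and fixed in configuration. The following Python script is an added example for this article, not Ink Dragon tooling or any vendor's code: it parses a web.config, reports the settings that make ViewState forgery possible (static keys of weak length, deprecated MD5/SHA1/3DES algorithms, and a disabled ViewState MAC), and rewrites the machineKey element with fresh random keys and HMACSHA256/AES. The web.config fragment embedded in it is constructed for illustration.

```python
"""Audit and rotate the ASP.NET <machineKey> settings that a ViewState
deserialization attack depends on.

Added example for this article; it is not Ink Dragon tooling or any vendor's
code.  The web.config fragment below is constructed for illustration.
"""
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed: the kind of config that makes ViewState forgery possible.
# Static keys and a disabled MAC are typical of configs copied from samples.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

HEX = re.compile(r"^[0-9A-Fa-f]+$")
WEAK_VALIDATION = {"md5", "sha1", "3des"}
WEAK_DECRYPTION = {"des", "3des"}
# Recommended sizes in hex chars: 64-byte HMAC-SHA256 key, 32-byte AES-256 key.
RECOMMENDED_HEX_LEN = {"validationKey": 128, "decryptionKey": 64}


def audit_machine_key(web_config: str) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for the ViewState-related settings.

    'high'   : lets an attacker forge or tamper with ViewState outright.
    'medium' : weaker than the recommended configuration.
    'info'   : needs operational follow-up (key secrecy / rotation).
    """
    findings: list[tuple[str, str]] = []
    root = ET.fromstring(web_config)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("high", "enableViewStateMac=false: ViewState is "
                         "deserialized without a signature check"))
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Framework default is AutoGenerate,IsolateApps: random per-app keys.
        return findings
    validation = mk.get("validation", "HMACSHA256").lower()
    decryption = mk.get("decryption", "Auto").lower()
    if validation in WEAK_VALIDATION:
        findings.append(("high", f"validation={validation}: deprecated MAC, "
                         "use HMACSHA256 or stronger"))
    if decryption in WEAK_DECRYPTION:
        findings.append(("high", f"decryption={decryption}: deprecated cipher, use AES"))
    for name, recommended in RECOMMENDED_HEX_LEN.items():
        value = mk.get(name, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        # A static key is legitimate in a web farm, but it is now a secret:
        # anyone who has it can sign ViewState the server will deserialize.
        findings.append(("info", f"static {name}: keep secret and unique; rotate if "
                         "it was copied from a sample or the server was exposed"))
        if not HEX.match(value):
            findings.append(("high", f"{name} is not hexadecimal"))
        elif len(value) < recommended:
            findings.append(("medium", f"{name} is {len(value)} hex chars, "
                             f"recommended {recommended}"))
    return findings


def generate_machine_key() -> str:
    """Return a hardened <machineKey> element with fresh random keys."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


def rotate_machine_key(web_config: str) -> str:
    """Replace the machineKey element with fresh keys and re-enable the MAC.

    Rotation invalidates every ViewState signed with the old keys, including
    any an attacker prepared, so apply it to all nodes of a farm at once.
    """
    root = ET.fromstring(web_config)
    system_web = root.find("./system.web")
    if system_web is None:
        raise ValueError("no <system.web> section in web.config")
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    system_web.insert(0, ET.fromstring(generate_machine_key()))
    pages = system_web.find("pages")
    if pages is not None and "enableViewStateMac" in pages.attrib:
        pages.set("enableViewStateMac", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, finding in audit_machine_key(WEAK_WEB_CONFIG):
        print(f"[{severity}] {finding}")
    print(rotate_machine_key(WEAK_WEB_CONFIG))
```

Run it against each web.config on an exposed IIS or SharePoint host; any "high" finding means a remote attacker who can reach the application can forge ViewState. Static keys that survive the audit are still secrets and should be rotated whenever a server was exposed, which is why they are reported as "info" rather than silently accepted.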
Advanced Privilege Escalation Techniques
In some intrusions the attackers took advantage of idle administrator sessions: the credentials and access tokens of those logged-on accounts remained in memory, and Ink Dragon harvested them to take full control of the host and then escalate to domain-wide privileges.
Once on a host, the group dumped sensitive system data and modified the local firewall rules to permit the outbound traffic it needed. Infected machines thus became relay points for further attacks, deepening the compromise well beyond the initial foothold.
Modular Malware Toolkit
Ink Dragon's toolkit is modular: separate components handle loading, payload decryption, credential dumping, and execution. FINALDRAFT sits at the center as the command channel, and it hides that channel inside email and cloud service API traffic that most environments already allow out.
Operators stage encoded commands in a mailbox the implant can reach; the malware polls for them, executes them, and returns results over the same channel. Since nothing leaves the host except ordinary-looking API requests, traditional network indicators such as a connection to a known malicious server never appear, and the modular design lets the group swap components without losing access.
A Broader and Growing Threat Landscape
Researchers also found other threat actors present in some of the same victim environments. The evidence does not point to coordination between them; rather, several groups independently exploited the same kinds of exposed entry points. An unpatched or misconfigured perimeter is therefore a risk shared across actors, not one specific to Ink Dragon.
Ink Dragon blurs the line between victim and attacker infrastructure: each breach feeds the relay network used against the next target. Defenders should treat an intrusion as part of that wider ecosystem. Cleaning a single host, or a single organization, in isolation may leave the relay traffic and the stolen credentials that enabled it untouched.
How to Prevent Similar Government Attacks
Organizations should regularly audit exposed servers and their application configurations, ASP.NET machine keys and IIS settings included, and patch internet-facing software promptly. Prevention alone is not enough, however: continuous monitoring that flags lateral movement and anomalous authentication early gives responders time to act before the attacker has harvested credentials or turned the host into a relay.
Endpoint and browser monitoring adds a second layer by analyzing process behavior and surfacing covert command channels such as C2 carried over mail and cloud APIs. Combining proactive assessment with real-time detection is what reduces the risk of the long-dwell intrusions this campaign depends on.
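The behaviors described in this article (a web shell spawning commands from the IIS worker, a firewall rule added so the host can relay traffic, an unknown process reading LSASS memory for credentials, and a non-mail process polling a mail API for commands) can each be expressed as a detection. The Python below is an added example, not the page's own code and not any vendor's rule set; it runs four such rules over constructed telemetry records modelled on Sysmon process-creation and process-access events and a proxy log, then correlates the rules that fired per host, since one rule alone is noise-prone but a chain is an intrusion. The records, field names, process allowlists and API hosts are assumptions to tune for a real environment.

```python
"""Behavioral detections for the intrusion steps described in this article,
run over constructed telemetry.

Added example; not the page's own code and not any vendor's rule set.  The
records, process allowlists and field names are assumptions modelled on
Sysmon process-creation / process-access events and a web proxy log.
"""

# Constructed sample telemetry.  Paths and host names are made up.
EVENTS = [
    # IIS worker process spawning a shell: classic web shell symptom.
    {"type": "process_create", "host": "web01",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Firewall change so the host can carry relay traffic.
    {"type": "process_create", "host": "web01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Update" dir=out '
                'action=allow protocol=TCP remoteport=8443'},
    # Unknown binary reading LSASS memory (credential harvesting).
    {"type": "process_access", "host": "dc01",
     "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Allowlisted security product reading LSASS: expected, must not alert.
    {"type": "process_access", "host": "dc01",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1410"},
    # Non-mail process polling a mail API: C2 hidden in cloud traffic.
    {"type": "proxy", "host": "fs02",
     "image": r"C:\ProgramData\update\svchost.exe",
     "dest": "graph.microsoft.com", "path": "/v1.0/me/mailFolders/drafts/messages"},
    # The real mail client doing the same thing: expected.
    {"type": "proxy", "host": "fs02",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest": "graph.microsoft.com", "path": "/v1.0/me/messages"},
    # Benign: a user opening a prompt from Explorer.
    {"type": "process_create", "host": "web01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Assumed allowlists: tune these to the environment before deploying.
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
MAIL_CLIENTS = {"outlook.exe", "teams.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
MAIL_API_HOSTS = {"graph.microsoft.com", "outlook.office365.com"}
PROCESS_VM_READ = 0x0010  # access right needed to read credentials out of LSASS


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, host, detail) triples for every record that matches a rule."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            parent, image = basename(e["parent"]), basename(e["image"])
            cmd = e["cmdline"].lower()
            if parent == IIS_WORKER and image in SHELLS:
                alerts.append(("web_shell_child", e["host"], e["cmdline"]))
            if image == "netsh.exe" and "advfirewall" in cmd and "add rule" in cmd:
                alerts.append(("firewall_rule_added", e["host"], e["cmdline"]))
        elif kind == "process_access":
            if (basename(e["target_image"]) == "lsass.exe"
                    and basename(e["source_image"]) not in LSASS_READERS_OK
                    and int(e["granted_access"], 16) & PROCESS_VM_READ):
                alerts.append(("lsass_access", e["host"], e["source_image"]))
        elif kind == "proxy":
            if e["dest"] in MAIL_API_HOSTS and basename(e["image"]) not in MAIL_CLIENTS:
                alerts.append(("mail_api_from_unexpected_process", e["host"], e["image"]))
    return alerts


def chain_by_host(alerts: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Group the distinct rules that fired per host."""
    by_host: dict[str, set[str]] = {}
    for rule, host, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return by_host


def suspicious_hosts(alerts: list[tuple[str, str, str]], min_rules: int = 2) -> list[str]:
    """Hosts where at least `min_rules` different behaviors fired.

    A single rule is noise-prone; a chain such as web shell followed by a
    firewall change is the pattern this article describes.
    """
    return sorted(h for h, rules in chain_by_host(alerts).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{host:6} {rule:34} {detail}")
    print("escalate:", suspicious_hosts(detect(EVENTS)))
```

The LSASS rule keys on the PROCESS_VM_READ access bit rather than on any access to the process, which cuts most of the benign noise from monitoring agents; the mail API rule fires on the process, not the destination, because the destination is exactly the legitimate service the C2 hides behind.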
Sleep well, we got you covered.

