Subj : Ink Dragon threatens EU g
To   : All
From : Mike Powell
Date : Thu Dec 18 2025 11:15 am

Experts warn Chinese "Ink Dragon" hackers extend reach into European
governments

Date:
Wed, 17 Dec 2025 15:20:00 +0000

Description:
Several dozen entities were recently targeted with an updated backdoor.

FULL STORY

Ink Dragon, a known Chinese state-sponsored threat actor, has extended its
reach into European governments, using misconfigured devices for initial
entry and establishing persistence by blending in with regular traffic,
experts have warned.

A report from cybersecurity researchers Check Point Software claims the
attackers are using Microsoft IIS and SharePoint servers as relay nodes for
future operations.

"This stage is typically characterized by low noise and spreads through
infrastructure that shares the same credentials or management patterns,"
Check Point's researchers said.

For initial access, the group does not abuse zero-day or other
vulnerabilities, as that would most likely trigger security solutions and
alarms. Instead, it probes the servers for weaknesses and misconfigurations,
successfully flying under the radar.

After finding an account with domain-level access, the group expands to other
systems, installs backdoors and other malware, establishes long-term access
and exfiltrates sensitive data.

In its toolbox, Ink Dragon has a backdoor called FinalDraft, which, the
report says, was recently updated to blend with common Microsoft cloud
activity. Its C2 traffic is usually left in the drafts folder of an email
account. What's also interesting is that the malware only operates during
regular business hours, when traffic is heavier and it is more difficult to
spot any suspicious activity.

Finally, once the attackers secure persistent access to compromised servers,
they repurpose the victims' infrastructure by installing custom IIS-based
modules on internet-facing systems, turning them into relay points for their
malicious operations.

Check Point could not name the victims, for obvious reasons, but it did
reveal that several dozen entities were hit, including government
organizations and telecommunications companies in Europe, Asia, and Africa.

"While we cannot disclose the identities or specific countries of affected
entities, we observed the actor beginning relay-based operations in the
second half of 2025, followed by a gradual expansion in victim coverage from
each relay over time," the researchers said.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/experts-warn-chinese-ink-dragon-hackers-extend-reach-into-european-governments

$$
--- SBBSecho 3.28-Linux
* Origin: Capitol City Online (1:2320/105)