Chinese spy group Ink Dragon is turning victims into infrastructure


Espionage group Ink Dragon is increasingly weaponizing European government infrastructure, a new report finds, and it’s getting better at covering up its tracks.

The long-held assumption that hostile state actors quietly breach networks and then lie dormant inside them is beginning to change, according to new research.

Instead of simply hiding, attackers are now actively repurposing what they compromise.


New findings from security firm Check Point reveal that the China-linked espionage group Ink Dragon is no longer just infiltrating government networks and observing – it is also targeting critical infrastructure.

Researchers say the group is converting compromised servers into infrastructure used to support espionage operations in other countries and regions.

Turning victims into infrastructure

Ink Dragon is a long-running espionage group whose operations have expanded from Southeast Asia and South America into a growing number of European government networks.

Check Point has tracked the group through a series of quiet campaigns that initially appeared unremarkable but later revealed a consistent pattern of disciplined, stealthy escalation.

Reporting its findings in a blog, the researchers stated that a defining feature of Ink Dragon’s operations is its use of compromised organizations to support attacks elsewhere.

The group deploys a customized module for IIS (Microsoft’s web hosting software for Windows) that turns public-facing servers into covert relay points.

These systems forward commands and data between victim networks, forming a distributed communication mesh that conceals the true origin of malicious traffic.
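A defender’s first triage step on a suspected relay host is to check which native modules IIS is actually loading. The following PowerShell is an added example, not code from Check Point or from the report; it assumes the IIS WebAdministration module is installed and flags any global module whose binary is missing or not carrying a valid Microsoft signature.

```powershell
# Added example (not from the Check Point report): list native IIS global modules
# and flag those whose image is missing or not validly signed by Microsoft.
# Unknown or unsigned modules on an internet-facing server deserve a closer look.
Import-Module WebAdministration -ErrorAction Stop

function Get-SuspiciousIisModule {
    Get-WebGlobalModule | ForEach-Object {
        # Image paths are usually stored with environment variables, e.g. %windir%\...
        $path = [Environment]::ExpandEnvironmentVariables($_.Image)
        $exists = Test-Path -LiteralPath $path

        $status = 'Missing'
        $signer = 'N/A'
        $trusted = $false
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            # Treat as trusted only if the signature validates and the signer is Microsoft.
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
        }

        [pscustomobject]@{
            Name       = $_.Name
            Image      = $path
            Exists     = $exists
            SigStatus  = $status
            Signer     = $signer
            Suspicious = -not $trusted
        }
    } | Where-Object { $_.Suspicious }
}

# Run from an elevated PowerShell session on the IIS host.
Get-SuspiciousIisModule | Format-Table -AutoSize
```

An empty result means every loaded global module resolves to a validly Microsoft-signed binary; anything listed should be compared against the server’s change records before it is trusted.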


This approach was observed during a recent investigation inside a European government office. Researchers found that attackers carefully mapped administrative behavior, leveraged dormant sessions, and prepared the network for long-term use.

An evolving toolset, including a new variant of the FinalDraft backdoor (malware that hides in the victim’s drafts), played a central role.

The malware is designed for persistent access and has been optimized to blend into legitimate Microsoft Cloud activity, making espionage traffic resemble routine enterprise operations.

Attacks typically begin with probes against public-facing websites, often exploiting simple configuration issues in Microsoft IIS or SharePoint servers. Once inside, Ink Dragon moves quietly by reusing existing passwords and service accounts to blend in with normal administrative behavior.

When attackers gain domain-level rights, they can map the environment in detail, control policy settings, and deploy long-term access tools across high-value systems.

“Across incidents, the same story repeats. A small web-facing issue becomes the first step. A series of quiet pivots leads to domain-level control. The environment is then repurposed as part of a larger network that powers operations against additional targets.”

Check Point Research

Fellow lurkers are exploiting the same vulnerability

In several networks, researchers also observed a second China-linked group, Rude Panda, exploiting the same vulnerability.

While these two groups are unrelated and there is no sign of cooperation, the overlap shows how a single exposed flaw can attract multiple advanced actors simultaneously.


“Ink Dragon isn’t just infiltrating networks. It’s quietly rewiring them into an international command system. Each compromised server becomes part of a larger mesh that hides attacker traffic inside what looks like everyday web activity,” said Eli Smadja, group manager, Check Point Research.

He warned that simply removing malware from individual systems is no longer sufficient and that defenders must dismantle entire relay chains to fully evict advanced state-backed attackers.

The news follows reports last month of a China-linked cyber-espionage campaign that hijacked more than 50,000 ASUS home routers, turning everyday internet devices into components of a covert network.
