The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.
Check Point Research is tracking the cluster under the name Ink Dragon. It is also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to have been active since at least March 2023.
“The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry,” the cybersecurity company said in a technical breakdown published Tuesday. “This mix makes their intrusions both effective and stealthy.”
Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.”
Details of the threat group first emerged in February 2025, when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor referred to as FINALDRAFT (aka Squidoor) that is capable of infecting both Windows and Linux systems. In recent months, Ink Dragon has also been attributed a five-month-long intrusion targeting a Russian IT service provider.
Attack chains mounted by the adversary have leveraged vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads such as VARGEIT and Cobalt Strike beacons to facilitate command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.
Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.
“It’s possible that the actor selectively deploys tools from a broader toolkit, depending on the victim’s environment, operational needs, and the desire to blend in with legitimate traffic,” Smadja said.
Ink Dragon has also relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and then install a custom ShadowPad IIS Listener module to turn those compromised servers into part of its C2 infrastructure and allow them to proxy commands and traffic, enhancing resilience in the process. The machine key is what signs (and optionally encrypts) ViewState: an attacker who knows the validationKey can craft a ViewState payload that passes the integrity check and is deserialized by the server, so a leaked or shared key is equivalent to a remote code execution primitive on every site that uses it.
“This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely,” Check Point said. “As a result, one compromise can quietly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere, blending operational control with strategic reuse of previously breached assets.”
The listener module is also equipped to run different commands on the IIS machine, providing attackers with greater control over the system to conduct reconnaissance and stage payloads.
In addition to exploiting publicly disclosed machine keys to achieve ASP.NET ViewState deserialization, the threat actor has been found to weaponize the ToolShell SharePoint flaws to drop web shells on compromised servers. Other steps carried out by Ink Dragon are listed below –
Use the IIS machine key to obtain a local administrative credential and leverage it for lateral movement over an RDP tunnel
Create scheduled tasks and install services to establish persistence
Take LSASS dumps and extract registry hives to achieve privilege escalation
Modify host firewall rules to allow outbound traffic and turn the infected hosts into a ShadowPad relay network
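As an added example (not code from Check Point, Microsoft or the article), the following Python audit reads an ASP.NET web.config and flags the machineKey conditions that make the ViewState deserialization described above possible: a statically configured key (a review item, since web farms legitimately need one), a key whose fingerprint appears in a list of publicly known keys, a legacy MAC-only validation algorithm, and ViewState MAC disabled outright. The sample configurations and the “leaked” key are constructed for the demo; the fingerprint scheme (SHA-256 over the upper-cased hex key) is an assumption chosen so a known-bad list can be shared without distributing the keys themselves, and in practice that list would be loaded from Microsoft’s published disclosure of publicly posted keys.

```python
"""Audit ASP.NET web.config for machineKey settings that enable ViewState
deserialization attacks. Added example; not Check Point's or Microsoft's code.
Sample configs and the 'leaked key' are constructed; SHA-256 fingerprinting is
an assumption chosen so a known-bad list can be shared without the keys themselves.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed: a validationKey the operator treats as publicly known (e.g. copied
# from a public sample). A real list would be loaded from Microsoft's disclosure
# of publicly posted keys.
CONSTRUCTED_LEAKED_VALIDATION_KEYS = [
    "8CB6CE5A45F9C3E8A2E1B6F3D0C7A4E9B1F2D5C8E3A6B9F0C1D4E7A2B5C8F1D3"
    "4E7A0B3C6D9F2E5A8B1C4D7E0F3A6B9C2D5E8F1A4B7C0D3E6F9A2B5C8D1E4F7A",
]


def fingerprint(validation_key: str) -> str:
    """Case-insensitive hex key -> SHA-256 hex digest (assumed fingerprint scheme)."""
    return hashlib.sha256(validation_key.strip().upper().encode()).hexdigest()


KNOWN_LEAKED_FINGERPRINTS = {fingerprint(k) for k in CONSTRUCTED_LEAKED_VALIDATION_KEYS}


def audit_web_config(xml_text: str, known=KNOWN_LEAKED_FINGERPRINTS) -> list:
    """Return finding codes, in document order, for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    # <pages enableViewStateMac="false"> removes the MAC entirely: any client can
    # then submit a ViewState the server will deserialize (older runtimes honour it).
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("VIEWSTATE_MAC_DISABLED")
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        # A static key is legitimate on a web farm; it is a review item, and it
        # becomes a vulnerability only when its value is known outside the farm.
        if not vkey.lower().startswith("autogenerate"):
            findings.append("STATIC_VALIDATION_KEY")
            if fingerprint(vkey) in known:
                findings.append("PUBLICLY_KNOWN_VALIDATION_KEY")
        if not dkey.lower().startswith("autogenerate"):
            findings.append("STATIC_DECRYPTION_KEY")
        # MD5/SHA1 are legacy MAC choices; .NET 4.5+ defaults to HMACSHA256.
        if mk.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1"}:
            findings.append("WEAK_VALIDATION_ALGORITHM")
    return findings


# Constructed sample configurations.
VULNERABLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{key}"
                decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(key=CONSTRUCTED_LEAKED_VALIDATION_KEYS[0])

SAFE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
  </system.web>
</configuration>"""

MAC_DISABLED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_WEB_CONFIG), ("safe", SAFE_WEB_CONFIG),
                      ("mac-disabled", MAC_DISABLED_WEB_CONFIG)]:
        print(name, audit_web_config(cfg) or "no findings")
```

Run it against every site-level web.config and the server-level configuration, not just the application root, since a machineKey set higher in the hierarchy is inherited. A PUBLICLY_KNOWN_VALIDATION_KEY finding means generating a fresh key and rotating it across the whole farm; rotation alone does not evict an attacker who has already dropped a web shell or, as in the intrusions described above, installed a malicious IIS module, so the module list and site directories need to be reviewed at the same time.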
“In at least one instance, the actor located an idle RDP session belonging to a Domain Administrator that had authenticated via Network Level Authentication (CredSSP) using NTLMv2 fallback. Since the session remained disconnected but not logged off, it’s highly likely that LSASS retained the associated logon token and NTLM verifier in memory,” Check Point said.
“Ink Dragon obtained SYSTEM-level access to the host, extracted the token (and presumably the NTLM key material), and reused it to perform authenticated SMB operations. Through these actions, they were able to write to administrative shares and exfiltrate NTDS.dit and registry hives, marking the point at which they achieved domain-wide privilege escalation and control.”
The intrusions have been found to rely on various components rather than a single backdoor or a monolithic framework to establish long-term persistence. These include –
ShadowPad Loader, which is used to decrypt and run the ShadowPad core module in memory
CDBLoader, which uses the Microsoft Console Debugger (“cdb.exe”) to run shellcode and load encrypted payloads
LalsDumper, which extracts an LSASS dump
032Loader, which is used to decrypt and execute payloads
FINALDRAFT, an updated version of the known remote administration tool that abuses Outlook and the Microsoft Graph API for C2
“The cluster has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques that enable stealthy lateral movement and multi-stage malware deployment across compromised networks,” Check Point said.
“FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim’s mailbox, and the implant pulls, decrypts, and executes them.”
The cybersecurity company also pointed out that it detected evidence of a second threat actor referred to as REF3927 (aka RudePanda) on “several” of the same victim environments breached by Ink Dragon. That said, there are no indications that the two clusters are operationally linked. It is believed that both intrusion sets exploited the same initial access methods to obtain footholds.
“Ink Dragon presents a threat model in which the boundary between ‘compromised host’ and ‘command infrastructure’ no longer exists,” Check Point concluded. “Each foothold becomes a node in a larger, operator-controlled network – a living mesh that grows stronger with every additional victim.”
“Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem, where shutting down a single node is insufficient unless the entire relay chain is identified and dismantled. Ink Dragon’s relay-centric architecture is among the more mature uses of ShadowPad observed to date. A blueprint for long-term, multi-organizational access built on the victims themselves.”
