A sophisticated Chinese cyber-espionage group is rewriting the rules of persistence, turning compromised government servers into a living, breathing command network. A new report from Check Point Research details the evolving tactics of Ink Dragon (also known as Earth Alux or APT41 affiliates), revealing how the group has expanded its operations into Europe while perfecting a “relay-centric” architecture that makes tracking them nearly impossible.
The group, which has previously concentrated on Southeast Asia and South America, has been spotted launching a new wave of attacks against government, telecom, and public-sector infrastructure. But it is their post-compromise behavior that has researchers alarmed: Ink Dragon doesn’t just hack a server; they recruit it.
At the heart of Ink Dragon’s strategy is a custom-built tool designed to turn a victim’s own infrastructure against them. By deploying a malicious module into Microsoft’s Internet Information Services (IIS) web servers, the group transforms compromised machines into active communication nodes.
“Ink Dragon leverages a custom ShadowPad IIS Listener module to turn compromised servers into active nodes within a distributed mesh, allowing each victim to forward commands and traffic,” the report states.
This technique allows the attackers to route their command-and-control (C2) traffic through a chain of infected organizations. A command sent to a government server in Europe might actually be routed through a compromised telecom provider in Asia, blending malicious traffic with legitimate inter-organizational data flows.

“This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely”.
Despite their sophisticated backend infrastructure, Ink Dragon often breaks in through the “front door” using well-known vulnerabilities that organizations have failed to patch. The group actively hunts for misconfigured ASP.NET servers, exploiting predictable cryptographic keys to execute code.
“Ink Dragon continues to exploit long-known IIS misconfigurations for initial access,” Check Point researchers noted. “Despite years of public reporting… Ink Dragon still relies on predictable or mismanaged ASP.NET machineKey values to perform ViewState deserialization attacks”.
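As an added defensive illustration (not code from the report or from Check Point), the following Python audit scans web.config fragments for the machineKey weaknesses described above: static keys that are reused across applications, a disabled ViewState MAC, and a weak validation algorithm. The sample configurations and paths are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments (not from the report): two apps share one
# hard-coded key, the third relies on ASP.NET's per-application auto-generated key.
KEY = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555FFFF6666"
SAMPLE_CONFIGS = {
    "portal/web.config": f"""<configuration><system.web>
      <machineKey validationKey="{KEY}" decryptionKey="{KEY[:32]}" validation="SHA1" decryption="AES"/>
      <pages enableViewStateMac="false"/></system.web></configuration>""",
    "intranet/web.config": f"""<configuration><system.web>
      <machineKey validationKey="{KEY}" decryptionKey="{KEY[:32]}" validation="HMACSHA256" decryption="AES"/>
      </system.web></configuration>""",
    "api/web.config": """<configuration><system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>
      </system.web></configuration>""",
}
WEAK_VALIDATION = {"MD5", "SHA1"}  # Microsoft recommends HMACSHA256 or stronger

def audit_one(xml_text):
    """Return (findings, static validationKey or None) for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("ViewState MAC disabled: payloads are not integrity-checked")
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings, None  # no explicit key: ASP.NET auto-generates one per app
    static = [a for a in ("validationKey", "decryptionKey")
              if not mk.get(a, "AutoGenerate,IsolateApps").startswith("AutoGenerate")]
    for attr in static:
        findings.append(f"static {attr}: rotate it and keep it out of source control")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {mk.get('validation')}: use HMACSHA256")
    return findings, mk.get("validationKey") if "validationKey" in static else None

def audit_fleet(configs):
    """Audit many web.config files and flag a validationKey reused across apps."""
    report, owners = {}, defaultdict(list)
    for path, text in configs.items():
        report[path], key = audit_one(text)
        if key:
            owners[key].append(path)
    for paths in owners.values():
        if len(paths) > 1:
            for path in paths:
                report[path].append(f"validationKey shared with {len(paths) - 1} other app(s)")
    return report
```

Current ASP.NET builds enforce the ViewState MAC regardless of enableViewStateMac, so the residual risk from a static or shared key is that an attacker who learns it can produce validly signed payloads; rotating the key and keeping it per-application removes that exposure.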
Once inside, the group deploys an updated arsenal. This includes a new variant of the FinalDraft malware, which now uses the legitimate Microsoft Graph API to hide its communications, and ShadowPad, a modular backdoor that serves as the backbone of their relay network.
The report highlights a disturbing shift in the group’s victimology. “In the last few months, the threat actor’s activities show increased focus on government targets in Europe in addition to continued activities in Southeast Asia and South America”.
This expansion suggests the group is scaling its intelligence-gathering mission, leveraging its growing mesh of compromised servers to strike targets further afield without exposing their true location.
The implications for defenders are stark. A compromised server is no longer just a data leak risk; it is a potential outpost for attacks on other nations.
“Defenders must therefore view intrusions not only as local breaches but as potential links in an external, attacker-managed ecosystem,” the report warns.
Check Point Research concludes that Ink Dragon’s methodology represents a mature, long-term approach to espionage, creating “a blueprint for long-term, multi-organizational access built on the victims themselves”.