
The threat group known as Jewelbug, also tracked by Check Point Research as Ink Dragon, has intensified its attacks against government targets in Europe since July 2025. Although the actor, aligned with China and active since at least March 2023, continues to attack entities in Southeast Asia and South America, its focus has expanded significantly.
Check Point Research has detailed the operations of this hacking group, highlighting its combination of solid software engineering, disciplined operational playbooks, and the reuse of native platform tools to blend into normal company telemetry. These tactics make their intrusions “effective and stealthy.”
According to Eli Smadja of Check Point Software, the campaign is still active and has affected several dozen victims, including government entities and telecommunications organizations in Europe, Asia and Africa.
Intrusion Tactics and Malware Arsenal
Ink Dragon attack chains have evolved to exploit vulnerable services in Internet-exposed web applications. After exploiting a vulnerability, the group installs web shells, which it then uses to deploy additional payloads such as VARGEIT and Cobalt Strike beacons. These tools provide command and control (C2), lateral movement, defense evasion and data exfiltration.
Among the threat actor’s malware arsenal are:
- FINALDRAFT (Squidoor): A backdoor capable of infecting Windows and Linux systems. A recent variant uses the Microsoft Graph and Outlook API for C2, with a modular command framework that allows operators to send encoded commands to the victim’s inbox for execution.
- NANOREMOTE: Another backdoor that uses the Google Drive API for file transfer between the C2 server and the compromised endpoint. Check Point noted that they did not find it in their specific investigations, suggesting a selective deployment of tools based on the victim’s environment.
Creation of C2 Infrastructure from Victims
One of Ink Dragon’s most notable techniques is the use of a custom ShadowPad IIS Listener module. The actor exploits predictable or mishandled ASP.NET machine key values to conduct ViewState deserialization attacks against vulnerable IIS and SharePoint servers.
Once compromised, these servers become part of the attacker’s C2 infrastructure. The listening module allows traffic to be routed not only within an organization’s network, but also across different victim networks. This creates a global relay network, where a silent engagement becomes a node in a supporting infrastructure for campaigns elsewhere.
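The ViewState attack described above works only when the attacker can sign ViewState with the server's machine key, so the first defensive check is whether that key is static, shared, legacy-hashed or not validated at all. The audit below is an added example, not code from Check Point Research or from the report it summarizes; both web.config fragments are constructed for illustration and the key strings are placeholders, not real or leaked keys.

```python
"""Audit the ASP.NET <machineKey> and ViewState settings in a web.config.

Added example, not code from Check Point Research. Both configurations
below are constructed; the key strings are placeholders, not real keys.
"""
import xml.etree.ElementTree as ET

# Constructed sample: static keys, legacy validation algorithm, MAC disabled.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample: per-application auto-generated keys, HMACSHA256, MAC on.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Framework defaults used when an attribute is omitted.
DEFAULT_KEY = "AutoGenerate,IsolateApps"
DEFAULT_VALIDATION = "HMACSHA256"
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings that weaken ViewState integrity; an empty list means clean."""
    findings = []
    root = ET.fromstring(config_xml)
    # iter() matches the tag directly, so the dotted <system.web> parent is no issue.
    mk = next(root.iter("machineKey"), None)
    pages = next(root.iter("pages"), None)

    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, DEFAULT_KEY)
            if "AutoGenerate" not in value:
                # A static key is legitimate for web farms but must stay secret:
                # anyone holding it can sign, and thus deserialize, arbitrary ViewState.
                findings.append(f"static {attr}: treat as a secret, keep unique per app, rotate if exposed")
            elif "IsolateApps" not in value:
                findings.append(f"{attr} auto-generated but shared across applications (no IsolateApps)")
        validation = mk.get("validation", DEFAULT_VALIDATION).upper()
        if validation in LEGACY_VALIDATION:
            findings.append(f"legacy ViewState validation algorithm {validation}")

    # enableViewStateMac defaults to true; false accepts ViewState with no integrity check.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without MAC")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, "->", audit_machine_key(cfg) or ["no findings"])
```

A static key finding is not by itself a vulnerability; web farms need a shared key. It becomes one when the key is checked into source control, copied from a public sample, reused across applications or never rotated after a server compromise, which is the "mishandled" case the report describes. Keys reachable by an attacker who already holds a web shell on the box should be assumed exposed and regenerated.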
Privilege Escalation and Persistence
The threat group also uses various techniques to escalate privileges and maintain persistence:
- Lateral Movement: Using the IIS machine key to obtain local administrative credentials and leverage them for lateral movement over an RDP tunnel.
- Persistence: Creation of scheduled tasks and installation of services.
- Privilege Escalation: Extracting LSASS dumps and registry hives to escalate privileges. In one case, the actor extracted a domain administrator’s token from an idle RDP session to perform authenticated SMB operations and exfiltrate NTDS.dit and registry hives, achieving control of the entire domain.
- Defense Evasion: Modifying host firewall rules to allow outbound traffic and transform infected hosts into a ShadowPad relay network.
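Each technique in the list above leaves a standard Windows event behind: 4698 for a scheduled task being created, 7045 for a service being installed, 4946 for a firewall rule being added, and 4624 with logon type 10 for an RDP logon. The correlation below is an added example, not Check Point Research's detection content; the event records are constructed, and the hostnames, accounts, task, service and rule names are placeholders. It scores a host on how many distinct tactics appear rather than alerting on any single event, since an RDP logon or a service install alone is routine.

```python
"""Correlate Windows event-log records into the post-exploitation chain the
report attributes to Ink Dragon on a compromised IIS host.

Added example, not Check Point Research's code. Records are constructed;
hostnames, accounts, task, service and rule names are placeholders.
Event IDs are the standard Windows Security/System log IDs.
"""
from collections import defaultdict
from typing import Optional

# Constructed records, one dict per event as a log exporter might emit them.
SAMPLE_EVENTS = [
    # 4698 (Security): scheduled task created; the subject is the IIS app-pool
    # identity, which is what a web shell running inside w3wp.exe looks like.
    {"host": "iis-web-01", "id": 4698, "subject": "IIS APPPOOL\\DefaultAppPool", "name": "Updater"},
    # 7045 (System): service installed with its binary in a user-writable directory.
    {"host": "iis-web-01", "id": 7045, "subject": "NT AUTHORITY\\SYSTEM", "name": "svchelper",
     "image": "C:\\Windows\\Temp\\svc.exe"},
    # 4946 (Security): a Windows Firewall rule was added.
    {"host": "iis-web-01", "id": 4946, "subject": "NT AUTHORITY\\SYSTEM", "name": "Allow relay"},
    # 4624 (Security) logon type 10: RemoteInteractive (RDP) logon.
    {"host": "iis-web-01", "id": 4624, "subject": "CORP\\svc_backup", "logon_type": 10},
    # Ordinary admin RDP to a file server: one signal alone, not enough to alert.
    {"host": "file-01", "id": 4624, "subject": "CORP\\jdoe", "logon_type": 10},
    # 7045 with a binary under System32: a normal service install, ignored.
    {"host": "file-01", "id": 7045, "subject": "NT AUTHORITY\\SYSTEM", "name": "Backup",
     "image": "C:\\Windows\\System32\\backupsvc.exe"},
]

# Heuristic: directories a web shell or low-privilege process can usually write to.
USER_WRITABLE = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\inetpub\\")


def classify(event: dict) -> Optional[str]:
    """Map one event to a tactic label, or None if it is not interesting."""
    eid = event["id"]
    subject = event.get("subject", "").upper()
    if eid == 4698 and subject.startswith("IIS APPPOOL\\"):
        return "persistence: scheduled task created by IIS app-pool identity"
    if eid == 7045 and any(p in event.get("image", "").lower() for p in USER_WRITABLE):
        return "persistence: service binary in user-writable path"
    if eid == 4946:
        # 4946 records that a rule was added but not its direction or action;
        # confirm with Get-NetFirewallRule before treating it as an outbound allow.
        return "defense evasion: firewall rule added"
    if eid == 4624 and event.get("logon_type") == 10:
        return "lateral movement: RDP logon"
    return None


def correlate(events: list) -> dict:
    """Group distinct tactic labels per host, in first-seen order."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label and label not in per_host[ev["host"]]:
            per_host[ev["host"]].append(label)
    return dict(per_host)


def suspicious_hosts(events: list, min_tactics: int = 2) -> list:
    """Hosts on which at least min_tactics distinct tactics were observed."""
    return [h for h, labels in correlate(events).items() if len(labels) >= min_tactics]


if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(host, "->", labels)
    print("alert:", suspicious_hosts(SAMPLE_EVENTS))
```

The app-pool identity check is the highest-value signal here: IIS worker processes have no business creating scheduled tasks, so a 4698 from `IIS APPPOOL\...` on a web server is worth an alert even before the other tactics appear. Firewall auditing (4946/4947) is not enabled by default and has to be switched on through the audit policy before this correlation sees those events.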
Conclusions
Ink Dragon intrusions rely on a set of components, rather than a single backdoor, to establish long-term persistence. The relay architecture, built out of victim engagements, is a “blueprint for long-term, multi-organizational access built on victims themselves.”
Check Point Research concludes that Ink Dragon’s threat model eliminates the boundary between “compromised host” and “command infrastructure.” Defenders must view intrusions not just as local breaches, but as potential links in an external ecosystem managed by the attacker, where taking down a single node is insufficient if the entire relay chain is not identified.
References
- Check Point Research: Jewelbug (Ink Dragon) White Paper
- Elastic Security Labs and Palo Alto Networks Unit 42: Previous investigations into the FINALDRAFT actor and malware.