
FINALDRAFT Backdoor

The threat actor commonly referred to as Jewelbug has intensified its focus on European government organizations since July 2025, while still maintaining active operations against targets in Southeast Asia and South America. Researchers track this activity cluster as Ink Dragon, a group also known in the wider security community as CL-STA-0049, Earth Alux, and REF7707. The actor is assessed to be China-aligned and has demonstrated sustained activity since at least March 2023.

Multiple Identities, One Coordinated Cluster

Ink Dragon's campaigns reflect a mature and disciplined intrusion capability. Its operators combine strong software engineering skills with repeatable operational playbooks, frequently relying on built-in platform utilities (living off the land) so that malicious activity blends into legitimate enterprise telemetry. This deliberate tradecraft significantly increases stealth and complicates detection.

Scope, Targets, and Ongoing Impact

The campaign remains active and has already affected several dozen victims. Impacted organizations span government agencies and telecommunications providers across Europe, Asia, and Africa. The breadth of victims underscores both the scalability of the actor's infrastructure and its strategic interest in high-value networks.

Early Visibility and Key Malware Families

Public insight into Ink Dragon emerged in February 2025, when researchers documented its use of the FINALDRAFT backdoor, also known as Squidoor. This malware supports both Windows and Linux environments. More recently, the group was linked to a prolonged, five-month intrusion against a Russian IT services provider, highlighting its ability to maintain long-term, covert access.

Initial Access and Payload Delivery

Ink Dragon typically gains entry by exploiting vulnerable, internet-facing web applications. These weaknesses are abused to deploy web shells, which then serve as launch points for additional tooling such as VARGEIT and Cobalt Strike. These payloads support command-and-control communications, internal reconnaissance, lateral movement, evasion of defenses, and data theft.

Abuse of Cloud and Legitimate Services

Among the group's secondary backdoors is NANOREMOTE, which leverages the Google Drive API to exchange files between infected hosts and attacker-controlled infrastructure. Tool selection appears deliberate and situational, suggesting that operators tailor deployments to the victim environment and favor techniques that resemble normal, trusted traffic patterns.

ViewState Exploitation and C2 Infrastructure Hijacking

A defining technique in Ink Dragon's playbook is the abuse of weak or mismanaged ASP.NET machine keys. An ASP.NET server accepts any ViewState whose MAC validates under its configured validationKey, so an actor who knows that key can sign a serialized payload that the IIS or SharePoint server deserializes and executes. Ink Dragon uses this code execution to install a custom ShadowPad IIS Listener module, which turns the compromised server into an active component of the attacker's command-and-control network, proxying traffic and commands and making the infrastructure markedly harder to dismantle.
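The first thing a defender should check after reading the paragraph above is whether their own web.config makes this attack feasible. The following is an added example, not Ink Dragon tooling or code from the page: it parses a constructed web.config (the key values are filler, not real leaked keys), flags the settings that matter for ViewState forgery, reports a validationKey reused across several hosts, and emits a freshly generated replacement element.

```python
"""Audit ASP.NET <machineKey> settings for ViewState-forgery risk.
Added example with constructed input; not code from the page or the actor."""
import secrets
import xml.etree.ElementTree as ET

# Legacy modes for the validation attribute (SHA1-based MAC, or encryption
# modes that imply a SHA1 MAC).  HMACSHA256 and above are the modern choices.
WEAK_VALIDATION_ALGS = {"MD5", "SHA1", "3DES", "AES"}
WEAK_DECRYPTION_ALGS = {"DES", "3DES"}

# Constructed web.config showing the weak configuration.  Keys are filler.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""


def _machine_key(web_config_xml: str):
    """Return (root, <machineKey> element or None)."""
    root = ET.fromstring(web_config_xml)
    return root, next(root.iter("machineKey"), None)


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return finding codes.  'static-*' findings are informational: static
    keys are normal in a web farm, but they are credentials that must be
    unique to the application and rotated if ever exposed.  The 'weak-*' and
    'viewstate-mac-disabled' findings are outright misconfigurations."""
    findings = []
    root, mk = _machine_key(web_config_xml)
    if mk is not None:
        if not mk.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("static-validation-key")
        if not mk.get("decryptionKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("static-decryption-key")
        # .NET 4.x defaults: validation=HMACSHA256, decryption=Auto (AES).
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION_ALGS:
            findings.append("weak-validation-algorithm")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION_ALGS:
            findings.append("weak-decryption-algorithm")
    for pages in root.iter("pages"):
        # Modern ASP.NET ignores enableViewStateMac="false", but its presence
        # shows the application was configured with MAC enforcement off.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("viewstate-mac-disabled")
    return findings


def find_reused_validation_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map each static validationKey to the hosts sharing it.  A key shared by
    unrelated applications lets one disclosure forge ViewState on all of them."""
    by_key: dict[str, list[str]] = {}
    for host, xml in configs.items():
        _, mk = _machine_key(xml)
        key = mk.get("validationKey", "") if mk is not None else ""
        if key and not key.startswith("AutoGenerate"):
            by_key.setdefault(key, []).append(host)
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}


def generate_machine_key() -> str:
    """Emit a replacement element with fresh random keys: 64 bytes for the
    HMACSHA256 validation key and 32 bytes for AES-256 decryption."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
        f'decryptionKey="{secrets.token_hex(32).upper()}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


if __name__ == "__main__":
    print("findings:", audit_machine_key(WEAK_WEB_CONFIG))
    print("replacement:", generate_machine_key())
```

Run the audit against every web.config in the farm, not just the one that was compromised: a key copied between applications or taken from documentation is the condition the attack depends on, and rotating it invalidates any ViewState payload the actor has already prepared.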

From Local Breach to Global Relay Network

This architecture allows traffic to be routed not only deeper into a single organization but also across entirely separate victim networks. As a result, one compromised server can silently become an intermediary in a broader, multi-layered infrastructure. The listener module itself supports remote command execution, giving operators direct control for reconnaissance and payload staging.

Post-Exploitation and Privilege Escalation Tactics

Beyond ViewState abuse, Ink Dragon has weaponized ToolShell SharePoint vulnerabilities to deploy web shells. Following initial compromise, the actor typically performs several actions to entrench access and escalate privileges:

  • Using the code execution obtained through the IIS machine keys to recover local administrator credentials, then moving laterally over RDP tunnels
  • Establishing persistence through scheduled tasks and malicious services
  • Dumping LSASS memory and extracting registry hives (typically SAM, SYSTEM and SECURITY) to harvest credentials for privilege escalation
  • Altering host firewall rules to permit outbound traffic and convert systems into ShadowPad relay nodes

Advanced Credential Reuse and Domain Compromise

In at least one observed case, the attackers found a disconnected RDP session belonging to a Domain Administrator who had authenticated through Network Level Authentication with NTLMv2 fallback. The session had been disconnected but never logged off, so the account's credential material remained in LSASS memory. After gaining SYSTEM-level access, Ink Dragon extracted the session token and reused it to perform authenticated SMB operations, write to administrative shares, and exfiltrate NTDS.dit and registry hives.
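The post-exploitation steps in the list above and the lingering-session abuse just described all leave Windows event traces. The following is an added example, not code from the page or the actor: a small rule set run over constructed Security and Sysmon events (hostnames, accounts and paths are invented, and the field names are already normalized from the raw event XML). It flags tasks and services installed from user-writable paths, unexpected processes opening LSASS, firewall rule changes, privileged RDP sessions that were disconnected but never logged off, and a privileged network logon that originates from a host holding such a session.

```python
"""Detection rules over constructed Windows Security/Sysmon events.
Added example; every record, host, account and path below is invented."""

# Accounts whose interactive sessions must never be left disconnected on a
# server (constructed; derive from privileged-group membership in practice).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\helpdesk-admin"}

# Processes that legitimately open LSASS (constructed allowlist; tune before use).
ALLOWED_LSASS_READERS = {
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\csrss.exe",
    "C:\\Windows\\System32\\wininit.exe",
}

# Task and service binaries outside these trees are treated as suspect.
TRUSTED_PATH_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENTS = [
    # Domain admin logs on to the web server over RDP (4624 type 10), then disconnects (4779).
    {"ts": "2025-09-01T08:00:00", "host": "IIS01", "id": 4624,
     "account": "CORP\\da-admin", "logon_type": 10, "source_host": "ADMIN-WS"},
    {"ts": "2025-09-01T08:30:00", "host": "IIS01", "id": 4779, "account": "CORP\\da-admin"},
    # A second admin disconnects but logs off properly an hour later (4647).
    {"ts": "2025-09-01T08:35:00", "host": "IIS01", "id": 4779, "account": "CORP\\helpdesk-admin"},
    {"ts": "2025-09-01T09:35:00", "host": "IIS01", "id": 4647, "account": "CORP\\helpdesk-admin"},
    # Persistence from user-writable directories (4698 task, 7045 service).
    {"ts": "2025-09-01T09:00:00", "host": "IIS01", "id": 4698,
     "task": "\\Microsoft\\Windows\\UpdateCheck", "command": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2025-09-01T09:01:00", "host": "IIS01", "id": 7045,
     "service": "NetSvcHelper", "image_path": "C:\\ProgramData\\nethelper.exe"},
    # LSASS opened by an unexpected process (Sysmon event 10).
    {"ts": "2025-09-01T09:02:00", "host": "IIS01", "id": 10,
     "source_image": "C:\\Users\\Public\\cdb.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
    # Host firewall rule added (4946).
    {"ts": "2025-09-01T09:03:00", "host": "IIS01", "id": 4946, "rule_name": "Core Networking Helper"},
    # The domain admin account authenticates over the network to the DC from IIS01.
    {"ts": "2025-09-01T09:05:00", "host": "DC01", "id": 4624,
     "account": "CORP\\da-admin", "logon_type": 3, "source_host": "IIS01"},
    # Benign noise: svchost touching LSASS, a scheduled task under Program Files.
    {"ts": "2025-09-01T10:00:00", "host": "IIS01", "id": 10,
     "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"},
    {"ts": "2025-09-01T10:30:00", "host": "IIS01", "id": 4698,
     "task": "\\Backup\\Nightly", "command": "C:\\Program Files\\Backup\\bk.exe"},
]


def _untrusted(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_PATH_PREFIXES)


def detect(events):
    """Return (ts, host, rule, detail) tuples in event order; lingering-session
    alerts are emitted last because they need the end of the window."""
    alerts = []
    lingering = {}  # (host, account) -> ts of a 4779 with no later logoff
    for e in sorted(events, key=lambda x: x["ts"]):
        eid, host = e["id"], e["host"]
        if eid == 4698 and _untrusted(e["command"]):
            alerts.append((e["ts"], host, "scheduled-task-persistence", e["task"]))
        elif eid == 7045 and _untrusted(e["image_path"]):
            alerts.append((e["ts"], host, "service-persistence", e["service"]))
        elif (eid == 10 and e["target_image"].lower().endswith("\\lsass.exe")
              and e["source_image"] not in ALLOWED_LSASS_READERS):
            alerts.append((e["ts"], host, "lsass-access", e["source_image"]))
        elif eid in (4946, 4947):
            alerts.append((e["ts"], host, "firewall-rule-change", e["rule_name"]))
        elif eid == 4779 and e["account"] in PRIVILEGED_ACCOUNTS:
            lingering[(host, e["account"])] = e["ts"]
        elif eid in (4634, 4647, 4778):  # logoff or reconnect ends the exposure window
            lingering.pop((host, e["account"]), None)
        elif eid == 4624 and e["logon_type"] == 3 and (e["source_host"], e["account"]) in lingering:
            alerts.append((e["ts"], host, "privileged-logon-from-host-with-lingering-session", e["account"]))
    for (host, account), ts in lingering.items():
        alerts.append((ts, host, "lingering-privileged-rdp-session", account))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

The last rule is the one that matters for the case described above: a privileged account authenticating over the network from a server on which it only ever had a disconnected RDP session is the signature of credential material being reused from LSASS. The operational fix is to enforce session time limits so disconnected sessions are logged off, and to keep Domain Administrator accounts off member servers entirely.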

A Modular Persistence Ecosystem

Rather than relying on a single backdoor, Ink Dragon employs a collection of specialized components to maintain long-term access. Observed tooling includes:

  • ShadowPad Loader for decrypting and executing the ShadowPad core module in memory
  • CDBLoader, which abuses Microsoft's console debugger (cdb.exe) to execute shellcode and load encrypted payloads
  • LalsDumper for extracting LSASS memory
  • 032Loader for decrypting and running additional payloads
  • FINALDRAFT, a modernized remote administration tool that uses Outlook mailboxes, accessed through the Microsoft Graph API, as its command-and-control channel

Evolution of FINALDRAFT

The group has recently deployed a new FINALDRAFT variant built for greater stealth and faster data exfiltration. It adds evasion methods, supports multi-stage payload delivery, and enables covert lateral movement. Commands are delivered as encoded documents placed in the victim's mailbox; the implant polls the mailbox, retrieves each document, decrypts it, and executes the embedded command through a modular command framework.
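Both the mailbox polling described here and NANOREMOTE's use of the Google Drive API (see "Abuse of Cloud and Legitimate Services") ride on hosts that every enterprise already talks to, so destination blocking is not an option. What an implant cannot easily hide is its polling cadence. The following is an added example, not code from the page or the actor: it runs a simple beacon-regularity check over a constructed proxy log, flagging any client that requests the same cloud API path at near-constant intervals, while leaving a user's irregular Outlook traffic alone. The hosts, paths, addresses and thresholds are assumptions for illustration.

```python
"""Beacon-cadence detection for C2 over trusted cloud APIs.
Added example with a constructed proxy log; not the page's or the actor's code."""
import statistics
from datetime import datetime

# Cloud APIs the page describes being used as C2 transports.
CLOUD_API_HOSTS = {"graph.microsoft.com", "www.googleapis.com"}
MIN_REQUESTS = 6     # fewer requests than this cannot establish a cadence
MAX_JITTER = 0.15    # coefficient of variation (stdev/mean) of inter-request intervals

# Constructed proxy log: timestamp client destination method path user-agent.
PROXY_LOG = """\
2025-09-01T09:00:00Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:00:05Z 10.1.2.3 www.example.com GET / Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:01:02Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:02:01Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:02:59Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:04:00Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:05:03Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:06:01Z 10.1.2.3 graph.microsoft.com GET /v1.0/me/mailFolders/drafts/messages Microsoft Office/16.0
2025-09-01T09:00:00Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:05:00Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:10:01Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:14:59Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:20:00Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:25:00Z 10.1.2.5 www.googleapis.com GET /drive/v3/files?q=name%3D%27cmd%27 Mozilla/5.0 (Windows NT 10.0)
2025-09-01T09:00:10Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
2025-09-01T09:00:12Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
2025-09-01T09:03:45Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
2025-09-01T09:10:02Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
2025-09-01T09:10:03Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
2025-09-01T09:35:30Z 10.1.2.7 graph.microsoft.com GET /v1.0/me/messages Outlook/16.0
"""


def parse_proxy_log(text: str) -> dict:
    """Group request times by (client, host, path without query string)."""
    requests: dict = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, path, _ua = line.split(maxsplit=5)
        if host not in CLOUD_API_HOSTS:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        requests.setdefault((client, host, path.split("?")[0]), []).append(when)
    return requests


def detect_beacons(text: str) -> list:
    """Flag (client, host, path) groups polled at a near-constant interval."""
    hits = []
    for (client, host, path), times in sorted(parse_proxy_log(text).items()):
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean else float("inf")
        if cv <= MAX_JITTER:
            hits.append({"client": client, "host": host, "path": path,
                         "count": len(times), "mean_interval": mean, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(PROXY_LOG):
        print(f"{hit['client']} -> {hit['host']}{hit['path']}: "
              f"{hit['count']} requests every {hit['mean_interval']:.0f}s (cv={hit['cv']:.3f})")
```

Cadence alone produces false positives from legitimate sync clients, so in practice the hit list is joined with the process that made the request (from the endpoint agent) and with the tenant or account the token belongs to: a Graph call from a process that is not Outlook, or to a mailbox outside the organisation's tenant, is the stronger signal.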

Overlap With Other Threat Actors

Investigators have also identified traces of another China-aligned group, REF3927, also known as RudePanda, in several environments compromised by Ink Dragon. There is no evidence of coordination between the two, and the overlap is believed to stem from both actors exploiting similar initial access vectors rather than sharing infrastructure or operations.

A New Threat Model for Defenders

Ink Dragon blurs the traditional line between infected hosts and command infrastructure. Each compromised system becomes a functional node in an attacker-controlled mesh that expands with every new victim. For defenders, this means that containment cannot focus solely on individual systems. Effective disruption requires identifying and dismantling the entire relay chain. Ink Dragon's relay-centric use of ShadowPad is one of the most mature relay architectures observed so far, effectively turning victim networks themselves into the backbone of long-term, multi-organizational espionage campaigns.
