China-linked Ink Dragon group targets European government networks, Check Point says

Security researchers tracking a China-aligned cluster known as Ink Dragon – also linked to the Jewelbug set of activity – say the actor has increasingly focused on government targets in Europe since July 2025 while continuing operations against organisations in Southeast Asia and South America. The cluster has been active since at least March 2023 and is referenced under multiple names in the security community.

In a technical breakdown published Tuesday, Check Point Research said the group combines disciplined operational playbooks with reuse of platform-native tools to blend into normal enterprise telemetry, making intrusions effective and stealthy. Eli Smadja, group manager of Products R&D at Check Point Software, told reporters the activity is ongoing and has impacted several dozen victims, including government entities and telecommunications organisations across Europe, Asia and Africa.

Researchers have linked the cluster to the use of the FINALDRAFT (aka Squidoor) backdoor, capable of infecting Windows and Linux systems, and to intrusion chains that drop web shells on vulnerable internet-facing applications. Those web shells have been used to stage additional payloads such as VARGEIT and Cobalt Strike beacons to facilitate command-and-control, discovery, lateral movement, defence evasion and data exfiltration.

Check Point reported that operators have abused predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against IIS and SharePoint servers and then installed a custom ShadowPad IIS Listener module to turn compromised servers into relay nodes for their C2 infrastructure. The firm said this relay-centric design lets attackers route traffic across different victim networks and reuse breached assets to improve resilience.
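The machine-key abuse described above works because an attacker who knows a server's `validationKey`/`decryptionKey` can forge ViewState that the server accepts as its own. A first defensive check is therefore to audit each IIS application's `web.config` for the settings that make this easier: hard-coded keys that have been copied between environments or left unrotated, weak validation algorithms, and ViewState MAC disabled. The script below is an added example written for this article, not code from Check Point or from the report; the two `web.config` fragments are constructed samples with placeholder key values, and the `audit_machine_key` function name and the finding strings are this example's own.

```python
"""
Audit an ASP.NET web.config for machineKey settings that weaken ViewState
integrity protection.  Added example; not part of the Check Point report.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a static machineKey (placeholder hex, not a real key)
# with a legacy SHA1 validation algorithm and ViewState MAC switched off.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample: keys auto-generated per application, HMAC-SHA256 MAC.
SAFER_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Validation algorithms that ASP.NET still accepts but that should be
# replaced by an HMAC-SHA2 family member.
LEGACY_VALIDATION = {"MD5", "SHA1"}


def audit_machine_key(config_xml: str) -> List[str]:
    """Return a list of human-readable findings for one web.config document."""
    findings: List[str] = []
    root = ET.fromstring(config_xml)

    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Absent attribute means the framework default, which auto-generates.
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                # Static keys are legitimate for web farms, but they are secrets:
                # they must be unique per application and rotated if exposed.
                findings.append(
                    f"static {attr}: treat as a secret; confirm it is unique "
                    f"to this application and has a rotation owner"
                )
        if mk.get("validation", "").upper() in LEGACY_VALIDATION:
            findings.append(
                f"validation={mk.get('validation')}: legacy algorithm, "
                f"prefer HMACSHA256 or stronger"
            )

    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # Patched frameworks ignore this setting, but its presence still marks a
        # configuration that was tuned to skip ViewState integrity checks.
        findings.append(
            "enableViewStateMac=false: ViewState integrity check disabled in config"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("safer", SAFER_CONFIG)):
        print(f"[{label}]")
        for finding in audit_machine_key(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against every `web.config` under the IIS site roots (including SharePoint web applications, which carry their own), and compare the static key values across hosts: the same key appearing on more than one unrelated server is exactly the "mismanaged" condition the report describes, since a single exposure then covers all of them.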

Investigators described a modular toolkit rather than a single monolithic implant, naming components observed in intrusions including a ShadowPad Loader, CDBLoader that leverages the Microsoft Console Debugger, LalsDumper for extracting LSASS memory, a 032Loader and multiple FINALDRAFT variants. Check Point noted a new FINALDRAFT variant with enhanced stealth and higher exfiltration throughput that implements a modular command framework in which operators push encoded command documents to a victim mailbox for the implant to pull and execute.

The company also detected evidence of a separate actor known as REF3927 on several of the same victim environments but found no indication the clusters were operationally linked. Researchers warned defenders to treat each compromised host as a potential node in an attacker-managed relay network and to seek full dismantling of the relay chain rather than simply removing single footholds.