Classification: TLP:CLEAR
Analyst: AI Threat Intelligence
Date: 2025-12-19
EXECUTIVE SUMMARY
- Assessment: INK DRAGON is assessed as PRC‑aligned with MEDIUM confidence.
- Observed tooling: SHADOWPAD (modular backdoor with IIS listener relays) and FINALDRAFT (cloud‑mail / Microsoft Graph C2 using PATHLOADER helper).
- Risk: HIGH for government, diplomatic, and telecommunications sectors due to targeted espionage, covert cloud‑mail C2, and relay-capable web server modules.
- Immediate Actions: Ingest vendor STIX/IOC packs, isolate file‑hash IOCs, monitor Microsoft Graph/Outlook drafts, and block communications to verified malicious IPs/domains.
INVESTIGATION OBJECTIVE & METHODOLOGY
- Objective: Investigate reports that a China‑linked cluster ("Ink Dragon") leveraged SHADOWPAD and FINALDRAFT to target government entities; produce a validated timeline, TTP synthesis, and attribution assessment.
- Scope: Open‑source and commercial reporting through 2025‑12‑19.
- Sources: Check Point, Elastic, Trend Micro, Secureworks, ESET, CISA AA25‑239A, and commercial enrichment feeds.
- Methodology: Collection, IOC extraction (defanged), threat‑feed enrichment, MITRE ATT&CK mapping, attribution evaluation, and factual validation review. Numeric enrichment claims remain provisional until raw outputs are verified.
EVIDENCE‑BASED FINDINGS
High Confidence
- SHADOWPAD is actively used in espionage campaigns by PRC‑aligned clusters. Confidence: HIGH.
- File‑hash IOCs mapped to SHADOWPAD/FINALDRAFT; multi‑engine detections confirm linkages. Confidence: HIGH.
Medium Confidence
- FINALDRAFT abuses Microsoft Graph/Outlook drafts for covert C2/exfiltration. Confidence: MEDIUM–HIGH.
- Ink Dragon’s IIS Listener relay networks reuse compromised IIS/SharePoint servers. Vendor naming varies (Ink Dragon, Earth Alux, Jewelbug, REF7707). Confidence: MEDIUM.
- Infrastructure relies on short‑lived typosquat domains and delegated subdomain providers (e.g., epac[.]to). Confidence: MEDIUM.
Low / Insufficient Confidence
- Numeric enrichment values (VT counts, STIX IDs, ASN metadata) pending review of raw enrichment JSON. Confidence: LOW.
MITRE ATT&CK TTP TABLE
| MITRE ATT&CK ID | Technique | Representative Evidence (defanged) | Primary Sources | Confidence | Detection / Hunting Guidance |
|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Exploitation of IIS/SharePoint to deploy relay modules. Hash: 2e84ea5c…ff72 | Check Point, Secureworks | MEDIUM | Monitor w3wp.exe module loads, ISAPI handlers, and modified web.config files. |
| T1574.001 | DLL Side-Loading | Signed binaries loading SHADOWPAD loaders (e2f6e722…1ffa). | Trend Micro, Secureworks | HIGH | Alert on signed executables loading DLLs from non-standard or user-writable paths. |
| T1071.001 | Application Layer Protocol: Web (HTTP/S) | FINALDRAFT and SHADOWPAD C2 over HTTPS (abuse of Microsoft Graph). | Elastic, Check Point | HIGH | Detect Microsoft Graph API anomalies; monitor token usage; block typosquat domains. |
| T1567.002 | Exfiltration to Cloud Storage / Web Service | FINALDRAFT exfiltration via Outlook drafts using stolen OAuth tokens. | Elastic | HIGH | Hunt for repeated draft create/delete activity and abnormal mailbox API usage. |
| T1041 | Exfiltration Over C2 Channel | Encrypted blob transfers over HTTP/S channels. | Elastic, Check Point | HIGH | Detect repeated POSTs with high-entropy AES-encrypted payloads. |
| T1059.001 | PowerShell | Encoded PowerShell execution observed in loader stages. | Trend Micro | MEDIUM | Alert on obfuscated PowerShell usage (-enc, Base64 payloads, IEX patterns). |
| T1547 | Registry Run Keys / Startup Persistence | FINALDRAFT stores UUID configuration under HKCU/HKLM\…\Explorer. | Elastic | MEDIUM | Hunt for suspicious UUID-like registry values in Run/Explorer keys. |
| T1016 / T1087 | Discovery (Network & Account Enumeration) | SHADOWPAD modules enumerate network configuration and accounts. | ESET, Secureworks | MEDIUM | Monitor SMB/LDAP enumeration anomalies and unusual account discovery patterns. |
| T1210 | Exploitation of Remote Services | Pivoting via compromised web servers using RDP or HTTPAPI. | Protos, CISA | MEDIUM | Review firewall and server logs for unexpected external RDP/HTTPAPI access. |
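Hunting logic for the T1190 and T1574.001 rows above, added here as an illustration and not taken from the report or from any vendor it cites. It walks Sysmon-style image-load records (Event ID 7 field names, constructed sample data) and flags w3wp.exe loading modules from outside trusted directories, and binaries installed in trusted locations loading DLLs from user-writable or non-standard paths. The trusted-directory list, the user-writable-path pattern and the System32 DLL name set are assumptions to be tuned per environment; Sysmon Event 7 does not record the loading process's own signature, so the install location stands in for it.

```python
"""Hunt for IIS worker-process module loads and DLL side-loading from user-writable paths.

Added example, not code from the report or from any vendor it cites. Input records carry
Sysmon Event ID 7 (ImageLoad) field names; the records themselves are constructed.
"""
import re

# Directories in which a trusted process is expected to find its DLLs.
# Assumption: a default Windows layout; extend with your own software install roots.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Locations a low-privileged account can normally write to (assumption; tune per host).
USER_WRITABLE_RE = re.compile(r"^c:\\(users\\|programdata\\|windows\\temp\\)")

# DLL names normally shipped in System32 whose presence elsewhere suggests a side-load
# (illustrative subset, not an exhaustive list).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptsp.dll"}


def is_trusted_dir(path: str) -> bool:
    """True when the path sits under one of the trusted DLL directories."""
    return path.lower().startswith(TRUSTED_DLL_DIRS)


def hunt(events):
    """Return (technique, reason, loaded_image) findings for suspicious image loads.

    Rule 1 (T1190 guidance): w3wp.exe loading a module from outside trusted directories,
    the shape an in-process IIS relay module would take.
    Rule 2 (T1574.001 guidance): a process installed in a trusted location loading a DLL
    from a non-standard or user-writable path. The install location stands in for the
    process's own signature, which Sysmon Event 7 does not record.
    """
    findings = []
    for ev in events:
        proc = ev["Image"].lower()
        dll = ev["ImageLoaded"].lower()
        proc_name = proc.rsplit("\\", 1)[-1]
        dll_name = dll.rsplit("\\", 1)[-1]

        if proc_name == "w3wp.exe" and not is_trusted_dir(dll):
            findings.append(("T1190", "w3wp.exe loaded a module outside trusted directories",
                             ev["ImageLoaded"]))
            continue

        if is_trusted_dir(proc) and not is_trusted_dir(dll):
            reason = ("DLL loaded from user-writable path" if USER_WRITABLE_RE.match(dll)
                      else "DLL loaded from non-standard path")
            if dll_name in SYSTEM_DLL_NAMES:
                reason += " (name collides with a System32 DLL)"
            if ev.get("Signed", "").lower() != "true":
                reason += ", unsigned"
            findings.append(("T1574.001", reason, ev["ImageLoaded"]))
    return findings


# Constructed Sysmon-style events (Event ID 7 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\System32\inetsrv\iisutil.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\bin\relaymod.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleVendor\updater.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleVendor\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for technique, reason, image in hunt(SAMPLE_EVENTS):
        print(f"{technique}: {reason} -> {image}")
```

Run against the constructed events, the first w3wp.exe load (a System32 DLL) and the updater's load of the genuine System32 version.dll produce nothing, while the inetpub module and the version.dll copy under C:\Users\Public are reported under their respective technique IDs.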
KILL CHAIN OVERVIEW
- Reconnaissance: Identify vulnerable IIS/SharePoint systems in diplomatic networks.
- Initial Access: Exploit public‑facing applications or supply‑chain compromise.
- Execution/Persistence: PATHLOADER retrieves encrypted payloads; SHADOWPAD maintains persistence via services, tasks, and registry entries.
- C2 & Exfiltration: FINALDRAFT uses Microsoft Graph/Outlook drafts; SHADOWPAD operates custom HTTP/S C2 via IIS relays.
- Lateral Movement: Relay‑enabled pivoting; occasional ransomware side‑effects.
THREAT ACTOR PROFILE: INK DRAGON
- Attribution: PRC‑aligned (MEDIUM confidence).
- Aliases: Earth Alux, Jewelbug, REF7707, CL‑STA‑0049 (per Check Point).
- Observed TTPs: SHADOWPAD IIS relays, PATHLOADER, FINALDRAFT, registry UUID persistence, typosquat domains.
- Target Sectors: Government, diplomacy, foreign policy, telecom.
RISK ASSESSMENT
| Factor | Rating | Justification |
|---|---|---|
| Impact | HIGH | Potential theft of sensitive policy documents and the establishment of sustained access within affected environments. |
| Likelihood | HIGH | Active campaigns observed targeting organizations in Asia and Europe, indicating continued operational activity. |
| Confidence | MEDIUM | Assessment corroborated by multiple security vendors; some technical details and telemetry remain unverified. |
MITIGATION STRATEGIES
Priority 1 (Immediate)
- Ingest vendor STIX/IOC packs (CISA AA25‑239A, Elastic, Trend Micro, Check Point).
- Hunt for SHA256 hashes on endpoints; isolate matches.
- Monitor Graph API/Outlook drafts for unusual token grants or polling.
- Block egress to 45[.]61[.]151[.]12, 103[.]169[.]91[.]231, and other verified IPs.
Priority 2 (Short Term)
- Deploy YARA/EDR rules for SHADOWPAD and FINALDRAFT.
- Add DNS blocklists for parent domains; evaluate sinkholing for epac[.]to.
- Audit IIS/SharePoint modules and enable advanced logging.
Priority 3 (Long Term)
- Implement conditional access and MFA for all OAuth apps.
- Integrate passive DNS and certificate transparency monitoring.
- Restrict Internet‑exposed management services; use VPN+MFA.
DETECTION OPPORTUNITIES
- EDR/YARA: Detect PATHLOADER AES decryption and shellcode.
- SIEM: Correlate Graph token refresh + draft creation + external HTTP retrieval.
- IDS: Flag HTTP beacons to typosquat domains.
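The SIEM correlation above (token refresh + draft creation + external HTTP retrieval) and the T1567.002 hunting guidance in the TTP table describe one detection; the following is an added example of it, not code from the report or from Elastic. It assumes events have already been normalised into a single schema (ts, user, source, op, optional folder/detail); mapping real Exchange mailbox-audit, sign-in and proxy logs onto that schema is left to the SIEM, and the window and cycle threshold are assumptions to tune per tenant. The sample events are constructed.

```python
"""Correlate Outlook-draft churn with token refreshes and outbound HTTP retrieval.

Added example, not code from the report or from Elastic. It assumes events have already
been normalised into one schema (ts, user, source, op, plus optional fields); mapping
real Exchange mailbox-audit, sign-in and proxy logs onto that schema is left to the SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # analysis window (assumption; tune per tenant)
MIN_DRAFT_CYCLES = 4             # create+delete pairs needed to alert (assumption)


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events, window=WINDOW, min_cycles=MIN_DRAFT_CYCLES):
    """Return one alert per user whose Drafts folder shows >= min_cycles create/delete
    pairs inside `window`; severity rises to high when a token refresh and an external
    HTTP retrieval by the same user fall within `window` of the burst."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        drafts = [e for e in evs
                  if e["source"] == "mailbox_audit" and e.get("folder") == "Drafts"]
        for i, first in enumerate(drafts):
            t0 = _ts(first)
            burst = [e for e in drafts[i:] if _ts(e) - t0 <= window]
            creates = sum(e["op"] == "Create" for e in burst)
            deletes = sum(e["op"] in ("SoftDelete", "HardDelete") for e in burst)
            cycles = min(creates, deletes)
            if cycles < min_cycles:
                continue
            # Look one window back and forward for the supporting signals.
            nearby = [e for e in evs if t0 - window <= _ts(e) <= t0 + window]
            token = any(e["source"] == "signin" and e["op"] == "token_refresh" for e in nearby)
            http = any(e["source"] == "proxy" and e["op"] == "http_get" for e in nearby)
            alerts.append({
                "technique": "T1567.002",
                "user": user,
                "window_start": t0.isoformat(),
                "draft_cycles": cycles,
                "token_refresh": token,
                "external_http": http,
                "severity": "high" if (token and http) else "medium",
            })
            break  # one alert per user per run
    return alerts


def _draft_cycle(user, minute):
    """Constructed create/delete pair 30 seconds apart (sample data, not real logs)."""
    return [
        {"ts": f"2025-12-18T09:{minute:02d}:00", "user": user, "source": "mailbox_audit",
         "op": "Create", "folder": "Drafts"},
        {"ts": f"2025-12-18T09:{minute:02d}:30", "user": user, "source": "mailbox_audit",
         "op": "HardDelete", "folder": "Drafts"},
    ]


# Constructed events: one user shows the FINALDRAFT-style pattern, one does not.
SUSPECT = "policy.officer@example.org"
BENIGN = "colleague@example.org"
SAMPLE_EVENTS = [
    {"ts": "2025-12-18T09:00:05", "user": SUSPECT, "source": "signin", "op": "token_refresh",
     "detail": "client_app_id=<placeholder>, user_agent=non-browser"},
    *[e for m in range(1, 6) for e in _draft_cycle(SUSPECT, m)],
    {"ts": "2025-12-18T09:03:12", "user": SUSPECT, "source": "proxy", "op": "http_get",
     "detail": "host=poster.checkponit[.]com (one of the report's confirmed domains)"},
    {"ts": "2025-12-18T09:02:00", "user": BENIGN, "source": "mailbox_audit", "op": "Create",
     "folder": "Drafts"},
    {"ts": "2025-12-18T09:20:00", "user": BENIGN, "source": "mailbox_audit", "op": "Update",
     "folder": "Drafts"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Draft churn alone yields a medium alert; the same burst flanked by a non-browser token refresh and a retrieval from an external host is escalated to high, which keeps ordinary users who save and discard a few drafts below the threshold while surfacing the automated create/delete rhythm the table describes.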
EVIDENCE GAPS & LIMITATIONS
- Missing raw enrichment outputs (VirusTotal, Shodan, WhoisXML) prevent numeric validation.
- ASN discrepancies (e.g., 45[.]61[.]151[.]12) require historical verification.
- Vendor naming divergences (Ink Dragon vs Earth Alux vs REF7707) noted.
INDICATORS OF COMPROMISE (DEFANGED)
Domains (confirmed):
poster.checkponit[.]com, support.vmphere[.]com, update.hobiter[.]com
Domains (uncorroborated):
updata.dsqurey[.]com, dscriy.chtq[.]net, sery.brushupdata[.]com, billing.epac[.]to, vsmrcil.casacam[.]net, www[.]cloudvn[.]info, stratorpriv.lubni23[.]com
IPs: 45[.]61[.]151[.]12, 103[.]169[.]91[.]231, 1[.]222[.]84[.]29, 23[.]227[.]202[.]253, 167[.]88[.]173[.]252, 172[.]86[.]106[.]15
Hashes: 2e84ea5c...ff72, e2f6e722...1ffa, f9dd0b57...00c1, 9a11d6fc...853bcf, 39e85de1...59530, 83406905...28cc8c
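To turn the defanged list above into blocklists, the following added example (not code from the report) refangs each indicator, validates its shape, and keeps the report's own confidence split: confirmed domains and IPs are queued for blocking, uncorroborated domains for monitoring, and the truncated hashes (which cannot be matched on an endpoint) are routed to a not-actionable list rather than silently dropped or padded out. The input is the IOC section as published; the list names are the example's own.

```python
"""Refang, validate and sort the report's defanged IOCs into actionable lists.

Added example, not code from the report. It consumes the IOC section above as published;
the truncated hashes it contains (e.g. "2e84ea5c...ff72") cannot be matched on an endpoint
and are routed to a not-actionable list rather than dropped or guessed at.
"""
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TRUNCATED_HASH_RE = re.compile(r"^[0-9a-f]{4,}\.\.\.[0-9a-f]{4,}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# The report's own IOC section, copied as published (defanged).
REPORT_IOCS = {
    "domains_confirmed": "poster.checkponit[.]com, support.vmphere[.]com, update.hobiter[.]com",
    "domains_uncorroborated": ("updata.dsqurey[.]com, dscriy.chtq[.]net, sery.brushupdata[.]com, "
                               "billing.epac[.]to, vsmrcil.casacam[.]net, www[.]cloudvn[.]info, "
                               "stratorpriv.lubni23[.]com"),
    "ips": ("45[.]61[.]151[.]12, 103[.]169[.]91[.]231, 1[.]222[.]84[.]29, "
            "23[.]227[.]202[.]253, 167[.]88[.]173[.]252, 172[.]86[.]106[.]15"),
    "hashes": ("2e84ea5c...ff72, e2f6e722...1ffa, f9dd0b57...00c1, "
               "9a11d6fc...853bcf, 39e85de1...59530, 83406905...28cc8c"),
}


def refang(token: str) -> str:
    """Undo the common defanging conventions used in CTI reports."""
    return (token.strip().lower()
            .replace("…", "...")
            .replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").replace("hxxp", "http"))


def classify(token: str):
    """Return (kind, value): kind is ip, sha256, domain, truncated_hash or unknown."""
    v = refang(token)
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "sha256", v
    if TRUNCATED_HASH_RE.match(v):
        return "truncated_hash", token.strip()   # keep as published; never pad it out
    if DOMAIN_RE.match(v):
        return "domain", v
    return "unknown", token.strip()


def build_blocklists(iocs: dict) -> dict:
    """Sort IOCs into block / monitor / not-actionable lists by kind and confidence tag."""
    lists = {"block_ips": [], "block_domains": [], "monitor_domains": [],
             "block_sha256": [], "not_actionable": []}
    for section, text in iocs.items():
        for raw in (t for t in text.split(",") if t.strip()):
            kind, value = classify(raw)
            if kind == "ip":
                lists["block_ips"].append(value)
            elif kind == "domain":
                # Only confirmed domains go straight to blocking; the rest are watched.
                key = "block_domains" if section == "domains_confirmed" else "monitor_domains"
                lists[key].append(value)
            elif kind == "sha256":
                lists["block_sha256"].append(value)
            else:
                lists["not_actionable"].append((kind, value))
    return lists


if __name__ == "__main__":
    for name, items in build_blocklists(REPORT_IOCS).items():
        print(f"{name} ({len(items)}): {items}")
```

On the published section this yields six IPs and three domains for blocking, seven domains for monitoring, no usable SHA256 values, and six truncated hashes flagged as not actionable, which is the same gap the Evidence Gaps section records and the reason the full hashes should be pulled from the vendor STIX packs before the endpoint hunt.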
SOURCES & REFERENCES
- Vendor Reports: Check Point (Ink Dragon / Earth Alux / REF7707), Elastic Security Labs (FINALDRAFT / Graph API C2), Trend Micro, Secureworks, ESET.
- Government: CISA AA25‑239A multi‑agency advisory.
- Feeds: VirusTotal, Shodan, WhoisXML, Protos Threat Feed.