Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
ID: 04ee616a-34c4-55cc-8c9a-6a2eb0a0b549
STIX ID: report--04ee616a-34c4-55cc-8c9a-6a2eb0a0b549
Feed Name: Check Point Research
Check Point Research details a sophisticated, PRC‑aligned espionage cluster called Ink Dragon that exploits ASP.NET ViewState deserialization and recent ToolShell SharePoint flaws to compromise government and public‑sector IIS/SharePoint servers across Southeast Asia, South America, Africa, and increasingly Europe. The actor installs ShadowPad IIS Listener modules to convert victims into a distributed relay (C2) mesh, deploys loaders and credential‑harvesting tools (e.g., LalsDumper, CDBLoader, 032Loader), and uses a refined FinalDraft RAT with Microsoft Graph mailbox C2 for stealthy exfiltration and long‑term persistence; the report includes detailed TTPs, forensic artifacts, and multiple file/hash IOCs.
