China's Ink Dragon hides out in European government networks
Briefly

"These attacks begin with Ink Dragon probing security weaknesses, such as misconfigured Microsoft IIS and SharePoint servers, to gain access to victims' environments. This tactic, as opposed to abusing zero-days or other high-profile vulnerabilities, helps attackers fly under the radar and reduces their chances of being caught. Ink Dragon then scoops up credentials and uses existing accounts to infiltrate targets, tactics that help the gang blend in with normal network traffic."
"Once Ink Dragon finds an account with domain-level access, the spies set to work establishing long-term access across high-value systems, installing backdoors and implants that store credentials and other sensitive data. In addition to their new targets and relay node activity, Check Point says the cyber spies have also updated their FinalDraft backdoor so that it blends in with common Microsoft cloud activity, hiding its command traffic inside mailbox drafts."
"The campaign has hit "several dozen victims," Check Point Software group manager Eli Smadja told The Register. This includes government entities and telecommunications organizations across Europe, Asia, and Africa. "While we cannot disclose the identities or specific countries of affected entities, we observed the actor beginning relay-based operations in the second half of 2025, followed by a gradual expansion in victim coverage from each relay over time," Smadja said."
Ink Dragon expanded operations into European government and telecommunications networks, compromising servers to create illicit relay nodes used for broader snooping. The campaign affected several dozen victims across Europe, Asia, and Africa; relay-based operations began in the second half of 2025, with victim coverage expanding gradually from each relay. Attacks start by probing misconfigured Microsoft IIS and SharePoint servers rather than exploiting zero-days, which keeps the initial access low-profile. The group harvests credentials and uses existing accounts to blend in with normal traffic, then establishes long-term access once it holds a domain-level account, installs backdoors and implants, and has updated FinalDraft so that its command traffic is hidden in mailbox drafts and is sent during business hours.
Read at Theregister