Check Point Research attributes a sustained espionage campaign to the Chinese-aligned cluster Ink Dragon that exploits ASP.NET ViewState deserialization and ToolShell SharePoint vulnerabilities to gain initial access and then deploys ShadowPad IIS listener modules and FinalDraft implants to build a distributed relay and cloud-backed C2 fabric. The operator harvests credentials (LSASS dumps, IIS worker accounts), uses RDP/SMB lateral movement, DLL sideloading, debugger-based loaders, scheduled tasks/services for persistence, and turns victims into active C2 relay nodes. #InkDragon #ShadowPad
Keypoints
- Ink Dragon exploits predictable ASP.NET machineKey/ViewState deserialization and the ToolShell SharePoint vulnerability for initial unauthenticated remote code execution and web shell deployment.
- Attackers deploy a ShadowPad IIS Listener Module that registers URL prefixes via HttpAddUrl to intercept HTTP(S) traffic, decrypt commands, and create a distributed relay network that forwards traffic between compromised victims.
- The actor converts compromised servers into persistent C2/relay nodes while also running full backdoor functionality (file operations, process/service control, reconnaissance) on those hosts.
- Post-exploitation activity includes credential harvesting (LSASS dumping with LalsDumper), RDP tunneling/proxying, SMB-based propagation, debugger-hosted loaders (cdb.exe), and DLL sideloading triads that execute payloads in memory.
- Persistence and evasion techniques observed: scheduled tasks (e.g., SYSCHECK), disguised Windows services, signed-but-misused binaries, direct syscalls, and security-control downgrades (DisableRestrictedAdmin, DisableRunAsPPL).
- FinalDraft variants use Microsoft Graph/Outlook (COutlookTrans) as a cloud-backed C2/exfiltration channel, support granular beacon scheduling, RDP-history harvesting, and high-throughput background file transfer.
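The initial-access path above works only because the ViewState signing key is known to the attacker, either hard-coded from a public template or taken from a disclosed-key list. The checker below is an added example, not part of Check Point's report or tooling; it audits a web.config for a static or disclosed machineKey, a weak validation algorithm and a disabled ViewState MAC. The sample config, the placeholder KNOWN_DISCLOSED_KEYS set and the function name audit_machine_key are constructed for the illustration.

```python
"""Audit an ASP.NET web.config for machineKey / ViewState settings that make
ViewState deserialization feasible.  Added illustration, not Check Point code."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a static, hard-coded machineKey, the pattern that becomes
# exploitable once the same key appears in a public sample or template.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Placeholder set: populate from the publicly disclosed machine-key list
# (not reproduced here); the single entry is the constructed sample key above.
KNOWN_DISCLOSED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Return findings; an empty list means nothing ViewState-related stood out."""
    findings: List[str] = []
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    pages = root.find("system.web/pages")

    if mk is not None:
        vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
        dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
        for name, val in (("validationKey", vkey), ("decryptionKey", dkey)):
            # A static key is only as secret as every place it has been copied to.
            if not val.startswith("AutoGenerate"):
                findings.append(f"WARN: static {name}; anyone holding it can forge signed ViewState")
        if vkey in KNOWN_DISCLOSED_KEYS or dkey in KNOWN_DISCLOSED_KEYS:
            findings.append("CRIT: machineKey matches a publicly disclosed key; rotate now")
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in WEAK_VALIDATION:
            findings.append(f"WARN: validation={validation}; use HMACSHA256 or stronger")

    # Disabling the MAC removes the signature check entirely (older frameworks honour it).
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRIT: enableViewStateMac=false; ViewState is not integrity-checked")
    return findings


if __name__ == "__main__":
    for line in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(line)
```

The hardened form for a single server is the framework default, `validationKey="AutoGenerate,IsolateApps"` with `validation="HMACSHA256"`; on a web farm, where the key must be shared, generate a unique key per deployment, keep it out of source control and rotate it whenever it may have leaked.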
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used for initial access via ViewState deserialization and SharePoint ToolShell exploits to achieve RCE. (‘…exploitation of ASP.NET ViewState deserialization via publicly disclosed machine keys.’)
- [T1505.003] Web Shell – Web shell deployment observed on vulnerable SharePoint/IIS servers after exploitation. (‘…unauthenticated remote code execution and web shell deployment on vulnerable servers.’)
- [T1078] Valid Accounts – Harvesting and reuse of IIS worker/app-pool credentials and other service accounts to authenticate across sibling hosts. (‘…IIS worker/app-pool account password or other local secrets that carry elevated rights…’)
- [T1003.001] LSASS Memory – Operators created compressed LSASS dumps via LalsDumper to extract NTLM hashes and Kerberos material for offline cracking and reuse. (‘…create LSASS dumps and extract registry hives (SAM, SYSTEM) into ProgramData or user-profile directories for offline cracking.’)
- [T1134] Access Token Manipulation – Extraction and reuse of authenticated tokens from idle RDP sessions to perform authenticated SMB operations and access privileged resources. (‘…extracted the token (and possibly the NTLM key material), and reused it to perform authenticated SMB operations.’)
- [T1021.001] Remote Services (RDP) – Tunneling and proxying RDP traffic for interactive lateral movement and session hijacking. (‘…tunnel RDP traffic to reach internal hosts from a remote workstation, exposing their machine names and enabling direct, interactive sessions…’)
- [T1021.002] SMB – Lateral propagation and payload staging using native Windows file shares and SMB to copy triad payloads and create services/scheduled tasks. (‘…stage a resilient implant… propagate it using native protocols such as SMB.’)
- [T1543.003] Create or Modify System Process: Windows Service – Installing disguised Windows services (e.g., WindowsTempUpdate) to ensure loader execution as SYSTEM. (‘…installed services to launch their loaders as persistent system services…’)
- [T1053.005] Scheduled Task/Job – Use of one-shot and scheduled tasks (e.g., SYSCHECK) to bootstrap re-execution while minimizing noisy callbacks. (‘…created tasks with benign-looking names (notably SYSCHECK) set to run under SYSTEM…’)
- [T1574.001] DLL Side-Loading – Triad sideloading structure (EXE + malicious DLL + encrypted TMP) where legitimate executables load malicious DLLs that decrypt and run payloads in memory. (‘…recurring triad sideloading structure: an executable, a malicious DLL, and an encrypted TMP payload.’)
- [T1218] Signed Binary Proxy Execution – Abusing signed utilities (cdb.exe) as execution hosts to run scripted memory patches and shellcode, reducing on-disk indicators. (‘…leveraging the Microsoft debugger (cdb.exe) as an execution host.’)
- [T1055] Process Injection – Memory-patch/write-bytes techniques and shellcode injection used by debugger scripts and loaders to map and execute payloads in-process. (‘…contains a sequence of memory-edit / write-bytes commands followed by a change to the instruction pointer… shellcode… loads the real payload into memory for execution.’)
- [T1071.001] Application Layer Protocol: Web Protocols – ShadowPad IIS Listener and other C2 channels use HTTP(S) endpoints and registered URL prefixes (HttpAddUrl) for covert communication. (‘…register new URL listeners directly through the HttpAddUrl API…’)
- [T1041] Exfiltration Over C2 Channel – FinalDraft and BackgroundFileTransfer stream and exfiltrate data via cloud-backed channels and C2 messaging (mail drafts via Microsoft Graph). (‘…BackgroundFileTransfer introduces a dedicated asynchronous worker for large-scale exfiltration…’ and ‘FinalDraft uses the Microsoft Graph API… to hide command-and-control traffic inside legitimate cloud mail flows.’)
- [T1562.001] Disable or Modify Security Tools – Commands that weaken host defenses and protections (DisableRunAsPPL, DisableRestrictedAdmin, DisableTokenFiltering) to enable tampering and lateral actions. (‘…DisableRestrictedAdmin… DisableTokenFiltering… DisableRunAsPPL…’)
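The persistence names (SYSCHECK, WindowsTempUpdate) and the three defense downgrades listed above are all visible in standard Windows telemetry. The detector below is an added example, not Check Point's code: it runs three rules over a constructed batch of Sysmon registry events (EventID 13), System service-install events (7045) and Security task-creation events (4698). Mapping the report's command names to the registry values RunAsPPL, DisableRestrictedAdmin and LocalAccountTokenFilterPolicy is this example's assumption, and the host names and paths in SAMPLE_EVENTS are constructed.

```python
"""Detect the security-control downgrades and persistence names from the
Ink Dragon summary in Windows event records.  Added illustration; the
command-name -> registry-value mapping is an assumption, not from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed registry targets behind the report's DisableRestrictedAdmin,
# DisableRunAsPPL and DisableTokenFiltering commands (lower-cased for matching).
REGISTRY_DOWNGRADES = {
    # Restricted Admin mode enabled (0): RDP accepts NTLM hashes instead of passwords
    r"hklm\system\currentcontrolset\control\lsa\disablerestrictedadmin": (0, "RestrictedAdmin enabled"),
    # LSA protection off (0): LSASS no longer runs as a protected process
    r"hklm\system\currentcontrolset\control\lsa\runasppl": (0, "LSA PPL disabled"),
    # Remote UAC token filtering off (1): local admins get full tokens over the network
    r"hklm\software\microsoft\windows\currentversion\policies\system\localaccounttokenfilterpolicy": (1, "token filtering disabled"),
}
SUSPICIOUS_TASK_NAMES = {"syscheck"}               # task name from the report
SUSPICIOUS_SERVICE_NAMES = {"windowstempupdate"}   # service name from the report


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def evaluate(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        host, src, eid = ev["host"], ev["source"], ev["event_id"]
        if src == "Sysmon" and eid == 13:           # RegistryEvent: value set
            hit = REGISTRY_DOWNGRADES.get(ev["target_object"].lower())
            if hit and _dword(ev["details"]) == hit[0]:
                alerts.append(Alert("T1562.001 " + hit[1], host,
                                    f"{ev['image']} set {ev['target_object']}"))
        elif src == "System" and eid == 7045:       # new service installed
            if ev["service_name"].lower() in SUSPICIOUS_SERVICE_NAMES:
                alerts.append(Alert("T1543.003 suspicious service", host,
                                    f"{ev['service_name']} -> {ev['image_path']}"))
        elif src == "Security" and eid == 4698:     # scheduled task created
            name = ev["task_name"].rsplit("\\", 1)[-1].lower()
            if name in SUSPICIOUS_TASK_NAMES:
                alerts.append(Alert("T1053.005 suspicious task", host, ev["task_name"]))
    return alerts


# Constructed sample events (not from the report); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"host": "web01", "source": "Sysmon", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL", "details": "DWORD (0x00000000)"},
    {"host": "web01", "source": "Sysmon", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin", "details": "DWORD (0x00000000)"},
    {"host": "web01", "source": "Sysmon", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "details": "DWORD (0x00000001)"},
    # benign: LSA protection being turned ON must not alert
    {"host": "web02", "source": "Sysmon", "event_id": 13, "image": r"C:\Windows\System32\gpupdate.exe",
     "target_object": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL", "details": "DWORD (0x00000001)"},
    {"host": "web01", "source": "System", "event_id": 7045, "service_name": "WindowsTempUpdate",
     "image_path": r"C:\ProgramData\Temp\conhost.exe"},
    {"host": "web02", "source": "System", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "web01", "source": "Security", "event_id": 4698, "task_name": r"\SYSCHECK"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.rule}: {a.detail}")
```

Name matching on its own is brittle, since an operator can rename a task or service; the registry rules are the durable part, because the values they watch are the ones that have to change for pass-the-hash RDP, LSASS dumping and remote admin token use to work.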
Indicators of Compromise
- [File Hash] Malware/component hashes recovered from incidents – f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1 (wingtb.sys), f094ff83d4b7d06bc17b15db7d7dc0e622778b0eda71e8fc9fdf7db83c460426 (nfdp.dll), f438ca355e6888c4c9cd7287b22cfe5773992ef83f0b16e72fb9ae239d85586c (FinalDraft), and other hashes from the report.
- [File Name] Malicious files and artifacts observed on disk – wingtb.sys (kernel driver), nfdp.dll / fdp.dll (SSP/LSASS loader components) and renamed loader executables (e.g., conhost.exe used as a staged loader).
- [Domain / URL] Cloud and token endpoints used for C2/exfil – https://login.microsoftonline.com/common/oauth2/token (Microsoft Graph/Outlook token endpoint used by FinalDraft).
- [Config / Loader artifacts] On-disk configuration and loader files tied to execution chains – config.ini (cdb loader script), wmsetup.log (AES-encrypted payload blob used by cdb loader), and rtu.txt (payload reference used by LalsDumper).
Read more: https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/