A Chinese cyber-espionage group called Ink Dragon is turning compromised servers into active communication nodes using a sophisticated relay architecture. Its expansion into European government targets highlights the evolving threat landscape and the importance of patching vulnerabilities. #INKDRAGON #ShadowPad
Key points
- Ink Dragon, also known as APT41 affiliates, has expanded its operations into Europe.
- The group uses a custom ShadowPad IIS Listener module to turn compromised servers into active relay nodes.
- It gains initial access by exploiting known IIS vulnerabilities and ASP.NET misconfigurations.
- The attack infrastructure routes C2 traffic through multiple victims, hiding the operators' true location.
- Their focus on government targets in Europe indicates a broader intelligence-gathering mission.