Inside ink dragon: revealing the relay network and inner workings of a stealthy offensive operation

Intel Name: Inside ink dragon: revealing the relay network and inner workings of a stealthy offensive operation

Date of Scan: December 25, 2025

Impact: High

Summary:
The operation highlights how the Chinese-linked threat actor Ink Dragon is expanding and refining its cyber-espionage campaigns. The group has shifted increased attention toward European government targets while maintaining activity in Southeast Asia and South America. Ink Dragon uniquely turns compromised servers into a victim-based relay network using a custom ShadowPad IIS Listener, effectively making its targets part of its own command-and-control infrastructure. Despite widespread awareness of these weaknesses, the actor continues to exploit long-known IIS and SharePoint misconfigurations for initial access. At the same time, Ink Dragon is evolving its capabilities with a new, stealthier FinalDraft malware variant and advanced techniques for evasion, lateral movement, and large-scale data exfiltration.

More Details