{"id":6247,"date":"2025-12-18T00:25:31","date_gmt":"2025-12-18T00:25:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6247"},"modified":"2025-12-18T00:25:31","modified_gmt":"2025-12-18T00:25:31","slug":"ink-dragon-threat-group-targets-iis-servers-to-build-stealthy-global-network","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6247","title":{"rendered":"\u2018Ink Dragon\u2019 threat group targets IIS servers to build stealthy global network"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A Chinese-linked threat group identified as \u201cInk Dragon\u201d is targeting common weaknesses in Internet Information Services (IIS) servers to build a global espionage network that is difficult to track or disrupt, security vendor Check Point has reported.<\/p>\n<p>Also nicknamed \u201cEarth Alux\u201d (Trend Micro) and \u201cREF7707\u201d (Elastic Security Labs), the group\u2019s activities date back to early 2023, at which time it targeted governments in Southeast Asia and South America. 
This has since expanded to target European countries.<\/p>\n<p>Ink Dragon might sound similar in its <em>modus operandi<\/em> to several other Chinese threat groups engaged in nation-state surveillance, such as UNC6384, whose campaigns targeted <a href=\"https:\/\/www.csoonline.com\/article\/4082701\/chinese-hackers-target-western-diplomats-using-hard-to-patch-windows-shortcut-flaw.html\" target=\"_blank\" rel=\"noopener\">European diplomats<\/a>.<\/p>\n<p>However, during a recent investigation at the office of a European government, <a href=\"https:\/\/blog.checkpoint.com\/research\/ink-dragon-expands-with-new-tools-and-a-growing-victim-network\/\" target=\"_blank\" rel=\"noopener\">Check Point said<\/a> it had discovered that the group has now pivoted towards what it called \u201can unusually sophisticated playbook\u201d with longer-term goals.<\/p>\n<p>Key to this is IIS, Microsoft\u2019s aging web server platform, which is still present in many networks, especially those in the public sector. The platform holds two attractions: it is widely deployed, and it is often misconfigured and insecure.<\/p>\n<p>The campaign begins when attackers compromise an IIS server and gain access to the internal network, where they harvest local credentials and study admin sessions, then use these together with Microsoft Remote Desktop to move laterally without attracting attention. 
At this point, the group installs a customized IIS module that turns the server into an invisible \u201cquiet\u201d relay inside the group\u2019s wider global infrastructure.<\/p>\n<p>\u201cThese servers forward commands and data between different victims, creating a communication mesh that hides the true origin of the attack traffic,\u201d explain Check Point\u2019s researchers.<\/p>\n<h2 class=\"wp-block-heading\">Shadow infrastructure<\/h2>\n<p>The attack has two goals: first, to compromise government servers and plunder their networks for intelligence; second, to borrow those servers to relay attack traffic to and from other compromised servers in a way that makes detecting the group\u2019s command &amp; control (C2) much harder.<\/p>\n<p>This tactic cleverly dodges the problem of having to rely on conventional C2 infrastructure, which is vulnerable to takedown and disruption. Instead, the hijacked and trusted government servers become the infrastructure.<\/p>\n<p>\u201cAcross incidents, the same story repeats. A small web facing issue becomes the first step. A series of quiet pivots leads to domain level control. The environment is then repurposed as part of a larger network that powers operations against additional targets,\u201d said Check Point. As for the traffic itself, the group hides communication inside ordinary mailbox drafts, making it look like everyday communication.<\/p>\n<p>Coincidentally, Check Point found that a second Chinese threat group, RudePanda, was simultaneously exploiting IIS weaknesses to compromise government servers. This meant that RudePanda \u201cended up operating in the same [compromised] environments at the same time.\u201d<\/p>\n<p>The discoveries underscore the issue of IIS misconfiguration. 
Beyond listing the <a href=\"https:\/\/research.checkpoint.com\/2025\/ink-dragons-relay-network-and-offensive-operation\/\" target=\"_blank\" rel=\"noopener\">group\u2019s indicators of compromise (IoCs)<\/a>, Check Point offers no specific advice on how to counter this. Nevertheless, some actions suggest themselves: audit the modules running on IIS against a known-good baseline, enable advanced IIS logging, configure IIS to make common view state vulnerabilities less likely, and consider putting IIS servers behind a web application firewall (WAF).<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A Chinese-linked threat group identified as \u201cInk Dragon\u201d is targeting common weaknesses in Internet Information Services (IIS) servers to build a global espionage network that is difficult to track or disrupt, security vendor Check Point has reported. Also nicknamed \u201cEarth Alux\u201d (Trend Micro) and \u201cREF7707\u201d (Elastic Security Labs), the group\u2019s activities date back to early 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6248,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6247","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6247"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6247"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6247\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6248"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}