The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America.
Check Point Research is tracking the cluster under the name Ink Dragon. It’s also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023.
“The actor’s campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry,” the cybersecurity company said in a technical breakdown published Tuesday. “This mix makes their intrusions both effective and stealthy.”
Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.”
Details of the threat group first emerged in February 2025, when Elastic Security Labs and Palo Alto Networks Unit 42 detailed its use of a backdoor called FINALDRAFT (aka Squidoor) that can infect both Windows and Linux systems. In recent months, Ink Dragon has also been linked to a five-month-long intrusion targeting a Russian IT service provider.
Attack chains mounted by the adversary have exploited vulnerabilities in internet-exposed web applications to deploy web shells, which are then used to deliver additional payloads such as VARGEIT and Cobalt Strike beacons for command-and-control (C2), discovery, lateral movement, defense evasion, and data exfiltration.
Another notable backdoor in the threat actor’s malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint. Check Point said it did not encounter the malware in the intrusions and investigations it observed.
“It is possible that the actor selectively deploys tools from a broader toolkit, depending on the victim’s environment, operational needs, and the desire to blend in with legitimate traffic,” Smadja said.
Ink Dragon has also abused predictable or mismanaged ASP.NET machineKey values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers. Because the ViewState MAC is computed with the configured validationKey, anyone who knows that key can sign an arbitrary serialized object that the server will accept and deserialize. After gaining access, the group installs a custom ShadowPad IIS listener module that turns the compromised servers into part of its C2 infrastructure, proxying commands and traffic and improving the infrastructure's resilience.
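Checking for the precondition described in the paragraph above, as an added example that is not from Check Point's report or the article: a small Python audit over a set of ASP.NET web.config files that flags static machineKey entries, a validationKey shared across hosts, a MAC algorithm outside the SHA-2 HMAC family, and a disabled ViewState MAC. The hostnames and key values below are constructed. A static validationKey is not a vulnerability by itself (web farms legitimately share one), but if it has leaked, was copied from a public sample, or has never been rotated, an attacker can forge a validly signed ViewState, which is the entry point for the deserialization attacks described above.

```python
"""Audit ASP.NET web.config machineKey settings across a fleet of hosts.

Added example (not part of the original article). Findings are indicators
to review, not confirmed vulnerabilities: a shared key is expected inside a
web farm but should never be public or long-lived.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Only the SHA-2 HMAC variants are treated as strong ViewState MAC algorithms.
STRONG_MAC = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
AUTO = "AutoGenerate"  # prefix of the safe default "AutoGenerate,IsolateApps"

# Constructed sample configs (keys are placeholders, not real deployments).
SAMPLE_CONFIGS = {
    "web01": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES" />
</system.web></configuration>""",
    "web02": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    "web03": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""",
    # No <machineKey> at all: ASP.NET falls back to auto-generated keys.
    "web04": "<configuration><system.web></system.web></configuration>",
}


def parse_machine_key(xml_text):
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(xml_text)
    for node in root.iter("machineKey"):
        return dict(node.attrib)
    return None


def audit_host(mk):
    """Per-host findings for one parsed machineKey (None means defaults are in use)."""
    findings = []
    if mk is None:
        return findings
    if not mk.get("validationKey", AUTO).startswith(AUTO):
        findings.append("static validationKey")
    if not mk.get("decryptionKey", AUTO).startswith(AUTO):
        findings.append("static decryptionKey")
    # .NET 4.x defaults the validation algorithm to HMACSHA256 when unset.
    algo = mk.get("validation", "HMACSHA256").upper()
    if algo not in STRONG_MAC:
        findings.append(f"weak ViewState MAC algorithm: {algo}")
    if mk.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false")
    return findings


def audit_fleet(configs):
    """configs: {hostname: web.config text}. Returns {hostname: [finding, ...]}."""
    parsed = {host: parse_machine_key(text) for host, text in configs.items()}
    results = {host: audit_host(mk) for host, mk in parsed.items()}
    # Cross-host check: the same static validationKey on several hosts means a
    # single leak lets an attacker forge ViewState for all of them.
    by_key = defaultdict(list)
    for host, mk in parsed.items():
        vkey = (mk or {}).get("validationKey", AUTO)
        if not vkey.startswith(AUTO):
            by_key[vkey.upper()].append(host)
    for hosts in by_key.values():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(sorted(h for h in hosts if h != host))
                results[host].append(f"validationKey shared with {others}")
    return results


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(host, "->", findings or "no findings")
```

Run against real configs, the same function can be fed the output of a file collection job; the remediation for any static key is rotation (Microsoft publishes guidance on generating new machineKey values) rather than simply deleting the element, since that breaks web-farm ViewState validation.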
“This design allows attackers to route traffic not only deeper inside a single organization’s network, but also across different victim networks entirely,” Check Point said. “As a result, one compromise can quietly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere, blending…