
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,094 of 2,445   
   Mike Powell to All   
   Ink Dragon threatens EU g   
   18 Dec 25 11:15:59   
   
   TZUTC: -0500   
   MSGID: 1850.consprcy@1:2320/105 2da965f9   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Experts warn Chinese "Ink Dragon" hackers extend reach into European   
   governments   
      
   Date:   
   Wed, 17 Dec 2025 15:20:00 +0000   
      
   Description:   
   Several dozen entities were recently targeted with an updated backdoor.   
      
   FULL STORY   
      
   Ink Dragon, a known Chinese state-sponsored threat actor, has extended its   
   reach into European governments, using misconfigured devices for initial   
   entry, and establishing persistence by blending with regular traffic, experts   
   have warned.    
      
   A report from cybersecurity researchers Check Point Software claims the   
   attackers are using Microsoft IIS and SharePoint servers as relay nodes for   
   future operations.    
      
   "This stage is typically characterized by low noise and spreads through   
   infrastructure that shares the same credentials or management patterns,"    
   Check Point's researchers said.   
      
   For initial access, the group does not abuse zero-day or other
   vulnerabilities, as that would most likely trigger security solutions and
   alarms. Instead, they probe the servers for weaknesses and misconfigurations,
   successfully flying under the radar.
      
   After finding an account with domain-level access, the group expands to other   
   systems, installs backdoors and other malware, establishes long-term access   
   and exfiltrates sensitive data.    
      
   In their toolbox, Ink Dragon has a backdoor called FinalDraft, which was
   recently updated to blend with common Microsoft cloud activity, it was said.
   Its C2 traffic is usually left in the drafts folder of an email account.
   What's also interesting is that the malware only works during regular business
   hours, when the traffic is greater and when it's more difficult to spot any
   suspicious activity.
      
   Finally, once the attackers secure persistent access to compromised servers,
   they repurpose the victims' infrastructure by installing custom IIS-based
   modules on internet-facing systems, turning them into relay points for their
   malicious operations.
      
   Check Point could not name the victims, for obvious reasons, but it did
   reveal several dozen entities were hit, including government organizations
   and telecommunications companies in Europe, Asia, and Africa.
      
   "While we cannot disclose the identities or specific countries of affected   
   entities, we observed the actor beginning relay-based operations in the    
   second half of 2025, followed by a gradual expansion in victim coverage from   
   each relay over time," the researchers said.    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/experts-warn-chinese-ink-dragon-hackers-extend-reach-into-european-governments
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca