China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware
18.12.2025

China-aligned Ink Dragon targets government and telecom networks using ShadowPad and FINALDRAFT malware across Europe, Asia, and Africa.
Hold up — a China-aligned threat actor called Ink Dragon is going global, hitting government and telecom networks across Europe, Asia, and Africa with some nasty malware. They're deploying ShadowPad and FINALDRAFT to infiltrate systems, and it's not their first rodeo.
Ink Dragon (aka RedHotel, TAG-74, or Earth Lusca) has been active since at least 2021, targeting sectors like government, education, and telecom. They're known for using custom malware and living-off-the-land techniques to stay under the radar.
The group's latest campaign uses a multi-stage attack chain. It starts by exploiting vulnerabilities in public-facing servers (IIS and SharePoint are the named examples) to drop web shells, which is why the first thing to hunt for is the web server's worker process spawning a command interpreter. From the web shell they deploy ShadowPad, a modular backdoor in use since 2017 and shared across several Chinese APT groups. ShadowPad is typically planted as a DLL that gets side-loaded by a legitimate signed executable, and once it is running it lets the operators execute commands, exfiltrate data, and move laterally.
But wait, there's more. They also use FINALDRAFT, a newer implant that pulls down and runs additional payloads. It hides by running inside legitimate Windows processes and by encrypting its C2 traffic; published analysis of FINALDRAFT also shows it tunnelling C2 through the Microsoft Graph API, so the traffic looks like routine Office 365 activity. Network signatures alone are a weak control here; endpoint telemetry on process injection and on unexpected outbound connections from trusted binaries is what actually catches it.
Ink Dragon doesn't stop there. Post-exploitation is Cobalt Strike for credential dumping and lateral movement, plus legitimate admin tools like PsExec and WMI so that the activity looks like routine administration. The catch for defenders: PsExec installs a PSEXESVC service binary on the target, and commands launched over WMI show up as children of WmiPrvSE.exe, so both are visible if you log process creation.
The targets? Government agencies, telecom providers, and educational institutions in multiple regions. The group's infrastructure includes compromised servers and domains that mimic legitimate services to avoid suspicion.
Why should you care? Ink Dragon is part of a larger trend of state-aligned cyber espionage groups targeting critical infrastructure. Their use of advanced, persistent techniques means they can stay hidden for months, stealing sensitive data and potentially disrupting services.
Defenders need to patch public-facing servers (start with anything exposing IIS or SharePoint), monitor for unusual network activity, and implement strong access controls. ShadowPad and FINALDRAFT indicators of compromise (IOCs) are available for threat hunting, but IOCs age quickly; behavioural hunts (web-server processes spawning shells, unsigned DLLs loaded from user-writable directories, PsExec and WMI execution from unexpected accounts) hold up longer.
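Here is what those behavioural hunts look like in practice. This is an added example, not code from the article, from any vendor report, or from Ink Dragon research: it runs three checks drawn from the attack chain above over Sysmon-style events (a web server worker spawning a shell, WMI or PsExec remote execution, and a signed host process loading an unsigned DLL from its own user-writable directory, the side-loading shape ShadowPad is usually deployed with). The field names follow Sysmon Event ID 1 and 7 conventions; the host names, file paths and events in SAMPLE_EVENTS are constructed for the example and the watch-lists are generic heuristics, not published Ink Dragon indicators.

```python
"""Behavioural hunt over Sysmon-style events (added example; sample data constructed)."""
from dataclasses import dataclass

# Heuristic watch-lists, not published Ink Dragon indicators.
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
          "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
WMI_HOST = "wmiprvse.exe"        # parent of commands launched via WMI
PSEXEC_SVC = "psexesvc.exe"      # service binary PsExec drops on the target
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                 "c:\\windows\\temp\\", "\\appdata\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] + "\\" if "\\" in p else ""


def in_writable_dir(path):
    return any(d in dirname(path) for d in WRITABLE_DIRS)


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_process_create(ev):
    """Sysmon Event ID 1 (process creation): web-shell child, WMI child, PsExec service."""
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append(Finding("webshell_child", ev["Computer"], f"{parent} -> {image} {cmd}"))
    if parent == WMI_HOST and image in SHELLS:
        hits.append(Finding("wmi_remote_exec", ev["Computer"], f"{parent} -> {image} {cmd}"))
    if PSEXEC_SVC in (image, parent):
        hits.append(Finding("psexec_service", ev["Computer"], f"{parent} -> {image}"))
    return hits


def check_image_load(ev):
    """Sysmon Event ID 7 (image load): unsigned DLL in a user-writable path,
    sitting in the same directory as the executable that loaded it."""
    dll, host = ev["ImageLoaded"], ev["Image"]
    if (str(ev.get("Signed", "false")).lower() == "false"
            and in_writable_dir(dll) and dirname(dll) == dirname(host)):
        return [Finding("dll_sideload", ev["Computer"], f"{basename(host)} loaded {dll}")]
    return []


def hunt(events):
    """Run every check over a list of event dicts and return the findings in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings += check_process_create(ev)
        elif ev.get("EventID") == 7:
            findings += check_image_load(ev)
    return findings


# Constructed sample telemetry (hypothetical hosts and paths): four suspicious events, two benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "web01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "ws07", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Computer": "fs02", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAA="},
    {"EventID": 1, "Computer": "dc01", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"},
    {"EventID": 7, "Computer": "fs02", "Image": "C:\\ProgramData\\SyncTool\\sync_host.exe",
     "ImageLoaded": "C:\\ProgramData\\SyncTool\\log.dll", "Signed": "false"},
    {"EventID": 7, "Computer": "fs02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample set it flags the IIS-spawned cmd.exe, the WMI-launched PowerShell, the PSEXESVC binary and the unsigned log.dll next to its host executable, and stays quiet on the explorer.exe child and the svchost.exe/ntdll.dll load. The side-loading rule will still fire on some legitimate portable software installed under ProgramData, so treat it as a triage queue rather than a blocking alert, and feed it real Sysmon JSON by mapping your exporter's field names onto the ones used here.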

Tags: APT groups, ShadowPad, malware, state-sponsored hacks, cyber espionage