The China-linked advanced persistent threat (APT) group known as Ink Dragon has evolved its tradecraft by systematically converting compromised victim environments into relay-based command-and-control (C2) infrastructure, according to recent threat intelligence research.
Rather than relying on attacker-owned servers, Ink Dragon increasingly repurposes victim systems to act as operational nodes—a tactic that improves resilience, complicates attribution, and reduces the group’s infrastructure exposure.
Operational shift: victim-as-infrastructure
Ink Dragon’s newer campaigns demonstrate a deliberate shift from traditional data-theft-centric intrusions toward infrastructure reuse. Once initial access is obtained, compromised servers are not immediately leveraged for espionage objectives. Instead, they are outfitted with stealthy listener and proxy components that enable them to function as C2 relays.
These relay nodes are used to:
- Proxy attacker traffic to downstream victims
- Forward tasking and exfiltration data
- Obfuscate true C2 endpoints behind trusted enterprise IP space
This design allows Ink Dragon to chain multiple victim environments together, forming a distributed and transient relay network that blends into legitimate organizational traffic patterns.
Initial access and persistence mechanisms
Initial access has been observed primarily through internet-exposed, misconfigured Microsoft IIS and SharePoint servers, often running without recent patches or a hardened configuration. Following compromise, Ink Dragon deploys custom malware components, including ShadowPad-derived IIS modules that are registered in the server configuration exactly like legitimate native extensions.
These modules provide:
- Persistent access through the web server execution context
- Encrypted inbound and outbound communication channels
- On-demand proxying functionality without overt beaconing
Because the module executes inside the IIS worker process (w3wp.exe) rather than as a separate binary, process-centric endpoint telemetry sees only a legitimate, signed server process; detection depends on checking which modules the server has loaded and what those modules do with traffic.
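The check a practitioner wants here is a diff of the modules IIS has actually registered against a known-good baseline. The following is an added example, not code from the original report or from any vendor tooling: it parses the globalModules section of an applicationHost.config fragment (constructed for the example), compares each registered module's name and image path with a hypothetical baseline taken from a clean build, and additionally flags any DLL loaded from outside the Microsoft IIS and .NET directories. Module names, paths and the baseline are all assumptions for illustration.

```python
"""Baseline audit of IIS native modules registered in applicationHost.config.

Added example (not code from the original article or from any vendor
report): a ShadowPad-derived IIS module is registered in <globalModules>
exactly like a stock module, so the check that catches it is a diff of the
registered (name, image) pairs against a known-good baseline, plus a sanity
check on where each image is loaded from. The config fragment, baseline and
trusted directories below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed applicationHost.config fragment: three stock modules and one
# planted module whose DLL lives under a web-writable path.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="IISHelperModule" image="C:\inetpub\temp\iishelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Hypothetical baseline captured from a clean install of the same IIS build.
# Generate it from a golden image, never from the host under investigation.
BASELINE = {
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "DefaultDocumentModule": r"%windir%\System32\inetsrv\defdoc.dll",
    "ManagedEngine64": r"%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll",
}

# Directories Microsoft's own native modules are loaded from. Third-party
# modules you have deliberately installed belong in BASELINE, not here.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
)


def normalize(image: str) -> PureWindowsPath:
    """IIS writes %windir% literally; expand it so both spellings compare equal."""
    expanded = re.sub(r"%windir%", r"C:\\Windows", image, flags=re.IGNORECASE)
    return PureWindowsPath(expanded)


def load_global_modules(config_xml: str) -> dict[str, str]:
    """Return {module name: image path} for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = {}
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            modules[add.get("name")] = add.get("image", "")
    return modules


def in_trusted_dir(image: str) -> bool:
    """True if the DLL sits under one of the Microsoft IIS/.NET directories."""
    parents = normalize(image).parents
    return any(trusted in parents for trusted in TRUSTED_DIRS)


def audit_modules(config_xml: str, baseline: dict[str, str]) -> list[dict]:
    """Flag modules that are unknown, repointed to another DLL, or loaded from an untrusted path."""
    findings = []
    for name, image in load_global_modules(config_xml).items():
        reasons = []
        expected = baseline.get(name)
        if expected is None:
            reasons.append("not in baseline")
        elif normalize(expected) != normalize(image):
            reasons.append(f"image changed from {expected}")
        if not in_trusted_dir(image):
            reasons.append("image outside trusted IIS/.NET directories")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_modules(SAMPLE_CONFIG, BASELINE):
        print(f"{f['name']}: {f['image']} -> {'; '.join(f['reasons'])}")
```

On a live host the same (name, image) list can be pulled with `appcmd.exe list module` or the WebAdministration cmdlet `Get-WebGlobalModule` and fed to the same comparison. Managed modules registered per site in web.config, and any module whose DLL is unsigned or was written after the last patch cycle, deserve the same treatment; the trusted-directory heuristic is only a backstop for hosts where no baseline exists.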
Tooling and malware ecosystem
Ink Dragon maintains a modular malware stack that supports relay-centric operations. Key tooling observed includes:
- ShadowPad variants configured as passive listeners rather than active implants
- FinalDraft backdoor variants capable of blending C2 traffic into enterprise cloud or HTTPS workflows
- Credential reuse and service account abuse to maintain low-noise lateral access
Notably, some relay nodes appear to be maintained long-term, suggesting that infrastructure value may outweigh direct intelligence collection in certain intrusions.
Targeting and victimology
Recent activity indicates a strategic focus on European government and public-sector organizations, with additional targeting observed in Southeast Asia and South America. Victims are often selected not only for the data they possess, but for their network trust relationships and geographic placement, which enhance their usefulness as relay infrastructure.
In some cases, victim environments showed minimal data staging or exfiltration activity, reinforcing the assessment that their primary role was operational support rather than espionage collection.
Defensive implications
Ink Dragon’s approach presents several challenges for defenders:
- C2 traffic originates from legitimate, trusted networks
- Relay nodes may exhibit minimal post-compromise activity
- Takedown efforts risk disrupting legitimate services
- Attribution becomes more complex as infrastructure is shared across victims
Traditional IOC-based detection is insufficient, since the "malicious" addresses are other victims' legitimate servers and rotate as the relay chain changes. Effective defense requires:
- Web server module integrity monitoring
- Behavioral analysis of proxy and relay activity
- Anomalous east-west traffic inspection
- Long-term persistence hunting in public-facing services
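The behavioral signal behind the second and third items above is that a relay node receives a connection from upstream and, shortly afterwards, opens one of similar size to a downstream host. The following is an added example, not code from the original article: it pairs inbound and outbound flow records per host by time proximity and byte-volume similarity, and reports only hosts where the pairing repeats often enough to be a pattern rather than a coincidence. The flow records, addresses, window and thresholds are constructed for the example.

```python
"""Pairing inbound and outbound flows to spot a host acting as a traffic relay.

Added example, not code from the original article: a relay node receives a
connection from upstream and, shortly afterwards, opens one of similar size to
a downstream host. Individually each flow looks ordinary; the tell is the
repeated inbound->outbound pairing. Flow records, hosts, window and
thresholds below are constructed/hypothetical for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    bytes: int   # bytes sent by src


WINDOW_S = 5.0     # max delay between an inbound flow and its relayed copy
RATIO_TOL = 0.15   # relayed copy must be within 15% of the inbound size
MIN_PAIRS = 3      # one coincidence is noise; a repeated pattern is a finding

# Constructed flow records. 10.20.0.15 and 10.20.0.16 are public-facing IIS
# servers; 198.51.100.0/24 are ordinary clients; 203.0.113.7 is the upstream
# operator host; 10.20.5.0/24 are internal downstream targets.
FLOWS = [
    # ordinary web traffic to 10.20.0.15, plus one DNS lookup by the server
    Flow(0.0, "198.51.100.2", "10.20.0.15", 443, 1400),
    Flow(3.0, "198.51.100.3", "10.20.0.15", 443, 2600),
    Flow(5.0, "10.20.0.15", "10.20.0.5", 53, 80),
    Flow(7.0, "198.51.100.4", "10.20.0.15", 443, 900),
    Flow(12.0, "198.51.100.5", "10.20.0.15", 443, 3300),
    Flow(20.0, "198.51.100.6", "10.20.0.15", 443, 1700),
    # a second server with one coincidental size match (SMB after a web hit)
    Flow(50.0, "198.51.100.9", "10.20.0.16", 443, 3100),
    Flow(51.0, "10.20.0.16", "10.20.0.5", 53, 64),
    Flow(52.0, "10.20.0.16", "10.20.0.8", 445, 3000),
    # relay pattern: upstream -> 10.20.0.15, then 10.20.0.15 -> downstream
    Flow(100.0, "203.0.113.7", "10.20.0.15", 443, 5120),
    Flow(101.2, "10.20.0.15", "10.20.5.40", 443, 5000),
    Flow(160.0, "203.0.113.7", "10.20.0.15", 443, 8192),
    Flow(161.0, "10.20.0.15", "10.20.5.40", 443, 8210),
    Flow(230.0, "203.0.113.7", "10.20.0.15", 443, 2048),
    Flow(231.5, "10.20.0.15", "10.20.5.41", 443, 2100),
    Flow(300.0, "203.0.113.7", "10.20.0.15", 443, 12000),
    Flow(301.0, "10.20.0.15", "10.20.5.40", 443, 11800),
]


def paired_flows(flows, window_s=WINDOW_S, ratio_tol=RATIO_TOL):
    """For each host, pair inbound flows with a later outbound flow of similar size.

    Each outbound flow is consumed by at most one inbound flow, and a flow back
    to the same peer (a normal response) is never counted as a relay hop.
    """
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append(f)
        outbound[f.src].append(f)
    pairs_by_host = {}
    for host, ins in inbound.items():
        outs = sorted(outbound.get(host, []), key=lambda f: f.ts)
        used = set()
        pairs = []
        for fin in sorted(ins, key=lambda f: f.ts):
            for idx, fout in enumerate(outs):
                if idx in used or fout.ts < fin.ts:
                    continue
                if fout.ts - fin.ts > window_s:
                    break  # outs are time-ordered; nothing later can match
                if fout.dst == fin.src or fin.bytes == 0:
                    continue
                if abs(fout.bytes - fin.bytes) / fin.bytes <= ratio_tol:
                    used.add(idx)
                    pairs.append((fin, fout))
                    break
        if pairs:
            pairs_by_host[host] = pairs
    return pairs_by_host


def find_relay_candidates(flows, min_pairs=MIN_PAIRS):
    """Hosts whose inbound->outbound pairing repeats often enough to be a pattern."""
    inbound_counts = Counter(f.dst for f in flows)
    candidates = []
    for host, pairs in paired_flows(flows).items():
        if len(pairs) < min_pairs:
            continue
        candidates.append({
            "host": host,
            "inbound_flows": inbound_counts[host],
            "relayed_pairs": len(pairs),
            "upstream": sorted({fin.src for fin, _ in pairs}),
            "downstream": sorted({fout.dst for _, fout in pairs}),
        })
    return sorted(candidates, key=lambda c: -c["relayed_pairs"])


if __name__ == "__main__":
    for c in find_relay_candidates(FLOWS):
        print(c)
```

Real input would come from NetFlow or Zeek conn.log rather than an inline list, and the window and size tolerance need tuning to the link. Legitimate reverse proxies and load balancers produce exactly this pairing, so the output is a hunting lead to be checked against an inventory of sanctioned proxies, not an alert on its own; a public-facing web server that is not supposed to proxy anything and shows up here warrants the module audit described earlier.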
Strategic significance
The victim-as-infrastructure model reflects a broader trend among mature nation-state actors toward low-visibility, high-durability operations. By externalizing infrastructure risk onto compromised organizations, Ink Dragon increases operational survivability while reducing exposure to sinkholing and takedowns.
This evolution underscores the need for defenders to treat compromised systems not only as victims, but as potential attack platforms embedded within their own trust boundaries.
