Executive Summary
Between July and October 2025, a sophisticated cyber-espionage campaign orchestrated by the China-linked group 'Ink Dragon' (a.k.a. Jewelbug, CL-STA-0049, Earth Alux, REF7707) targeted multiple European, Southeast Asian, and South American governments. The attackers leveraged advanced tools such as ShadowPad and FINALDRAFT malware to infiltrate official networks, move laterally through compromised systems, and exfiltrate sensitive government data via encrypted channels. Their operations exhibited a high degree of stealth, blending custom malware with legitimate administrative tools and exploiting trust in east-west network flows, putting confidential geopolitical and citizen information at direct risk.
This incident underscores the increasing frequency and sophistication of state-sponsored espionage operations against government entities worldwide. It marks a significant trend where threat actors are adopting modular malware and advanced lateral movement techniques, emphasizing the urgent need for stronger east-west security controls and real-time anomaly detection in critical infrastructure.
Why This Matters Now
The Ink Dragon breach highlights the escalating threat from nation-state actors targeting government digital infrastructure with advanced malware and encrypted data exfiltration techniques. As attackers evolve to exploit blind spots in east-west traffic and privileged network access, organizations must rapidly improve segmentation, monitoring, and response capabilities before similar threats escalate beyond the public sector.
Attack Path Analysis
The Ink Dragon threat actor likely initiated access to government cloud environments using spear-phishing or stolen credentials to deploy ShadowPad and FINALDRAFT malware. After foothold, attackers escalated their privileges within cloud services to gain broader permissions. Leveraging internal east-west communications, they maneuvered laterally across workloads, identifying new targets. For command and control, encrypted channels and covert protocols enabled persistent communication with external infrastructure. Sensitive government data was exfiltrated using outbound connections disguised as legitimate traffic. The operation aimed for covert and continuous espionage with minimal direct disruption, but risked long-term impact on data confidentiality and government operations.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained initial access to government cloud environments, likely via spear-phishing, credential theft, or exploitation of exposed remote services.
Related CVEs
CVE-2017-11882
CVSS 7.8. A memory corruption vulnerability in Microsoft Office allows remote code execution when the software fails to properly handle objects in memory.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
CVE-2018-0802
CVSS 7.8. A memory corruption vulnerability in Microsoft Office allows remote code execution when the software fails to properly handle objects in memory.
Affected Products:
Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing
Valid Accounts
Command and Scripting Interpreter
Ingress Tool Transfer
Application Layer Protocol
Obfuscated Files or Information
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Identity Authentication and Access Controls
Control ID: Identity – Authentication and Access Control
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of China-linked Ink Dragon cyber espionage campaign using ShadowPad and FINALDRAFT malware, requiring enhanced encrypted traffic monitoring and zero trust segmentation controls.
Information Technology/IT
Critical infrastructure vulnerabilities exposed through lateral movement attacks, necessitating east-west traffic security, threat detection systems, and inline IPS protection against advanced persistent threats.
Telecommunications
High-value espionage targets vulnerable to encrypted traffic interception and data exfiltration, requiring multicloud visibility, egress security controls, and anomaly detection capabilities for protection.
Financial Services
Elevated cyber espionage risk from state-sponsored actors targeting sensitive financial data, demanding cloud firewall protection, secure hybrid connectivity, and comprehensive threat intelligence integration.
Sources
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware – https://thehackernews.com/2025/12/china-linked-ink-dragon-hacks.html (Verified)
- ShadowPad, Software S0596 | MITRE ATT&CK® – https://attack.mitre.org/software/S0596/ (Verified)
- Indian Critical Infrastructure Intrusions, Campaign C0043 | MITRE ATT&CK® – https://attack.mitre.org/campaigns/C0043/ (Verified)
- RedEcho, Group G1042 | MITRE ATT&CK® – https://attack.mitre.org/groups/G1042/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust Zero Trust segmentation, east-west traffic controls, egress policy enforcement, and visibility offered by CNSF-aligned cloud network controls would have constrained attacker movement, limited C2 activity, and raised detection opportunities early in the kill chain.
Control: Multicloud Visibility & Control
Mitigation: Early detection of abnormal access attempts and policy violations.
Control: Zero Trust Segmentation
Mitigation: Restricted privilege boundaries and identity-based segmentation limit potential for privilege abuse.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized east-west movements between sensitive zones.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unapproved outbound traffic and enforced protocol restrictions.
Control: Encrypted Traffic (HPE)
Mitigation: Visibility into encrypted data flows and enforcement of data-in-transit protection.
Rapid detection and response to ongoing attacker presence and suspicious behaviors.
Impact at a Glance
Affected Business Functions
- Government Operations
- National Security
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive government communications and classified information.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust segmentation and identity-based access controls to restrict lateral movement within cloud environments.
- Implement continuous east-west traffic monitoring and microsegmentation to detect and prevent unauthorized internal traversal.
- Enforce strict egress filtering and FQDN-based policy enforcement to block C2 and exfiltration attempts.
- Utilize centralized multicloud visibility for proactive anomaly detection and real-time threat response.
- Ensure high-performance, line-rate encryption protects all sensitive data in transit and monitor for unauthorized outbound flows.
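The segmentation and egress controls above, shown as a policy evaluator run over constructed cloud flow records. This is an added example, not code from the advisory or from any CNSF product; the zone map, allowed east-west paths, FQDN allowlist and sample flows are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed zone map: internal subnet prefix -> trust zone.
ZONES = {"10.10.": "web", "10.20.": "app", "10.30.": "data"}
# Zero Trust segmentation: the only east-west zone pairs permitted (constructed).
ALLOWED_EW = {("web", "app"), ("app", "data")}
# Egress policy: FQDN allowlist plus a protocol/port restriction (constructed).
ALLOWED_FQDN = {"updates.example.gov", "api.example.gov"}
ALLOWED_EGRESS_PORT = 443


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the workload
    dst: str    # destination IP or resolved FQDN
    dport: int
    proto: str


def zone_of(addr: str):
    """Return the trust zone for an internal address, or None if external."""
    for prefix, zone in ZONES.items():
        if addr.startswith(prefix):
            return zone
    return None


def evaluate(flow: Flow):
    """Return (verdict, reason) for one flow under the segmentation and egress policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone and dst_zone:  # east-west traffic between internal workloads
        if src_zone == dst_zone or (src_zone, dst_zone) in ALLOWED_EW:
            return "allow", f"permitted east-west path {src_zone}->{dst_zone}"
        return "deny", f"cross-zone {src_zone}->{dst_zone} not in segmentation policy"
    if src_zone and dst_zone is None:  # egress from an internal workload
        if flow.dst in ALLOWED_FQDN and flow.dport == ALLOWED_EGRESS_PORT:
            return "allow", "FQDN on egress allowlist"
        return "deny", f"egress to {flow.dst}:{flow.dport} not allowlisted (review for C2/exfiltration)"
    return "deny", "flow does not originate from a known workload"


def audit(flows):
    """Evaluate a batch of flows; returns only the denied ones with their reasons."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "deny"]


# Constructed sample flows: one normal tier-to-tier call, one reverse-direction
# lateral move, one allowlisted API call, and one outbound connection to a raw IP.
SAMPLE_FLOWS = [
    Flow("10.10.0.4", "10.20.0.9", 8443, "tcp"),
    Flow("10.30.0.5", "10.10.0.7", 445, "tcp"),
    Flow("10.20.0.9", "api.example.gov", 443, "tcp"),
    Flow("10.20.0.9", "203.0.113.10", 443, "tcp"),
]
```

Running `audit(SAMPLE_FLOWS)` flags the data-to-web SMB flow and the outbound connection to a bare IP, which are the two patterns the east-west and egress controls are meant to surface.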