Find notable cyber news and cases, enriched with sources, timelines, and signals.

Ink Dragon European government relay-node campaign

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

A China-linked group is turning misconfigured European government servers into relay nodes to hide cyber-espionage, expanding the operational footprint and making detection harder. The campaign targets Microsoft IIS and SharePoint systems, then steals credentials and moves laterally with Remote Desktop. It also installs backdoors and long-term access tools to preserve control and repurpose compromised networks. The reuse of victim infrastructure to forward commands and data means affected organizations can become part of a wider attack mesh.

Related Happenings

Cavern Manticore campaign targeting Israeli government and IT organizations

Campaign
H score30 First: 06.07.2026 19:00 Last: 06.07.2026 19:00 Sources 1

About this happening: The **Cavern Manticore** campaign is **targeting Israeli government and IT organizations** since **early 2026**, increasing the risk of **unauthorized access** and **data theft**...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against **insurance, education, IT, and professional services** organizations, giving operators a stealt...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The **Brickstorm** malware set enabled **UNC5221 / VerdantBamboo** to keep long-term access inside victim infrastructure, including **Microsoft 365**, raising the risk of stealthy...

Timeline

  1. 17.12.2025 11:30 2 articles · 6mo ago

    Ink Dragon relay-node campaign across European government networks

    Campaign Scope Update

    Check Point says Ink Dragon is using misconfigured public-facing servers in European government networks as relay nodes to conceal cyber-espionage activity, after probing Microsoft IIS, SharePoint and other servers for configuration weaknesses. The group is described as stealing credentials, identifying active administrator sessions, reusing shared or replicated service accounts, moving laterally with Remote Desktop, and then mapping the environment, controlling policy settings, and deploying long-term access tools on high-value systems. Check Point also says the group is installing a backdoor and a customized IIS-based module to turn compromised servers into quiet relay points, while a new version of the FinalDraft backdoor is being used for long-term access and to blend into Microsoft cloud activity. The same report says RudePanda entered some of the same European government networks and exploited the same exposed server vulnerability, showing that a single unpatched weakness can support multiple separate campaigns inside the same organization.

    Show sources