
Ink Dragon European government relay-node campaign

Campaign
First reported
Last updated
Happening score
H score 35
1 unique source, 1 article

Summary


A China-linked group is turning misconfigured European government servers into relay nodes to hide cyber-espionage, expanding the operational footprint and making detection harder. The campaign targets Microsoft IIS and SharePoint systems, then steals credentials and moves laterally with Remote Desktop. It also installs backdoors and long-term access tools to preserve control and repurpose compromised networks. The reuse of victim infrastructure to forward commands and data means affected organizations can become part of a wider attack mesh.

Related Happenings

Microsoft Defender for Endpoint automatic endpoint isolation preview

Security Tool/Service
First: 26.05.2026 15:19 Last: 26.05.2026 15:19 Sources 1

About this happening: Microsoft is previewing **automatic isolation** for compromised endpoints in **Defender for Endpoint**, reducing **lateral movement** risk on managed workstations. The capability...

Webworm multi-country targeting campaign against government and enterprise victims

Campaign
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

Mustang Panda multi-country espionage campaign against government and telecom targets

Campaign
First: 28.01.2026 13:40 Last: 28.01.2026 13:40 Sources 1

About this happening: A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...

Jewelbug campaign expands across multiple victims

Campaign
First: 17.12.2025 13:12 Last: 17.12.2025 13:12 Sources 1

About this happening: The **Jewelbug / Ink Dragon** intrusion campaign remains **active**, with **several dozen victims** across **Europe, Asia, and Africa** and a recent emphasis on **government entit...

Timeline

  1. 17.12.2025 11:30 2 articles · 5mo ago

    Ink Dragon relay-node campaign across European government networks

    Campaign Scope Update

    Check Point says Ink Dragon is using misconfigured public-facing servers in European government networks as relay nodes to conceal cyber-espionage activity, after probing Microsoft IIS, SharePoint and other servers for configuration weaknesses. The group is described as stealing credentials, identifying active administrator sessions, reusing shared or replicated service accounts, moving laterally with Remote Desktop, and then mapping the environment, controlling policy settings, and deploying long-term access tools on high-value systems. Check Point also says the group is installing a backdoor and a customized IIS-based module to turn compromised servers into quiet relay points, while a new version of the FinalDraft backdoor is being used for long-term access and to blend into Microsoft cloud activity. The same report says RudePanda entered some of the same European government networks and exploited the same exposed server vulnerability, showing that a single unpatched weakness can support multiple separate campaigns inside the same organization.
