Jewelbug campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
The Jewelbug / Ink Dragon intrusion campaign remains active, with several dozen victims across Europe, Asia, and Africa and a recent emphasis on government entities in Europe. The operation still targets telecommunications organizations and other entities across multiple regions, making it a sustained multi-victim threat rather than a one-off intrusion. Its persistence matters because the cluster uses web shells, ShadowPad, and FINALDRAFT-related tooling to maintain access, move laterally, and support data exfiltration.
Related Happenings
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor Meta
H score26
First: 07.07.2026 17:00
Last: 07.07.2026 17:00
Sources 1
About this happening:
**Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor MetaAbout this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
Campaign
H score42
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources 1
About this happening:
The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
CampaignAbout this happening: The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
H score32
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
CampaignAbout this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Red Menshen telecom espionage campaign
Campaign
H score33
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Red Menshen telecom espionage campaign
CampaignAbout this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
DarkSword operators phishing and watering-hole campaign
Campaign
H score89
First: 18.03.2026 23:15
Last: 18.03.2026 23:15
Sources 1
About this happening:
**DarkSword** operators ran a **cross-border phishing and watering-hole campaign** using an **iPhone exploit chain** against users in **Saudi Arabia** and **Ukraine**, with additi...
DarkSword operators phishing and watering-hole campaign
CampaignAbout this happening: **DarkSword** operators ran a **cross-border phishing and watering-hole campaign** using an **iPhone exploit chain** against users in **Saudi Arabia** and **Ukraine**, with additi...
Timeline
-
17.12.2025 13:12 2 articles · 6mo ago
Ink Dragon campaign spans multiple regions and sectors
Campaign Scope UpdateCheck Point Research tracks Jewelbug as Ink Dragon, a China-aligned cluster active since at least March 2023 that has increasingly focused on government targets in Europe since July 2025 while still targeting Southeast Asia and South America. The campaign has impacted several dozen victims, including government entities and telecommunications organizations across Europe, Asia, and Africa, and uses vulnerable internet-exposed web applications, web shells, ShadowPad, FINALDRAFT, and related tooling to support command-and-control, lateral movement, defense evasion, and data exfiltration.
Show sources
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12