China’s Ink Dragon Spies Are Hiding in Europe’s Servers


According to TheRegister.com, the Chinese espionage crew known as Ink Dragon has expanded into European government networks, hitting “several dozen victims” including government and telecommunications entities across Europe, Asia, and Africa. Check Point Software researchers, led by group manager Eli Smadja, state the actor began this relay-based operation in the second half of 2025, gradually expanding from each compromised server. The attacks start by probing for misconfigured Microsoft IIS and SharePoint servers to gain a quiet foothold, avoiding flashy zero-days. Once inside, they steal credentials and use legitimate accounts to move laterally, eventually installing backdoors like the updated “FinalDraft” malware, which now hides its commands in mailbox drafts and only checks in during business hours. Furthermore, the group co-opts public-facing servers to create a mesh of illicit relay points that obscures the attack’s origin. In a related finding, researchers also discovered the China-linked group RudePanda had quietly infiltrated some of the same government networks.


The new stealth playbook

Here’s the thing: this isn’t about smash-and-grab. This is about moving in and setting up a permanent, hidden listening post. By targeting boring, misconfigured servers instead of sexy zero-days, Ink Dragon creates almost no initial noise. They’re not breaking down the door; they’re finding the window you left unlocked. And once they’re in? They live off the land, using your own accounts and tools. That FinalDraft backdoor update is a masterclass in camouflage—hiding in cloud mailbox drafts and keeping “business hours” so its digital heartbeat looks like any other employee’s activity. It’s patient, professional-grade espionage designed for the long haul.
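A defender-side heuristic for the business-hours, mailbox-draft check-in pattern described above, added here as an example and not code from Check Point or The Register. The audit log format, the thresholds, the business-hours window and the identities are all constructed for illustration; a real deployment would read Exchange or Graph mailbox audit events instead.

```python
"""Flag mailbox identities whose Drafts-folder activity looks like a scheduled
check-in: confined to business hours, drafts created and deleted in lockstep,
nothing ever sent.  Heuristic only; tune thresholds against your own baseline."""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(9, 18)   # assumption: 09:00-17:59 local time, Mon-Fri

def parse(line):
    # constructed format: "<ISO timestamp> <user> <operation> <folder>"
    ts, user, op, folder = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, folder

def profile(lines):
    stats = defaultdict(lambda: {"draft_ops": 0, "in_hours": 0, "creates": 0,
                                 "deletes": 0, "sends": 0, "days": set()})
    for line in lines:
        ts, user, op, folder = parse(line)
        s = stats[user]
        if op == "Send":             # a real mailbox user eventually sends mail
            s["sends"] += 1
            continue
        if folder != "Drafts":
            continue
        s["draft_ops"] += 1
        s["creates"] += op == "Create"
        s["deletes"] += op == "HardDelete"
        if ts.weekday() < 5 and ts.hour in BUSINESS_HOURS:
            s["in_hours"] += 1
        s["days"].add(ts.date())
    return stats

def suspicious(stats, min_ops=12, min_days=2, in_hours_ratio=0.95):
    flagged = []
    for user, s in stats.items():
        if s["draft_ops"] < min_ops or len(s["days"]) < min_days or s["sends"]:
            continue
        if s["in_hours"] / s["draft_ops"] < in_hours_ratio:
            continue
        if s["creates"] == 0 or s["deletes"] < 0.8 * s["creates"]:
            continue                 # drafts that persist are ordinary drafts
        flagged.append(user)
    return sorted(flagged)

def constructed_log():
    """Constructed sample: one beacon-like account, one ordinary user."""
    lines = []
    for day in ("2025-09-01", "2025-09-02"):          # Monday, Tuesday
        for hour in range(9, 17):
            lines.append(f"{day}T{hour:02d}:00:05 svc-report@example.gov Create Drafts")
            lines.append(f"{day}T{hour:02d}:00:31 svc-report@example.gov HardDelete Drafts")
    lines += ["2025-09-01T08:15:00 alice@example.gov Create Drafts",
              "2025-09-01T08:20:00 alice@example.gov Send Sent",
              "2025-09-01T21:40:00 alice@example.gov Create Drafts",
              "2025-09-02T10:05:00 alice@example.gov Update Drafts"]
    return lines

if __name__ == "__main__":
    print(suspicious(profile(constructed_log())))   # ['svc-report@example.gov']
```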

Why the relay mesh matters

This shift to creating relay nodes on victim infrastructure is a big deal. Basically, they’re turning their targets’ own servers into a proxy network. So when they hop from one government agency to another, the traffic appears to come from another legitimate, compromised organization, not from a server in China. It completely muddies the forensic waters. Check Point says it “hides the true origin of the attack traffic,” and they’re right. It’s a force multiplier for obfuscation. And it’s not just a Chinese tactic—Amazon just warned about the Russian GRU doing the exact same thing since 2021, targeting energy and telecom providers. This is the new normal for state-sponsored hacking: quiet, persistent, and disguised as normal, boring network traffic.

Stakeholders are playing catch up

For IT and security teams in government and critical sectors, this is a nightmare scenario. The attack surface isn’t some fancy new software; it’s the mundane, overlooked infrastructure—those IIS servers set up years ago and forgotten. The implication is clear: basic hardening and configuration management are now frontline national security concerns. It also puts a huge burden on network defenders to spot subtle, legitimate-looking anomalies. For enterprises, especially those in telecommunications or who provide services to government, the risk of becoming an unwitting relay point is real. Your compromised server could be the springboard for an attack on a NATO country’s network. That’s a sobering thought.

A crowded and noisy battlefield

Maybe the most telling detail is that Check Point found *another* Chinese group, RudePanda, in the same networks, using the same initial vulnerability. Think about that. We’re not talking about one advanced persistent threat. We’re talking about multiple, unrelated state-backed teams all independently finding and exploiting the same weak spot in European defenses. It paints a picture of a target-rich environment that’s being constantly probed by multiple actors. So what’s the takeaway? Patching and configuration management can’t be afterthoughts anymore. They are the primary defense against some of the world’s most sophisticated spies. If you don’t, you’re not just a target. You might become part of the attacker’s infrastructure.
