Ink Dragon turns IIS and SharePoint servers into ShadowPad relays. Learn how AI-driven detection spots FINALDRAFT, Graph C2, and lateral movement earlier.

AI vs Ink Dragon: Detect ShadowPad Relay Attacks
Ink Dragon’s latest wave of intrusions is a reminder that “a breach” isn’t a single event anymore. It’s an ecosystem. When attackers can turn your internet-facing servers into their command infrastructure—then chain that infrastructure across multiple victim organizations—you’re not just cleaning up an incident. You’re dismantling a mesh.
That’s what makes the reported Ink Dragon campaigns so unsettling. The group (also tracked as Jewelbug, CL-STA-0049, Earth Alux, and REF7707) has been linked to government-focused operations across Europe since mid-2025, while still hitting targets in Southeast Asia and South America. Their toolkit isn’t new in the sense of “one shiny backdoor.” It’s more dangerous: a disciplined set of components—web shells, loaders, credential dumping, and resilient command-and-control—stitched together to blend into normal enterprise noise.
Here’s the stance I’ll take: most defenders are still trying to win this fight with rules, not learning. And when your adversary routes traffic through legitimate services, piggybacks on Outlook/Graph, and converts IIS into a ShadowPad relay, rules alone get brittle fast. This is exactly where AI-driven threat detection (done right) earns its keep.
What Ink Dragon’s playbook tells you about modern intrusions
Answer first: Ink Dragon succeeds because it treats your environment as both a target and a platform—using misconfigurations, identity weakness, and “normal-looking” admin activity to hide persistence and movement.
The campaigns described publicly map to a pattern you’ve probably seen in some form:
- Initial access via exposed web apps (IIS/SharePoint and other internet-facing services)
- Web shells to establish a foothold and stage additional tooling
- Follow-on payloads (including Cobalt Strike and malware variants in the VARGEIT/FINALDRAFT family)
- Credential access and privilege escalation (LSASS dumping, registry hive extraction, NTDS theft)
- Persistence through scheduled tasks/services and custom loaders
- Command-and-control that blends in, including a ShadowPad IIS listener and FINALDRAFT’s Graph/Outlook abuse
What’s different is the architecture mindset: a compromised IIS server can become an IIS Listener “node” that relays traffic. That allows the attacker to route operations through a chain of already-breached systems, spreading risk across multiple organizations and making attribution and takedown harder.
The “relay network” shift changes your containment math
Answer first: If a compromised host is also C2 infrastructure, containment isn’t local; you have to hunt for the relay chain.
Traditional incident response often assumes a clean boundary:
- infected endpoint(s) on one side
- attacker infrastructure on the other
Ink Dragon collapses that boundary. One victim becomes a hop to another victim. That creates two operational problems for defenders:
- Blocking indicators becomes less effective. You may be blocking traffic to another legitimate organization’s server—because that server is now a relay.
- Eradication can be incomplete even after “cleanup.” If you remove one implant but leave the relay listener or persistence mechanism, the adversary can return without repeating initial access.
ShadowPad + FINALDRAFT: why defenders struggle to spot them early
Answer first: ShadowPad and FINALDRAFT succeed because they combine stealthy execution with communications that can look legitimate, especially in Microsoft-heavy environments.
Ink Dragon’s tooling includes:
- ShadowPad: a modular backdoor ecosystem often associated with sophisticated espionage. In the described intrusions, attackers used a ShadowPad loader and an IIS Listener module to turn servers into relays.
- FINALDRAFT (also known as Squidoor in some reporting): an evolution of earlier variants (including VARGEIT), with a modular command framework and higher-throughput exfiltration.
- Platform-native or “blends-in” techniques: reliance on common admin tooling, scheduled tasks/services, and living-off-the-land behaviors.
The uncomfortable truth about Microsoft Graph as a C2 channel
Answer first: When malware uses Outlook and Microsoft Graph for command-and-control, you can’t treat “Graph traffic” as inherently safe.
FINALDRAFT’s reported approach—operators pushing encoded command documents into a mailbox and the implant pulling, decrypting, and executing them—turns a trusted business channel into a covert pipeline.
That forces a hard conversation: your detection can’t stop at “is it Microsoft?” It has to ask:
- Is this mailbox behavior consistent with the human who owns it?
- Is the access pattern consistent with normal device posture and geography?
- Do message and attachment patterns resemble known command-document formats?
- Is there a correlation between Graph access bursts and endpoint execution events?
This is where AI helps—not because it’s magical, but because humans can’t baseline this across thousands of users and devices in real time.
Where AI-driven threat detection actually helps (and where it doesn’t)
Answer first: AI is most valuable for finding relationships and anomalies across noisy telemetry—exactly the conditions Ink Dragon depends on.
Signature-based detections still matter. But Ink Dragon’s strength is disciplined, quiet operations and reuse of legitimate systems and services. Good AI-assisted security programs focus on behavior and relationships, not just file hashes.
Here are high-signal detection opportunities where AI consistently performs better than static rules:
1) Detecting “impossible” identity + endpoint pairings
Answer first: AI can flag access patterns that don’t fit a user’s historical behavior, even when credentials are valid.
In several campaigns like this, the most damaging phase comes after credential access—RDP tunneling, token reuse, SMB operations, and directory database theft. AI models trained on your environment can highlight:
- unusual RDP session patterns (time-of-day, source host, lateral targets)
- rare admin share writes (C$, ADMIN$) from unexpected machines
- spikes in authentication failures followed by success via fallback mechanisms
- rare combinations: a specific user + a specific server role + a new client process chain
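As an added illustration (not code from the original post), here is a small per-user baseline scorer in Python for the pairings listed above: it scores each new RDP session against the user's own history so that valid credentials used from a new source host, against a new server role, or in an unusual time band still stand out. The baseline records, session tuples and four-hour time bands are constructed assumptions, and the scorer stands in for the learned model the post describes.

```python
# Added example (not from the original post): scores RDP logons against a per-user
# baseline so valid credentials used from a new host, at an unusual hour or against a
# new server role still stand out. Baseline and new sessions below are constructed.
from collections import Counter, defaultdict

# Constructed 30-day baseline of successful RDP logons: (user, src_host, dst_role, hour)
BASELINE = [
    ("alice", "ws-alice", "sharepoint", 10), ("alice", "ws-alice", "sharepoint", 11),
    ("alice", "ws-alice", "sharepoint", 14), ("alice", "ws-alice", "fileserver", 15),
    ("alice", "ws-alice", "sharepoint", 9),  ("bob", "jump01", "dc", 13),
    ("bob", "jump01", "dc", 9), ("bob", "jump01", "sharepoint", 17),
]
# Constructed new sessions to score.
NEW = [
    ("alice", "ws-alice", "sharepoint", 10),   # routine for this user
    ("alice", "sp01", "dc", 3),                # valid creds, but new source, new role, 03:00
]

def build_profile(baseline):
    """Per-user counters for each dimension plus the user's total session count."""
    prof = defaultdict(lambda: {"src": Counter(), "role": Counter(), "hour": Counter(), "n": 0})
    for user, src, role, hour in baseline:
        p = prof[user]
        p["src"][src] += 1; p["role"][role] += 1; p["hour"][hour // 4] += 1; p["n"] += 1
    return prof

def score_session(prof, session):
    """Sum of per-dimension rarity (0..1 each); higher means less like the user's history."""
    user, src, role, hour = session
    p = prof.get(user)
    if p is None:
        return 3.0, ["never-seen user"]  # no history at all: maximal score
    reasons, total = [], 0.0
    checks = (("src", src, f"source host {src}"),
              ("role", role, f"server role {role}"),
              ("hour", hour // 4, f"time band around {hour:02d}:00"))
    for dim, key, label in checks:
        rarity = 1.0 - p[dim][key] / p["n"]   # 1.0 when never seen for this user
        total += rarity
        if p[dim][key] == 0:
            reasons.append(f"new {label}")
    return round(total, 2), reasons
```

A production model would add the client process chain the post mentions as a fourth dimension and learn the band sizes rather than fixing them.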
2) Catching IIS and SharePoint behaviors that “look like admin work”
Answer first: AI can separate legitimate maintenance from malicious changes by looking at sequence and context.
Ink Dragon reportedly abused predictable or mismanaged ASP.NET machine keys and SharePoint exploit paths to plant web shells and install an IIS listener module. The resulting changes can appear administrative:
- new or modified IIS modules
- configuration changes
- unexpected assemblies or binaries
- firewall rule modifications enabling outbound traffic
A rule might alert on “IIS config changed.” That’s noisy. AI correlation can say: “IIS module change followed by outbound beacon-like traffic followed by LSASS access attempts” and raise the severity immediately.
3) Identifying relay behavior across hosts
Answer first: Relay networks leave traffic fingerprints—AI is good at spotting them when you model flows, not just events.
Relays often produce:
- consistent outbound connections from servers that previously had none
- repeating timing patterns (beacon intervals) even when destinations vary
- inbound requests that don’t match the server’s business role
- traffic “hairpins” where a server forwards traffic between unrelated networks
Graph-based AI (entity relationship models) can map host ↔ host ↔ identity ↔ process ↔ external endpoint relationships to detect “this server is acting like infrastructure.”
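To make the flow-modelling idea concrete, the following added Python example (not from the original post) scores each server's outbound flows for two of the relay fingerprints listed above: egress from a server that historically has none, and a steady beacon cadence that persists while the destinations vary. The flow records, the no-egress baseline and the thresholds are constructed assumptions.

```python
# Added example (not from the original post): scores each server's outbound flows for
# relay-style behaviour: egress from hosts with no egress baseline, and a steady beacon
# cadence that persists even as destinations vary. All records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    (0, "web01", "203.0.113.10", 443, 1200),
    (60, "web01", "203.0.113.11", 443, 1180),
    (121, "web01", "203.0.113.12", 443, 1210),
    (180, "web01", "203.0.113.10", 443, 1190),
    (241, "web01", "203.0.113.13", 443, 1205),
    (300, "web01", "203.0.113.11", 443, 1195),
    (5, "file02", "10.0.5.20", 445, 90000),
    (2000, "file02", "10.0.5.21", 445, 400000),
    (7000, "file02", "10.0.9.3", 445, 15000),
]
# Constructed baseline: servers that historically initiate no outbound connections.
NO_EGRESS_BASELINE = {"web01"}

def interval_regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps; low values mean a steady cadence."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few connections to judge cadence
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None

def score_hosts(flows, baseline, min_flows=4, max_cv=0.2):
    """Return {host: [reasons]} for hosts whose outbound pattern looks like relay traffic."""
    by_host = defaultdict(list)
    for ts, src, dst, _port, _bytes in flows:
        by_host[src].append((ts, dst))
    findings = {}
    for host, recs in by_host.items():
        reasons = []
        if host in baseline:
            reasons.append("outbound traffic from a server with no egress baseline")
        cv = interval_regularity([ts for ts, _ in recs])   # cadence across ALL destinations
        dsts = {dst for _, dst in recs}
        if len(recs) >= min_flows and cv is not None and cv <= max_cv:
            reasons.append(f"beacon-like cadence (cv={cv:.2f}) across {len(dsts)} destinations")
        if reasons:
            findings[host] = reasons
    return findings
```

Grouping the cadence check by source host rather than by destination is what keeps a relay visible when it rotates endpoints; the file server's irregular SMB bursts produce no finding.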
Where AI doesn’t save you
AI won’t fix:
- unpatched internet-facing apps
- exposed admin interfaces
- weak credential hygiene
- lack of segmentation
- missing or misconfigured logging
If telemetry is incomplete, AI just gets confidently blind.
A practical defensive plan for Ink Dragon-style campaigns
Answer first: The fastest path to resilience is to harden exposed services, tighten identity controls, and use AI-assisted correlation to spot stealthy lateral movement early.
Here’s what I recommend teams prioritize—especially during the late-December change-freeze season when attackers assume response will be slower.
1) Lock down IIS/SharePoint attack surface
- Inventory all internet-facing IIS/SharePoint instances and confirm ownership.
- Rotate and securely manage ASP.NET machine keys; eliminate reused or public values.
- Enforce patch SLAs for SharePoint and related components.
- Monitor for web shell patterns: unusual .aspx writes, suspicious directories, and anomalous child processes of w3wp.exe.
2) Treat service accounts and admins as high-risk assets
- Require phishing-resistant MFA for privileged roles.
- Reduce standing privileges; use just-in-time elevation.
- Audit RDP exposure and enforce strict host allowlists.
- Alert on disconnected-but-not-logged-off admin sessions (they’re token gold).
3) Add AI-driven correlation for “attack sequences,” not single alerts
If you only take one idea from this post, take this:
The best detections identify a story: access → execution → credentialing → movement → persistence.
Operationally, that means configuring your detections to correlate:
- SharePoint/IIS exploit signals
- process anomalies (w3wp.exe spawning shells, debugger use like cdb.exe in strange contexts)
- LSASS access, dump creation, or suspicious handle requests
- scheduled task/service creation + immediate outbound traffic
- Graph/Outlook mailbox access bursts aligned with endpoint execution
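The sequence correlation described in this point and in detection opportunity 2 above (IIS module change, then beacon-like outbound traffic, then LSASS access) can be sketched as a stage correlator. The Python below is an added example, not the post's or any vendor's code; the event shape, source names, stage names and sample records are constructed, and a host with only an "IIS config changed" signal deliberately produces no story.

```python
# Added example (not from the original post): a minimal stage correlator that turns
# scattered events on one host into an ordered story and scores it by stages matched.
from collections import defaultdict
EVENTS = [  # constructed sample telemetry, normalised to one shape (ts in seconds)
    {"ts": 100, "host": "sp01", "source": "iis", "action": "module_added"},
    {"ts": 160, "host": "sp01", "source": "edr", "action": "process_start", "parent": "w3wp.exe", "image": "cmd.exe"},
    {"ts": 400, "host": "sp01", "source": "edr", "action": "lsass_access"},
    {"ts": 900, "host": "sp01", "source": "edr", "action": "schtask_created"},
    {"ts": 905, "host": "sp01", "source": "netflow", "action": "new_outbound"},
    {"ts": 200, "host": "sp02", "source": "iis", "action": "config_changed"},
    {"ts": 300, "host": "sp02", "source": "edr", "action": "process_start", "parent": "w3wp.exe", "image": "csc.exe"},
]

ORDER = ["access", "execution", "credentialing", "persistence", "c2"]  # chain order from the post
def stage_of(ev):  # map one event to a chain stage, or None when it is not a chain signal
    src, act = ev["source"], ev["action"]
    if src == "iis" and act in ("module_added", "config_changed"):
        return "access"
    if src == "edr" and act == "process_start" and ev.get("parent") == "w3wp.exe" \
            and ev.get("image") in ("cmd.exe", "powershell.exe", "cdb.exe"):
        return "execution"
    if src == "edr" and act == "lsass_access":
        return "credentialing"
    if src == "edr" and act in ("schtask_created", "service_created"):
        return "persistence"
    if (src == "netflow" and act == "new_outbound") or (src == "graph" and act == "mailbox_burst"):
        return "c2"
    return None

def correlate(events, window=3600):  # window: seconds within which stages are linked (assumed)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = stage_of(ev)
        if st:
            by_host[ev["host"]].append((ev["ts"], st))
    stories = {}  # host -> (severity, ordered story)
    for host, hits in by_host.items():
        story, rank, start = [], -1, None
        for ts, st in hits:
            if start is not None and ts - start > window:
                break                   # beyond the window: stop linking
            if ORDER.index(st) <= rank:
                continue                # repeats or out-of-order hits do not advance the story
            start = ts if start is None else start
            story.append(f"{st}@{ts}")
            rank = ORDER.index(st)
        if len(story) >= 2:             # a lone "IIS config changed" stays low-signal
            stories[host] = (len(story), story)
    return stories
```

Severity here is simply the number of chain stages reached in order; the ASP.NET compiler spawned by w3wp.exe on sp02 is treated as routine and never becomes an "execution" stage.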
4) Practice “relay-aware” incident response
- Assume compromised servers may be used as relays; look for listener modules and proxy logic.
- Hunt laterally for identical persistence patterns across separate business units.
- Validate outbound firewall changes and baseline server egress.
- Include cross-org coordination plans (legal/comms) because relay traffic can touch partners.
People also ask: could AI have stopped Ink Dragon earlier?
Yes—if it’s deployed against the right signals. AI is most effective here in three places:
- Early foothold detection: spotting exploit-to-web-shell sequences on IIS/SharePoint.
- Identity anomaly detection: token reuse, RDP tunneling patterns, and unusual admin share operations.
- C2 camouflage detection: Graph/Outlook misuse and relay traffic modeling.
No—if AI is just a checkbox. If you’re feeding it low-fidelity logs, or if it’s isolated from your endpoint and identity telemetry, it’ll miss the connective tissue that makes this campaign detectable.
The real lesson: modern defenders need speed and synthesis
Ink Dragon’s strength isn’t only the malware. It’s the workflow: exploit quickly, establish persistence quietly, move laterally with stolen tokens, and blend command traffic into services defenders are reluctant to block.
AI in cybersecurity matters here because it does what humans can’t do at scale: connect weak signals into a clear narrative while the intrusion is still in progress.
If you’re responsible for government or enterprise security, the next step is straightforward: evaluate whether your current program can (1) detect exploit-to-persistence chains on exposed servers, (2) catch identity misuse that still “looks valid,” and (3) identify relay behavior that turns victims into infrastructure.
If it can’t, what would it take to get there before the next ShadowPad-style relay network takes root in your environment?