AI Detection for ShadowPad and FINALDRAFT Attacks

Most security teams still treat state-sponsored intrusions like a “one-and-done” breach: contain the compromised server, remove the malware, close the ticket. Ink Dragon (also tracked as Jewelbug / Earth Alux / REF7707) breaks that mental model.

Check Point’s latest reporting on Ink Dragon shows a relay-centric architecture where your compromised IIS or SharePoint server can become someone else’s command infrastructure. That’s the part that should make CISOs and SOC leaders sit up—especially heading into year-end change freezes and holiday staffing gaps, when attackers know response times slow down.

This post is part of our AI in Cybersecurity series, and I’ll take a firm stance: AI-driven threat detection is no longer “nice to have” for advanced persistent threats (APTs). When adversaries blend into normal enterprise telemetry, reuse platform-native tools, and chain modular implants like ShadowPad and FINALDRAFT, humans alone can’t reliably spot the pattern in time.

What Ink Dragon’s latest campaign tells defenders

Ink Dragon’s campaign is a clear example of an APT operating with disciplined playbooks: compromise edge-facing systems, establish persistence, escalate privileges, then convert victims into relays. The technical details matter because they map directly to what your detection program should be looking for.

The reported intrusion chain commonly includes:

• Initial access via vulnerable internet-exposed web apps (notably IIS and SharePoint)
• Web shells dropped to maintain foothold and stage payloads
• Additional tooling such as Cobalt Strike and custom loaders
• Credential theft and privilege escalation (LSASS dumping, registry hive theft, NTDS.dit exfil)
• Persistence via scheduled tasks and installed services
• Turning compromised servers into a ShadowPad relay network by adjusting firewall rules and proxying C2 traffic

The big shift is architectural: Ink Dragon collapses the boundary between “victim” and “infrastructure.” That means incident response can’t stop at “remove malware on Host A.” You also need to ask, “Did Host A become a relay node for other operations, and if so, what traffic did it proxy?”

Why their tradecraft is hard to catch with traditional rules

Signatures and one-off IoCs age fast against groups like this. Ink Dragon uses:

• Modular components (multiple loaders and utilities rather than a monolithic implant)
• Living-off-the-land behaviors (blending with legitimate admin tools and normal Windows activity)
• Trusted cloud APIs for C2 in some tooling families (e.g., the broader ecosystem includes API-based approaches)

A rule that says “alert on cdb.exe execution” will drown you in noise in some environments and miss the context in others. What you need is behavior plus relationship: which host executed it, after what precursor event, and how does it connect to identity behavior and network flows over time.

ShadowPad and FINALDRAFT: what makes them dangerous

ShadowPad and FINALDRAFT aren’t scary because they’re “new.” They’re scary because they’re operationally mature and built for long-term access.

ShadowPad: the relay problem (not just the backdoor)

ShadowPad is often discussed as a backdoor, but in this campaign the emphasis is on relay infrastructure. Ink Dragon reportedly installed a custom ShadowPad IIS Listener module on compromised servers to:

• Proxy attacker commands and traffic
• Execute commands locally on the IIS host
• Create resilience by chaining relays across multiple victim networks

That’s how a single compromise can become a node in a multi-layered mesh. If you only focus on eradicating the payload on one server, you risk leaving the broader relay chain intact.

FINALDRAFT: mailbox and Graph-based command execution

The newer FINALDRAFT variant described in the reporting is notable for two reasons:

1. Stealthy C2 using business platforms (Outlook mailboxes and the Microsoft Graph API)
2. A modular command framework, where operators push encoded command documents into a mailbox and the implant pulls, decrypts, and executes them

That design can blend into legitimate SaaS activity if you’re only watching perimeter traffic. It also changes what “network-based detection” even means—you’ll need visibility into identity, mailbox access patterns, and Graph API usage.

If your detection strategy assumes attackers must talk to a sketchy IP over port 443, you’re already behind.

Where AI-driven threat detection fits (and why it works here)

AI helps most when the attacker is intentionally trying to look normal. Ink Dragon’s reported tactics—relay chains, modular loaders, platform-native tooling—are exactly the kind of threats that benefit from AI-driven anomaly detection and behavioral correlation.

1) AI correlation beats siloed alerts

A single event is rarely convincing. A good model connects weak signals across domains:

• A SharePoint/IIS server shows unusual ViewState deserialization patterns
• A web shell is created, followed by new scheduled tasks
• The same host runs atypical processes (debuggers/loaders) and then touches LSASS
• Identity logs show credential reuse or lateral movement over RDP tunnels
• Outbound traffic patterns shift as the host begins acting like a proxy/relay

Humans can find this—after the fact. AI can flag the chain earlier by scoring the sequence.

2) Detect “relay behavior” with sequence and graph analytics

Relay-centric intrusions are a graph problem:

• Which hosts are now forwarding traffic for others?
• Which internal systems are “transit points” for authentication or SMB?
• Which compromised servers are used repeatedly across incidents?

AI techniques like entity graph modeling (hosts, identities, services, mailboxes, API tokens) can highlight when a system begins behaving like infrastructure.

A practical detection idea: train models to identify servers whose outbound connections become more diverse and periodic after compromise, especially when paired with abnormal process trees and privilege events.

3) Use AI to reduce response time, not replace responders

For leads-focused organizations, here’s the honest operational truth: buyers don’t want “AI.” They want fewer 3 a.m. escalations and faster containment.

In this scenario, AI is useful for:

• Auto-triage: cluster alerts into a single incident narrative
• Auto-enrichment: map suspicious activity to MITRE-style techniques (credential dumping, persistence)
• Automated containment suggestions: isolate a server, revoke tokens, disable risky legacy auth paths

When Ink Dragon activity is “still ongoing” and impacts “several dozen victims” across regions, speed becomes a control—not a metric.

Practical controls: how to harden against this exact playbook

You don’t need to predict every variant of ShadowPad or FINALDRAFT to reduce risk. You need to remove the footholds and instrument the behaviors.

Reduce initial access: fix the boring IIS/SharePoint stuff

The campaign highlights two recurring initial access paths: mismanaged ASP.NET machine keys enabling ViewState deserialization attacks, and exploitation of SharePoint flaws like ToolShell.

Action checklist:

1. Inventory all internet-exposed IIS/SharePoint (including “temporary” systems)
2. Rotate and securely manage ASP.NET machine keys; eliminate predictable/publicly disclosed keys
3. Patch SharePoint aggressively and validate that mitigations actually applied
4. Add WAF rules and telemetry for anomalous ViewState payload patterns

Stop privilege escalation: protect LSASS and domain secrets

Ink Dragon’s reported escalation includes LSASS dumps and theft of NTDS.dit and registry hives.

Controls that matter:

• Enable Credential Guard where feasible
• Restrict and alert on LSASS access patterns (process lineage matters)
• Monitor and block suspicious reads of \Windows\NTDS\NTDS.dit
• Reduce Domain Admin usage; enforce tiered admin and short-lived privileged sessions

Kill the “idle DA session” risk

One of the most actionable lessons in the reporting is the abuse of a disconnected but not logged-off Domain Admin session, where LSASS likely retained usable material.

Do this:

• Enforce session timeouts and logoff policies for privileged users
• Monitor for disconnected privileged sessions on critical servers
• Use privileged access management that rotates credentials and limits session persistence

Detect Graph and mailbox-based C2

FINALDRAFT’s reported Graph/Outlook C2 changes the monitoring game.

Detection ideas:

• Baseline Graph API calls by application and identity
• Alert on unusual mailbox access patterns from servers that don’t normally access mail
• Correlate Graph activity spikes with endpoint behaviors (new services, scheduled tasks)

AI helps here by learning “normal” SaaS access for your org and flagging deviations that correlate with endpoint compromise.

“People also ask” (quick answers for busy leaders)

What’s the biggest risk from ShadowPad in this campaign?

Your server can become a relay node, proxying attacker traffic across multiple victim networks, which extends the blast radius beyond your environment.

Why is FINALDRAFT harder to catch than classic C2 malware?

Because it can use Outlook and Microsoft Graph API for command delivery, blending into legitimate enterprise SaaS traffic.

What can AI detect that traditional tools miss?

Sequences and relationships: weak signals across endpoint, identity, and cloud logs that only become suspicious when connected as a timeline.

What should we prioritize first?

Patch and harden internet-facing IIS/SharePoint, lock down credential dumping paths, and deploy detection that correlates endpoint + identity + SaaS.

What to do next if you’re worried you’re already a relay

If you run IIS or SharePoint and you’re not actively monitoring for relay behavior, assume you have blind spots. The next step isn’t panic—it’s a structured hunt.

Start with three questions:

1. Which servers had recent web shell indicators or suspicious scheduled tasks?
2. Which servers show unusual outbound proxy-like traffic patterns post-compromise?
3. Which privileged identities had disconnected sessions or abnormal lateral movement?

Then bring AI into the loop where it belongs: correlating evidence across systems and compressing time-to-truth for analysts.

This series is about the practical side of AI in cybersecurity: using it to catch what humans miss when the signal is faint and the noise is loud. Ink Dragon is a textbook case. If an attacker can turn your server into their infrastructure, the question isn’t whether you need better detection—it’s whether your security program can spot the moment your environment stops being a victim and starts being a platform.