Ink Dragon’s ShadowPad/FINALDRAFT playbook shows why AI-driven threat detection matters. Learn the signals, risks, and a practical SOC plan.

AI vs ShadowPad: Detecting Ink Dragon Intrusions
A single compromised IIS or SharePoint server can now do double duty: it’s your infrastructure, and it’s their command network. That’s the uncomfortable lesson from the latest reporting on the China-aligned cluster variously tracked as Ink Dragon / Jewelbug / CL-STA-0049 / Earth Alux / REF7707—an actor that’s been active since at least 2023 and has increasingly focused on European government targets since July 2025.
What makes this campaign worth studying isn’t just the malware names (ShadowPad, FINALDRAFT). It’s the architecture: attackers turning breached servers into a relay mesh that routes command-and-control across victim environments, blurring the line between “breach” and “infrastructure.” If your security program is still built around static indicators and perimeter-only thinking, you’re playing the wrong sport.
This post is part of our AI in Cybersecurity series, and I’m going to take a clear stance: AI-driven threat detection and behavioral analysis aren’t optional anymore for government and enterprise SOCs—they’re the practical way to keep up when attackers hide inside normal admin activity, cloud APIs, and “legitimate” server traffic.
What Ink Dragon’s campaign tells us about modern APTs
Ink Dragon’s operational model is simple to describe and painful to defend against: gain access through exposed enterprise services, establish stealthy persistence, harvest credentials, then repurpose systems as stepping stones for future operations.
The reported activity shows a repeatable chain that defenders should recognize:
- Initial access via vulnerable, internet-exposed web applications (notably IIS/SharePoint paths)
- Web shells to maintain an interactive foothold
- Follow-on payloads for command-and-control, discovery, lateral movement, and data theft (including well-known tools like Cobalt Strike)
- Credential theft and privilege escalation, including LSASS dumping and domain database theft
- Persistence through scheduled tasks, services, and multi-stage loaders
- Relay infrastructure built from compromised IIS servers (ShadowPad listener modules turning victims into C2 proxies)
The reality? This is what a disciplined APT looks like in 2025: not one magic backdoor, but a toolkit and a playbook.
Why the “relay mesh” design changes the defense game
The most consequential detail is the use of compromised IIS servers as ShadowPad relay nodes. In plain terms:
A breach in one organization can become a stealthy transit point to operate against other organizations.
This creates three defensive problems at once:
- Attribution and tracking get harder because traffic appears to originate from legitimate organizations.
- Eradication gets harder because removing a single implant doesn’t dismantle the operator’s broader routing chain.
- Detection gets harder because relays can make attacker traffic look like “normal” web/server communication.
If your SOC measures success by “we blocked known bad domains” or “EDR didn’t alert,” you can still lose—quietly.
ShadowPad + FINALDRAFT: why signature-based detection falls behind
ShadowPad and FINALDRAFT aren’t scary because they’re exotic. They’re scary because they’re built to survive enterprise defenses through modularity, memory execution, and abuse of trusted services.
Ink Dragon has been tied to multiple components and loaders, including:
- ShadowPad loader/core module, decrypted and executed in memory
- CDBLoader, using Microsoft’s cdb.exe debugger to execute shellcode and load encrypted payloads
- Credential dumping tooling (e.g., LSASS dump components)
- FINALDRAFT (an evolved variant of earlier tooling described as VARGEIT), used for remote administration and command execution
The reported FINALDRAFT evolution matters: “newer, more advanced,” with enhanced stealth and higher exfiltration throughput. Translation: the actor is optimizing for (1) staying hidden and (2) stealing more, faster.
Cloud APIs as C2: the part defenders underestimate
One of the most defender-hostile patterns in this cluster is abuse of legitimate APIs for command-and-control—specifically Outlook and Microsoft Graph workflows where operators push encoded command documents into a mailbox, and the implant pulls and executes them.
That causes a predictable SOC failure mode:
- Security teams see “Microsoft 365 activity” and assume it’s benign.
- Network controls see “Microsoft endpoints” and allow it.
- Legacy detections miss it because there’s no obviously malicious domain or weird port.
This is exactly where AI-powered anomaly detection earns its keep: it can model normal mailbox/API access patterns (per user, per host, per service account) and flag the odd combinations that humans rarely spot in time.
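Added example (not code from the post) of one such pattern: the constructed events below put a service account reading a mailbox from an IIS host on a 300-second timer, and the code flags timer-like access cadence plus principal/client pairs absent from a baseline. The event schema, names, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed mailbox-access events (not from the post): (time, principal, client_ip, operation).
# alice reads mail by hand during the day; svc-reports reads one mailbox from an IIS host every ~300 s at 02:00.
EVENTS = [
    ("2025-11-10 09:00:00", "alice@example.gov", "10.2.0.11", "MailItemsAccessed"),
    ("2025-11-10 09:17:42", "alice@example.gov", "10.2.0.11", "MailItemsAccessed"),
    ("2025-11-10 11:03:05", "alice@example.gov", "10.2.0.11", "MailItemsAccessed"),
    ("2025-11-10 14:48:31", "alice@example.gov", "10.2.0.11", "MailItemsAccessed"),
    ("2025-11-10 16:20:00", "alice@example.gov", "10.2.0.11", "MailItemsAccessed"),
    ("2025-11-10 02:00:00", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
    ("2025-11-10 02:05:01", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
    ("2025-11-10 02:10:00", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
    ("2025-11-10 02:15:02", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
    ("2025-11-10 02:19:59", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
    ("2025-11-10 02:25:00", "svc-reports@example.gov", "10.0.0.55", "MailItemsAccessed"),
]
# Constructed 30-day baseline of (principal, client_ip) pairs; svc-reports normally runs from 10.0.0.60.
KNOWN_PAIRS = {("alice@example.gov", "10.2.0.11"), ("svc-reports@example.gov", "10.0.0.60")}

def cadence(times):
    """Mean gap and coefficient of variation of the gaps between events (None if < 3 events).
    Human mailbox use has ragged gaps (cv near or above 1); an implant polling on a timer is near 0."""
    ts = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or sum(gaps) == 0:
        return None
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean

def flag_mailbox_polling(events, known_pairs, min_events=5, max_cv=0.1):
    """Return [((principal, client_ip), [reasons])] for timer-like or never-seen mailbox access."""
    by_pair = defaultdict(list)
    for t, who, ip, op in events:
        if op == "MailItemsAccessed":
            by_pair[(who, ip)].append(t)
    findings = []
    for pair, times in by_pair.items():
        reasons, c = [], cadence(times)
        if len(times) >= min_events and c and c[1] <= max_cv:
            reasons.append(f"{len(times)} reads at ~{c[0]:.0f}s intervals (cv={c[1]:.3f}), timer-like")
        if pair not in known_pairs:
            reasons.append("principal/client pair absent from 30-day baseline")
        if reasons:
            findings.append((pair, reasons))
    return findings
```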
Three signs your environment might be hosting a ShadowPad relay
You rarely catch campaigns like this by finding a single “bad file hash.” You catch them by spotting behavior that doesn’t fit. Here are three practical signals defenders can operationalize.
1) IIS/SharePoint hosts suddenly behaving like network brokers
If a server that should mostly serve internal apps starts showing patterns consistent with proxying—new outbound connections, unusual destination diversity, or traffic bursts at odd hours—treat it as a potential relay.
What to look for:
- New or increased outbound traffic from IIS servers that historically had limited egress
- Connections that resemble “hop” behavior (server-to-server chaining)
- Repeated short sessions to many destinations (mesh-like routing)
AI helps here by baselining “normal” for each server role. A finance SharePoint server should not look like an egress gateway.
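As an added illustration (not code from the post), here is a minimal per-server egress baseline over constructed flow records: it learns each host's known destinations and busiest-day destination count, then flags a host whose observed day shows far more distinct destinations, mostly never-seen ones, in short hop-like sessions. Hostnames, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the post): (day, src_host, dst_ip, dst_port, duration_s).
# Baseline week: the SharePoint front end only talks to SQL, LDAP and one internal API.
BASELINE_FLOWS = [
    ("2025-11-03", "sp-web-01", "10.0.0.20", 1433, 120),
    ("2025-11-03", "sp-web-01", "10.0.0.30", 389, 45),
    ("2025-11-04", "sp-web-01", "10.0.0.20", 1433, 110),
    ("2025-11-05", "sp-web-01", "10.0.0.30", 389, 50),
    ("2025-11-06", "sp-web-01", "10.0.0.40", 443, 60),
    ("2025-11-06", "sp-web-02", "10.0.0.20", 1433, 90),
]
# Observation day: 02:00 burst of short sessions to never-seen hosts from sp-web-01 only.
OBSERVED_FLOWS = [
    ("2025-11-10", "sp-web-01", "10.0.0.20", 1433, 100),
    ("2025-11-10", "sp-web-01", "203.0.113.7", 443, 3),
    ("2025-11-10", "sp-web-01", "198.51.100.9", 443, 2),
    ("2025-11-10", "sp-web-01", "192.0.2.15", 8443, 4),
    ("2025-11-10", "sp-web-01", "10.1.5.22", 443, 3),
    ("2025-11-10", "sp-web-01", "10.1.5.23", 443, 2),
    ("2025-11-10", "sp-web-02", "10.0.0.20", 1433, 95),
]

def build_baseline(flows):
    """Per host: (set of known (dst, port) pairs, distinct destinations on the busiest single day)."""
    known, per_day = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for day, host, dst, port, _ in flows:
        known[host].add((dst, port))
        per_day[host][day].add((dst, port))
    return {h: (known[h], max(len(s) for s in per_day[h].values())) for h in known}

def score_egress(obs, baseline, short_s=5, mult=2):
    """Return {host: [reasons]} for hosts whose egress looks like relay/broker behaviour."""
    by_host, findings = defaultdict(list), {}
    for f in obs:
        by_host[f[1]].append(f)
    for host, fl in by_host.items():
        known, max_daily = baseline.get(host, (set(), 0))
        seen = {(f[2], f[3]) for f in fl}
        new, short = seen - known, sum(1 for f in fl if f[4] <= short_s)
        reasons = []
        if len(seen) > mult * max(max_daily, 1):
            reasons.append(f"{len(seen)} distinct destinations vs baseline max {max_daily}")
        if new and len(new) / len(seen) >= 0.5:
            reasons.append(f"{len(new)} never-seen destinations")
        if short / len(fl) >= 0.5:
            reasons.append(f"{short}/{len(fl)} sessions under {short_s}s (hop-like chaining)")
        if reasons:
            findings[host] = reasons
    return findings
```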
2) ViewState deserialization and machine key abuse patterns
Ink Dragon has been reported using predictable or mismanaged ASP.NET machine keys to perform ViewState deserialization attacks against vulnerable IIS and SharePoint servers.
What to look for:
- Repeated failed/suspicious requests targeting ASP.NET ViewState parameters
- Signs of tampered ViewState payloads or atypical parameter lengths
- Post-exploitation artifacts: unusual modules, new listeners, or unexpected changes in IIS configuration
AI-based web analytics can reduce noise by clustering “normal” request patterns and highlighting payload outliers that don’t match typical application usage.
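Added example, not from the post: two of the checks above run over constructed IIS W3C-style log lines, a robust per-path request-size outlier test (median/MAD) for oversized ViewState POSTs and a detector for bursts of 5xx responses from one client on one path. The field layout, the paths and the assumption that a rejected ViewState surfaces as a 5xx are mine, not the post's.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C-style lines (not from the post). Assumed fields:
# date time cs-method cs-uri-stem c-ip sc-status cs-bytes (request size, i.e. the ViewState POST body).
IIS_LOG = """\
2025-11-10 08:00:01 POST /_layouts/15/start.aspx 10.2.0.11 200 3100
2025-11-10 08:00:09 POST /_layouts/15/start.aspx 10.2.0.12 200 2950
2025-11-10 08:01:15 POST /_layouts/15/start.aspx 10.2.0.13 200 3050
2025-11-10 08:02:40 POST /_layouts/15/start.aspx 10.2.0.14 200 3000
2025-11-10 03:12:01 POST /_layouts/15/start.aspx 198.51.100.9 500 2990
2025-11-10 03:12:02 POST /_layouts/15/start.aspx 198.51.100.9 500 3010
2025-11-10 03:12:03 POST /_layouts/15/start.aspx 198.51.100.9 500 3020
2025-11-10 03:12:20 POST /_layouts/15/start.aspx 198.51.100.9 200 71400
"""
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(log):
    """W3C lines -> dicts; lines that do not match (headers, comments) are skipped."""
    return [{"t": t, "method": m, "path": p, "ip": ip, "status": int(s), "bytes": int(b)}
            for t, m, p, ip, s, b in (x.groups() for x in map(LINE.match, log.splitlines()) if x)]

def size_outliers(rows, k=5.0):
    """Requests more than k MADs above the median size for their method+path (robust to the outlier itself)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["method"], r["path"])].append(r["bytes"])
    def mad_score(r):
        sizes = groups[(r["method"], r["path"])]
        med = statistics.median(sizes)
        mad = statistics.median(abs(s - med) for s in sizes) or 1
        return (r["bytes"] - med) / mad
    return [r for r in rows if mad_score(r) > k]

def failure_bursts(rows, min_fail=3, window_s=60):
    """(client, path) pairs with >= min_fail 5xx responses inside window_s seconds.
    Assumption for these constructed logs: a rejected ViewState surfaces as a 5xx."""
    hits = defaultdict(list)
    for r in rows:
        if 500 <= r["status"] < 600:
            hits[(r["ip"], r["path"])].append(datetime.strptime(r["t"], "%Y-%m-%d %H:%M:%S"))
    bursts = {}
    for key, ts in hits.items():
        ts.sort()
        if any((ts[i + min_fail - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - min_fail + 1)):
            bursts[key] = len(ts)
    return bursts
```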
3) Credential theft followed by “quiet admin” lateral movement
One of the most damaging steps described is attackers obtaining SYSTEM access, extracting credentials/tokens, and then performing authenticated operations like SMB writes and domain database exfiltration.
What to look for:
- LSASS access/dumps followed by administrative share writes (C$, ADMIN$)
- Unusual RDP tunneling behavior or RDP session anomalies
- NTDS.dit access patterns or registry hive extraction events
AI-driven behavioral analytics can correlate these actions across time: the sequence is the signal.
How AI-driven detection actually helps against campaigns like this
“Use AI” is meaningless advice unless it maps to specific detections and response decisions. Here’s where AI-driven security operations consistently outperforms manual rules for Ink Dragon–style intrusions.
Behavioral baselines beat static rules
Static rules fail when:
- attackers rotate infrastructure,
- use legitimate binaries,
- or blend into admin workflows.
AI-based user and entity behavior analytics (UEBA) can baseline:
- normal IIS server egress,
- normal admin tool usage,
- normal mailbox/Graph API patterns,
- normal lateral movement paths.
Then it flags the deviations that matter. Not every deviation—just the ones that form an attacker-shaped story.
Cross-domain correlation is the real win
Ink Dragon’s chain spans domains that are often monitored separately:
- web logs (IIS/SharePoint)
- endpoint telemetry (EDR)
- identity events (AD/M365)
- network flows
AI helps by connecting weak signals:
- A suspicious ViewState request +
- a new IIS module +
- odd outbound connections +
- an unusual mailbox access pattern
Individually, those might not trip severity thresholds. Together, they’re a credible incident.
Automated response buys time when the attacker is fast
These campaigns don’t wait for your Monday triage queue. For high-confidence detections, AI-assisted workflows should trigger immediate guardrails:
- isolate the suspected relay host (temporarily, with break-glass options)
- block new outbound destinations from server subnets pending review
- force credential resets for accounts tied to suspicious sessions
- snapshot and preserve forensic artifacts before attackers clean up
Automation isn’t about replacing analysts. It’s about stopping the bleeding early.
A practical defense plan for government and enterprise SOCs
If you’re responsible for defending public-sector or large enterprise environments, focus on reducing the exact advantages Ink Dragon is exploiting.
Step 1: Treat IIS/SharePoint as tier-0-ish assets
Internet-exposed collaboration and web platforms are a favorite entry point because they’re complex and often patched late.
Do these three things:
- Put tight egress controls on IIS/SharePoint servers (default deny outbound where feasible)
- Enforce rapid patch SLAs for externally exposed services
- Continuously validate ASP.NET machine key hygiene (no reused/predictable keys across environments)
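Added example for the machine key check (not from the post): an audit over constructed web.config fragments that reports keys shared across servers or environments, validation keys shorter than ASP.NET's documented 40-character minimum, and legacy validation/decryption algorithms. Server names and key values are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments, one per server (not from the post). Key values are placeholders.
K_PROD = "0123456789ABCDEF" * 8          # 128 hex chars = 64-byte validationKey
D_PROD = "FEDCBA9876543210" * 4          # 64 hex chars = 32-byte AES decryptionKey
K_SHORT = "DEADBEEF" * 4                 # 32 hex chars: below ASP.NET's 40-char minimum
CONFIGS = {
    "prod-sp-web-01": f'<configuration><system.web><machineKey validationKey="{K_PROD}" '
                      f'decryptionKey="{D_PROD}" validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
    # Same keys copied into the test farm: anyone holding the test key can also mint valid ViewState for prod.
    "test-sp-web-01": f'<configuration><system.web><machineKey validationKey="{K_PROD}" '
                      f'decryptionKey="{D_PROD}" validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
    "prod-iis-portal": f'<configuration><system.web><machineKey validationKey="{K_SHORT}" '
                       f'decryptionKey="{D_PROD[:32]}" validation="SHA1" decryption="3DES"/></system.web></configuration>',
}

WEAK_VALIDATION = {"SHA1", "MD5"}
WEAK_DECRYPTION = {"DES", "3DES"}

def machine_key(xml_text):
    """Return the attributes of <system.web><machineKey>, or {} when it is absent."""
    node = ET.fromstring(xml_text).find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}

def audit_machine_keys(configs):
    """Return {server: [findings]} for reused, short or weak-algorithm machine keys."""
    findings, owners = defaultdict(list), defaultdict(set)
    for server, xml_text in configs.items():
        mk = machine_key(xml_text)
        if not mk:
            continue  # auto-generated per machine; nothing to compare across servers
        for attr in ("validationKey", "decryptionKey"):
            owners[(attr, mk.get(attr))].add(server)
        if mk.get("validation", "").upper() in WEAK_VALIDATION:
            findings[server].append(f"validation={mk['validation']} is a legacy algorithm")
        if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
            findings[server].append(f"decryption={mk['decryption']} is a legacy algorithm")
        if len(mk.get("validationKey", "")) < 40:
            findings[server].append("validationKey shorter than 40 hex chars")
    for (attr, value), servers in owners.items():
        if value and len(servers) > 1:
            for server in servers:
                findings[server].append(f"{attr} shared with {sorted(servers - {server})}")
    return dict(findings)
```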
Step 2: Instrument for “sequence detection,” not just alerts
Most teams alert on isolated events. Ink Dragon wins by chaining them.
Build detections that explicitly look for sequences like:
- Web exploitation signal → web shell behavior
- Privilege escalation → credential dumping
- Lateral movement → domain database access
- New persistence → unusual egress
This is a perfect fit for AI-assisted correlation because it reduces alert fatigue while increasing confidence.
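Added example (not the post's code) that serves the sequences listed here, the cross-domain correlation section above and the credential-theft-then-lateral-movement sign: a small in-order chain matcher over constructed, already-normalized events from IIS, EDR, AD and netflow sources. Event type names, the 6-hour window and the 3-of-5 threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The chain from the post, as ordered stages; each stage lists the normalized event types that satisfy it.
CHAIN = [
    ("web_exploit", {"viewstate_anomaly"}),
    ("web_shell", {"w3wp_spawned_shell", "new_iis_module"}),
    ("cred_theft", {"lsass_access", "ntds_access"}),
    ("lateral", {"admin_share_write", "rdp_tunnel"}),
    ("egress", {"new_outbound_dest"}),
]

# Constructed, already-normalized events from four telemetry sources (not from the post):
# (time, entity, source, event_type)
EVENTS = [
    ("2025-11-10 03:12:20", "sp-web-01", "iis", "viewstate_anomaly"),
    ("2025-11-10 03:13:05", "sp-web-01", "edr", "w3wp_spawned_shell"),
    ("2025-11-10 03:40:11", "sp-web-01", "edr", "lsass_access"),
    ("2025-11-10 04:02:44", "sp-web-01", "ad", "admin_share_write"),
    ("2025-11-10 04:10:00", "sp-web-01", "netflow", "new_outbound_dest"),
    ("2025-11-10 09:30:00", "fs-01", "edr", "lsass_access"),  # isolated pair: e.g. a backup agent
    ("2025-11-10 09:31:00", "fs-01", "ad", "admin_share_write"),
]

def match_chain(events, chain=CHAIN, window=timedelta(hours=6), min_stages=3):
    """Per entity, match chain stages in order (later stages may be skipped but never revisited)
    inside a window that opens at the first matched stage. Returns {entity: (score, matched)}
    for entities reaching min_stages; score is matched stages / total stages."""
    by_entity = defaultdict(list)
    for t, ent, src, typ in events:
        by_entity[ent].append((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), src, typ))
    findings = {}
    for ent, evs in by_entity.items():
        next_stage, matched, opened = 0, [], None
        for ts, src, typ in sorted(evs):
            if opened and ts - opened > window:
                break
            for i in range(next_stage, len(chain)):
                if typ in chain[i][1]:
                    matched.append((chain[i][0], src, ts.strftime("%H:%M:%S")))
                    next_stage, opened = i + 1, opened or ts
                    break
        if len(matched) >= min_stages:
            findings[ent] = (len(matched) / len(chain), matched)
    return findings
```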
Step 3: Hunt for relay behavior as a first-class use case
Make “are we a node?” a standard hunt question.
- Review server egress baselines monthly
- Identify internal systems behaving like proxies
- Look for unexpected traffic paths between victim networks or business units
A mature SOC assumes it’s not just being attacked—it’s being used.
Where this fits in the AI in Cybersecurity series
Our series has a consistent theme: attackers are scaling through automation and stealth, so defenders need automation with judgment—AI-driven detection, prioritization, and response built around how intrusions really unfold.
Ink Dragon is a clean example of why. Their success relies on defenders treating server logs, identity telemetry, endpoint behavior, and “normal Microsoft traffic” as separate worlds. AI-powered security operations works when it treats them as one story.
If you’re assessing your 2026 security roadmap right now—budget cycles, staffing plans, tooling renewals—ask a blunt question: Can your SOC detect an APT that uses your servers as their infrastructure while hiding inside trusted APIs? If the answer is “not confidently,” that’s the gap to close next.