Ink Dragon uses ShadowPad and FINALDRAFT to build stealthy relay networks. Learn how AI-driven detection finds APT signals faster in government environments.
AI vs ShadowPad: Detecting Ink Dragon APT Fast
A single compromised IIS or SharePoint server shouldn’t be able to “grow” into a global command-and-control mesh. Yet that’s exactly what researchers are documenting with the China-linked threat cluster commonly tracked as Ink Dragon (also known as Jewelbug, CL-STA-0049, Earth Alux, and REF7707). The group has been hitting government and telecom environments across Europe, Asia, and Africa, and it’s doing it with a disciplined playbook: web-facing server exploitation, stealthy persistence, credential theft, and malware families like ShadowPad and FINALDRAFT.
Here’s the uncomfortable truth: most organizations still try to catch APT activity with defenses optimized for yesterday’s malware—a file dropped on a laptop, a noisy beacon, an obvious signature. Ink Dragon flips that model. It turns your servers into the attacker’s infrastructure, uses your enterprise tools as cover, and pushes commands through normal-looking cloud and email channels.
This post is part of our AI in Defense & National Security series, and it takes a stance: AI-driven cybersecurity isn't optional for government networks anymore. When intrusions are multi-stage, reuse victim infrastructure across organizational boundaries, and blend into daily telemetry, humans alone can't keep up. The win condition is faster detection, tighter containment, and better prioritization, all at machine speed.
What Ink Dragon gets right (and why defenders struggle)
Ink Dragon’s advantage isn’t some mystical “advanced hacking” aura. It’s operational consistency.
This cluster has been observed:
- Exploiting internet-exposed web applications and server-side weaknesses to drop web shells
- Deploying additional tooling (including Cobalt Strike) for command-and-control, discovery, and lateral movement
- Establishing persistence via scheduled tasks and services
- Dumping LSASS and extracting registry hives to move from local admin to domain-wide control
- Abusing server components to create a ShadowPad relay network—turning breached servers into proxy nodes for future operations
The part that should make every public-sector security team pause: Ink Dragon blurs the line between “victim” and “infrastructure.” Once a server is compromised, it can become a stepping stone not just inside your environment, but across other victims.
A breach isn’t just data loss risk. It can become a long-lived platform for someone else’s campaigns.
That’s why this belongs in the defense and national security conversation: APT campaigns increasingly resemble infrastructure-building, not smash-and-grab intrusion.
FINALDRAFT + ShadowPad: a two-layer problem
Two families matter most in this report:
- ShadowPad, a modular backdoor ecosystem often used in long-term espionage operations
- FINALDRAFT, described in the source reporting as a newer evolution of an earlier variant seen by other researchers, including variants that use Outlook and the Microsoft Graph API for command-and-control
For defenders, this creates a layered challenge:
- Initial compromise happens on exposed services (IIS/SharePoint and related weaknesses)
- Persistence becomes resilient and modular (multiple loaders and execution paths)
- C2 blends in with traffic that looks “enterprise-normal” (email, Graph API, relays)
If your detection strategy assumes “find the malware binary,” you’re already behind.
The relay-network tactic changes how incident response should work
The most strategically important idea in the source reporting is the relay-centric architecture: compromised IIS servers can host a custom listener module that helps proxy attacker traffic.
Answer first: When attackers reuse victim servers as relays, you must investigate “where your server is talking” as seriously as “what your server is running.”
Why it matters:
- A compromised server may be used to route commands deeper into your network
- The same server may also be used to proxy traffic into other target environments
- Taking down one node doesn’t end the intrusion if the actor has built a chain of relays
This is one of those moments where traditional, ticket-based SOC operations struggle:
- A web shell alert becomes “patch later.”
- A suspicious scheduled task becomes “reimage after quarter-end.”
- Outbound connections from a server are assumed to be “app dependencies.”
Ink Dragon lives in those gaps.
Practical shift: treat outbound server traffic as a first-class signal
If your environment is heavy on IIS, SharePoint, or other web workloads, outbound connections from web servers should be aggressively baselined and monitored: a web tier has a short, predictable list of places it needs to talk to, and anything outside that list deserves a ticket with an SLA.
Actionable controls that pay off fast:
- Enforce explicit egress allow-lists for server subnets (don’t allow broad outbound internet by default)
- Alert on new destinations and new TLS fingerprints from server workloads
- Flag servers that suddenly behave like middleboxes (proxy-like traffic patterns, unusually diverse destinations)
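The three controls above in working form, as an added example that is not code from the original post or from any of the researchers it cites. It baselines per-host destinations and TLS fingerprints from one window of flow records, then flags egress allow-list violations, new fingerprints, and "fan-out" to many new destinations in a later window. The host names, IP ranges, JA3-style hash labels, the allow-list, and the diversity threshold are all constructed assumptions; in production the records would come from firewall or NetFlow exports.

```python
"""Baseline outbound flows from server subnets and flag relay-like behaviour.

Added example (not from the original post). All flow records, hostnames,
fingerprint labels and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline window: (src_host, dst_ip, dst_port, tls_fingerprint, hour)
# This is what the web tier normally does: an internal API and one update service.
BASELINE_FLOWS = [
    ("web01", "10.20.0.5", 443, "ja3-a1", 0),
    ("web01", "203.0.113.10", 443, "ja3-a1", 1),
    ("web01", "203.0.113.10", 443, "ja3-a1", 2),
    ("web02", "10.20.0.5", 443, "ja3-a1", 0),
    ("web02", "203.0.113.10", 443, "ja3-a1", 3),
]

# Constructed observation window: web02 starts fanning out to many new external
# destinations with a TLS fingerprint it has never used, i.e. it behaves like a
# proxy node rather than a web server. web01 stays on its baseline.
OBSERVED_FLOWS = [
    ("web01", "10.20.0.5", 443, "ja3-a1", 10),
    ("web01", "203.0.113.10", 443, "ja3-a1", 11),
    ("web02", "10.20.0.5", 443, "ja3-a1", 10),
    ("web02", "198.51.100.7", 443, "ja3-b9", 10),
    ("web02", "198.51.100.8", 8443, "ja3-b9", 10),
    ("web02", "192.0.2.44", 443, "ja3-b9", 11),
    ("web02", "192.0.2.45", 443, "ja3-b9", 11),
    ("web02", "192.0.2.46", 443, "ja3-b9", 12),
]

# Assumed explicit egress allow-list for the web tier: internal services plus one vendor range.
EGRESS_ALLOW = [ip_network("10.20.0.0/24"), ip_network("203.0.113.0/24")]

# Assumed threshold: this many previously unseen destinations in one window is "proxy-like".
DIVERSITY_THRESHOLD = 3


def build_baseline(flows):
    """Per-host sets of known (destination, port) pairs and known TLS fingerprints."""
    dests, fingerprints = defaultdict(set), defaultdict(set)
    for host, dst, port, ja3, _ in flows:
        dests[host].add((dst, port))
        fingerprints[host].add(ja3)
    return dests, fingerprints


def egress_allowed(dst):
    """True if the destination falls inside an allow-listed network."""
    return any(ip_address(dst) in net for net in EGRESS_ALLOW)


def score_hosts(baseline_flows, observed_flows):
    """Return {host: [finding, ...]} for hosts whose observed flows break the baseline."""
    dests, fingerprints = build_baseline(baseline_flows)
    new_dests, new_fps, findings = defaultdict(set), defaultdict(set), defaultdict(list)
    for host, dst, port, ja3, _ in observed_flows:
        if not egress_allowed(dst):
            findings[host].append(f"egress-violation {dst}:{port}")
        if (dst, port) not in dests[host]:
            new_dests[host].add((dst, port))
        if ja3 not in fingerprints[host]:
            new_fps[host].add(ja3)
    for host in set(new_dests) | set(new_fps):
        for ja3 in sorted(new_fps[host]):
            findings[host].append(f"new-tls-fingerprint {ja3}")
        if len(new_dests[host]) >= DIVERSITY_THRESHOLD:
            findings[host].append(f"proxy-like-fanout {len(new_dests[host])} new destinations")
    return dict(findings)


if __name__ == "__main__":
    for host, items in score_hosts(BASELINE_FLOWS, OBSERVED_FLOWS).items():
        print(host)
        for item in items:
            print("   ", item)
```

The fan-out rule is the one that matters for relay detection: a single new destination is a patch mirror or a CDN rotation, but a server that grows a handful of new external peers and a new client fingerprint in the same window is behaving like infrastructure, and should be scoped as such rather than closed as "app dependency".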
Where AI actually helps against ShadowPad and FINALDRAFT
AI in cybersecurity gets oversold when it’s pitched as “it will stop breaches.” I don’t buy that framing. What AI does well—when implemented correctly—is narrower and more useful:
AI reduces the time-to-suspicion by correlating weak signals humans miss.
That matters against Ink Dragon because the intrusion is not one loud event. It’s a chain of small, plausibly benign events that only look malicious when connected.
1) AI for anomaly detection across “boring” telemetry
APT actors love boring telemetry: authentication logs, service creation events, mailbox access patterns, scheduled tasks.
AI-driven behavioral baselining can surface:
- A service account that suddenly authenticates at odd hours and touches unusual hosts
- A SharePoint server that starts generating mailbox access patterns inconsistent with its role
- A domain admin token reused in a way that doesn’t match past administrative behavior
This is especially relevant to the report’s note about idle RDP sessions and the likelihood of credential material retained in memory. You can’t prevent every operator mistake in a large enterprise. But you can detect the aftermath faster.
2) AI-assisted investigation: faster root-cause and scoping
Government incident response often fails in a predictable way: teams find a web shell, remove it, and declare victory.
AI-guided triage helps by:
- Clustering related alerts into a single intrusion narrative
- Identifying likely “patient zero” systems based on event ordering
- Suggesting the next artifacts to pull (scheduled tasks, services, IIS modules, suspicious DLL loads, mailbox rule anomalies)
In practice, that means fewer dead ends and faster scoping—exactly what you need when the attacker is building a relay network.
3) AI for high-fidelity detection of “living off the land” abuse
Ink Dragon is described as willing to reuse platform-native tools. That’s not a side note; it’s the main event.
Modern AI detection can model:
- When cdb.exe (the console debugger) is used in a way that looks like loader behavior rather than developer debugging
- When scheduled tasks are created with naming/interval patterns associated with persistence rather than IT automation
- When outbound traffic patterns from IIS hosts resemble C2 proxying
The goal isn’t to flag every use of legitimate tools. It’s to catch tool use that violates role expectations.
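A rule-based sketch of "tool use that violates role expectations", added here as an example and not taken from the original post or any vendor product. It scores cdb.exe executions and scheduled-task creations against an asset inventory: the same command line is benign on a developer workstation and alarming when an IIS worker process spawns it on a web server. The host roles, events, org naming convention, and every heuristic weight are constructed assumptions; the cdb.exe switches referenced (-c, -cf, -p, -o) are real, the rest is illustration.

```python
"""Score use of legitimate tools against the host's expected role.

Added example (not from the original post). Host roles, events and the
heuristics are constructed assumptions, not vendor detection content.
"""
import re

# Assumed asset inventory: host -> role. Role is what turns a neutral event into a finding.
HOST_ROLES = {"dev07": "dev-workstation", "web02": "iis-server", "sp01": "sharepoint-server"}

# Constructed process-creation events (in the spirit of Sysmon EventID 1 / Security 4688).
PROCESS_EVENTS = [
    {"host": "dev07", "parent": "devenv.exe", "image": "cdb.exe",
     "cmdline": "cdb.exe -p 4412 -g -G"},                                  # attach to a pid: dev work
    {"host": "web02", "parent": "w3wp.exe", "image": "cdb.exe",
     "cmdline": "cdb.exe -cf C:\\Windows\\Temp\\s.txt -o notepad.exe"},   # scripted debugger from IIS worker
    {"host": "sp01", "parent": "cmd.exe", "image": "cdb.exe",
     "cmdline": "cdb.exe -c \"g;q\" calc.exe"},                            # scripted commands on a server
]

# Constructed scheduled-task-created events (in the spirit of Security 4698).
TASK_EVENTS = [
    {"host": "web02", "name": "\\Microsoft\\Windows\\WinSvcUpdate", "interval_min": 5,
     "action": "C:\\ProgramData\\svc\\run.exe"},
    {"host": "sp01", "name": "\\IT-Backup-Nightly", "interval_min": 1440,
     "action": "C:\\Program Files\\Backup\\agent.exe"},
]

DEV_ROLES = {"dev-workstation"}
WEB_WORKERS = {"w3wp.exe"}
# Assumed org convention: IT automation is named \IT-<purpose>; anything hidden under the
# built-in \Microsoft\Windows\ folder that the inventory does not know about is suspect.
ORG_TASK_NAME = re.compile(r"^\\IT-[A-Za-z0-9-]+$")
SYSTEM_TASK_PATH = re.compile(r"^\\Microsoft\\Windows\\")
WRITABLE_PATHS = re.compile(r"ProgramData|\\Temp\\|\\Users\\Public\\", re.I)


def score_process(ev):
    """Return (score, reasons) for a process-creation event; 0 means it matches role expectations."""
    reasons = []
    if ev["image"].lower() != "cdb.exe":
        return 0, reasons
    role = HOST_ROLES.get(ev["host"], "unknown")
    if role not in DEV_ROLES:
        reasons.append(f"debugger executed on a {role}")
    if ev["parent"].lower() in WEB_WORKERS:
        reasons.append("spawned by the IIS worker process")
    if re.search(r"\s-cf?\s", ev["cmdline"]):
        reasons.append("scripted debugger commands (-c/-cf): loader-like, not interactive debugging")
    if WRITABLE_PATHS.search(ev["cmdline"]):
        reasons.append("script or payload under a user-writable path")
    return len(reasons), reasons


def score_task(ev):
    """Return (score, reasons) for a scheduled-task creation; 0 means it looks like IT automation."""
    reasons = []
    if SYSTEM_TASK_PATH.match(ev["name"]):
        reasons.append("task hidden under \\Microsoft\\Windows\\")
    elif not ORG_TASK_NAME.match(ev["name"]):
        reasons.append("task name outside the org convention")
    if ev["interval_min"] <= 15:
        reasons.append(f"beacon-like interval of {ev['interval_min']} min")
    if WRITABLE_PATHS.search(ev["action"]):
        reasons.append("action runs from a user-writable path")
    return len(reasons), reasons


def triage(process_events, task_events, threshold=2):
    """Events scoring at or above the threshold, highest first, as (host, kind, score, reasons)."""
    hits = []
    for ev in process_events:
        score, why = score_process(ev)
        if score >= threshold:
            hits.append((ev["host"], "process", score, why))
    for ev in task_events:
        score, why = score_task(ev)
        if score >= threshold:
            hits.append((ev["host"], "task", score, why))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for host, kind, score, why in triage(PROCESS_EVENTS, TASK_EVENTS):
        print(f"{host} {kind} score={score}: " + "; ".join(why))
```

Note what the scoring never does: it never flags cdb.exe on the developer box, even though that host runs the debugger most often. A model, statistical or rule-based, that cannot consult an inventory of roles will either alert on every debugger launch or on none of them.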
A government-ready defense playbook (practical, not theoretical)
Answer first: To defend against Ink Dragon-style intrusions, prioritize exposure reduction, identity hardening, and AI-driven detection across server + identity + cloud telemetry.
Below is a practical checklist you can hand to an engineering lead or SOC manager.
Reduce initial access: patching is table stakes, configuration is the multiplier
Ink Dragon has been observed exploiting web-facing weaknesses and misconfigurations.
Do these this quarter:
- Inventory everything the internet can see: IIS, SharePoint, VPN portals, management consoles
- Kill “unknown ownership” servers: if nobody owns it, it’s an attacker’s favorite
- Harden ASP.NET and SharePoint key management: treat machineKey values as critical identity material, not "app config" (a leaked or reused key lets an attacker forge trusted ViewState, so rotate them and keep them out of source control)
- Web shell containment: deploy file integrity monitoring for web directories, and alert on unexpected ASPX/ASHX changes
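A minimal version of the last control, added here as an example that is not from the original post: snapshot a web root, then diff a later snapshot and rank any new or changed server-side file as a web-shell candidate. The site layout, file contents and the "executable" extension list are constructed; the scenario runs in a temporary directory so it works offline.

```python
"""Snapshot an IIS web root and alert on new or modified server-side files.

Added example (not from the original post): a minimal file-integrity check
for web directories. Paths, contents and the extension list are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS executes or consults server-side. A new or changed file with one of
# these is a web-shell or handler-mapping candidate until proven otherwise (assumed list).
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".dll", ".config"}


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(before, after):
    """Return findings as (kind, relpath, severity); severity is 'high' for executable types."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        severity = "high" if Path(rel).suffix.lower() in EXECUTABLE_EXT else "info"
        if rel not in before:
            findings.append(("created", rel, severity))
        elif rel not in after:
            findings.append(("deleted", rel, severity))
        elif before[rel] != after[rel]:
            findings.append(("modified", rel, severity))
    return findings


def demo():
    """Constructed scenario: baseline a site, then simulate post-exploitation file drops."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "bin").mkdir()
        (site / "default.aspx").write_text("placeholder page")
        (site / "web.config").write_text("<configuration/>")
        (site / "logo.png").write_bytes(b"\x89PNG")
        baseline = snapshot(site)
        # Simulated attacker activity (placeholder contents, not a real shell):
        # a new handler file, a changed web.config, and an unrelated new image.
        (site / "bin" / "x.ashx").write_text("placeholder handler")
        (site / "web.config").write_text("<configuration><system.webServer/></configuration>")
        (site / "banner.png").write_bytes(b"\x89PNG2")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, rel, severity in demo():
        print(f"[{severity}] {kind}: {rel}")
```

Two practical notes: hash the IIS configuration files and module directories alongside the content root, because a handler mapping added to web.config is as much a web shell as a dropped .aspx; and alert on the event, not on a nightly report, since the gap between "file created" and "someone looked" is exactly where a relay node gets built.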
Contain lateral movement: fix the identity layer you’ve been postponing
This actor's intrusion chain is built on credential access and domain escalation: LSASS dumps and registry hive extraction are how a foothold on one web server becomes domain-wide control.
High-impact steps:
- Enforce credential guard / LSASS protections where feasible
- Reduce domain admin use; adopt just-in-time admin for privileged operations
- Alert on NTDS.dit access patterns and admin share writes from non-standard hosts
- Detect and remediate stale RDP sessions on high-value servers (automated logoff policies)
Break relay networks: egress controls + AI correlation
If compromised servers are turned into relays, you need controls that prevent “infrastructure behavior.”
Implement:
- Server egress segmentation (different app tiers, different outbound rules)
- DNS logging with detection for newly observed domains contacted by server subnets
- AI correlation rules that join:
- IIS module changes
- new services/scheduled tasks
- unusual outbound patterns
- suspicious mailbox/Graph activity
If you can connect those four signals in hours (not weeks), the actor’s operational model starts to collapse.
“People also ask” (the questions leaders bring to the room)
Is AI detection reliable enough for APTs?
Yes—if you scope it correctly. AI is most reliable when it’s used for prioritization and correlation, not as a single yes/no gate that blocks traffic. Treat it as an analyst multiplier.
Why do APTs use Microsoft Graph or Outlook for C2?
Because defenders often allow-list and trust those channels. It's harder to distinguish malicious use from normal business operations unless you analyze behavioral patterns across identity, endpoint, and cloud logs.
What’s the fastest win for government networks?
Tighten server egress, harden privileged identity, and deploy AI-backed correlation that can tell a coherent story across IIS + authentication + cloud access. Those three together cut dwell time dramatically.
The bigger point for AI in Defense & National Security
Ink Dragon’s playbook is a reminder that national security cybersecurity isn’t just about blocking malware. It’s about preventing your environment from becoming someone else’s operational platform.
AI-driven cybersecurity helps because it’s built for the reality defenders face: too many logs, too many small signals, too few experienced analysts, and adversaries who don’t need noisy exploits to win.
If you’re responsible for government or critical infrastructure security, here’s a useful next step: pressure-test your detection program against a relay-network scenario. Assume one IIS/SharePoint host is quietly proxying traffic. How quickly can you spot it? How confidently can you scope it? How fast can you cut it off without breaking mission systems?
That question tends to separate “we have tools” from “we can actually defend.”