AI-driven threat detection is key to stopping Ink Dragon’s ShadowPad and FINALDRAFT relay attacks. Learn practical defenses for governments and enterprises.

AI vs ShadowPad: Stopping Ink Dragon Relay Attacks
A single compromised SharePoint or IIS server can now become more than “one more incident.” In the Ink Dragon campaign, breached servers were repurposed into relay nodes—infrastructure that helps attackers pivot, hide, and persist across multiple victim networks. That shift matters for defense and national security because it breaks a comfortable assumption: that a breach is contained to one organization’s perimeter.
Ink Dragon (also tracked under names like Jewelbug, CL-STA-0049, Earth Alux, and REF7707) has been linked to government targeting across Europe since mid-2025, alongside activity in Southeast Asia, South America, and parts of Africa. The campaign blends exploitation of internet-facing services, stealthy persistence, and platform-native telemetry camouflage—plus two familiar names for defenders: ShadowPad and FINALDRAFT.
Here’s the stance I’ll take: traditional, rules-first detection is not enough for this threat model. When victims become the attacker’s routing layer, you need AI-driven threat detection that can connect weak signals across identity, endpoint, email, and network—fast enough to stop lateral movement while it’s still reversible.
What Ink Dragon changes: the “victim-as-infrastructure” model
Ink Dragon’s key innovation isn’t just malware quality; it’s the architecture. The group has been observed turning compromised IIS and SharePoint servers into a ShadowPad relay network, proxying commands and traffic through legitimate-looking enterprise hosts.
That design delivers three hard problems for defenders:
- Attribution of traffic becomes messy. Your logs show traffic to a “normal” server (because it’s your server). The real command infrastructure is effectively inside victims.
- Takedown doesn’t scale. Shutting down one node doesn’t remove the relay chain.
- Detection requires correlation, not signatures. Each stage can look benign in isolation (scheduled tasks, service installs, RDP sessions, mailbox activity).
In the AI in Defense & National Security series, this is the pattern to watch: state-aligned operations increasingly use enterprise systems as dual-purpose assets—both targets and operational platforms. Cyber defense has to behave more like intelligence analysis: building a coherent story from fragments.
The tactical blend: exploitation + native tooling
Ink Dragon’s intrusion chains (as publicly described by researchers) reflect a consistent playbook:
- Exploit vulnerable internet-exposed web apps to drop web shells
- Use post-exploitation frameworks (e.g., beaconing for C2) to enable discovery and lateral movement
- Establish persistence with scheduled tasks and services
- Harvest credentials via LSASS dumping and registry hive extraction
- Modify host firewall rules to permit outbound traffic and convert hosts into relays
Most companies get this wrong: they treat each of these as separate detection problems owned by separate teams. Ink Dragon wins in the seams.
ShadowPad and FINALDRAFT: why these tools are difficult to catch
ShadowPad is well-known in cyber espionage circles because it supports modular, stealthy operations. FINALDRAFT (also described as a cross-platform remote administration capability, with newer variants emphasizing stealth and higher exfiltration throughput) introduces a particularly annoying twist: commanding via trusted cloud and enterprise channels.
ShadowPad: persistence and relays, not just “a backdoor”
ShadowPad isn’t interesting because it’s “malware.” It’s interesting because it’s an operations framework.
In this campaign, a custom IIS Listener module is used to embed ShadowPad functionality into compromised servers. That turns a web server into:
- A command proxy (relay)
- A staging point for payloads
- A reconnaissance platform
A practical detection implication: the same host plays multiple roles (web server + relay + staging). AI models trained to understand normal role behavior can flag when a server starts acting like a router or C2 broker.
FINALDRAFT: mailbox-driven command execution
FINALDRAFT has been described as using encoded command documents pushed into a victim mailbox, which the implant pulls, decrypts, and executes.
That’s a direct collision with how modern enterprises work:
- Mailbox access is common.
- API-driven workflows are normal.
- Security teams are flooded with “impossible travel” and MFA noise.
If you’re defending governments or critical infrastructure, you can’t afford an approach that only alerts on known indicators. You need behavioral patterns: who accessed which mailbox, from where, followed by what endpoint actions.
Where AI-driven threat detection actually helps (and where it doesn’t)
AI in cybersecurity gets oversold when it’s presented as magic. The reality? It’s simpler than people think.
AI helps when the attacker’s advantage comes from volume, ambiguity, and multi-step chaining—exactly what Ink Dragon is doing.
AI excels at correlation across “weak signals”
Ink Dragon’s tradecraft creates lots of weak signals:
- A SharePoint server suddenly authenticating to new internal services
- RDP tunneling that doesn’t match admin workflow baselines
- A scheduled task name that looks normal but appears on atypical hosts
- A mailbox receiving structured blobs at odd intervals
- Outbound traffic that’s low-volume but unusually regular
A human analyst can connect this, but not quickly enough across dozens of victims, thousands of endpoints, and multiple identity providers.
An AI-driven threat detection pipeline can:
- Build entity behavior baselines (server roles, admin patterns, mailbox access norms)
- Use graph analytics to identify relay-like behavior (host A becomes a hub)
- Score sequences (exploit → web shell → service install → credential dump → SMB admin shares)
- Prioritize incidents by likely blast radius (domain controller proximity, privileged token exposure)
A snippet-worthy way to say it: AI doesn’t “find malware.” It finds stories that don’t add up.
AI does not replace hardening and patching
Ink Dragon’s initial access methods include exploitation of public-facing services and known weaknesses (including mismanaged server configurations). AI won’t save you if:
- Internet-facing SharePoint/IIS is unpatched
- Administrative sessions are left idle
- Credential hygiene is weak (token exposure, NTLM fallbacks, poor segmentation)
The best outcomes come from combining prevention (patching, hardening) with AI-driven detection (correlation, automation).
A practical defense plan for ShadowPad-style relay networks
If you’re responsible for national security systems, government networks, or enterprises supporting critical services, treat relay-centric intrusions as a distinct class of incident.
1) Make your IIS/SharePoint footprint boring
Answer first: reduce the attack surface attackers love.
Do this:
- Inventory every internet-facing IIS/SharePoint instance (including forgotten staging boxes)
- Remove unused applications, endpoints, and legacy auth paths
- Enforce strict config management for ASP.NET and SharePoint settings
- Segment these servers so they can’t “see” the crown jewels by default
This matters because Ink Dragon thrives on “just one exposed server” becoming a beachhead.
2) Detect “server role drift” with AI baselines
Answer first: a web server shouldn’t behave like a relay node.
AI-driven analytics should flag when a server:
- Starts initiating unusual outbound connections (especially to many internal hosts)
- Becomes a traffic broker (hub-and-spoke patterns)
- Runs unexpected child processes tied to admin tooling or debugging utilities
- Creates services/scheduled tasks that don’t match the golden image
If you only monitor for known bad domains or hashes, you’ll miss the moment the relay is born.
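The two ideas above, behavior baselines per server role (the "AI excels at correlation" list) and flagging "server role drift" when a web server starts brokering traffic between zones, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any vendor product it discusses; the host inventory, role baselines and flow records are constructed, and the hostnames, zones and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed per-role baseline (assumption): which destination roles a server of
# that role normally initiates connections to, and how many distinct hosts it reaches.
ROLE_BASELINE = {
    "web": {"allowed_dst_roles": {"db"}, "max_distinct_dst": 2},
    "db": {"allowed_dst_roles": set(), "max_distinct_dst": 0},
    "file": {"allowed_dst_roles": set(), "max_distinct_dst": 0},
    "workstation": {"allowed_dst_roles": {"web", "file"}, "max_distinct_dst": 10},
}

# Constructed host inventory (assumption): host -> (role, network zone).
INVENTORY = {
    "sp-web-01": ("web", "dmz"),
    "hr-app-02": ("web", "corp"),
    "sql-01": ("db", "data"),
    "fs-01": ("file", "corp"),
    "ws-142": ("workstation", "user"),
    "ws-207": ("workstation", "user"),
}

# Constructed netflow-style records: (src, dst, dst_port). The port is kept for
# analyst context only; the scoring below works on who initiates to whom.
FLOWS = [
    ("ws-142", "sp-web-01", 443),
    ("ws-207", "sp-web-01", 443),
    ("sp-web-01", "sql-01", 1433),       # normal: web tier talks to its database
    ("ws-142", "fs-01", 445),
    ("ws-207", "hr-app-02", 443),
    # role drift: the DMZ web server starts fanning out into corp and data zones
    ("sp-web-01", "fs-01", 445),
    ("sp-web-01", "hr-app-02", 445),
    ("sp-web-01", "sql-01", 445),
]


def build_graph(flows):
    """Directed adjacency: out_edges[src] = hosts it initiated to, in_edges[dst] = hosts that reached it."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for src, dst, _port in flows:
        out_edges[src].add(dst)
        in_edges[dst].add(src)
    return out_edges, in_edges


def role_drift(host, out_edges):
    """Reasons the host's outbound behaviour violates the baseline for its role (empty list = no drift)."""
    role, _zone = INVENTORY[host]
    baseline = ROLE_BASELINE[role]
    dsts = out_edges.get(host, set())
    reasons = []
    off_baseline = sorted(d for d in dsts if INVENTORY[d][0] not in baseline["allowed_dst_roles"])
    if off_baseline:
        reasons.append(f"outbound to roles outside baseline: {off_baseline}")
    if len(dsts) > baseline["max_distinct_dst"]:
        reasons.append(f"{len(dsts)} distinct destinations > baseline {baseline['max_distinct_dst']}")
    return reasons


def bridged_zones(host, out_edges, in_edges):
    """(inbound zone, outbound zone) pairs the host connects, ignoring its own zone.
    A server that accepts from 'user' and initiates into 'corp' and 'data' is acting like a hub."""
    _role, own_zone = INVENTORY[host]
    in_zones = {INVENTORY[s][1] for s in in_edges.get(host, ())} - {own_zone}
    out_zones = {INVENTORY[d][1] for d in out_edges.get(host, ())} - {own_zone}
    return sorted((i, o) for i in in_zones for o in out_zones if i != o)


def find_relay_candidates(flows, min_bridges=2):
    """Hosts that both drift from their role baseline and bridge at least min_bridges zone pairs."""
    out_edges, in_edges = build_graph(flows)
    findings = {}
    for host in INVENTORY:
        drift = role_drift(host, out_edges)
        bridges = bridged_zones(host, out_edges, in_edges)
        if drift and len(bridges) >= min_bridges:
            findings[host] = {"drift": drift, "bridges": bridges}
    return findings


if __name__ == "__main__":
    for host, detail in find_relay_candidates(FLOWS).items():
        print(host, detail)
```

Requiring both signals (role drift and zone bridging) is what keeps the workstation traffic out of the findings: ws-142 reaches two zones but only in the direction its role allows, while sp-web-01 is the one host that accepts from the user zone and initiates into two others.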
3) Treat identity tokens as critical infrastructure
Answer first: token theft turns one host compromise into domain compromise.
Ink Dragon operators have been described as capitalizing on retained tokens in LSASS from disconnected sessions. Your mitigation program should include:
- Shorter token lifetimes where feasible
- Strong restrictions on where Domain Admins can log in
- Blocking legacy auth fallbacks where you can
- Monitoring for suspicious access to NTDS.dit and registry hives
AI helps here by correlating identity anomalies with endpoint memory-access behaviors and privileged SMB activity.
4) Put automated containment on a tight leash (but do it)
Answer first: speed matters more than perfect certainty during lateral movement.
For government and critical infrastructure, automated response has to be controlled, but it can’t be absent. The sweet spot is guardrailed automation, such as:
- Temporarily isolating a suspected relay node from outbound internet and east-west traffic
- Forcing re-authentication for accounts interacting with the suspected node
- Blocking execution of newly created scheduled tasks pending analyst approval
- Snapshotting memory and volatile artifacts before remediation
This is how you stop multi-stage deployments from becoming multi-week persistence.
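The four guardrailed actions above can be expressed as a small decision function so that the limits are explicit and reviewable rather than buried in a playbook. This is an added example, not code from the article or from any response platform; the alert shape, role names, score threshold and rate limit are assumptions chosen to illustrate the guardrails.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    """Correlated finding handed to the response layer (constructed shape, an assumption)."""
    host: str
    role: str                    # e.g. "web", "workstation", "dc"
    score: float                 # 0..1 confidence that the host is acting as a relay
    new_tasks: list              # scheduled tasks created since the last known-good baseline
    interacting_accounts: list   # accounts seen authenticating to or from the host


@dataclass
class Guardrails:
    """Limits that keep automation from causing the outage the attacker could not."""
    auto_isolate_min_score: float = 0.8
    never_auto_isolate_roles: frozenset = frozenset({"dc", "pki", "backup"})
    max_isolations_per_hour: int = 3
    isolations_this_hour: int = 0


def plan_containment(alert, rails):
    """Split the containment steps into actions taken now and actions queued for an analyst.
    Returns (automatic, pending_approval); the guardrails object tracks the isolation budget."""
    automatic = ["snapshot_volatile:" + alert.host]        # evidence capture first, always
    pending = []
    isolate = "isolate:" + alert.host
    if alert.role in rails.never_auto_isolate_roles:
        pending.append(isolate)                            # a dark DC or PKI host is a self-inflicted outage
    elif (alert.score >= rails.auto_isolate_min_score
          and rails.isolations_this_hour < rails.max_isolations_per_hour):
        automatic.append(isolate)                          # cut internet and east-west paths now
        rails.isolations_this_hour += 1
    else:
        pending.append(isolate)                            # weak signal or budget exhausted: human decides
    for acct in alert.interacting_accounts:
        automatic.append("force_reauth:" + acct)           # cheap and reversible; invalidates reused tokens
    for task in alert.new_tasks:
        pending.append("block_task:" + task)               # blocked pending analyst approval
    return automatic, pending


if __name__ == "__main__":
    rails = Guardrails()
    alert = Alert("sp-web-01", "web", 0.92, ["UpdateCheck"], ["svc_sp", "jdoe"])
    print(plan_containment(alert, rails))
```

The rate limit is the part most teams forget: a detection model that misfires on one noisy subnet should not be able to isolate thirty servers before anyone looks.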
5) Hunt for relays, not “patient zero”
Answer first: you’re looking for the mesh, not the first infection.
A relay-centric hunting playbook should prioritize:
- Hosts acting as unusual proxies between unrelated network zones
- Repeated low-volume C2-like patterns from servers that normally don’t beacon
- Shared artifacts across multiple compromised environments (task/service naming conventions, module placement patterns)
In practice, AI-driven graph analysis is the difference between “we cleaned one server” and “we dismantled the chain.”
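The second hunting item above, "repeated low-volume C2-like patterns from servers that normally don't beacon", is one of the cheaper signals to compute from flow logs: group outbound flows by (source, destination), measure how regular the inter-arrival gaps are, and check the byte volume. The following is an added example, not code from the article or any vendor tool; the log lines are constructed (the destination addresses are documentation ranges), and the thresholds and the list of non-beaconing server roles are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow log (assumption): "<timestamp> <src> <dst> <bytes>".
# sp-web-01 shows a 5-minute, ~400-byte heartbeat; ws-142 shows bursty, irregular traffic.
FLOW_LOG = """\
2025-07-01T10:00:00 sp-web-01 203.0.113.10 412
2025-07-01T10:05:01 sp-web-01 203.0.113.10 420
2025-07-01T10:09:59 sp-web-01 203.0.113.10 409
2025-07-01T10:15:00 sp-web-01 203.0.113.10 418
2025-07-01T10:20:02 sp-web-01 203.0.113.10 411
2025-07-01T10:00:03 ws-142 198.51.100.7 95000
2025-07-01T10:01:40 ws-142 198.51.100.7 12000
2025-07-01T10:19:30 ws-142 198.51.100.7 233000
2025-07-01T10:47:12 ws-142 198.51.100.7 4100
"""

# Hosts whose role never legitimately initiates periodic outbound traffic (assumption).
NON_BEACONING_SERVERS = {"sp-web-01", "sql-01"}


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def channel_stats(flows, min_gaps=3):
    """Per (src, dst) channel: event count, coefficient of variation of inter-arrival gaps, mean bytes."""
    by_channel = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_channel[(src, dst)].append((ts, nbytes))
    stats = {}
    for channel, events in by_channel.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) < min_gaps:
            continue                       # too few events to judge regularity
        stats[channel] = {
            "n": len(events),
            "cv": pstdev(gaps) / mean(gaps),   # ~0 means clockwork intervals
            "mean_bytes": mean([b for _, b in events]),
        }
    return stats


def find_beacons(flows, max_cv=0.1, max_mean_bytes=2000):
    """Channels that are both regular and low-volume, tagged when the source role should not beacon at all."""
    findings = {}
    for (src, dst), s in channel_stats(flows).items():
        if s["cv"] <= max_cv and s["mean_bytes"] <= max_mean_bytes:
            findings[(src, dst)] = dict(s, server_role_violation=src in NON_BEACONING_SERVERS)
    return findings


if __name__ == "__main__":
    for channel, detail in find_beacons(parse_flows(FLOW_LOG)).items():
        print(channel, detail)
```

In a real hunt the interesting output is the role tag, not the regularity alone: plenty of workstations poll update services on a timer, but a SharePoint front end that has started a clockwork conversation with an address it never spoke to before is exactly the "server that normally doesn't beacon" the playbook asks for.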
What security leaders should ask vendors (and their own teams)
If you’re evaluating AI for cybersecurity in 2026 budgeting cycles, ask uncomfortable questions. The goal isn’t “AI features.” It’s operational outcomes.
Here are the questions I’d use:
- Can your system correlate email/API activity with endpoint execution in one timeline? FINALDRAFT-style mailbox C2 demands it.
- Do you model server roles and detect role drift? Web servers becoming relays is a specific behavioral shift.
- Can you surface graph-based evidence? “This host became a hub connecting three segments” is actionable.
- What automated actions are available, and how do you prevent self-inflicted outages? Guardrails matter in government environments.
- How fast can you go from weak signal to containment? Minutes beat hours during lateral movement.
A blunt truth: if your SOC can’t connect identity, endpoint, and network evidence quickly, you’re defending with one eye closed.
Next steps for governments and enterprises
Ink Dragon’s use of ShadowPad and FINALDRAFT highlights a mature espionage model: long-term access, quiet control, and reuse of victim infrastructure. That’s not a future threat. It’s the operating environment.
If you’re part of a government agency, defense contractor, telecom, or any enterprise supporting critical services, the next step is straightforward: validate whether your detection stack can identify relay behavior and multi-stage tradecraft without relying on known IOCs. Run a tabletop exercise where the compromised server becomes a proxy for other intrusions, and measure how long it takes your team to spot the mesh.
If your answer is “we’d need a week of logs and three different tools,” you already know what to fix. The question worth ending on is this: if your organization became a relay node tomorrow, would you notice—before your neighbor’s incident response team called you first?