Is a Hacking Group Using Your Server as a Relay?


A highly sophisticated campaign has been uncovered, revealing how a state-sponsored hacking group is transforming compromised servers from passive targets into active components of its own attack infrastructure. Research into the activities of a Chinese threat actor, known variously as Ink Dragon, Earth Alux, or REF7707, details the use of a custom-built Internet Information Services (IIS) module to create a distributed and resilient command-and-control (C2) relay network. This advanced tactic represents a significant evolution in cyber-espionage tradecraft, where victim infrastructure is not merely exploited for data but is repurposed to sustain and expand long-term operations against other targets. By embedding their malware deep within the core web server functionality, the attackers effectively build a self-sustaining mesh of C2 nodes. This method masterfully obscures the true origin of malicious traffic, making attribution and remediation efforts for defenders exponentially more complex and highlighting a strategic focus on stealth, persistence, and operational longevity.

The Mechanics of a Stealthy Takeover

The initial infiltration vector employed by this group relies on the exploitation of well-documented and often long-standing vulnerabilities in public-facing web applications. Attackers gain their first foothold by targeting weaknesses such as ASP.NET ViewState deserialization flaws and known vulnerabilities in SharePoint, including the infamous ToolShell exploit. By systematically scanning for unpatched endpoints or leveraging leaked machine keys, the threat actors are able to achieve remote code execution, which grants them the ability to run arbitrary commands on the server. This initial access is the critical first step in a multi-stage attack that quickly escalates from a simple breach to a full system compromise. The reliance on older, known vulnerabilities underscores a critical lesson for defenders: even without zero-day exploits, determined adversaries can achieve significant impact by capitalizing on inconsistent or delayed patching cycles within organizations, turning common security oversights into gateways for advanced, persistent threats.
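The ViewState deserialization path described above only works when the attacker holds the site's ASP.NET machine keys, so the check a defender most wants here is an audit of `web.config` for static `machineKey` material, flagging anything that matches key material already known to be public. The following scanner is an added example written for this article; it is not code from the article or from the researchers it cites. The two `web.config` fragments, the key values and the `PUBLIC_KEY_DIGESTS` set are constructed stand-ins, and `audit_machine_key` is a hypothetical helper name.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config fragments; neither comes from a real deployment.
WEB_CONFIG_STATIC = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""
WEB_CONFIG_AUTOGEN = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

# Stand-in for an organisation's list of key material known to be public
# (constructed here as the digest of the validationKey above). Keeping SHA-256
# digests rather than the keys themselves means the scanner never carries
# usable key material.
PUBLIC_KEY_DIGESTS = {
    hashlib.sha256(
        b"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    ).hexdigest()
}


def audit_machine_key(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per static machineKey attribute in a web.config."""
    root = ET.fromstring(xml_text)
    mk = root.find("system.web/machineKey")
    findings: List[Dict[str, str]] = []
    if mk is None:
        return findings  # no explicit element: ASP.NET auto-generates per-app keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys cannot be leaked from config
        digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
        if digest in PUBLIC_KEY_DIGESTS:
            findings.append({"attribute": attr, "severity": "high",
                             "issue": "matches publicly known key material; rotate now"})
        else:
            # Static keys are legitimate in web farms, but each one must be
            # unique to the deployment and rotated on a schedule.
            findings.append({"attribute": attr, "severity": "medium",
                             "issue": "static key; confirm it is unique and rotated"})
    return findings


if __name__ == "__main__":
    for cfg in (WEB_CONFIG_STATIC, WEB_CONFIG_AUTOGEN):
        for f in audit_machine_key(cfg):
            print(f"[{f['severity']}] {f['attribute']}: {f['issue']}")
```

Run it against every `web.config` in the IIS site tree, not only the root: child applications may override the parent `machineKey`.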

Once a system has been compromised, the attackers deploy the core of their operation: a custom-built ShadowPad IIS Listener module designed for maximum stealth and integration. Unlike traditional backdoors that might open a conspicuous new port and create easily detectable network traffic, this implant is engineered to blend seamlessly with the server’s legitimate IIS functionality. The module uses the HttpAddUrl function of the Windows HTTP Server API to register dynamic URL listeners with HTTP.sys, the same kernel-mode driver that fronts IIS, and those listeners are specifically configured to intercept HTTP requests matching a proprietary pattern known only to the attackers. When a request matches this pattern, the module initiates a specific decryption routine to validate it as a command from an authorized operator. Crucially, if the incoming traffic does not conform to their protocol, it is seamlessly forwarded to the legitimate IIS worker process to serve normal web content. This dual-functionality design allows the malicious implant to coexist with legitimate applications without disrupting service availability, making it exceptionally difficult to detect through standard network monitoring or performance analysis tools.
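Because HttpAddUrl registrations live in HTTP.sys rather than in IIS configuration, a listener added this way never shows up in site bindings but does show up in `netsh http show servicestate view=requestq`, which lists every request queue, the PIDs attached to it and the URLs it has registered. The script below is an added example written for this article (not code from the article or from the cited research): it parses that output and flags any registered URL that is neither an IIS site binding nor a known Windows registration, rating it highest when the owning process is the IIS worker itself. The sample output is constructed in the shape of that command (property lines trimmed, indentation assumed), the PID map and baseline sets are constructed, the `/api/v2/status/` path is an invented example rather than an indicator from the article, and the function names are hypothetical.

```python
from typing import Dict, List

# Constructed sample in the shape of `netsh http show servicestate view=requestq`
# output, abbreviated. Three request queues: IIS's own (PID 4024), WinRM in
# svchost (PID 1180), and a narrow URL owned by a second queue inside w3wp.exe
# (PID 5180), the footprint an in-process module calling HttpAddUrl leaves.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4024
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://*:80/
                HTTPS://*:443/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1180
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/wsman/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        5180
    URL groups:
    URL group ID: FE00000040000003
        State: Active
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:80/api/v2/status/
"""

# Constructed PID -> image map, as tasklist or Get-Process would report it.
SAMPLE_PROCESSES = {4024: "w3wp.exe", 1180: "svchost.exe", 5180: "w3wp.exe"}
# URLs IIS itself registers on this host (constructed; on a real server derive
# them from the site bindings in applicationHost.config).
IIS_SITE_BINDINGS = {"http://*:80/", "https://*:443/"}
# Known non-IIS registrations for this build (constructed baseline).
SYSTEM_BASELINE = {"http://+:5985/wsman/", "http://+:47001/wsman/"}


def parse_request_queues(text: str) -> List[Dict[str, list]]:
    """Return one {'pids': [...], 'urls': [...]} per top-level request queue."""
    queues: List[Dict[str, list]] = []
    current = None
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        # Only the unindented header starts a queue; the same label repeated
        # inside a URL group is indented and therefore ignored here.
        if raw.startswith("Request queue name:"):
            current = {"pids": [], "urls": []}
            queues.append(current)
            mode = None
            continue
        if current is None:
            continue
        if line == "Process IDs:":
            mode = "pids"
            continue
        if line == "Registered URLs:":
            mode = "urls"
            continue
        if mode == "pids" and line.isdigit():
            current["pids"].append(int(line))
            continue
        if mode == "urls" and line.lower().startswith(("http://", "https://")):
            current["urls"].append(line)
            continue
        mode = None  # any other line ends the list being collected
    return queues


def find_unexpected_registrations(text, processes, iis_bindings, baseline):
    """Flag registered URLs that are neither IIS bindings nor baseline entries."""
    expected = {u.lower() for u in iis_bindings} | {u.lower() for u in baseline}
    findings = []
    for queue in parse_request_queues(text):
        for url in queue["urls"]:
            if url.lower() in expected:
                continue
            for pid in queue["pids"]:
                image = processes.get(pid, "<unknown>")
                # The IIS worker owning a registration its configuration never
                # asked for is the strongest sign of an in-process implant.
                severity = "high" if image.lower() == "w3wp.exe" else "medium"
                findings.append({"url": url, "pid": pid, "image": image,
                                 "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_registrations(SAMPLE_SERVICESTATE, SAMPLE_PROCESSES,
                                           IIS_SITE_BINDINGS, SYSTEM_BASELINE):
        print(f"[{f['severity']}] {f['image']} (pid {f['pid']}) owns {f['url']}")
```

Collect the `netsh` output on a schedule and diff it against the previous run; a new registration appearing under an existing w3wp.exe PID is worth an immediate look, whatever its URL.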

Building a Resilient C2 Mesh

The true innovation of this malware lies in its ability to construct a robust and decentralized relay network using the very servers it has compromised. The implant is meticulously designed to manage separate, dynamic lists for what it designates as “server” and “client” nodes within its network. This internal logic allows the malware to automatically pair connections between different infected machines, effectively bridging communications across entirely unrelated victim networks. For instance, a command originating from the attacker’s primary C2 infrastructure could be routed through a compromised server in one country, relayed to another in a different industry, and finally reach the intended target. This creates a complex, obscured path for C2 traffic that defies simple traceback analysis.

This strategic reuse of compromised assets is a hallmark of the group’s focus on building a resilient and persistent operational framework that can withstand the takedown of individual nodes and continuously expand its reach. This sophisticated repurposing of victim infrastructure highlights a significant evolution in the group’s operational philosophy and tradecraft, marking a shift from short-term data theft to long-term strategic positioning.

By converting compromised servers into a self-sustaining mesh of C2 nodes, the attackers are not just exfiltrating data; they are building a durable and expandable platform for future campaigns. This approach provides immense operational benefits, including enhanced stealth by laundering traffic through legitimate, trusted sources and increased resilience against defensive actions. The distributed nature of the network means that even if one relay node is discovered and cleaned, the broader C2 infrastructure remains intact and functional. This mature operational doctrine demonstrates a clear intent to maintain a persistent presence within target environments, underscoring the advanced, persistent nature of this threat actor and the formidable challenge they pose to global cybersecurity efforts.
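A relay node has a network signature that an ordinary web server does not: the IIS worker process itself initiates outbound HTTP or HTTPS connections to addresses outside the organisation, including to other organisations' web servers. The detection below is an added example written for this article, not code from the article or the cited research. It runs over constructed Sysmon Event ID 3 style records (fields abbreviated), treats the listed internal ranges and `KNOWN_EGRESS` set as this estate's own configuration, and flags every web-worker-initiated connection to an external host on a web port, then summarises the peers it talked to. The internal-range check is done against an explicit list rather than `ipaddress.is_private` so that the documentation addresses used in the sample count as external; the function names are hypothetical.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Internal ranges for this estate (constructed; substitute your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Sanctioned egress for the web tier, e.g. an update endpoint (constructed).
KNOWN_EGRESS = {"198.51.100.200"}
WEB_WORKER_IMAGES = {"w3wp.exe"}
WEB_PORTS = {80, 443, 8080, 8443}

# Constructed Sysmon Event ID 3 style records from one IIS host. 'initiated'
# mirrors Sysmon's Initiated field: True when this host opened the connection.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_EVENTS = [
    # ordinary inbound client request
    {"pid": 4024, "image": W3WP, "initiated": False, "src": "203.0.113.10", "dst": "10.1.2.5", "dport": 443},
    # expected back-end call to an internal database
    {"pid": 4024, "image": W3WP, "initiated": True, "src": "10.1.2.5", "dst": "10.1.2.20", "dport": 1433},
    # sanctioned egress
    {"pid": 4024, "image": W3WP, "initiated": True, "src": "10.1.2.5", "dst": "198.51.100.200", "dport": 443},
    # the worker reaching out to unrelated external web servers: relay-like
    {"pid": 4024, "image": W3WP, "initiated": True, "src": "10.1.2.5", "dst": "198.51.100.44", "dport": 443},
    {"pid": 4024, "image": W3WP, "initiated": True, "src": "10.1.2.5", "dst": "198.51.100.44", "dport": 443},
    {"pid": 4024, "image": W3WP, "initiated": True, "src": "10.1.2.5", "dst": "192.0.2.7", "dport": 80},
    # a non-web process doing the same is out of scope for this rule
    {"pid": 1180, "image": SVCHOST, "initiated": True, "src": "10.1.2.5", "dst": "192.0.2.7", "dport": 80},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(events: List[dict]) -> List[dict]:
    """Web-worker-initiated connections to external hosts on web ports."""
    alerts = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image not in WEB_WORKER_IMAGES or not e["initiated"]:
            continue
        if is_internal(e["dst"]) or e["dst"] in KNOWN_EGRESS:
            continue
        if e["dport"] not in WEB_PORTS:
            continue
        alerts.append({"pid": e["pid"], "image": image,
                       "dst": e["dst"], "dport": e["dport"],
                       "reason": "IIS worker initiated outbound web connection to external host"})
    return alerts


def peer_summary(alerts: List[dict]) -> Dict[str, int]:
    """Count connections per external peer; repeated peers suggest relay pairing."""
    return dict(Counter(f"{a['dst']}:{a['dport']}" for a in alerts))


if __name__ == "__main__":
    hits = find_relay_candidates(SAMPLE_EVENTS)
    for a in hits:
        print(f"pid {a['pid']} {a['image']} -> {a['dst']}:{a['dport']}: {a['reason']}")
    print(peer_summary(hits))
```

On a real estate the same rule is usually expressed as an egress firewall policy for the web tier plus an alert on any denied connection from w3wp.exe; the peer summary is what you hand to the other organisation when one of those peers turns out to be someone else's compromised server.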

The Aftermath and Future Implications

The in-depth analysis of this campaign ultimately provided critical insights into the evolving landscape of state-sponsored cyber operations. It became clear that adversaries had advanced beyond simple intrusion tactics and had adopted a more strategic, long-term approach focused on co-opting victim infrastructure. The attackers’ ability to seamlessly integrate their custom malware with core server functions and build a distributed C2 network from compromised assets underscored the limitations of traditional, perimeter-focused security models. This investigation revealed that a successful defense required a fundamental shift towards deep internal visibility, continuous vulnerability management, and advanced anomaly detection. The methods employed by Ink Dragon served as a stark reminder that even well-documented vulnerabilities could become stepping stones for highly sophisticated and persistent threats, forcing organizations to re-evaluate their risk postures and prioritize comprehensive security hygiene to counter adversaries who operate with such patience and ingenuity.
