China's Ink Dragon hides out in European government networks

Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations.

The campaign has hit "several dozen victims," Check Point Software group manager Eli Smadja told The Register. This includes government entities and telecommunications organizations across Europe, Asia, and Africa.

"While we cannot disclose the identities or specific countries of affected entities, we observed the actor beginning relay-based operations in the second half of 2025, followed by a gradual expansion in victim coverage from each relay over time," Smadja said.

These attacks begin with Ink Dragon probing security weaknesses, such as misconfigured Microsoft IIS and SharePoint servers, to gain access to victims' environments. This tactic, as opposed to abusing zero-days or other high-profile vulnerabilities, helps attackers fly under the radar and reduces their chances of being caught.

Ink Dragon then scoops up credentials and uses existing ...