Jewelbug, a threat actor, has been concentrating more on European government targets. The cluster is being monitored by Check Point Research under the moniker Ink Dragon. It is estimated that the hacking group with ties to China has been active since at least March 2023.
A five-month-long intrusion that targeted a Russian IT service provider has also been linked to Ink Dragon in recent months. Depending on the victim's environment, operational requirements, and the need to blend in with legitimate traffic, the actor selectively employs tools from a larger toolkit, according to Check Point.

In a technical analysis released on Tuesday, the cybersecurity firm stated, "One compromise can subtly become another hop in a global, multi-layered infrastructure supporting ongoing campaigns elsewhere." Several dozen victims have been affected by the threat actor, "including telecom companies and governmental bodies throughout Europe, Asia, and Africa," a Check Point representative stated.
It has been discovered that, in order to establish long-term persistence, the intrusions rely on multiple components rather than a single backdoor or a monolithic framework. Among them is ShadowPad Loader, which decrypts and executes the ShadowPad core module in memory. Additionally, Check Point found evidence of a second threat actor called REF3927, also known as RudePanda, on "several" of the same victim environments that Ink Dragon had compromised.

The cybersecurity firm came to the conclusion that "Ink Dragon presents a threat model in which the boundary between 'compromised host' and 'command infrastructure' no longer exists." "Every foothold turns into a node in a bigger, operator-controlled network, creating a dynamic mesh that gets stronger with each new victim," Check Point stated in a Monday blog post.
A response from Palo Alto Networks Unit 42 was added to the blog post after it was published.