China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware
Briefly

"The threat actor known as Jewelbug has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. Check Point Research is tracking the cluster under the name Ink Dragon. It's also referenced by the broader cybersecurity community under the names CL-STA-0049, Earth Alux, and REF7707. The China-aligned hacking group is assessed to be active since at least March 2023."
""The actor's campaigns combine solid software engineering, disciplined operational playbooks, and a willingness to reuse platform-native tools to blend into normal enterprise telemetry," the cybersecurity company said in a technical breakdown published Tuesday. "This mix makes their intrusions both effective and stealthy." Eli Smadja, group manager of Products R&D at Check Point Software, told The Hacker News that the activity is still ongoing, and that the campaign has "impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.""
Jewelbug, tracked by Check Point Research as Ink Dragon and also referenced as CL-STA-0049, Earth Alux, and REF7707, is a China-aligned hacking group assessed to be active since at least March 2023. Since July 2025 the actor has intensified its targeting of European government entities while maintaining operations against organizations in Southeast Asia, South America, and Africa. Intrusions begin with the exploitation of vulnerabilities in internet-exposed web applications to deploy web shells, which in turn drop payloads such as VARGEIT and Cobalt Strike beacons used for command-and-control (C2), discovery, lateral movement, and exfiltration. The malware arsenal includes FINALDRAFT (also known as Squidoor), a backdoor with both Windows and Linux variants, and NANOREMOTE, which uses the Google Drive API for C2 file transfer. The campaigns are characterized by solid software engineering, disciplined operational playbooks, and the reuse of platform-native tools to blend into normal enterprise telemetry.
Read at The Hacker News