Saved February 14, 2026
Do you care about this?
The China-linked threat group Ink Dragon exploits vulnerabilities in IIS servers to build a stealthy global espionage network. Initially focused on Southeast Asia and South America, its attacks have now spread to European governments, with compromised servers used to relay attack traffic and gather intelligence.
If you do, here's more
The threat group known as Ink Dragon, linked to China, is exploiting vulnerabilities in Internet Information Services (IIS) servers to build a covert global espionage network. Initially focused on Southeast Asia and South America, its targeting has now expanded to European governments. Check Point's investigation found that Ink Dragon uses compromised IIS servers as its foothold into internal networks, then harvests credentials and moves laterally between systems without raising alarms.
Once inside, the group installs a custom IIS module that turns the compromised server into a relay, masking the true origin of its attack traffic. Because the relay sits on hijacked government infrastructure, command-and-control traffic between compromised systems blends in with legitimate activity and is harder to detect and attribute. The group also uses ordinary mailbox drafts as a channel for its communications, which keeps those messages out of normal mail flow and further obscures its activity.
Check Point also noted that another Chinese group, RudePanda, is exploiting similar IIS weaknesses at the same time, so both groups may be operating inside the same compromised networks. The findings highlight the risk posed by vulnerable or misconfigured IIS servers. Check Point publishes indicators of compromise but no specific countermeasures. Reasonable defensive steps nonetheless include auditing the native and managed modules loaded by each IIS server against a known-good baseline, enabling advanced logging, patching the commonly exploited IIS vulnerabilities, and placing a web application firewall in front of IIS servers.
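One way to act on the first of those suggestions, auditing the modules IIS has actually loaded. This is an added example, not code from the article or from Check Point; it uses the WebAdministration cmdlets that ship with IIS, and the baseline file path, the trust rule (Microsoft-signed and located under inetsrv) and the output file name are assumptions for illustration:

```powershell
# Added example, not code from the Check Point report or this article.
# Inventories the native (global) and managed modules IIS loads on this host
# and flags entries that do not look Microsoft-shipped. Run in an elevated
# PowerShell on the IIS server; requires the WebAdministration module.
# Assumptions (hypothetical, for illustration): the baseline file path, the
# "signed by Microsoft and located under inetsrv" trust test, and the CSV name.

Import-Module WebAdministration -ErrorAction Stop

function Get-IisModuleAudit {
    param(
        # Hypothetical path: module names exported from a known-clean server, one per line.
        [string]$BaselinePath = 'C:\audit\iis-modules-baseline.txt'
    )
    $inetsrv  = Join-Path $env:windir 'System32\inetsrv'
    $baseline = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_ -and -not $_.StartsWith('#') })
    }

    # 1. Native modules registered in applicationHost.config <globalModules>.
    #    A malicious native module like the relay described above would show up
    #    here, typically backed by an unsigned DLL or one outside inetsrv.
    foreach ($m in Get-WebGlobalModule) {
        $image    = [Environment]::ExpandEnvironmentVariables($m.Image)
        $flags    = @()
        $modified = $null

        if (-not (Test-Path -LiteralPath $image)) {
            $flags += 'image file missing'
        } else {
            $modified = (Get-Item -LiteralPath $image).LastWriteTimeUtc
            $sig = Get-AuthenticodeSignature -FilePath $image   # also checks catalog signatures
            if ($sig.Status -ne 'Valid') {
                $flags += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $flags += "signer: $($sig.SignerCertificate.Subject)"
            }
            if (-not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += "outside $inetsrv"
            }
        }
        if ($baseline.Count -gt 0 -and $m.Name -notin $baseline) { $flags += 'not in baseline' }

        [pscustomobject]@{
            Kind = 'native'; Scope = 'server'; Name = $m.Name
            Target = $image; Modified = $modified; Flags = ($flags -join '; ')
        }
    }

    # 2. Managed modules at server level and per site (site output includes
    #    inherited entries). Attacker-added managed modules usually reference a
    #    type outside the System.* / Microsoft.* namespaces.
    $scopes = @([pscustomobject]@{ Scope = 'server'; PSPath = $null })
    $scopes += Get-Website | ForEach-Object {
        [pscustomobject]@{ Scope = "site:$($_.Name)"; PSPath = "IIS:\Sites\$($_.Name)" }
    }
    foreach ($s in $scopes) {
        $modules = if ($s.PSPath) { Get-WebManagedModule -PSPath $s.PSPath } else { Get-WebManagedModule }
        foreach ($m in $modules) {
            $flags = @()
            if ($m.Type -notmatch '^(System|Microsoft)\.') { $flags += 'non-Microsoft type' }
            if ($baseline.Count -gt 0 -and $m.Name -notin $baseline) { $flags += 'not in baseline' }
            [pscustomobject]@{
                Kind = 'managed'; Scope = $s.Scope; Name = $m.Name
                Target = $m.Type; Modified = $null; Flags = ($flags -join '; ')
            }
        }
    }
}

$audit = Get-IisModuleAudit
$audit | Sort-Object Kind, Scope, Name | Format-Table -AutoSize
# Keep only flagged rows for triage; file name is an assumption.
$audit | Where-Object { $_.Flags } | Export-Csv -NoTypeInformation -Path "iis-module-findings-$env:COMPUTERNAME.csv"
```

Treat the flags as triage leads rather than verdicts: legitimate third-party modules (URL rewriters, APM agents) will be flagged by the signer rule and should be added to the baseline once verified, while a recently modified DLL under inetsrv with a non-Microsoft or missing signature is exactly the pattern a relay module leaves behind. Running the same script on every IIS host and diffing the CSVs against a clean reference is more useful than eyeballing a single server.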