
A sophisticated cyber espionage campaign targeting a South American nation’s Foreign Ministry has been uncovered by Elastic Security Labs. The operation, attributed to threat actor REF7707, also targeted telecommunications and educational institutions in Southeast Asia during November 2024.
The attackers deployed a custom malware suite, using the built-in Windows utility certutil to download payloads, with the commands issued through Windows Remote Management (WinRM). Launching downloads over WinRM implies the operators already held valid network credentials and were using them to move laterally within the compromised environment.
The attack chain involves two primary malware components:
1. PATHLOADER: initial-stage payload that executes encrypted shellcode
2. FINALDRAFT: full-featured remote administration tool with 37 command handlers
FINALDRAFT, written in C++, demonstrates sophisticated capabilities including:
– Process injection
– File manipulation
– Network proxy functionality
– Abuse of the Microsoft Graph API as a command-and-control channel
– Evasive execution of PowerShell commands
– Use of NTLM hashes
A Linux variant of FINALDRAFT has also been identified through VirusTotal submissions from Brazil and the United States. It offers similar command-and-control capabilities, with additional shell command execution and self-deletion functions.
Security researchers Andrew Pease and Seth Goodwin note that while the malware reflects a high level of engineering, the operators' campaign management showed inconsistent operational security. The comprehensive toolset and the extended duration of the operation strongly indicate an espionage-focused campaign with well-organized developers behind it.