REF7707: Espionage Campaign Targets South America and Southeast Asia

Summary: Elastic Security Labs has uncovered a significant cyber espionage operation, tracked as REF7707, targeting government entities in South America and Southeast Asia. The attackers deployed capable, purpose-built malware but made operational-security mistakes that exposed their infrastructure and additional victims. The campaign combines high technical skill with serious tactical oversights.

Affected: Foreign Ministry of a South American nation and various entities in Southeast Asia

Key points:

  • REF7707 deployed novel malware families FINALDRAFT, GUIDLOADER, and PATHLOADER to establish and maintain access to victim networks.
  • The campaign showed advanced planning but poor operational security, which led to unintended exposures.
  • The operators abused legitimate services to blend in: FINALDRAFT routed its command and control through the Microsoft Graph API (Outlook mail drafts), and payloads were staged on Google Firebase, so malicious traffic looked like ordinary cloud traffic.
  • Operational oversights such as debug strings left in the malware and attacker infrastructure that remained reachable let researchers trace the tooling and identify further victims.
  • The attack infrastructure combined adversary-controlled domains with compromised third-party services.
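The detection angle on the third point above is that the abused services are legitimate, so the useful signal is not the destination but which process is talking to it. The following is an added example, not code from Elastic Security Labs or the REF7707 report: a small hunting script that scores process-to-destination events against an allowlist of clients expected to use Microsoft Graph and Firebase, and flags repeated polling of the Outlook drafts endpoint. The log format, the host lists, the allowlist and the sample records (including the process names `hostsvc.exe` and `rundll32.exe`) are constructed for illustration and must be tuned to a real estate.

```python
"""Hunt for processes reaching Microsoft Graph or Google Firebase outside their expected clients.

Added example, not code from Elastic Security Labs or the REF7707 report. The log format,
host lists and expected-client allowlist are assumptions for illustration only.
"""
import json

# Service hosts named in the summary: Graph for mail-draft C2, Firebase for payload hosting.
GRAPH_HOSTS = {"graph.microsoft.com"}
FIREBASE_SUFFIXES = (".firebaseio.com", "firebasestorage.googleapis.com")

# Assumed allowlist of processes that legitimately talk to these services; tune per estate.
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
EXPECTED_GRAPH_CLIENTS = BROWSERS | {"outlook.exe", "ms-teams.exe", "onedrive.exe"}

SEVERITY_RANK = {"high": 0, "medium": 1}

# Constructed telemetry (one JSON record per line), modelled loosely on EDR process-network events.
SAMPLE_LOG = """\
{"ts":"2025-02-13T09:01:02Z","host":"WS-0412","process":"outlook.exe","dst":"graph.microsoft.com","path":"/v1.0/me/messages"}
{"ts":"2025-02-13T09:01:44Z","host":"WS-0412","process":"hostsvc.exe","dst":"graph.microsoft.com","path":"/v1.0/me/mailFolders/drafts/messages"}
{"ts":"2025-02-13T09:02:14Z","host":"WS-0412","process":"hostsvc.exe","dst":"graph.microsoft.com","path":"/v1.0/me/mailFolders/drafts/messages"}
{"ts":"2025-02-13T09:02:44Z","host":"WS-0412","process":"hostsvc.exe","dst":"graph.microsoft.com","path":"/v1.0/me/mailFolders/drafts/messages"}
{"ts":"2025-02-13T09:03:10Z","host":"WS-0412","process":"chrome.exe","dst":"firebasestorage.googleapis.com","path":"/v0/b/demo-app.appspot.com/o/index.html"}
{"ts":"2025-02-13T09:03:31Z","host":"WS-0417","process":"rundll32.exe","dst":"firebasestorage.googleapis.com","path":"/v0/b/demo-app.appspot.com/o/update.bin"}
{"ts":"2025-02-13T09:04:00Z","host":"WS-0417","process":"ms-teams.exe","dst":"graph.microsoft.com","path":"/v1.0/me/chats"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_firebase(host):
    """True for Firebase Realtime Database or Firebase Storage hostnames."""
    return any(host.endswith(suffix) for suffix in FIREBASE_SUFFIXES)


def score_event(evt):
    """Return (severity, reason) for one event, or None when the traffic is expected."""
    proc = evt["process"].lower()
    dst = evt["dst"].lower()
    path = evt.get("path", "").lower()
    if dst in GRAPH_HOSTS and proc not in EXPECTED_GRAPH_CLIENTS:
        if "/mailfolders/drafts" in path:
            return "high", "unexpected process reading Outlook drafts via Graph (mail-draft C2 pattern)"
        return "medium", "unexpected process calling Microsoft Graph"
    if is_firebase(dst) and proc not in BROWSERS:
        return "medium", "non-browser process fetching from Firebase"
    return None


def triage(text):
    """Aggregate scored events per (host, process, destination); repeated hits get a beacon note."""
    hits = {}
    for evt in parse_events(text):
        scored = score_event(evt)
        if scored is None:
            continue
        key = (evt["host"], evt["process"].lower(), evt["dst"].lower())
        entry = hits.setdefault(key, {
            "host": key[0], "process": key[1], "dst": key[2],
            "severity": scored[0], "reason": scored[1],
            "count": 0, "first_seen": evt["ts"], "last_seen": evt["ts"],
        })
        entry["count"] += 1
        entry["last_seen"] = evt["ts"]
    for entry in hits.values():
        if entry["count"] >= 3:
            entry["reason"] += "; repeated connections, consistent with beacon-like polling"
    return sorted(hits.values(), key=lambda e: (SEVERITY_RANK[e["severity"]], e["host"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['host']} {finding['process']} -> {finding['dst']} "
              f"x{finding['count']} ({finding['first_seen']} .. {finding['last_seen']}): {finding['reason']}")
```

Run against the constructed sample, the script surfaces the non-allowlisted process polling the drafts folder three times as high severity and the non-browser Firebase download as medium, while Outlook, Teams and Chrome traffic to the same hosts is ignored. In production the allowlist should be derived from a baseline of the estate, and the drafts-endpoint check should be paired with the process's signer and parent rather than its name alone, since a name match is trivially spoofed.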

Source: https://securityonline.info/ref7707-espionage-campaign-targets-south-america-and-southeast-asia/