Summary: A newly identified post-exploitation malware kit pairs a lightweight loader, PathLoader, with a feature-rich backdoor, FinalDraft. FinalDraft routes its command and control through Microsoft Outlook mailboxes via the Microsoft Graph API instead of a dedicated C2 server, and it exists in both Windows and Linux variants. The kit is tied to an espionage campaign tracked as REF7707, which previously compromised the Foreign Ministry of a South American nation and shows links to Southeast Asia. FinalDraft can execute a wide range of commands, including file manipulation and process injection, and exfiltrate data.
Affected: Foreign Ministry of a South American nation, organizations in Southeast Asia
Key points:
- PathLoader is the kit's loader; the FinalDraft backdoor it delivers uses Microsoft Outlook mail drafts as its command-and-control channel, reached through the Microsoft Graph API, so C2 traffic blends in with legitimate Microsoft 365 connections.
- FinalDraft exposes 37 identified command handlers, covering file manipulation, process injection and data exfiltration among other operations.
- A Linux variant of FinalDraft supports more transport protocols than the Windows build but offers fewer features; the kit can also load additional malware modules to extend its functionality.
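Because the backdoor's C2 rides on Microsoft Graph, the practical hunt is not for a hostile domain but for an unexpected process reaching Graph. The following is an added example, not code from the original page or from the researchers who analyzed FinalDraft: it groups endpoint network events by process and flags any image outside an allow-list of known Microsoft 365 clients that contacts graph.microsoft.com, raising severity when the same process also hit the Entra ID token endpoint (login.microsoftonline.com), which is the sequence a Graph-based implant must follow to obtain an access token. The JSON field names are an assumed, simplified Sysmon-like schema, the allow-list is an assumption to be tuned per environment, and the sample events are constructed.

```python
"""Hunt for mailbox-as-C2 traffic in endpoint network telemetry.

Added example (not code from the page or from Elastic/SecurityWeek). A
FinalDraft-style backdoor must talk to Microsoft Graph (graph.microsoft.com),
normally after fetching a token from login.microsoftonline.com; a process that
is not a known Microsoft 365 client doing both is worth investigating.
Event schema (host, image, pid, dst_host) is an assumed simplification of
Sysmon-style network/DNS events; SAMPLE_EVENTS below are constructed.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"

# Assumed allow-list of images that legitimately call Graph; tune per environment.
EXPECTED_IMAGES = {
    "outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe", "msedge.exe",
    "chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "powerpnt.exe",
}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    pid: int
    severity: str        # "high" = token endpoint + Graph, "medium" = Graph only
    destinations: tuple  # sorted distinct destination hosts seen for the process


def parse_events(lines):
    """Parse JSON-lines network events, skipping blank, malformed or incomplete records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and {"host", "image", "pid", "dst_host"} <= ev.keys():
            events.append(ev)
    return events


def hunt(lines, expected=EXPECTED_IMAGES):
    """Return one Finding per (host, image, pid) that reached Graph from an unexpected image."""
    by_proc = defaultdict(set)
    for ev in parse_events(lines):
        key = (ev["host"], ev["image"], int(ev["pid"]))
        by_proc[key].add(ev["dst_host"].lower())

    findings = []
    for (host, image, pid), dsts in by_proc.items():
        name = PureWindowsPath(image).name.lower()   # basename works for Windows and POSIX paths
        if name in expected or GRAPH_HOST not in dsts:
            continue
        severity = "high" if TOKEN_HOST in dsts else "medium"
        findings.append(Finding(host, image, pid, severity, tuple(sorted(dsts))))
    # High-severity first, then by host and pid for stable output.
    return sorted(findings, key=lambda f: (f.severity != "high", f.host, f.pid))


# Constructed sample telemetry: one benign Outlook process, one benign Chrome
# process, an unrelated PowerShell connection, two suspicious unsigned-looking
# binaries, and one malformed line.
SAMPLE_EVENTS = [
    r'{"host":"WS01","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","pid":1234,"dst_host":"login.microsoftonline.com"}',
    r'{"host":"WS01","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","pid":1234,"dst_host":"graph.microsoft.com"}',
    r'{"host":"WS01","image":"C:\\Users\\Public\\Libraries\\update.exe","pid":4411,"dst_host":"login.microsoftonline.com"}',
    r'{"host":"WS01","image":"C:\\Users\\Public\\Libraries\\update.exe","pid":4411,"dst_host":"graph.microsoft.com"}',
    r'{"host":"WS02","image":"C:\\Windows\\Temp\\helper.exe","pid":900,"dst_host":"graph.microsoft.com"}',
    r'{"host":"WS02","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","pid":77,"dst_host":"graph.microsoft.com"}',
    r'{"host":"WS02","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","pid":2020,"dst_host":"example.com"}',
    "this line is not JSON",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} pid={f.pid} {f.image} -> {', '.join(f.destinations)}")
```

On the constructed input this reports update.exe (token endpoint plus Graph, high) and helper.exe (Graph only, medium) and stays silent on Outlook, Chrome and PowerShell. Two caveats: an implant injected into an allow-listed process, which FinalDraft's process-injection handlers make possible, will not be caught by image name alone and needs to be paired with injection telemetry; and the Linux variant's other transports never touch Graph, so this hunt covers the Outlook channel only.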
Source: https://www.securityweek.com/new-finaldraft-malware-spotted-in-espionage-campaign/