Tracing the DNS Footprints of REF7707

The REF7707 cyber attack campaign targeted the foreign ministry of a South American country in February 2025 using three new malware families; analysis of the campaign uncovered a range of indicators of compromise (IoCs), including domains and IP addresses linked to prior campaigns in Southeast Asia. Affected: foreign ministry, South American country, Southeast Asia.

Key points:

  • REF7707 targeted a South American country’s foreign ministry in February 2025.
  • The attack was linked to a group associated with previous compromises in Southeast Asia.
  • Attackers employed three new malware families: FINALDRAFT, GUIDLOADER, and PATHLOADER.
  • Thirteen IoCs were identified, including eight domains and five IP addresses.
  • Research expanded the IoC list to include 155 email-connected domains and one IP-connected domain.
  • Investigation revealed additional historical data and connections through WHOIS and DNS queries.
  • Multiple domains had historical IP resolutions dating back to 2019.
  • Some domains did not actively resolve to IP addresses during the investigative period.
  • Further analysis continues to explore connected artifacts and improve threat detection.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Usage of application layer protocols for command and control via FINALDRAFT malware.
  • T1059.001 – Command-Line Interface: Potential exploitation through direct execution commands with GUIDLOADER.
  • T1105 – Ingress Tool Transfer: Transfer of tools and payloads via PATHLOADER during the attack.

Indicators of Compromise:

  • Domain: autodiscovar[.]com
  • Domain: checkponit[.]com
  • Domain: fortineat[.]com
  • IP Address: 47[.]239[.]0[.]216
  • IP Address: 8[.]213[.]217[.]182
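The DNS-footprint expansion described in the key points (pivoting from seed domains and IPs to IP-connected domains, and spotting seed domains whose resolutions are only historical) can be reproduced over passive-DNS data. The script below is an added example, not code from the article or its authors; the seed list is the page's own defanged IoCs, while the passive-DNS records and the `*.example` pivot domain are constructed placeholders, not real resolution data.

```python
"""Expand a seed list of defanged IoCs by pivoting on shared DNS resolutions."""
from collections import defaultdict

# Seed IoCs exactly as the summary lists them (defanged with "[.]").
SEED_IOCS = ["autodiscovar[.]com", "checkponit[.]com", "fortineat[.]com",
             "47[.]239[.]0[.]216", "8[.]213[.]217[.]182"]

# Constructed passive-DNS records: (domain, ip, first_seen, last_seen).
# Illustrative only; these resolutions are NOT taken from the article.
PDNS = [
    ("autodiscovar.com",  "192.0.2.10",   "2019-03-01", "2019-11-30"),
    ("checkponit.com",    "192.0.2.10",   "2024-06-01", "2025-02-20"),
    ("pivot-a.example",   "192.0.2.10",   "2024-09-01", "2025-02-20"),
    ("fortineat.com",     "198.51.100.7", "2023-01-05", "2025-02-20"),
    ("unrelated.example", "203.0.113.9",  "2025-01-01", "2025-02-20"),
]

def refang(ioc):
    """Turn the report's defanged form back into a usable string."""
    return ioc.replace("[.]", ".")

def is_ipv4(value):
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def pivot(seed, pdns, as_of):
    """Return (ip_connected_domains, dormant_seed_domains).

    ip_connected_domains: domains that share a resolution IP with a seed
    domain, or resolve to a seed IP, excluding the seeds themselves.
    dormant_seed_domains: seed domains whose last observed resolution
    predates `as_of` (ISO dates compare correctly as strings).
    """
    values = {refang(i) for i in seed}
    seed_ips = {v for v in values if is_ipv4(v)}
    seed_domains = values - seed_ips
    by_ip, last_seen = defaultdict(set), {}
    for dom, ip, _first, last in pdns:
        by_ip[ip].add(dom)
        last_seen[dom] = max(last, last_seen.get(dom, last))
    pivot_ips = seed_ips | {ip for ip, doms in by_ip.items() if doms & seed_domains}
    connected = set().union(*(by_ip[ip] for ip in pivot_ips)) - seed_domains
    dormant = {d for d in seed_domains if d in last_seen and last_seen[d] < as_of}
    return sorted(connected), sorted(dormant)

if __name__ == "__main__":
    print(pivot(SEED_IOCS, PDNS, "2025-02-20"))
```

Seed domains absent from the passive-DNS data altogether are the "did not actively resolve" case; they appear in neither output list and should be watched separately.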

Full Story: https://circleid.com/posts/tracing-the-dns-footprints-of-ref7707