The REF7707 campaign targeted the foreign ministry of a South American country in February 2025, using three previously undocumented malware families. Investigation of its infrastructure surfaced indicators of compromise (IoCs), including domains and IP addresses, that link the activity to earlier campaigns in Southeast Asia. Affected: foreign ministry, South American country; earlier victims in Southeast Asia.
Key points:
- REF7707 targeted a South American country's foreign ministry in February 2025.
- The activity was attributed to a group associated with previous compromises in Southeast Asia.
- Attackers employed three new malware families: FINALDRAFT, GUIDLOADER, and PATHLOADER.
- Thirteen IoCs were identified, including eight domains and five IP addresses.
- Pivoting on the registrant email addresses and IP addresses of those IoCs expanded the list by 155 email-connected domains and one IP-connected domain.
- WHOIS and DNS lookups surfaced additional historical records and connections between the artifacts.
- Several of the domains had historical IP resolutions dating back to 2019.
- Some domains did not resolve to any IP address during the investigation period; a currently non-resolving domain still belongs on a watchlist, since it can be re-pointed at any time and may already appear in historical DNS logs.
- Analysis of the connected artifacts continues, with the aim of improving detection.
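The DNS-footprint workflow the key points describe (refang the published indicators, pivot through passive-DNS history to find IP-connected domains, note seeds with no resolution, then sweep DNS logs for the expanded set) is shown below as an added example; it is not code from the CircleID article or from any tooling it mentions. The only real indicators are the five from this page; the passive-DNS table and Zeek-style dns.log lines are constructed inline for illustration, and the extra domains and addresses in them (`example-pivot.test`, `unrelated.test`, `mail.example.org`, 203.0.113.x, 198.51.100.x) are hypothetical placeholders from reserved name and address space.

```python
"""Refang defanged IoCs, pivot through constructed passive-DNS history to find
IP-connected domains, and match the expanded set against sample DNS logs."""
import ipaddress
import re
from collections import defaultdict

# Seed IoCs exactly as published on the page (defanged).
SEED_IOCS = [
    "autodiscovar[.]com",
    "checkponit[.]com",
    "fortineat[.]com",
    "47[.]239[.]0[.]216",
    "8[.]213[.]217[.]182",
]


def refang(indicator):
    """Turn 'a[.]b' / 'hxxp://' style defanging back into a usable string."""
    s = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        s = s.replace(bracket, ".")
    return re.sub(r"^hxxp", "http", s)


def is_ip(value):
    """True for a literal IPv4/IPv6 address, False for anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def split_iocs(iocs):
    """Refang a mixed IoC list and split it into (domains, ips) sets."""
    domains, ips = set(), set()
    for ioc in map(refang, iocs):
        (ips if is_ip(ioc) else domains).add(ioc)
    return domains, ips


# Constructed passive-DNS history: (domain, resolved IP, first seen).
# Hypothetical records for illustration only; not data from the article.
PASSIVE_DNS = [
    ("autodiscovar.com", "47.239.0.216", "2024-11"),
    ("checkponit.com", "8.213.217.182", "2024-12"),
    ("example-pivot.test", "8.213.217.182", "2019-06"),  # hypothetical IP-connected domain
    ("unrelated.test", "203.0.113.9", "2023-03"),
]


def expand_by_ip(seed_domains, seed_ips, pdns):
    """Pivot: every domain that ever resolved to a seed IP, or to an IP that a
    seed domain resolved to, is 'IP-connected'.  Seeds with no resolution
    history at all are reported separately.  Returns (new_domains, unresolved)."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip, _first_seen in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    pivot_ips = set(seed_ips)
    for d in seed_domains:
        pivot_ips |= domain_to_ips.get(d, set())
    connected = set()
    for ip in pivot_ips:
        connected |= ip_to_domains[ip]
    unresolved = {d for d in seed_domains if d not in domain_to_ips}
    return connected - set(seed_domains), unresolved


# Constructed Zeek-style dns.log excerpt: ts, source host, query, answer ('-' = none).
SAMPLE_DNS_LOG = """\
1738972800.1\t10.0.0.5\tautodiscovar.com\t47.239.0.216
1738972801.2\t10.0.0.7\tmail.example.org\t198.51.100.20
1738972802.3\t10.0.0.9\tupdate.example-pivot.test\t8.213.217.182
1738972803.4\t10.0.0.5\tfortineat.com\t-
"""


def match_dns_log(log_text, domains, ips):
    """Flag a line if the query is a watched domain (or a subdomain of one), or
    if the answer is a watched IP.  A query with no answer still matches on the
    name, which is what catches a domain that no longer resolves."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, query, answer = line.split("\t")
        q = query.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in domains):
            hits.append((src, q, "domain"))
        elif answer in ips:
            hits.append((src, q, "ip"))
    return hits


if __name__ == "__main__":
    seed_domains, seed_ips = split_iocs(SEED_IOCS)
    connected, unresolved = expand_by_ip(seed_domains, seed_ips, PASSIVE_DNS)
    print("IP-connected domains:", sorted(connected))
    print("seeds with no resolution history:", sorted(unresolved))
    for hit in match_dns_log(SAMPLE_DNS_LOG, seed_domains | connected, seed_ips):
        print(hit)
```

Two details matter in practice: the subdomain match (`update.example-pivot.test`) is caught by the domain pivot, which a plain string-equality blocklist of the five seeds would miss, and the query for `fortineat.com` is flagged even though it returned no answer and has no passive-DNS history in the constructed table, which is the "does not actively resolve" case from the key points.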
MITRE Techniques:
- T1071.001 - Application Layer Protocol: Web Protocols: FINALDRAFT command and control carried over application-layer protocols.
- T1059.001 - Command and Scripting Interpreter: PowerShell: command execution associated with GUIDLOADER.
- T1105 - Ingress Tool Transfer: delivery of additional tools and payloads via PATHLOADER.
Indicators of Compromise (defanged; the three domains are lookalikes of the autodiscover, Check Point and Fortinet names):
- Domain: autodiscovar[.]com
- Domain: checkponit[.]com
- Domain: fortineat[.]com
- IP Address: 47[.]239[.]0[.]216
- IP Address: 8[.]213[.]217[.]182
Full Story: https://circleid.com/posts/tracing-the-dns-footprints-of-ref7707