| SYMBOL | COMMON_NAME | aka. SYNONYMS |
REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement. The threat actor employs the Microsoft Graph API for C2 communication, blending malicious traffic with legitimate activity to evade detection. Despite their technical sophistication, REF7707 operators exhibited poor operational security, leading to the exposure of their infrastructure and malware. Their tactics enable the extraction of sensitive data, including passwords and Active Directory information, facilitating ongoing espionage activities.
There are currently no families associated with this actor.
| 2025-02-27
⋅
Palo Alto Networks Unit 42
⋅
Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations FINALDRAFT FINALDRAFT REF7707 |