From South America to Southeast Asia: The Fragile Web of REF7707

ID: fa8ed59a-4603-5f78-b994-f08508a2ccec

STIX ID: report--fa8ed59a-4603-5f78-b994-f08508a2ccec

Feed Name: Elastic Security Labs

Threat Score
85/100

Date Published: 2025-02-13

Date Updated: 2026-04-27

...
...

Elastic Security Labs documents REF7707, a sophisticated intrusion campaign that targeted a South American foreign ministry and other victims using novel multi-platform malware (FINALDRAFT with the PATHLOADER and GUIDLOADER loaders). The attackers used LOLBin techniques (CDB.exe, certutil) for execution, harvested domain credentials and AD artifacts, maintained persistence via scheduled tasks, and blended C2 traffic through Microsoft Graph and various cloud/third-party services; infrastructure pivots point to a Southeast Asia footprint.