From South America to Southeast Asia: The Fragile Web of REF7707

Feb. 12, 2025, 9:53 p.m.

Description

While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.

External References

https://www.elastic.co/security-labs/fragile-web-ref7707
https://otx.alienvault.com/pulse/67ad1528608f24b71bcea41b
Tags
linux
powershell
windows
persistence
siestagraph
certutil
scheduled task
2025-02-12
lolbas
southeast asia
finaldraft
ref7707
guidloader
pathloader
typo squatting
lolbin
remote admin

Date

  • Created: Feb. 12, 2025, 9:39 p.m.
  • Published: Feb. 12, 2025, 9:39 p.m.
  • Modified: Feb. 12, 2025, 9:53 p.m.

Indicators

  • f90420847e1f2378ac8c52463038724533a9183f02ce9ad025a6a10fd4327f12
  • f45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9
  • d9fc1cab72d857b1e4852d414862ed8eab1d42960c1fd643985d352c148a6461
  • f29779049f1fc2d45e43d866a845c45dc9aed6c2d9bbf99a8b1bdacfac2d52f2
  • cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf
  • 842d6ddb7b26fdb1656235293ebf77c683608f8f312ed917074b30fbd5e8b43d
  • 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
  • 7cd14d3e564a68434e3b705db41bddeb51dbb7d5425fd901c5ec904dbb7b6af0
  • 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3
  • 5e3dbfd543909ff09e343339e4e64f78c874641b4fe9d68367c4d1024fe79249
  • 49e383ab6d092ba40e12a255e37ba7997f26239f82bebcd28efaa428254d30e1
  • 41141e3bdde2a7aebf329ec546745149144eff584b7fe878da7a2ad8391017b9
  • 41a3a518cc8abad677bb2723e05e2f052509a6f33ea75f32bd6603c96b721081
  • 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530
  • 33f3a8ef2c5fbd45030385b634e40eaa264acbaeb7be851cbf04b62bbe575e75
  • 20508edac0ca872b7977d1d2b04425aaa999ecf0b8d362c0400abb58bd686f92
  • 17b2c6723c11348ab438891bc52d0b29f38fc435c6ba091d4464f9f2a1b926e0
  • 08331f33d196ced23bb568689c950b39ff7734b7461d9501c404e2b1dc298cc1
  • 8.213.217.182
  • 47.83.8.198
  • 47.239.0.216
  • 8.218.153.45
  • https://support.vmphere.com
  • update.hobiter.com
  • support.vmphere.com
  • support.fortineat.com
  • poster.checkponit.com
  • ict.ictnsc.com
  • pol.vm-clouds.net
  • digert.ictnsc.com
  • cloud.autodiscovar.com
  • vm-clouds.net
  • vmphere.com
  • mrd0x.com
  • ictnsc.com
  • hobiter.com
  • d-links.net
  • checkponit.com
  • autodiscovar.com
Download all indicators here!

Attack Patterns

  • FINALDRAFT
  • GUILOADER
  • PATHLOADER

Additional Informations

  • Education
  • Telecommunications
  • Government