216.73.217.22

From South America to Southeast Asia: The Fragile Web of REF7707

· Published 12/02/2025 21:39 · Modified 12/02/2025 21:53

Export JSON

Essential information

Published
12/02/2025 21:39
Modified
12/02/2025 21:53
Tags
2025-02-12 certutil finaldraft guidloader linux lolbas lolbin pathloader persistence powershell ref7707 remote admin scheduled task siestagraph southeast asia typo squatting windows
Related entities
40 observables, 6 techniques (mitre), 3 malware, 3 others

Description

While the campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (40)

  • 8.213.217.182
  • 47.83.8.198
  • 47.239.0.216
  • 8.218.153.45
  • https://support.vmphere.com
  • update.hobiter.com
  • support.vmphere.com
  • support.fortineat.com
  • poster.checkponit.com
  • ict.ictnsc.com
  • pol.vm-clouds.net
  • digert.ictnsc.com
  • cloud.autodiscovar.com
  • vm-clouds.net
  • vmphere.com
  • mrd0x.com
  • ictnsc.com
  • hobiter.com
  • d-links.net
  • checkponit.com
  • autodiscovar.com
  • f90420847e1f2378ac8c52463038724533a9183f02ce9ad025a6a10fd4327f12
  • f45661ea4959a944ca2917454d1314546cc0c88537479e00550eef05bed5b1b9
  • d9fc1cab72d857b1e4852d414862ed8eab1d42960c1fd643985d352c148a6461
  • f29779049f1fc2d45e43d866a845c45dc9aed6c2d9bbf99a8b1bdacfac2d52f2
  • cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf
  • 842d6ddb7b26fdb1656235293ebf77c683608f8f312ed917074b30fbd5e8b43d
  • 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
  • 7cd14d3e564a68434e3b705db41bddeb51dbb7d5425fd901c5ec904dbb7b6af0
  • 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3
  • 5e3dbfd543909ff09e343339e4e64f78c874641b4fe9d68367c4d1024fe79249
  • 49e383ab6d092ba40e12a255e37ba7997f26239f82bebcd28efaa428254d30e1
  • 41141e3bdde2a7aebf329ec546745149144eff584b7fe878da7a2ad8391017b9
  • 41a3a518cc8abad677bb2723e05e2f052509a6f33ea75f32bd6603c96b721081
  • 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530
  • 33f3a8ef2c5fbd45030385b634e40eaa264acbaeb7be851cbf04b62bbe575e75
  • 20508edac0ca872b7977d1d2b04425aaa999ecf0b8d362c0400abb58bd686f92
  • 17b2c6723c11348ab438891bc52d0b29f38fc435c6ba091d4464f9f2a1b926e0
  • 08331f33d196ced23bb568689c950b39ff7734b7461d9501c404e2b1dc298cc1

Techniques (MITRE) (6)

  • T1189
    Drive-by Compromise
  • T1547
    Boot or Logon Autostart Execution
  • T1105
    Ingress Tool Transfer
  • T1102
    Web Service
  • T1055
    Process Injection
  • T1059
    Command and Scripting Interpreter

Malware (3)

  • FinalDraft
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • GUILOADER
    Family
    Published 12/02/2025 21:39 · Modified 12/02/2025 21:39
  • Pathloader
    Family
    Published 24/10/2025 09:16 · Modified 24/10/2025 09:16

Others (3)

  • Education
  • Telecommunications
  • Government

External references