New FinalDraft Malware Spotted in Espionage Campaign

A newly identified malware family abuses the Outlook mail service for communication, via the Microsoft Graph API.

A newly discovered post-exploitation malware kit targeting both Windows and Linux systems has been abusing Microsoft Outlook as a communication channel, Elastic Security Labs reports.

The kit includes a loader and a backdoor, along with various modules that support additional post-exploitation operations, and is likely used as part of an espionage campaign.

Elastic tracks the campaign as REF7707, and it has seen the new malware used in attacks on a South American nation’s Foreign Ministry. Its researchers also found links to compromises in Southeast Asia.

Dubbed PathLoader, the loader is a lightweight Windows executable designed to fetch and execute encrypted shellcode from a remote server; it also includes sandbox evasion capabilities.

The shellcode loads and executes a backdoor called FinalDraft, which is written in C++ and can execute a broad range of commands, exfiltrate data, and inject code into processes.

For communication purposes, FinalDraft uses the Outlook service via the Microsoft Graph API. It targets a specific Outlook endpoint to obtain a Microsoft Graph API token, which it then stores in a registry path that depends on whether the user has administrative privileges, and reuses the stored token as long as it remains valid.

To start the communication loop, the malware creates a session email draft (unless one already exists), then reads and deletes command request email drafts from the command-and-control (C&C) server, processes commands, and writes responses as email drafts.
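The draft-based channel described above gives defenders something concrete to hunt for: a mailbox whose Drafts folder is repeatedly written to and emptied by a non-interactive client, with nothing ever sent. The Python below is an added example, not Elastic's code or anything from the report; its event schema, field names, mailbox addresses and sample events are constructed for illustration and do not match any particular product's audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mailbox audit events (hypothetical schema):
# (timestamp, mailbox, operation, folder, client_app)
SAMPLE_EVENTS = [
    # Benign: a user edits one draft and then sends it.
    ("2025-02-10T09:00:00", "alice@example.test", "Create", "Drafts", "Outlook"),
    ("2025-02-10T09:03:00", "alice@example.test", "Send", "Drafts", "Outlook"),
    # Suspicious: a Graph API client creates and deletes drafts every minute
    # for ten minutes and never sends anything, resembling a draft-polling C2 loop.
    *[(f"2025-02-10T10:{m:02d}:00", "bob@example.test", op, "Drafts", "GraphAPI")
      for m in range(10) for op in ("Create", "Delete")],
]


def parse_event(ev):
    """Turn a raw event tuple into (datetime, mailbox, operation, folder, client)."""
    ts, mbx, op, folder, client = ev
    return datetime.fromisoformat(ts), mbx, op, folder, client


def find_draft_churn(events, window=timedelta(minutes=10), min_cycles=5):
    """Return {mailbox: (creates, deletes, clients)} for every mailbox whose
    Drafts folder shows at least `min_cycles` Create AND Delete operations
    inside one sliding `window` that contains no Send operation."""
    by_mailbox = defaultdict(list)
    for ev in events:
        ts, mbx, op, folder, client = parse_event(ev)
        if folder == "Drafts":
            by_mailbox[mbx].append((ts, op, client))

    flagged = {}
    for mbx, evs in by_mailbox.items():
        evs.sort(key=lambda e: e[0])
        recent = deque()  # events inside the current sliding window
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            ops = [e[1] for e in recent]
            creates, deletes = ops.count("Create"), ops.count("Delete")
            if "Send" not in ops and min(creates, deletes) >= min_cycles:
                clients = sorted({e[2] for e in recent})
                flagged[mbx] = (creates, deletes, clients)  # keep the widest hit
    return flagged


if __name__ == "__main__":
    for mailbox, (c, d, clients) in find_draft_churn(SAMPLE_EVENTS).items():
        print(f"{mailbox}: {c} draft creates / {d} deletes, no send; clients={clients}")
```

Tune `window` and `min_cycles` to the baseline draft activity in your own tenant before treating a hit as more than a lead.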

Elastic Security Labs’ analysis of the malware revealed the inclusion of 37 command handlers, most of which focus on process injection, file manipulation, and network proxy functionality.


Based on these commands, FinalDraft can harvest system information, start/stop a connection to the C&C, connect to the C&C, exfiltrate data, list drives and files, create directories, delete and move files, download and upload files, copy files, list running processes, and create or terminate processes.

The malware relies on UDP and TCP listeners and a named pipe client to proxy data to the C&C, and it overwrites files with zeros before deleting them to prevent file recovery.

The threat was also seen loading additional modules used to retrieve networking information, execute PowerShell commands, and start new processes with stolen NTLM hashes using a custom Pass-the-Hash (PTH) toolkit.

Elastic Security Labs also discovered a Linux variant of FinalDraft, which supports more transport protocols but fewer features compared to the Windows version, as well as an older malware sample that included additional transport protocols.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
