Tracing the DNS Footprints of REF7707
The REF7707 campaign actors recently targeted the foreign ministry of a South American country. According to a published report, the group has been connected to previous compromises in Southeast Asia.
The threat actors reportedly used three new malware families—FINALDRAFT, GUIDLOADER, and PATHLOADER—in the attack. The report listed 13 indicators of compromise (IoCs) comprising eight domains and five IP addresses.[1]
WhoisXML API expanded the current list of IoCs and uncovered connected artifacts, namely: