CN

REF7707REF7707

Also known as: CL-STA-0049 · Jewelbug · REF7707

Origin
CN
Known aliases
3

Profile

REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement. The threat actor employs the Microsoft Graph API for C2 communication, blending malicious traffic with legitimate activity to evade detection. Despite their technical sophistication, REF7707 operators exhibited poor operational security, leading to the exposure of their infrastructure and malware. Their tactics enable the extraction of sensitive data, including passwords and Active Directory information, facilitating ongoing espionage activities.

Aliases· 3

CL-STA-0049JewelbugREF7707

References

  1. https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
  2. https://www.elastic.co/security-labs/fragile-web-ref7707
  3. https://www.security.com/threat-intelligence/jewelbug-apt-russia

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor
TA577
Actor
DEV-0147
Actor
REF5961
Actor
Storm-2077
Actor
HAFNIUM
Actor
BackdoorDiplomacy
Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.