New FinalDraft malware abuses Outlook mail service for stealthy comms
A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
The attacks were discovered by Elastic Security Labs and rely on a complete toolset that includes a custom malware loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities.
The abuse of Outlook, in this case, aims to achieve covert communications, allowing the attackers to perform data exfiltration, proxying, process injection, and lateral movement while leaving minimal possible traces.
Attack chain
The attack begins with the threat actor compromising the targer's system with PathLoader, a small executable file that executes shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure.
PathLoader incorporates protections against static analysis by performing API hashing and using string encryption.
FinalDraft is used for data exfiltration and process injection. After loading the configuration and generating a session ID, the malware establishes communication through Microsoft Graph API, by sending and receiving commands through Outlook email drafts.
FinalDraft retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration, and stores it in the Windows Registry for persistent access.

By using Outlook drafts instead of sending emails, it avoids detection and blends into normal Microsoft 365 traffic.
Commands from the attacker are hidden in drafts (r_<session-id>) and responses are stored in new drafts (p_<session-id>). After execution, draft commands are deleted, making forensic analysis harder and detection more unlikely.
FinalDraft supports a total of 37 commands, the most important of them being:
- Data exfiltration (files, credentials, system info)
- Process injection (running payloads in legitimate processes like mspaint.exe)
- Pass-the-Hash attacks (stealing authentication credentials for lateral movement)
- Network proxying (creating covert network tunnels)
- File operations (copying, deleting, or overwriting files)
- PowerShell execution (without launching powershell.exe)
Elastic Security Labs also observed a Linux variant of FinalDraft, which can still use Outlook via REST API and Graph API, as well as HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based C2 exchange.

The researchers present the attack campaign, dubbed REF7707, in a separate report that describes several opsec mistakes that are in contrast with the advanced intrusion set used, and which led to the attacker's exposure.
REF7707 is a cyber-espionage campaign focused on a South American foreign ministry, but analysis of the infrastructure revealed links to Southeast Asian victims, suggesting a broader operation.
The investigation also uncovered another previously undocumented malware loader used in the attacks, named GuidLoader, capable to decrypt and execute payloads in memory

Further analysis showed the attacker's repeated targeting of high-value institutions via compromised endpoints in telecommunications and internet infrastructure providers in Southeast Asia.
Additionally, a Southeast Asian university’s public-facing storage system was used to host malware payloads, suggesting prior compromise or a supply chain foothold.
YARA rules to help defenders detect Guidloader, PathLoader, and FinalDraft, are available at the bottom of Elastic’s reports [1, 2].
Google Chrome's AI-powered security feature rolls out to everyone
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner