Just when we thought cybercriminals had run out of tricks, they’ve gone and pulled another rabbit out of their malicious hats. Meet FinalDraft—not the screenwriting software, but a sneaky new backdoor malware that’s been using Outlook email drafts for covert communications.
Yes, attackers are sliding into your inbox drafts like an uninvited guest at a private party.
The Attack Play-by-Play

It starts with a little helper called PathLoader, which sneaks into the victim’s system and executes shellcode that fetches FinalDraft. To avoid easy detection, PathLoader plays hard to get—using API hashing and string encryption to keep security tools at bay.
Once FinalDraft is up and running, the real espionage begins. Instead of sending obvious emails that scream, "Hey, I’m a hacker!", it blends into Microsoft 365 traffic like a chameleon.
How? By planting commands inside Outlook drafts—never actually hitting “Send” but still getting the message across. Sneaky, right?

The attacker’s command is saved as a draft titled r_. The infected machine reads the draft, executes the command, and stores the results in a new draft titled p_. Once done, the malware deletes both drafts, leaving hardly a trace.
It’s like having a secret conversation in disappearing ink!
What Can This Malware Do?
FinalDraft isn’t just writing emails; it’s writing cyber history. This malware is a digital Swiss Army knife with 37 different commands, including:
Data Exfiltration – Stealing files, credentials, and system info like a cyber pickpocket.
Process Injection – Running malicious code inside legitimate programs (ever seen mspaint.exe commit cybercrime? You have now!).
Pass-the-Hash Attacks – Harvesting authentication credentials for lateral movement (because one hacked system is never enough for these guys).
Network Proxying – Creating covert tunnels to bypass security monitoring.
File Operations – Copying, deleting, and overwriting files like a ghost editor.
PowerShell Execution – Running PowerShell commands without launching PowerShell—because subtlety is key.
Oh, and just in case you thought Linux users were safe—think again. A Linux variant of FinalDraft has been spotted, proving that hackers love cross-platform support more than some software companies.
Who’s Been Hit?
Elastic Security Labs uncovered this espionage campaign, dubbed REF7707, and their analysis has revealed links hinting at a much larger operation.
To make matters worse, the attackers are using compromised telecom and internet infrastructure providers as launchpads. Even a Southeast Asian university’s public storage system was caught hosting malware payloads—either an accidental “oops” or a deliberate supply chain compromise.
How to Stay Safe (and Keep Your Drafts Clean)
Monitor Unusual Draft Activity – If you see weird drafts appearing and disappearing, it’s time to sound the alarms.
Enable Multi-Factor Authentication (MFA) – This is Cybersecurity 101. Do it.
Use Behavior-Based Detection – Traditional AV tools won’t catch this easily—go for behavior-based solutions.
Limit OAuth Token Permissions – If an app asks for too many permissions, think twice before granting them.
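To make the "monitor unusual draft activity" advice concrete, here is a small added Python detection script that hunts for the draft pattern described earlier (a command draft titled r_, a result draft titled p_, both deleted shortly afterwards). This is example code written for this post, not code from the original article or from Elastic's REF7707 report. The event records, their field names (time, user, op, folder, subject) and the mailbox addresses are constructed to resemble a simplified mailbox audit feed; they are not real Microsoft 365 audit output, so map the fields to whatever your own log source provides. The 5-minute lifetime threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (simplified mailbox-activity records, not real M365 audit logs).
# alice's mailbox shows the FinalDraft-style pattern; bob's shows a normal, long-lived draft.
SAMPLE_EVENTS = [
    {"time": "2025-02-17T09:00:01Z", "user": "alice@example.test", "op": "Create",     "folder": "Drafts", "subject": "r_"},
    {"time": "2025-02-17T09:00:07Z", "user": "alice@example.test", "op": "Create",     "folder": "Drafts", "subject": "p_"},
    {"time": "2025-02-17T09:00:09Z", "user": "alice@example.test", "op": "HardDelete", "folder": "Drafts", "subject": "r_"},
    {"time": "2025-02-17T09:00:09Z", "user": "alice@example.test", "op": "HardDelete", "folder": "Drafts", "subject": "p_"},
    {"time": "2025-02-17T10:15:00Z", "user": "bob@example.test",   "op": "Create",     "folder": "Drafts", "subject": "Q3 budget notes"},
    {"time": "2025-02-17T12:40:00Z", "user": "bob@example.test",   "op": "HardDelete", "folder": "Drafts", "subject": "Q3 budget notes"},
]

# Draft subject prefixes reported for the command (r_) and result (p_) drafts.
SUSPICIOUS_PREFIXES = ("r_", "p_")
# Assumed tuning value: a draft that is created and deleted within this window is unusual.
MAX_DRAFT_LIFETIME = timedelta(minutes=5)
DELETE_OPS = {"HardDelete", "SoftDelete"}


def parse_time(stamp):
    """Parse the constructed ISO-8601 UTC timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_drafts(events, prefixes=SUSPICIOUS_PREFIXES, max_lifetime=MAX_DRAFT_LIFETIME):
    """Return a list of (user, subject, reason) findings.

    Two independent signals are raised:
      1. a draft whose subject starts with a known C2-style prefix (r_ / p_);
      2. a draft that is created and then deleted within max_lifetime, regardless of subject.
    Events are processed in time order so a Create is always paired with a later delete.
    """
    findings = []
    pending = {}  # (user, subject) -> creation time of a draft not yet deleted

    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["folder"] != "Drafts":
            continue
        key = (ev["user"], ev["subject"])
        when = parse_time(ev["time"])

        if ev["op"] == "Create":
            pending[key] = when
            if ev["subject"].startswith(prefixes):
                findings.append((ev["user"], ev["subject"], "subject matches known C2 draft prefix"))
        elif ev["op"] in DELETE_OPS:
            created_at = pending.pop(key, None)
            if created_at is not None and when - created_at <= max_lifetime:
                lifetime = int((when - created_at).total_seconds())
                findings.append((ev["user"], ev["subject"], f"draft created and deleted within {lifetime}s"))
    return findings


def flagged_mailboxes(events):
    """Aggregate findings per mailbox so an analyst sees which users to triage first."""
    per_user = defaultdict(int)
    for user, _subject, _reason in find_suspicious_drafts(events):
        per_user[user] += 1
    return dict(per_user)


if __name__ == "__main__":
    for user, subject, reason in find_suspicious_drafts(SAMPLE_EVENTS):
        print(f"[ALERT] {user}: draft {subject!r}: {reason}")
    print("mailboxes to triage:", flagged_mailboxes(SAMPLE_EVENTS))
```

On the constructed sample the script raises four findings, all on alice's mailbox (two prefix matches and two short-lived drafts), and nothing on bob's long-lived draft. The prefix check is brittle on its own, since an attacker can rename the drafts; the create-then-delete timing check is the one worth keeping as a generic behavioral signal, tuned to your users' real draft habits.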
Attackers are getting smarter, stealthier, and more creative with their exploits. The only way to stay ahead is by staying informed, prepared, and, of course, just a little bit paranoid (the healthy cybersecurity kind).
Stay safe, stay cyber-aware, and for the love of encryption, stop downloading shady attachments!