
Tracing the DNS Footprints of REF7707

The targeted attack campaign REF7707 trained its sights on the foreign ministry of a South American country in February 2025. According to Elastic Labs, the group behind the campaign has been connected to previous compromises in Southeast Asia.

The REF7707 threat actors reportedly used three new malware families—FINALDRAFT, GUIDLOADER, and PATHLOADER—for the attack. The report of the campaign’s in-depth analysis listed 13 indicators of compromise (IoCs) comprising eight domains and five IP addresses.

The WhoisXML API research team expanded the current list of IoCs and uncovered connected artifacts, namely:

  • 155 email-connected domains
  • One IP-connected domain
  • 14 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the REF7707 IoCs

We started our investigation by looking for more information on the IoCs identified by Elastic Labs. First, we queried the eight domains tagged as IoCs on Bulk WHOIS API and found that only seven had current WHOIS records. The query results revealed that:

  • All seven domains predated the February 2025 attack by well over a year: two were created in 2022 and five in 2023.
  • Two registrars administered them: NameSilo accounted for six domains and GoDaddy for one.
  • All seven domains were registered in the U.S.

We then queried the eight domains identified as IoCs on DNS Chronicle API and found that five had historical IP resolutions. The five domains recorded 89 IP resolutions over time. The domain d-links[.]net had the oldest first IP resolution date—22 October 2019. The following table shows more details about three other domains.

DOMAIN IoC           NUMBER OF IP RESOLUTIONS   FIRST IP RESOLUTION DATE
autodiscovar[.]com   21                         27 August 2022
checkponit[.]com     15                         28 August 2022
fortineat[.]com      26                         27 August 2022

It is interesting to note that four of the five domains with DNS histories, including the three in the table above, first resolved to IP addresses within two days of each other, between 27 and 28 August 2022. First-resolution dates that cluster this tightly are worth flagging: they suggest infrastructure stood up in a single batch and give a useful pivot for finding further domains activated in the same window.

Next, we queried the five IP addresses identified as IoCs on Bulk IP Geolocation Lookup and found that:

  • They were split between two countries led by China, which accounted for three IP addresses. The other two were geolocated in Thailand.
  • They were also spread across two ISPs—four were administered by Alibaba and one by ReadyIDC.

We then queried the five IP addresses identified as IoCs on DNS Chronicle API and found that only two had DNS histories. Altogether, they recorded 21 historical IP-to-domain resolutions over time. The IP address 47[.]239[.]0[.]216 had the oldest IP-to-domain resolution date, 19 October 2024.

REF7707 IoC List Expansion Analysis Findings

As our first step toward uncovering possibly connected artifacts, we queried the eight domains identified as IoCs on WHOIS History API. We found 20 unique email addresses in their historical WHOIS records after duplicates were filtered out. Closer scrutiny revealed that four of them were public email addresses rather than privacy-redacted placeholders, and only those four are useful as pivots.

We then queried the four public email addresses on Reverse WHOIS API and found that none of them appeared in any other domain’s current WHOIS records. So, we dug deeper and discovered that they appeared in the historical WHOIS records of 155 email-connected domains after duplicates and those already identified as IoCs were filtered out.

As the next step, we queried the eight domains identified as IoCs on DNS Lookup API and found that none of them actively resolved to IP addresses. But that did not stop our search for IP-connected domains since we still had five IP addresses that have already been tagged as IoCs.

So, we queried the five IP addresses identified as IoCs on Reverse IP API and discovered that only one—8[.]213[.]217[.]182—had DNS connections. We uncovered one IP-connected domain after duplicates, those already tagged as IoCs, and the email-connected domains were filtered out.
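The two pivots described above (historical WHOIS email addresses followed by reverse WHOIS, then reverse IP with the already-found domains filtered out), together with the first-resolution-date check from the DNS history section, can be reproduced offline over sample records. The following is an added example and is not WhoisXML API code or part of the original post: the record formats, the privacy-marker heuristic for "public" email addresses, and every domain, IP address and email address other than the IoCs quoted in the post are constructed assumptions, chosen so the pivots have something to find.

```python
"""Added example (not from the post or WhoisXML API): the DNS-history summary,
WHOIS-email pivot and reverse-IP pivot the post describes, run over constructed
sample records. Everything except the quoted IoCs is an assumption."""
from collections import defaultdict
from datetime import date, timedelta

# Assumption: a WHOIS email containing one of these is a privacy placeholder,
# not a real registrant mailbox, so it is not "public" and not worth pivoting on.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")


def refang(ioc: str) -> str:
    """'d-links[.]net' -> 'd-links.net'; '47[.]239[.]0[.]216' -> '47.239.0.216'."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Inverse of refang, for reporting indicators without making them clickable."""
    return ioc.replace(".", "[.]")


# IoCs quoted in the post, stored refanged.
IOC_DOMAINS = {refang(d) for d in ("autodiscovar[.]com", "checkponit[.]com",
                                   "fortineat[.]com", "d-links[.]net")}
IOC_IPS = {refang(i) for i in ("47[.]239[.]0[.]216", "8[.]213[.]217[.]182")}

# Constructed passive-DNS records: (domain, ip, first_seen). Sample data only.
PASSIVE_DNS = [
    ("autodiscovar.com", "203.0.113.10", date(2022, 8, 27)),
    ("autodiscovar.com", "203.0.113.11", date(2023, 1, 5)),
    ("checkponit.com",   "203.0.113.10", date(2022, 8, 28)),
    ("fortineat.com",    "203.0.113.12", date(2022, 8, 27)),
    ("d-links.net",      "198.51.100.7", date(2019, 10, 22)),
    ("pivot-a.net",      "8.213.217.182", date(2024, 11, 2)),   # shares an IoC IP
    ("pivot-b.org",      "8.213.217.182", date(2024, 12, 1)),   # shares an IoC IP
]

# Constructed historical WHOIS records: domain -> registrant emails seen over time.
WHOIS_HISTORY = {
    "autodiscovar.com": {"ops@example.com", "abuse@privacy-proxy.example"},
    "checkponit.com":   {"ops@example.com"},
    "fortineat.com":    {"redacted@whoisguard.example"},
    "d-links.net":      {"admin2@example.net"},
    "pivot-a.net":      {"ops@example.com"},        # same email as two IoCs
    "pivot-c.com":      {"admin2@example.net"},     # same email as d-links.net
    "pivot-b.org":      {"someone-else@example.org"},
}


def dns_summary(records, domains):
    """Per domain of interest: number of resolutions and earliest first-seen date."""
    count, first = defaultdict(int), {}
    for dom, _ip, seen in records:
        if dom in domains:
            count[dom] += 1
            first[dom] = min(first.get(dom, seen), seen)
    return {d: (count[d], first[d]) for d in count}


def temporal_cluster(summary, window_days=2):
    """Largest set of domains whose first resolutions fall within window_days of
    each other: the signature of infrastructure stood up in one batch."""
    ordered = sorted(summary, key=lambda d: summary[d][1])
    best, start = [], 0
    for end in range(len(ordered)):
        while summary[ordered[end]][1] - summary[ordered[start]][1] > timedelta(days=window_days):
            start += 1
        if end - start + 1 > len(best):
            best = ordered[start:end + 1]
    return sorted(best)


def is_public_email(email):
    return not any(m in email.lower() for m in PRIVACY_MARKERS)


def email_connected(history, iocs):
    """Reverse-WHOIS pivot: public emails from the IoCs' WHOIS history, then every
    other domain whose history carries one of them (IoCs themselves excluded)."""
    emails = {e for d in iocs for e in history.get(d, ()) if is_public_email(e)}
    connected = {d for d, es in history.items() if es & emails} - iocs
    return emails, connected


def ip_connected(records, ioc_ips, exclude):
    """Reverse-IP pivot: domains that resolved to an IoC IP, minus everything
    already counted (the IoCs and the email-connected domains)."""
    return {d for d, ip, _ in records if ip in ioc_ips} - exclude


def expand(iocs=IOC_DOMAINS, ioc_ips=IOC_IPS, history=WHOIS_HISTORY, records=PASSIVE_DNS):
    emails, by_email = email_connected(history, iocs)
    by_ip = ip_connected(records, ioc_ips, iocs | by_email)
    return {"public_emails": emails, "email_connected": by_email, "ip_connected": by_ip}


if __name__ == "__main__":
    summary = dns_summary(PASSIVE_DNS, IOC_DOMAINS)
    for dom, (n, first) in sorted(summary.items(), key=lambda kv: kv[1][1]):
        print(f"{defang(dom):22} {n:3} resolutions, first seen {first}")
    print("first-seen cluster:", [defang(d) for d in temporal_cluster(summary)])
    for kind, found in expand().items():
        print(kind, sorted(defang(x) if "@" not in x else x for x in found))
```

The filtering order matters for the counts a report like this one quotes: a domain found by both pivots is attributed to the first pivot that reached it, which is why the reverse-IP step subtracts the IoCs and the email-connected set before counting. Against real data, swap the constructed lists for the responses of the WHOIS history, reverse WHOIS and reverse IP lookups, and treat the privacy-marker heuristic as a starting point to tune, not a definitive test.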

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
