SOCRadar® Cyber Intelligence Inc. | FinalDraft Malware: The Stealthy Threat Using Microsoft Services
Sep 11, 2025
Moon

FinalDraft Malware: The Stealthy Threat Using Microsoft Services

Designed for covert, long-term espionage, FinalDraft malware masterfully blends into legitimate Microsoft services to avoid detection, making it a formidable challenge for defenders.

What is FinalDraft Malware?

FinalDraft is a cross-platform malware capable of infecting both Windows and Linux systems. Its primary method for communicating with Command-and-Control (C2) servers is remarkably subtle: it leverages Microsoft Outlook’s ‘Drafts’ folder. By hiding encrypted messages within draft emails, FinalDraft can exchange commands and results between the infected host and the attacker without triggering typical network security alerts.

Who is Being Targeted?

This malware has been observed in attacks targeting various critical sectors, including:

  • Government
  • Telecommunications
  • Finance
  • Education
  • Healthcare

Its global reach, affecting victims across South America, Southeast Asia, and beyond, suggests that these attacks are likely orchestrated by well-funded threat actors or even nation-states.

How Does FinalDraft Operate?

The infection process typically begins with a loader known as PathLoader. This component is responsible for decrypting and executing shellcode, which then activates the FinalDraft backdoor. Once active, the backdoor utilizes the Microsoft Graph API for authentication and communication, further embedding its malicious activity within legitimate cloud services.

How does FinalDraft operate? (Elastic)

FinalDraft supports a robust set of 37 commands, allowing attackers to perform a variety of actions, including:

  • File theft
  • Process injection
  • PowerShell execution without using powershell.exe

This ability to execute PowerShell commands without the actual PowerShell executable is a testament to its stealth and sophistication.

Key Techniques Used (MITRE ATT&CK)

FinalDraft employs several advanced techniques to achieve its objectives and evade defenses. Some notable MITRE ATT&CK techniques it leverages include:

  • Native API abuse (T1106)
  • Process Injection (T1055)
  • Script execution (T1059)
  • Non-app layer protocols (T1095)
  • Sandbox evasion (T1497)
  • Proxy execution (T1127)
  • Token manipulation (T1134)
  • Alternate authentication (T1550)

MITRE ATT&CK techniques of FinalDraft

Protecting Your Organization: Mitigation and Detection

Given FinalDraft’s stealthy nature, a multi-layered defense strategy is crucial.

Mitigation strategies to reduce exposure include:

  • Enable Attack Surface Reduction (ASR) rules
  • Use AppLocker or Defender Application Control
  • Continuously monitor Outlook Draft activity for unusual patterns
  • Segment your network and restrict outbound access to minimize lateral movement and C2 communication
  • Apply YARA rules from Elastic to identify malicious files

For detection and incident response:

  • Monitor Outlook activity, API behavior, and PowerShell usage
  • Look for anomalous process execution
  • If an infection is suspected, isolate affected hosts immediately
  • Thoroughly examine registry and memory for artifacts
  • Remove any persistence artifacts to prevent re-infection
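One way to turn the "monitor Outlook Draft activity" advice above into a concrete check, as an added example that is not part of the SOCRadar post or Elastic's research: it scans constructed, simplified mailbox-audit-style records (the field names are assumptions, not a real log schema) for Drafts items that are created and then deleted without ever being sent, and raises an alert when one mailbox shows several such cycles in a short window, with higher severity when the client string indicates a non-interactive REST/Graph client rather than an Outlook desktop session.

```python
"""Detect draft-folder churn consistent with mailbox-draft C2 (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records. Field names are an assumption loosely modelled on
# Exchange Online mailbox-audit events; map them onto your real log schema.
SAMPLE_EVENTS = [
    # alice: one abandoned draft from the desktop client -> benign
    {"ts": "2025-09-10T09:00:01Z", "user": "alice@example.test", "op": "Create",     "folder": "\\Drafts", "item": "a1", "client": "Client=OutlookService;Outlook-Desktop"},
    {"ts": "2025-09-10T09:04:30Z", "user": "alice@example.test", "op": "SoftDelete", "folder": "\\Drafts", "item": "a1", "client": "Client=OutlookService;Outlook-Desktop"},
    # alice: a draft that was actually sent -> benign
    {"ts": "2025-09-10T09:10:00Z", "user": "alice@example.test", "op": "Create",     "folder": "\\Drafts", "item": "a2", "client": "Client=OutlookService;Outlook-Desktop"},
    {"ts": "2025-09-10T09:11:00Z", "user": "alice@example.test", "op": "Send",       "folder": "\\Drafts", "item": "a2", "client": "Client=OutlookService;Outlook-Desktop"},
]
# bob: four create/delete cycles in about three minutes from a REST (Graph-style) client, none sent
for n in range(4):
    base = datetime(2025, 9, 10, 9, 20, 0) + timedelta(seconds=45 * n)
    for op, offset in (("Create", 0), ("HardDelete", 5)):
        SAMPLE_EVENTS.append({"ts": (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                              "user": "bob@example.test", "op": op, "folder": "\\Drafts",
                              "item": f"b{n}", "client": "Client=REST;Client=RESTSystem;"})

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")

def draft_churn_alerts(events, window=timedelta(minutes=10), min_cycles=3):
    """Group Drafts-folder events per item; an item created then deleted without a Send
    is one 'cycle'. Alert when a mailbox shows >= min_cycles cycles inside `window`."""
    per_item = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["folder"] == "\\Drafts":
            per_item[(e["user"], e["item"])].append(e)
    cycles = defaultdict(list)                      # user -> [(create_ts, client), ...]
    for (user, _), evs in per_item.items():
        ops = {e["op"] for e in evs}
        if "Create" in ops and ops & {"SoftDelete", "HardDelete"} and "Send" not in ops:
            cycles[user].append((_ts(evs[0]), evs[0]["client"]))
    alerts = {}
    for user, cyc in cycles.items():
        cyc.sort()
        for i, (start, _) in enumerate(cyc):
            in_window = [c for c in cyc[i:] if c[0] - start <= window]
            if len(in_window) >= min_cycles:
                clients = sorted({c[1] for c in in_window})
                # A non-interactive REST/Graph client churning drafts is the higher-confidence case
                severity = "high" if any("REST" in c for c in clients) else "medium"
                alerts[user] = {"cycles": len(in_window), "clients": clients, "severity": severity}
                break
    return alerts

if __name__ == "__main__":
    for user, a in draft_churn_alerts(SAMPLE_EVENTS).items():
        print(f"{a['severity'].upper()}: {user} created and deleted {a['cycles']} drafts without sending via {a['clients']}")
```

Tune `window` and `min_cycles` against a baseline of your own users' draft behaviour before alerting on it, and treat the client-string check as a confidence boost rather than a hard filter, since an implant running inside a legitimate Outlook session would not trip it.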

Platforms like SOCRadar can enhance defensive capabilities by providing threat intelligence, Dark Web Monitoring for FinalDraft-related activity, enriching IoCs, and integrating with SIEM/SOAR systems for rapid response.

Indicators of Compromise (IOCs)

URLs:

  • http://poster.checkponit[.]com/nzoMeFYgvjyXK3P
  • https://poster.checkponit[.]com:443/nzoMeFYgvjyXK3P
  • https://support.fortineat[.]com:443/nzoMeFYgvjyXK3P

Hostnames:

  • poster.checkponit[.]com
  • support.fortineat[.]com
  • support.vmphere[.]com
  • update.hobiter[.]com

Conclusion

FinalDraft Malware represents a significant threat due to its ability to blend seamlessly into legitimate Microsoft services and evade traditional network detection methods. Proactive defense is paramount. Organizations must prioritize up-to-date threat intelligence, advanced monitoring capabilities, and robust incident response plans to identify and neutralize such sophisticated and covert threats before they can inflict substantial damage. Platforms like SOCRadar play a critical role in this defense by providing actionable intelligence, early warnings, and comprehensive visibility into evolving cyber campaigns.