FINALDRAFT
FINALDRAFT is a modular remote access backdoor/implant, also referred to as Squidoor in some reporting, associated with the REF7707 / CL-STA-0049 / Earth Alux / Jewelbug / Ink Dragon activity cluster. It has been described as a 64-bit C++ implant and as a full-featured remote administration tool with add-on modules, with observed Windows and Linux variants. Reporting links it to espionage-oriented operations targeting government organizations in South America, Southeast Asia, and later European government and telecommunications entities, with additional reporting tying the broader actor set to activity in Russia, Asia, Africa, and South America.
A core distinguishing feature of newer FINALDRAFT variants is command-and-control through Microsoft cloud services, specifically abuse of Outlook draft messages via the Microsoft Graph API. The implant obtains Graph access tokens using a refresh token stored in its configuration, caches the refreshed tokens in the Windows Registry, and uses mailbox drafts as a covert C2 channel: it creates a session draft, polls for command drafts, deletes each command after retrieval, and posts responses back as new drafts. Check Point also reported a previously unseen variant that exploits a Microsoft Graph API feature in Outlook to intercept OAuth tokens and hide C2 traffic inside legitimate cloud mail flows. Further reporting states that newer variants can align check-ins with business hours and move large files with little noise to blend into normal Microsoft cloud activity. Because the channel is authenticated HTTPS to graph.microsoft.com, destination-based blocking does not help; detection has to rest on host artifacts such as the registry token cache and on identity and mailbox telemetry (refresh-token use from unexpected hosts, drafts that are repeatedly created and deleted but never sent).
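The draft exchange described above, as an added example that is not code from the malware or from any vendor report. It is written in Go against an in-memory stand-in for the Graph /me/messages endpoint so that both sides of the protocol run offline. Token acquisition is out of scope (the fake mailbox is treated as already authenticated); the message-id shape, the session draft body and the operator-side deletion of responses are assumptions. The subjects r_<session-id> and p_<session-id> are the convention reported for this family; the session id is a fixed string here rather than the reported FNV hash of a GUID, and draft bodies are plain text, so the reported encoding layers are not applied.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// draft is the slice of a Graph message resource this simulation needs.
type draft struct {
	ID      string
	Subject string
	Body    string
}

// fakeMailbox stands in for the /me/messages endpoint so the exchange runs
// offline. It models the three operations the reported protocol needs:
// create a draft, list drafts by exact subject, delete a draft by id.
type fakeMailbox struct {
	next   int
	drafts map[string]draft
}

func newFakeMailbox() *fakeMailbox { return &fakeMailbox{drafts: map[string]draft{}} }

func (m *fakeMailbox) createDraft(subject, body string) string {
	m.next++
	id := fmt.Sprintf("AAMk%06d", m.next) // hypothetical message-id shape
	m.drafts[id] = draft{ID: id, Subject: subject, Body: body}
	return id
}

// listBySubject is the offline equivalent of
// GET /me/messages?$filter=isDraft eq true and subject eq '<subject>'.
// Exact matching matters: a prefix match on "r_abc" would also consume "r_abcd".
func (m *fakeMailbox) listBySubject(subject string) []draft {
	var out []draft
	for _, d := range m.drafts {
		if d.Subject == subject {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func (m *fakeMailbox) deleteDraft(id string) { delete(m.drafts, id) }

// Operator side: a command is a draft whose subject is r_<session-id>.
func operatorSend(m *fakeMailbox, sessionID, command string) string {
	return m.createDraft("r_"+sessionID, command)
}

// Operator side: responses are drafts with subject p_<session-id>. They are
// removed once read (assumption; the reporting does not say who deletes them).
func operatorCollect(m *fakeMailbox, sessionID string) []string {
	var bodies []string
	for _, d := range m.listBySubject("p_" + sessionID) {
		bodies = append(bodies, d.Body)
		m.deleteDraft(d.ID)
	}
	return bodies
}

type implant struct {
	sessionID  string
	mbox       *fakeMailbox
	registered bool
}

// runCommand stands in for the implant's command handlers; nothing is executed.
func runCommand(cmd string) string { return "ok: " + strings.TrimSpace(cmd) }

// checkIn performs one poll cycle and returns the commands it consumed.
func (im *implant) checkIn() []string {
	if !im.registered {
		// First contact: the session draft. Its body is an assumption.
		im.mbox.createDraft("p_"+im.sessionID, "session:"+im.sessionID)
		im.registered = true
	}
	var consumed []string
	for _, d := range im.mbox.listBySubject("r_" + im.sessionID) {
		im.mbox.deleteDraft(d.ID)                                  // command removed after retrieval
		im.mbox.createDraft("p_"+im.sessionID, runCommand(d.Body)) // response posted as a new draft
		consumed = append(consumed, d.Body)
	}
	return consumed
}

func main() {
	mbox := newFakeMailbox()
	im := &implant{sessionID: "7c3f2a19", mbox: mbox} // fixed session id for the demo
	im.checkIn()                                      // first contact: session draft only
	operatorSend(mbox, im.sessionID, "whoami")
	operatorSend(mbox, "deadbeef", "hostname") // another session's command: must be left alone
	fmt.Println("consumed:", im.checkIn())
	fmt.Println("responses:", operatorCollect(mbox, im.sessionID))
	fmt.Println("drafts remaining:", len(mbox.drafts))
}
```

The point to notice is what the mailbox looks like between polls: commands exist only until the implant reads them, and responses only until the operator reads them, so the steady state is a mailbox with one session draft and a stream of short-lived drafts that are never sent.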
Across reporting, FINALDRAFT is characterized as focused on data exfiltration, process injection, file manipulation, command execution, covert tunnelling and proxying, and lateral movement. Elastic reported 37 command handlers covering process injection, file operations, discovery, and proxying of TCP, UDP and named-pipe data. Process injection reportedly uses VirtualAllocEx, WriteProcessMemory and RtlCreateUserThread, into either an existing process or a newly created hidden one such as mspaint.exe or conhost.exe; on a Sysmon-instrumented host that sequence surfaces as a CreateRemoteThread (Event ID 8) record whose target is one of those images, which is the most direct hunting hook this family offers. The malware can add and remove Windows Firewall rules for its TCP server. Elastic also described further injected modules in the FINALDRAFT kit: network enumeration, in-memory PowerShell execution with AMSI/ETW bypass, and a Pass-the-Hash capability inspired by Mimikatz. Older or alternate variants reportedly supported both Outlook and HTTP transport, and a Linux ELF variant was observed with transport options including HTTP/HTTPS, reverse UDP, ICMP, bind/reverse TCP, DNS, and Outlook via the REST/Graph API.
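A detection example for the injection and firewall behaviour above, added here and not taken from Elastic or any other report. It runs over constructed Sysmon and Security log records (not real telemetry) flattened to one JSON object per line. The Host and Channel fields are an assumed normalization layer, and the severity rule (a remote thread whose start address is not backed by a loaded module, shown by an empty StartModule, is rated higher) is a heuristic rather than a published signature. A firewall rule addition (Security Event ID 4946) is only raised when the same host already has an injection hit, since 4946 on its own carries no process context.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample records, not real telemetry. Each line is one event
// flattened to JSON: Sysmon Event ID 8 (CreateRemoteThread) and Security
// Event ID 4946 (a rule was added to the Windows Firewall exception list).
// Host and Channel are assumed normalization fields; the remaining names
// follow the Sysmon and Security log schemas.
const sampleEvents = `
{"Host":"WS01","Channel":"Sysmon","EventID":8,"SourceImage":"C:\\Windows\\System32\\svchost.exe","TargetImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","StartModule":"C:\\Windows\\System32\\ntdll.dll","StartFunction":"RtlUserThreadStart"}
{"Host":"WS01","Channel":"Sysmon","EventID":8,"SourceImage":"C:\\Users\\Public\\update.exe","TargetImage":"C:\\Windows\\System32\\mspaint.exe","StartModule":"","StartFunction":""}
{"Host":"WS01","Channel":"Security","EventID":4946,"RuleName":"Core Networking - Allow TCP 8443"}
{"Host":"WS02","Channel":"Sysmon","EventID":8,"SourceImage":"C:\\Program Files\\EDR\\sensor.exe","TargetImage":"C:\\Windows\\System32\\conhost.exe","StartModule":"C:\\Windows\\System32\\ntdll.dll","StartFunction":"RtlUserThreadStart"}
{"Host":"WS03","Channel":"Security","EventID":4946,"RuleName":"Remote Assistance (TCP-In)"}
`

type event struct {
	Host          string
	Channel       string
	EventID       int
	SourceImage   string
	TargetImage   string
	StartModule   string
	StartFunction string
	RuleName      string
}

type alert struct {
	Host     string
	Severity string
	Reason   string
}

// Default injection targets reported for the family.
var defaultTargets = map[string]bool{"mspaint.exe": true, "conhost.exe": true}

// baseName lower-cases the file name of a Windows path. path/filepath is not
// used because its separator handling is platform-specific.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return strings.ToLower(p[i+1:])
	}
	return strings.ToLower(p)
}

// analyze parses JSON lines and returns alerts in evaluation order:
// injection hits first, then firewall changes correlated by host.
func analyze(raw string) ([]alert, error) {
	var events []event
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		events = append(events, e)
	}

	var alerts []alert
	injected := map[string]bool{}
	for _, e := range events {
		if e.Channel != "Sysmon" || e.EventID != 8 || !defaultTargets[baseName(e.TargetImage)] {
			continue
		}
		sev := "medium"
		// Sysmon leaves StartModule empty (some pipelines render it as "-") when
		// the thread start address is not inside any loaded module, which is what
		// a thread pointed at freshly written shellcode looks like.
		if e.StartModule == "" || e.StartModule == "-" {
			sev = "high"
		}
		injected[e.Host] = true
		alerts = append(alerts, alert{
			Host:     e.Host,
			Severity: sev,
			Reason:   fmt.Sprintf("remote thread from %s into %s", baseName(e.SourceImage), baseName(e.TargetImage)),
		})
	}
	for _, e := range events {
		if e.Channel == "Security" && e.EventID == 4946 && injected[e.Host] {
			alerts = append(alerts, alert{
				Host:     e.Host,
				Severity: "high",
				Reason:   "firewall rule added on a host with injection activity: " + e.RuleName,
			})
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := analyze(sampleEvents)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-5s %-6s %s\n", a.Host, a.Severity, a.Reason)
	}
}
```

On the sample, WS01 produces a high-severity injection hit and a correlated firewall alert, WS02 produces a medium hit (a remote thread into conhost.exe whose start is inside ntdll.dll), and the WS03 firewall change is ignored because nothing else on that host supports it.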
FINALDRAFT has been observed as part of a broader toolkit that includes the PATHLOADER Windows loader and multiple submodules. PATHLOADER reportedly downloads AES-encrypted, Base64-encoded shellcode from typosquatted infrastructure over HTTPS, decrypts it, and executes it to load FINALDRAFT. Reported infrastructure included poster.checkponit[.]com and support.fortineat[.]com. FINALDRAFT configuration is stored as an encrypted blob and decrypted with an 8-byte derived key; reported derivation sources include the Windows ProductId registry value or a string adjacent to the blob. The malware generates a session identifier by hashing a random GUID with FNV, and C2 message content has been described as Base64(AES-CBC(Zlib(data))).
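The reported message envelope Base64(AES-CBC(Zlib(data))) and the FNV-derived session id, as an added Go example (not FINALDRAFT code and not taken from any report). The page does not state the FNV width or variant, the AES key length, the IV handling or the padding scheme; this example assumes 32-bit FNV-1a over the 16 GUID bytes, a 16-byte key, a random IV prepended to the ciphertext and PKCS#7 padding. The 8-byte configuration-key derivation from ProductId is not modelled.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"hash/fnv"
	"io"
)

// sessionID hashes the 16 raw bytes of a GUID with FNV-1a and renders the
// result as 8 hex digits. The reporting only says "FNV"; 32-bit FNV-1a is an
// assumption made here.
func sessionID(guid [16]byte) string {
	h := fnv.New32a()
	h.Write(guid[:])
	return fmt.Sprintf("%08x", h.Sum32())
}

// newSessionID draws a random GUID and hashes it.
func newSessionID() (string, error) {
	var guid [16]byte
	if _, err := io.ReadFull(rand.Reader, guid[:]); err != nil {
		return "", err
	}
	return sessionID(guid), nil
}

// Draft subject convention reported for the family.
func commandSubject(sid string) string  { return "r_" + sid }
func responseSubject(sid string) string { return "p_" + sid }

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// seal builds Base64(AES-CBC(Zlib(data))). A random IV is prepended to the
// ciphertext and PKCS#7 padding is applied; both are assumptions.
func seal(key, data []byte) (string, error) {
	var z bytes.Buffer
	zw := zlib.NewWriter(&z)
	if _, err := zw.Write(data); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	plain := pkcs7Pad(z.Bytes(), bs)
	out := make([]byte, bs+len(plain))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// unseal reverses seal and rejects malformed input at every layer.
func unseal(key []byte, msg string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(msg)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(raw) < 2*bs || len(raw)%bs != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	plain := make([]byte, len(raw)-bs)
	cipher.NewCBCDecrypter(block, raw[:bs]).CryptBlocks(plain, raw[bs:])
	if plain, err = pkcs7Unpad(plain, bs); err != nil {
		return nil, err
	}
	zr, err := zlib.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	key := []byte("0123456789abcdef") // 16-byte demo key, constructed for this example
	sid, err := newSessionID()
	if err != nil {
		panic(err)
	}
	env, err := seal(key, []byte("whoami"))
	if err != nil {
		panic(err)
	}
	fmt.Println(commandSubject(sid), env)
	plain, err := unseal(key, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> %s\n", responseSubject(sid), plain)
}
```

Once the configuration blob has been decrypted and the AES key recovered, unseal is the shape of the tool an analyst writes to read captured draft bodies; the zlib header and Adler-32 trailer make a wrong key fail loudly rather than yield plausible garbage.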
The malware is strongly associated with the China-aligned Jewelbug / Ink Dragon cluster. Multiple reports state the actor used FINALDRAFT in intrusions against government targets, including a South American foreign ministry and other government organizations in South America and Southeast Asia, and later against European government networks. Check Point described FINALDRAFT as a newer evolution of the same malware family as VARGEIT and reported its use alongside ShadowPad, Cobalt Strike, web shells, and IIS/SharePoint exploitation. In those campaigns, FINALDRAFT was used for exfiltration and lateral movement while blending into legitimate Microsoft cloud activity.
Indicators and artifacts reported for this family include: the aliases Squidoor and Session.x64.dll for related variants and components; token storage in the registry under SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UUID<uuid_from_configuration>; Outlook draft subjects of the form r_<session-id> for commands and p_<session-id> for responses; default injection targets mspaint.exe and conhost.exe; logging by a related Jewelbug backdoor to C:\ProgramData\application.ini and creation of C:\Users\Public\Libraries~ in one South American government intrusion; and the PATHLOADER C2 domains poster.checkponit[.]com and support.fortineat[.]com. FINALDRAFT also shares code lineage with NANOREMOTE, with reported code similarities and common development patterns.
Groups observed using it
1 distinct threat actor attributed by public researchers.
FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
2 techniques
"FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s)... NetDraft relies on the MS Graph API to communicate with its OneDrive based C2... CloudSorcerer v3 will contact GitHub to obtain C2 information... or read a GameSpot profile"
"NANOREMOTE... uses the Google Drive API for command-and-control (C2)... similarities with... FINALDRAFT... employs Microsoft Graph API for C2"
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Implant/backdoor that uses Microsoft Graph API for C2; referenced as similar to NANOREMOTE.
Bespoke malware providing remote access; uses Microsoft Graph API for C2/operations; used for espionage against a South American foreign ministry and other entities.
Backdoor used for data exfiltration and lateral movement in victim environments.
Malware used in targeted attacks against government and telecom entities, specific functionality not detailed in the content.