CODE BLUE 2025

Dissecting FINALDRAFT: Actionable Intel from a State-Sponsored Multi-Platform Backdoor

DAY 2

09:00-09:40

We’ve been tracking a sophisticated state-sponsored campaign since Feb 2025, targeting a South American foreign ministry before spreading to Southeast Asia. Our research uncovered novel malware families, notably a modular, cross-platform backdoor called FINALDRAFT, which uses Microsoft Graph API for C2. Despite its sophistication, the operators made key OPSEC errors, exposing infrastructure and pre-release malware.

We’ll present technical insights into the malware’s evolution, its custom protocols, and FINALDRAFT’s modules for lateral movement, script execution, and enumeration. The campaign is ongoing: recent activity we observed from April to June 2025 leverages open-source tooling, offensive security tools, and heavily obfuscated malware.

Tailored for researchers, SOCs, and AV vendors, this talk provides actionable intelligence and covers this group’s TTPs. A custom tool will be released to interact with the malware and aid detection development.

  • Location: Track 1 (HALL B)

  • Category: CyberCrime

Speakers

    Salim Bitam

    サリム・ビタム

    Salim Bitam, a malware researcher and reverse engineer at Elastic Security Labs, specializes in analysing novel malware and crafting tools like configuration extractors and emulators. Additionally, he tracks threat groups to stay ahead of evolving cyber threats. His background includes roles in red/purple teams, where he developed custom malware and offensive tools.