REF2924
REF2924 is an intrusion set tracked by Elastic Security Labs and assessed as state-sponsored and espionage-motivated, based on observed targeting and post-exploitation collection activity. Elastic assessed with moderate confidence that REF2924 is a regional threat group with non-monetary motivations, and linked it along technical, tactical, and victim-targeting lines to Winnti Group and ChamelGang.

Reported targeting includes the Foreign Affairs Office or Foreign Ministry of an ASEAN member state, telecommunications providers in Afghanistan, and possible targeting of Mongolian government or NGO entities.

Malware and tooling associated with REF2924 include DOORME, SIESTAGRAPH, and SHADOWPAD, with additional co-resident malware later observed in related environments, including NAPLISTENER, SOMNIRECORD, and COBALTSTRIKE.

DOORME is a malicious IIS backdoor deployed on internet-facing web or Exchange servers. It authenticates operators via a specific HTTP cookie value, inspects inbound requests early in the IIS pipeline, and supports in-memory shellcode execution, including chunked shellcode staging and named-pipe interaction with the executed payloads.

SIESTAGRAPH is a .NET backdoor that abuses the Microsoft Graph API and Microsoft 365 services for command and control, using Outlook draft messages and OneDrive as its channels so that malicious traffic blends with legitimate cloud activity. It supports shell execution, file upload and download, drive and directory listing, file deletion and renaming, process listing and killing, network discovery, screenshots, sleep interval changes, and self-termination.

SHADOWPAD was observed delivered through DLL sideloading using an old Bitdefender Crash Handler binary, with encrypted shellcode stored in the registry and later executed from RWX memory.
Elastic observed REF2924 activity including mailbox collection from an internet-connected Microsoft Exchange server at the Foreign Affairs Office of an ASEAN member in December 2022, and identified identically configured DOORME backdoors on telecommunications providers in Afghanistan. Elastic also linked REF2924-related campaigns to Winnti and ChamelGang based on shared malware, file names, techniques, victimology, and strategic targeting priorities.
Targeting
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Telecommunication Services
Where they target
Geographies tied to known operations.
- 🇦🇫 Afghanistan
Tradecraft
18 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
- Intrusion set referenced for using the SIESTAGRAPH backdoor to access Microsoft 365 Mail via the Microsoft Graph API for command and control while targeting the Foreign Affairs Office of an ASEAN member.
- A previously reported activity cluster involving an attack on a Southeast Asian foreign ministry, notable for abuse of the Microsoft Graph API for command and control.
- China-nexus espionage intrusion set targeting government diplomatic entities in ASEAN and likely Mongolian government or NGO victims. Associated with multiple malware families and post-exploitation collection activity.
- Intrusion set associated with DOORME, SIESTAGRAPH, and SHADOWPAD, assessed as a nationally aligned group with non-monetary motivations targeting foreign ministry and telecommunications environments.