NetDraft
Groups observed using it
6 distinct threat actors attributed by public researchers.
The group deploys NetDraft, a .NET-based backdoor linked to the FINALDRAFT (aka Squidoor) family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant.
Notable among the malware families is a .NET-based backdoor dubbed NetDraft (aka NosyDoor), a C# variant of FINALDRAFT (aka Squidoor)... ESET is tracking the use of NosyDoor to a group it calls LongNosedGoblin... Solar... has given it the name LuckyStrike Agent.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques
The script may be persisted to collect system information via a scheduled task... schtasks /create ... Since NetDraft is missing the capability to persist across reboots and relogins, one of the first commands the C2 issues to it is the creation of a malicious scheduled task
NetDraft and FringePorch support the following functionalities: Execute arbitrary commands on the endpoint ... CloudSorcerer v3 ... execute arbitrary commands
Persistence
1 technique
The script may be persisted to collect system information via a scheduled task... schtasks /create ... Since NetDraft is missing the capability to persist across reboots and relogins, one of the first commands the C2 issues to it is the creation of a malicious scheduled task
Privilege Escalation
1 technique
The script may be persisted to collect system information via a scheduled task... schtasks /create ... Since NetDraft is missing the capability to persist across reboots and relogins, one of the first commands the C2 issues to it is the creation of a malicious scheduled task
Command and Control
1 technique
FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s)... NetDraft relies on the MS Graph API to communicate with its OneDrive based C2... CloudSorcerer v3 will contact GitHub to obtain C2 information... or read a GameSpot profile
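Worked hunt for the two behaviours documented above: a scheduled-task creation issued shortly after the implant checks in, and Graph API traffic originating from an implant rather than from a client that is supposed to use it. This is an added example for this page, not code from any vendor report or from Mallory. It runs over constructed Sysmon-style process-creation and network-connection records embedded inline; the record shape, the allowlist of images expected to talk to graph.microsoft.com, the user-writable path markers and the five-minute window are all assumptions to tune for a real estate. The allowlist is the caveat: Outlook, Teams and OneDrive talk to that host constantly, so the useful signal is the image making the connection and what it does next, not the destination.

```python
"""Added hunt example (not the page's or any vendor's code): flag a process that
reaches graph.microsoft.com from an unexpected image and then spawns
schtasks /create, the sequence the reporting above describes for NetDraft."""
import re
from datetime import datetime, timedelta

GRAPH_HOST = "graph.microsoft.com"
# Assumed: image-path prefixes expected to talk to Graph in this estate.
EXPECTED_GRAPH_CLIENT_PREFIXES = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
    "c:\\program files\\windowsapps\\",
)
# Assumed: path fragments that mark user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon-style records (event 1 and event 3, simplified), not a real capture.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "event": "process_create", "pid": 4120, "ppid": 800,
     "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Vendor\\update.exe", "cmdline": "update.exe"},
    {"ts": "2024-05-01T09:00:05", "event": "network_connect", "pid": 4120,
     "image": "C:\\Users\\jdoe\\AppData\\Roaming\\Vendor\\update.exe", "dest": GRAPH_HOST},
    {"ts": "2024-05-01T09:00:40", "event": "process_create", "pid": 4188, "ppid": 4120,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "SysInfo" '
                '/tr "C:\\Users\\jdoe\\AppData\\Roaming\\Vendor\\update.exe"'},
    {"ts": "2024-05-01T09:10:00", "event": "network_connect", "pid": 2200,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "dest": GRAPH_HOST},
    {"ts": "2024-05-01T09:12:00", "event": "process_create", "pid": 5000, "ppid": 1500,
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\bk.exe"'},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def task_target(cmdline):
    """Return the /tr (task action) value from a schtasks command line, or None."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def schtasks_create_events(events):
    """Process creations of schtasks.exe with /create on the command line."""
    return [e for e in events
            if e["event"] == "process_create"
            and e["image"].lower().endswith("\\schtasks.exe")
            and "/create" in e["cmdline"].lower()]


def suspicious_task_creations(events):
    """Weaker standalone heuristic: the task action points into a user-writable path."""
    out = []
    for e in schtasks_create_events(events):
        target = task_target(e["cmdline"])
        if target and is_user_writable(target):
            out.append(e)
    return out


def unexpected_graph_clients(events, prefixes=EXPECTED_GRAPH_CLIENT_PREFIXES):
    """Connections to the Graph endpoint from images outside the allowlist."""
    return [e for e in events
            if e["event"] == "network_connect"
            and e.get("dest", "").lower() == GRAPH_HOST
            and not e["image"].lower().startswith(prefixes)]


def hunt(events, window=timedelta(minutes=5)):
    """One finding per schtasks /create whose parent process made an unexpected
    Graph connection within `window` before the task was created."""
    graph_times = {}
    for e in unexpected_graph_clients(events):
        graph_times.setdefault(e["pid"], []).append(_ts(e))
    findings = []
    for t in schtasks_create_events(events):
        when = _ts(t)
        prior = [c for c in graph_times.get(t["ppid"], []) if timedelta(0) <= when - c <= window]
        if not prior:
            continue
        target = task_target(t["cmdline"])
        findings.append({
            "task_pid": t["pid"],
            "parent_pid": t["ppid"],
            "seconds_after_c2": int((when - max(prior)).total_seconds()),
            "task_target": target,
            "user_writable_target": bool(target and is_user_writable(target)),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On the constructed data only the task spawned by the AppData process 35 seconds after its Graph connection is reported; the Outlook connection is allowlisted and the Program Files backup task never correlates. Keying the correlation on the parent pid matters because the implant itself, per the reporting above, has no persistence and has to ask the operating system for it through a child process.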
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
.NET-based backdoor delivered via DLL side-loading. A benign executable loads a malicious DLL-based loader, which decodes and runs NetDraft in an existing process. It uses the Microsoft Graph API to communicate with a OneDrive-based command-and-control server to blend into normal cloud traffic.
.NET-based backdoor and C# variant of FINALDRAFT/Squidoor used in post-exploitation by China-aligned threat actors.
A .NET/C# backdoor that uses the MS Graph API and a OneDrive-based C2. It is deployed via DLL sideloading, supports command execution, file upload/download, file management, execution of .NET assemblies/plugins, and commonly establishes persistence via scheduled tasks.
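Worked detection for the delivery chain described above: a benign (signed) executable loading a malicious DLL from beside itself, after which a .NET payload runs. This is an added example for this page, not code from any vendor report or from Mallory. It runs over constructed Sysmon event 7 style image-load records embedded inline; the trusted-directory prefixes, the list of .NET runtime DLLs and the booleans standing in for Sysmon's Signed and SignatureStatus fields are assumptions. The CLR check is also only a heuristic for the "runs NetDraft in an existing process" step: it looks at the same pid that side-loaded the DLL, so a loader that injects into a different process would not light up the second flag.

```python
"""Added example (not the page's or any vendor's code): spot DLL side-loading in
Sysmon-7-style image-load records, and note whether the host process then pulls
in the .NET runtime, which a managed payload such as NetDraft needs in-process."""
import ntpath

# Assumed: directories where a signed EXE loading an unsigned DLL beside itself
# is tolerated (writing there needs admin rights, unlike the user profile).
TRUSTED_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed: DLLs whose load means the CLR is now hosted in the process.
CLR_DLLS = ("clr.dll", "mscoree.dll", "coreclr.dll")

# Constructed records, not a real capture. Booleans stand in for Sysmon's
# Signed / SignatureStatus fields.
IMAGE_LOADS = [
    {"pid": 3300, "image": "C:\\Users\\jdoe\\AppData\\Local\\Vendor\\vendorapp.exe", "image_signed": True,
     "loaded": "C:\\Users\\jdoe\\AppData\\Local\\Vendor\\version.dll", "loaded_signed": False},
    {"pid": 3300, "image": "C:\\Users\\jdoe\\AppData\\Local\\Vendor\\vendorapp.exe", "image_signed": True,
     "loaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll", "loaded_signed": True},
    {"pid": 1200, "image": "C:\\Program Files\\Vendor\\app.exe", "image_signed": True,
     "loaded": "C:\\Program Files\\Vendor\\helper.dll", "loaded_signed": False},
    {"pid": 2100, "image": "C:\\Windows\\System32\\svchost.exe", "image_signed": True,
     "loaded": "C:\\Windows\\System32\\version.dll", "loaded_signed": True},
]


def _dir(path):
    # ntpath handles Windows separators regardless of the analyst's host OS.
    return ntpath.dirname(path).lower()


def _name(path):
    return ntpath.basename(path).lower()


def sideload_candidates(events):
    """Loads where a signed EXE loads an unsigned DLL from its own directory and
    that directory is outside the trusted prefixes."""
    out = []
    for e in events:
        same_dir = _dir(e["image"]) == _dir(e["loaded"])
        untrusted = not _dir(e["image"]).startswith(TRUSTED_DIR_PREFIXES)
        if (same_dir and untrusted and e["image_signed"]
                and not e["loaded_signed"] and _name(e["loaded"]).endswith(".dll")):
            out.append(e)
    return out


def clr_loaders(events):
    """pids that load a .NET runtime DLL at any point in the record set."""
    return {e["pid"] for e in events if _name(e["loaded"]) in CLR_DLLS}


def hunt_sideload(events):
    """One finding per side-load candidate, with a flag for a subsequent CLR load
    in the same pid (the managed-payload stage of the chain)."""
    clr = clr_loaders(events)
    return [{"pid": e["pid"], "host_exe": e["image"], "dll": e["loaded"],
             "loads_clr": e["pid"] in clr}
            for e in sideload_candidates(events)]


if __name__ == "__main__":
    for finding in hunt_sideload(IMAGE_LOADS):
        print(finding)
```

The unsigned helper.dll under Program Files is deliberately not flagged: unsigned vendor DLLs in admin-only locations are common and the signal here is the combination of a signed host, an unsigned sibling DLL and a user-writable directory, which matches the page's description of a benign executable carrying a malicious loader.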