Microsoft’s Graph API is no stranger to abuse, but the latest campaign to misuse it shows a different kind of risk: not a flaw in the API that can be patched, but a legitimate, trusted service pressed into use as a covert command-and-control channel.
In 2025, security researchers are seeing an unprecedented number of API and AI breaches, risks, and vulnerabilities across the board. Many researchers predict that this trend will only continue, as new attacks and attack vectors emerge alongside AI and other technologies that can fast-track malicious activity.
One such new attack method was disclosed just this past week: a new malware family developed by a still-unnamed group, in what is believed to be an espionage campaign against South American and Southeast Asian foreign ministries.
The notable part is how this malware communicated. Rather than exploiting a vulnerability, it abused Microsoft’s Graph API as its C2 channel. We’ve written before about Microsoft’s Graph API having vulnerabilities and issues in early 2024. Nearly a year later, the API is being hit from a different direction: not a bug in the platform, but an adversary hiding its traffic inside legitimate, authenticated calls to a service that most organizations allow by default.
In late 2024, security researchers noticed “a tight cluster of endpoint behavioral alerts within [a South American] country’s Foreign Ministry.” The motive is currently believed to be espionage, but fortunately, the campaign exhibited “inconsistent evasion tactics” which allowed researchers to catch on before critical information was breached. However, the novel malware methods used still raise a lot of concerns.
The malware primarily consisted of two components: a loader and a backdoor.
The loader was PathLoader, a Windows executable that retrieves encrypted shellcode from a remote server and executes it in memory, leaving little on disk.
The backdoor was FinalDraft, which carries out process injection and data exfiltration and relays its results back to the attacker’s C2 infrastructure.
For that C2 traffic, the attackers used the Outlook mail service via the Microsoft Graph API. Calls to the API require an OAuth access token; FinalDraft obtained one by presenting a refresh token carried in its configuration to Microsoft’s token endpoint. The result is that the backdoor’s traffic looks like ordinary, authenticated Graph API requests to Microsoft-owned hosts, which is exactly why it blends in.
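Because the C2 channel rides on legitimate Microsoft endpoints, blocking hostnames is not an option; the practical detection is to ask which processes on an endpoint are obtaining tokens and reading mail through Graph when they have no business doing so. The following script is an added example written for this post, not code from the original article, from FireTail, or from the researchers who analysed the malware. The hostnames are Microsoft’s real token and Graph endpoints; the log line format, the process names, the mail paths in the sample, and the allowlist of expected mail clients are all constructed for the example and would need to be adapted to your own EDR or proxy telemetry.

```python
"""Flag processes that obtain an Entra ID token and then read mail through the
Microsoft Graph API without being a known mail client.

Added example for this post; the log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Real Microsoft endpoints. Treating them as indicators only works in
# combination with the process name, since legitimate clients use them too.
TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"

# Graph v1.0 mail paths: /me/messages and anything under /me/mailFolders/.
MAIL_PATH = re.compile(r"^/v1\.0/me/(messages|mailFolders/)")

# Assumed allowlist of processes expected to talk to Graph for mail.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "olk.exe", "msedge.exe", "chrome.exe"}

# Constructed line format: "<ts> host=<h> proc=<exe> method=<m> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)$"
)

# Constructed sample telemetry: a normal Outlook session, a process named
# updatehelper.exe (hypothetical) that fetches a token and polls drafts, a
# backup agent that uses Graph for OneDrive only, and one unparseable line.
SAMPLE_LOG = """\
2024-11-25T10:01:02Z host=login.microsoftonline.com proc=outlook.exe method=POST path=/common/oauth2/v2.0/token
2024-11-25T10:01:03Z host=graph.microsoft.com proc=outlook.exe method=GET path=/v1.0/me/mailFolders/inbox/messages
2024-11-25T10:01:04Z host=graph.microsoft.com proc=outlook.exe method=GET path=/v1.0/me/messages
2024-11-25T10:01:05Z host=graph.microsoft.com proc=outlook.exe method=GET path=/v1.0/me/mailFolders/inbox/messages
2024-11-25T10:05:00Z host=login.microsoftonline.com proc=updatehelper.exe method=POST path=/common/oauth2/v2.0/token
2024-11-25T10:05:01Z host=graph.microsoft.com proc=updatehelper.exe method=GET path=/v1.0/me/mailFolders/drafts/messages
2024-11-25T10:05:31Z host=graph.microsoft.com proc=updatehelper.exe method=GET path=/v1.0/me/mailFolders/drafts/messages
2024-11-25T10:06:01Z host=graph.microsoft.com proc=updatehelper.exe method=GET path=/v1.0/me/mailFolders/drafts/messages
2024-11-25T10:06:02Z host=graph.microsoft.com proc=updatehelper.exe method=POST path=/v1.0/me/mailFolders/drafts/messages
2024-11-25T10:07:00Z host=graph.microsoft.com proc=backupsvc.exe method=GET path=/v1.0/me/drive/root/children
not a log line
"""


@dataclass
class ProcSummary:
    """Per-process counts of token requests and Graph mail calls."""
    token_requests: int = 0
    mail_calls: int = 0
    mail_paths: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate token requests and Graph mail calls per process name."""
    summaries = defaultdict(ProcSummary)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed telemetry rather than crash on it
        s = summaries[rec["proc"].lower()]
        if rec["host"] == TOKEN_HOST and rec["path"].endswith("/oauth2/v2.0/token"):
            s.token_requests += 1
        elif rec["host"] == GRAPH_HOST and MAIL_PATH.match(rec["path"]):
            s.mail_calls += 1
            s.mail_paths.add(rec["path"])
    return summaries


def find_suspicious(lines, min_mail_calls=3):
    """Return (process, token_requests, mail_calls) for processes that are not
    expected mail clients yet both obtained a token and repeatedly touched mail.
    Both conditions together cut down on noise from one-off Graph calls."""
    hits = []
    for proc, s in summarize(lines).items():
        if proc in EXPECTED_MAIL_CLIENTS:
            continue
        if s.token_requests >= 1 and s.mail_calls >= min_mail_calls:
            hits.append((proc, s.token_requests, s.mail_calls))
    return sorted(hits)


if __name__ == "__main__":
    for proc, tokens, calls in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"suspicious: {proc} tokens={tokens} graph_mail_calls={calls}")
```

On the sample data only the hypothetical updatehelper.exe is reported: it requested a token and then polled a mail folder four times in two minutes, while outlook.exe is allowlisted and the backup agent never touched mail. The allowlist is the weak point of this rule, since malware can inject into or masquerade as a legitimate client, so in practice you would pair it with process-integrity signals (signer, parent process, injected threads) rather than rely on the name alone.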
And this is only the beginning: a report by Symantec in 2024 highlighted a growing number of malicious actors abusing the Microsoft Graph API to hide their command-and-control communication inside legitimate cloud traffic.
In 2025’s chaotic cyber climate, new risks are emerging every day. We are seeing not only an increase in the volume of attacks, but also in the novel attack methods attackers are developing.
The malware family that abused Microsoft’s Graph API, although ultimately unsuccessful in this campaign, shows how attackers can turn any widely trusted API into a covert channel, at a time when attacks on APIs were already on the rise. And Microsoft is far from the only one at risk. All CISOs and security teams need to be aware of the new types of malware emerging, and of the new attack surfaces being introduced into their infrastructure every day through initiatives such as AI deployments and the APIs that serve them.
But keeping up with rising threats such as these is no easy task. That’s where FireTail comes in. FireTail is an end-to-end cybersecurity platform with features to simplify your AI and API security, for better overall visibility, understanding, and control of your security posture.
Try it out for free here, or book a free, 30-minute demo today! And keep up with breaches and vulnerabilities like this one with FireTail's AI Breach Tracker and API Breach Tracker.