Skip to main content
Mallory
Back to threat actors
5 malware families

Eagle Werewolf

Also known asEagle Werewolf

Eagle Werewolf is an espionage-focused threat cluster tracked as active since at least May 2023. According to the provided reporting, it primarily targets state organizations, industrial companies, and individuals involved in drone/UAV manufacturing and engineering. Activity linked to the cluster was identified in February 2026 in a Starlink device registration-themed campaign, and related infrastructure hosted on Iraq-based Regxa was associated with phishing lures themed around Starlink registration and drone training. The cluster uses phishing and compromised Telegram channels for initial access and malware delivery. In the February 2026 activity, Eagle Werewolf distributed a ZIP archive containing a Rust dropper disguised as a Starlink activation or checklist application. The Rust dropper, built with the Tauri framework, decrypted and launched a Go dropper, registered the victim machine with command-and-control infrastructure, and collected Starlink-related victim data through its GUI. The Go dropper unpacked scripts and binaries, created a hidden local user with a generated password, attempted to add that user to the Administrators group, hid the account from the Windows logon screen, and prepared SSH tunnel configuration. It deployed AquilaRAT as the MicrosoftOfficeUpdate service and supported SSH tunneling through Go2Tunnel. AquilaRAT is described in the content as a previously undocumented Rust RAT/backdoor that communicated with infrastructure including updateserv[.]net and servupdate[.]net, polled its C2 regularly, and supported heartbeat, command execution, file upload, file scanning, and related remote access tasks. Go2Tunnel registered with C2 at 145.223.70[.]69 to obtain tunnel parameters and launched a reverse SSH tunnel to expose local port 22. The malware arsenal directly associated with Eagle Werewolf in the content includes a Rust dropper, a Go dropper, Go2Tunnel, and AquilaRAT. No additional aliases or sub-groups beyond Eagle Werewolf are directly provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Capital Goods
  • Military
MITRE ATT&CK

Tradecraft

28 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics40 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1566×3
Phishing
T1566.002
Spearphishing Link
T1566.003
Spearphishing via Service
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.001×3
PowerShell
T1059.003×3
Windows Command Shell
T1204
User Execution
T1204.002×3
Malicious File
TA0003
Persistence
4 techniques
T1098
Account Manipulation
T1098.007
Additional Local or Domain Groups
T1112
Modify Registry
T1136
Create Account
T1136.001×3
Local Account
T1543
Create or Modify System Process
T1543.003×3
Windows Service
TA0004
Privilege Escalation
2 techniques
T1098
Account Manipulation
T1098.007
Additional Local or Domain Groups
T1543
Create or Modify System Process
T1543.003×3
Windows Service
TA0005
Stealth
5 techniques
T1027×3
Obfuscated Files or Information
T1027.013×2
Encrypted/Encoded File
T1036×4
Masquerading
T1070
Indicator Removal
T1070.004
File Deletion
T1140
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1564.002×3
Hidden Users
TA0112
Defense Impairment
1 technique
T1112
Modify Registry
TA0007
Discovery
2 techniques
T1082×3
System Information Discovery
T1083×3
File and Directory Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.004×3
SSH
TA0009
Collection
2 techniques
T1005
Data from Local System
T1560×3
Archive Collected Data
TA0011
Command and Control
3 techniques
T1071×2
Application Layer Protocol
T1071.001×3
Web Protocols
T1090
Proxy
T1090.002×3
External Proxy
T1105×4
Ingress Tool Transfer
TA0010
Exfiltration
1 technique
T1041×2
Exfiltration Over C2 Channel
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
AquilaRATMicrosoftOfficeUpdate.exe is a previously undocumented Rust RAT, which we named AquilaRAT.5May 26, 2026
Go2TunnelEagle Werewolf’s arsenal includes the following malware: C# dropper (used in previous campaigns) Rust dropper Go dropper Go2Tunnel (SSH tunneling tool) AquilaRAT3May 26, 2026
EchoGather RATMalware Family EchoGather RAT Deployed via Telegram channels in Eagle Werewolf espionage campaign on Regxa (Iraq) infrastructure2May 25, 2026
SoullessRATMalware Family SoullessRAT Delivered via fake AlphaFly installer in Eagle Werewolf multi-stage attack chain2May 25, 2026
SliverThe multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.1May 22, 2026
IOCS

Observables

64 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

64 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
cyber security newsNews
May 22, 2026
Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations

Espionage campaign using Iraqi Regxa hosting to deploy multiple RATs through phishing lures themed around Starlink registration and drone training.

Read more
security affairsNews
May 22, 2026
One Telecom Provider Hosted Most of the Middle East ’s Active C2 Infrastructure

Espionage campaign targeting state and industrial entities using Starlink registration and drone training lures, supported by C2 infrastructure hosted on Regxa.

Read more
bi zoneNews
Apr 16, 2026
Unholy trinity: werewolves target law enforces | Learn more

Espionage-focused cluster targeting state entities, industrial firms, and drone-related individuals using phishing emails and compromised Telegram channels to deliver Rust and Go droppers, Go2Tunnel, and AquilaRAT.

Read more
bi zoneNews
Apr 16, 2026
Unholy trinity: werewolves target law enforcers | by BI.ZONE | Apr, 2026 | Medium

Espionage cluster targeting state organizations, industrial companies, and individuals involved in drone manufacturing and engineering through targeted phishing, compromised Telegram channels, and multi-stage Rust/Go malware chains deploying AquilaRAT and Go2Tunnel.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping28

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables64

Domains, IPs, and hashes tied to this actor, refreshed continuously.