MalwareUsed by 1 actor

EchoGather RAT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Eagle Werewolf

Malware Family EchoGather RAT Deployed via Telegram channels in Eagle Werewolf espionage campaign on Regxa (Iraq) infrastructure

via cyber security newscybersecuritynews.com

MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566PhishingEvidence2

TacticInitial Access

A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

T1566.002Spearphishing LinkEvidence1

TacticInitial Access

used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

Execution

2 techniques

T1059.003Windows Command ShellEvidence1

TacticExecution

0х54 Выполнение команды в интерпретаторе cmd.exe

T1204.002Malicious FileEvidence1

TacticExecution

Вредоносный исполняемый файл Регистрация_Starlink.exe является C#-дроппером... происходит извлечение и запуск вредоносной нагрузки — EchoGather RAT.

Stealth

3 techniques

T1027Obfuscated Files or InformationEvidence1

TacticStealth

Дроппер содержит в ресурсах нагрузку (EchoGather), закодированную Base64 и зашифрованную алгоритмом XOR... вредоносный апплет appwiz.cpl, упакованный в UPX и обфусцированный с помощью Oreans Code Virtualizer.

T1036MasqueradingEvidence1

TacticStealth

BattleFlight-Install-v11.0.3.exe ... замаскированный под установщик симулятора для обучения пилотированию БПЛА... AlphaFlyInstallV1-2.msi замаскирован под установщик приложения-симулятора...

T1497Virtualization/Sandbox EvasionEvidence1

TacticsStealth Discovery

EchoGather проверяет запуск в виртуальной среде следующим образом: сверка имени компьютера... измерение времени выполнения CPU-операций... проверка реального времени сна программы... размер диска C:\ — меньше 20 ГБ.

Discovery

2 techniques

T1082System Information DiscoveryEvidence1

TacticDiscovery

EchoGather собирает следующие данные: локальные IP-адреса, разрядность системы, название компьютера, имя пользователя, информацию о конфигурации рабочей станции...

T1497Virtualization/Sandbox EvasionEvidence1

TacticsStealth Discovery

Command and Control

3 techniques

T1071Application Layer ProtocolEvidence2

TacticCommand and Control

more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.

T1071.001Web ProtocolsEvidence1

TacticCommand and Control

После этого происходит обращение к C2-серверу в бесконечном цикле... HTTPS POST... AquilaRAT ... обращение к hxxps://servupdate[.]net/array/array9.json ...

T1105Ingress Tool TransferEvidence2

TacticCommand and Control

EchoGather RAT ожидает от C2-сервера следующие команды... 0х57 Загрузка файла с C2-сервера на хост.

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

Информация о системе кодируется в Base64 и отправляется на C2-сервер в запросе HTTPS POST.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app13 days ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyber security newsNews

May 22, 2026

Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations

A remote access trojan deployed via Telegram channels in the Eagle Werewolf espionage campaign.

security affairsNews

May 22, 2026

One Telecom Provider Hosted Most of the Middle East ’s Active C2 Infrastructure

Remote access trojan used in a multi-stage espionage campaign, delivered via Telegram channels and phishing pages.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping12

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.