Download EclecticIQ

Author: a | 2025-04-25



EclecticIQ’s primary industry is Network Management Software. Is EclecticIQ a private or public company? EclecticIQ is a Private company. What is EclecticIQ’s current revenue? The current revenue for EclecticIQ is . How much funding has EclecticIQ raised over time?


AND CONTROL SERVER C2

Find the data for YARA RULES

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at [email protected] or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack. TAXII v1 Discovery services: refer to our support page for guidance on how to access the feeds.

You might also be interested in:
- Network Environment-Focused Conversations Needed in Approaches to Cyber Security
- Emotet Downloader Document Uses Regsvr32 for Execution
- AI Facial Recognition Used in Ukraine/Russia War Prone to Vulnerabilities

Appendix

We are very excited to have PolyLogyx founders Sridhar Jayanthi and Atul Kabra and the wider team joining us in shaping the future of intelligence-led security.

The EclecticIQ co-founders Joep and Raymon with the PolyLogyx co-founders Sridhar & Atul.

From Sridhar Jayanthi and Atul Kabra, PolyLogyx founders:

“How can we explain the poor state of cybersecurity in the world today after spending more than $1 trillion over two decades on technologies to protect enterprises and consumers?”

This was the question and challenge staring at us a few years ago. We started PolyLogyx with a vision to help break the shackles of legacy suites that lock customers into an average solution on the endpoint. Our idea of the next generation of endpoint security involved a modular Lego-style platform approach, with interchangeable modules that add functionality in endpoint security, threat detection or analyst enablement.

We believe there is no better way of fighting sophisticated cyber threats than being agile and having access to best-in-class technology to combat threats in a timely fashion. We are sure that adaptability is key to thwarting the attacker in a dynamic threat landscape, and not a rigid stack without the value add of multiple security vendors and intelligence suppliers.

The first step to achieving our vision has been PolyLogyx ESP, a next-generation intelligence-led endpoint detection and response (EDR) solution, using proprietary technologies built by extending the popular OSQuery agent. This gives us the ability to extend the platform easily, stay ahead of the threat and involve our community in providing new and innovative ways to detect and respond to evolving threats.

From the outset of our partnership with EclecticIQ, we have been delighted to hear that Joep had a similar worldview of flexibility and openness. It was clear that, combined, we would bring our visions of the future closer more quickly. Joining forces with EclecticIQ will help us deliver our vision for intelligence-led detection, hunting and response for MSSP/MDR in new markets.

Stay tuned for some exciting developments resulting from EclecticIQ and PolyLogyx joining forces.

If you want to participate in the EclecticIQ XDR Beta program, sign up here.

Comments

User5117

Outgoing feed - Syslog push

# Release History

### Name: EclecticIQ Core Extension

## 3.4.2

Release date: 06 February 2025

**Added:**

* Now provides EclecticIQ Brand PDF Outgoing Feed

## 3.5.0

**Added:**

* Update csv feeds to include risk score for extracts.

## 3.2.5, 3.3.2

Release date: 21 June 2024

**Fixed:**

* Issue with eclecticiq_json transformer when timestamp equals None

## 2.14.6, 3.0.5, 3.1.6, 3.2.4, 3.3.1

Release date: 5 April 2024

**Updated:**

* Introduce request timeout and retry for all requests in RSS

## 2.14.5, 3.0.4, 3.1.5, 3.2.3

Release date: 12 February 2024

**Updated:**

* Now uses date in `updated` XML tag to decide whether to ingest article instead of `published` tag

## 2.14.4, 3.1.3, 3.2.1

Release date: 04 December 2023

**Fixed:**

* Issue where RSS incoming feed fix_timezone() couldn't handle datetime object

## 2.14.2, 3.0.2, 3.1.2

Release date: 07 November 2023

**Fixed:**

* Issue where RSS incoming feed always downloads all items from Atom RSS feeds, causing duplicate packages on every run. This allows us to also implicitly support Atom feeds.

## 3.0.1

Release date: 11 July 2023

**Removed:**

* Removes legacy IMAP Email attachment fetcher and IMAP Email fetcher incoming feeds. Use the newer IMAP Email attachment and body fetcher incoming feed instead.

## 2.13.1, 2.12.1

**Changed:**

- New defaults: SFTP download incoming feed now does not delete files from the remote host on download.

**Added:**

- Now provides an option to delete files on download.

## 2.9.3, 2.10.2

Release date: 19 October, 2021

**Changed:**

- SFTP transport types for feeds now require the "SSH private key" field to be filled if the "Use SSH key" option is selected.

## Release versions: 2.9.2, 2.10.1

Release date: 4 August, 2021

Improved:

* Added internal tests.

## Release versions: 2.9.1, 2.10.0

Release date: 15 June, 2021

Fixed:

* Issue where running SFTP download feeds can cause excessive resource usage.

2025-04-22
User7166

Executive Summary

EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation - a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.

This report describes three distinct cases and adversary tactics, techniques, and procedures (TTPs). Analysts examined three different malware delivery techniques used in this campaign, including spear phishing with a TAR attachment that contains a malicious LNK file, a specially crafted Word document that can exploit CVE-2017-0199 to gain code execution without macros, and HTML smuggling. EclecticIQ researchers continue to actively monitor for activity related to the Gamaredon APT group. While monitoring this activity, analysts identified multiple key findings:

- Phishing emails were being used to deliver malware to the Security Service of Ukraine.
- In January 2023, EclecticIQ researchers observed English and Latvian-language phishing lures probably targeting NATO allies.
- Analysts assess that Culver Aviation (a Ukrainian aviation company) probably has been targeted by multiple phishing lures containing malicious Word documents that use the CVE-2017-0199 vulnerability, which is exploited to execute the malware on victim systems through specially crafted Word documents. According to open-source reporting, Culver Aviation Company provided multiple unmanned aerial vehicles (UAVs) to support Ukrainian troops in the region. This support highly likely has made the company a target in this latest cyberattack.
- Living off the Land Binaries (LOLBAS) such as MSHTA.exe were being actively abused by a Russian state-sponsored threat actor to download and execute the second stage of the malware.

Case #1: Phishing Emails to Target the Security Service of Ukraine (SSU)

Malware Execution Flow

On January 23rd, 2023, EclecticIQ analysts identified a phishing email - addressed to the Security Service of Ukraine - with an attached archive file (TAR). The TAR folder contained a malicious shortcut (LNK) file. Upon user click, the LNK file downloads and executes a second-stage malicious HTML application (HTA) from a remote address using MSHTA.exe.

The threat actor appears to be using multiple techniques to limit who can access this URL outside of Ukraine. For example, the threat actor uses geo-blocking to limit downloads of this malicious file from other locations and blocks ExpressVPN and NordVPN nodes within Ukraine. It appears the threat actor is potentially conducting additional filtering to further control access to payloads.

Figure 1 – Malware execution flow.

The Attack Begins with a Phishing Email Campaign

Figure 2 shows a recent phishing email with a malicious attachment probably targeting the Security Service of Ukraine (SSU). At the bottom of the email is the attached TAR file.

Figure 2 – Example of phishing email probably targeting SSU.

Victim User Clicks on the Malicious Shortcut (LNK) File

When a victim user extracts the TAR file (as seen in figure 3), it contains the malicious LNK file with a Latvian phishing lure.

Figure 3 – Content of malicious attachment translated to English from the Ukrainian language.

LNKs are Windows shortcut files that can contain

2025-04-24
