Download EclecticIQ

Author: m | 2025-04-24


EclecticIQ’s primary industry is Network Management Software.

Is EclecticIQ a private or public company? EclecticIQ is a Private company.

What is EclecticIQ’s current revenue? The current revenue for EclecticIQ is .

How much funding has EclecticIQ raised over time?

EclecticIQ Intelligence Center 3.4.1. EclecticIQ documentation home


About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research towards your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack. TAXII v1 Discovery services: refer to our support page for guidance on how to access the feeds.

Are very excited to have PolyLogyx founders Sridhar Jayanthi and Atul Kabra and the wider team joining us in shaping the future of intelligence-led security.

The EclecticIQ co-founders Joep and Raymon with the PolyLogyx co-founders Sridhar & Atul.

From Sridhar Jayanthi and Atul Kabra, PolyLogyx founders

“How can we explain the poor state of cybersecurity in the world today after spending more than $1 trillion over two decades on technologies to protect enterprises and consumers?”

This was the question and challenge staring at us a few years ago. We started PolyLogyx with a vision to help break the shackles of legacy suites that lock in customers into an average solution on the endpoint. Our idea of the next generation of endpoint security involved a modular Lego-style platform approach, with interchangeable modules that add functionality in endpoint security, threat detection or analyst enablement.

We believe there is no better way of fighting sophisticated cyber threats than being agile and having access to best-in-class technology to combat threats in a timely fashion. We are sure that adaptability is key to thwarting the attacker in a dynamic threat landscape, and not a rigid stack without the value add of multiple security vendors and intelligence suppliers.

The first step to achieving our vision has been PolyLogyx ESP, a next-generation intelligence-led endpoint detection and response (EDR) solution, using proprietary technologies built by extending the popular OSQuery agent. This gives us the ability to extend the platform easily, stay ahead of the threat and involve our community in providing new and innovative ways to detect and respond to evolving threats.

From the outset of our partnership with EclecticIQ, we have been delighted to hear that Joep had a similar worldview of flexibility and openness. It was clear that combined, we will bring our visions of the future closer quickly. Joining forces with EclecticIQ will help us deliver our vision for intelligence-led detection, hunting and response for MSSP/MDR in new markets.

Stay tuned for some exciting developments resulting from EclecticIQ and PolyLogyx joining forces. If you want to participate in the EclecticIQ XDR Beta program, sign up here.

Comments

User3547

Outgoing feed - Syslog push

# Release History

### Name: EclecticIQ Core Extension

## 3.4.2

Release date: 06 February 2025

**Added:**

* Now provides EclecticIQ Brand PDF Outgoing Feed

## 3.5.0

**Added:**

* Update csv feeds to include risk score for extracts.

## 3.2.5, 3.3.2

Release date: 21 June 2024

**Fixed:**

* Issue with eclecticiq_json transformer when timestamp equals None

## 2.14.6, 3.0.5, 3.1.6, 3.2.4, 3.3.1

Release date: 5 April 2024

**Updated:**

* Introduce request timeout and retry for all requests in RSS

## 2.14.5, 3.0.4, 3.1.5, 3.2.3

Release date: 12 February 2024

**Updated:**

* Now uses date in `updated` XML tag to decide whether to ingest article instead of `published` tag

## 2.14.4, 3.1.3, 3.2.1

Release date: 04 December 2023

**Fixed:**

* Issue where RSS incoming feed fix_timezone() couldn't handle datetime object

## 2.14.2, 3.0.2, 3.1.2

Release date: 07 November 2023

**Fixed:**

* Issue where RSS incoming feed always downloads all items from atom rss feeds, causing duplicate packages on every run. This allows us to also implicitly support Atom feeds.

## 3.0.1

Release date: 11 July 2023

**Removed:**

* Removes legacy IMAP Email attachment fetcher and IMAP Email fetcher incoming feeds. Use the newer IMAP Email attachment and body fetcher incoming feed instead.

## 2.13.1, 2.12.1

**Changed:**

- New defaults: SFTP download incoming feed now does not delete files from the remote host on download.

**Added:**

- Now provides an option to delete files on download.

## 2.9.3, 2.10.2

Release date: 19 October, 2021

**Changed:**

- SFTP transport types for feeds now require the "SSH private key" field to be filled if the "Use SSH key" option is selected.

## Release versions: 2.9.2, 2.10.1

Release date: 4 August, 2021

**Improved:**

* Added internal tests.

## Release versions: 2.9.1, 2.10.0

Release date: 15 June, 2021

**Fixed:**

* Issue where running SFTP download feeds can cause excessive resource usage.

2025-04-12
User2671

Executive Summary

EclecticIQ researchers observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation - a Ukrainian aviation company. Multiple overlaps between these incidents and previous attacks of the Gamaredon APT group (4), such as command and control infrastructures and adversary techniques, helped analysts to highly likely attribute these latest attacks to the Gamaredon group.

This report describes three distinct cases and adversary tactics, techniques, and procedures (TTPs). Analysts examined three different malware delivery techniques used in this campaign, including spear phishing with a TAR attachment that contains a malicious LNK file, a specially crafted Word document that can exploit CVE-2017-0199 to gain code execution without macros, and HTML smuggling.

EclecticIQ researchers continue to actively monitor for activity related to the Gamaredon APT group. While monitoring this activity, analysts identified multiple key findings:

- Phishing emails were being used to deliver malware to the Security Service of Ukraine.
- In January 2023, EclecticIQ researchers observed English and Latvian-language phishing lures probably targeting NATO allies.
- Analysts assess that Culver Aviation (a Ukrainian aviation company) probably has been targeted by multiple phishing lures containing malicious Word documents that use the CVE-2017-0199 vulnerability, which is exploited to execute the malware on victim systems through specially crafted Word documents.
- According to open-source reporting, Culver Aviation Company provided multiple unmanned aerial vehicles (UAVs) to support Ukrainian troops in the region. This support highly likely has made the company a target in this latest cyberattack.
- Living off the Land Binaries (LOLBAS) such as MSHTA.exe were being actively abused by a Russian state-sponsored threat actor to download and execute the second stage of the malware.

Case #1: Phishing Emails to Target the Security Service of Ukraine (SSU)

Malware Execution Flow

On January 23rd, 2023, EclecticIQ analysts identified a phishing email - addressed to the Security Service of Ukraine - with an attached archive file (TAR). The TAR folder contained a malicious shortcut (LNK) file.

Upon user click, the LNK file downloads and executes a second-stage malicious HTML application (HTA) from a remote address using MSHTA.exe.

The threat actor appears to be using multiple techniques to limit who can access this URL outside of Ukraine. For example, the threat actor uses geo-blocking to limit downloads of this malicious file from other locations and blocks ExpressVPN and NordVPN nodes within Ukraine. It appears the threat actor is potentially conducting additional filtering to further control access to payloads.

Figure 1 – Malware execution flow.

The Attack Begins with a Phishing Email Campaign

Figure 2 shows a recent phishing email with a malicious attachment probably targeting the Security Service of Ukraine (SSU). At the bottom of the email is the attached TAR file.

Figure 2 – Example of phishing email probably targeting SSU.

Victim User Clicks on the Malicious Shortcut (LNK) File

When a victim user extracts the TAR file (as seen in figure 3), it contains the malicious LNK file with a Latvian phishing lure.

Figure 3 – Content of malicious attachment translated to English from the Ukrainian language.

LNKs are Windows shortcut files that can contain

2025-04-24
User4606

Following the news that EclecticIQ and PolyLogyx are joining forces, we are giving the CEOs of both companies the opportunity to describe in their own words how this deal came about and what this new alliance means for the future.

From Joep Gommers, CEO, EclecticIQ

We are excited to announce that PolyLogyx will be joining forces with us. As the creator of next-generation endpoint threat detection and response technologies, PolyLogyx brings valuable expertise to our team, and helps us to execute on our mission to put intelligence at the core of cybersecurity.

At EclecticIQ, we connect people and teams to work more effectively around cyber threats. We’re also committed to connecting communities and supply chains to ensure the same threats aren’t faced in isolation.

We're passionate about helping our customers implement intelligence-led cybersecurity and integrating threat intelligence to augment cybersecurity. By joining forces with PolyLogyx, we are bringing onboard the capabilities to re-imagine detection, hunting and response to sophisticated threats.

When I first spoke with Sridhar and Atul, we quickly aligned on a worldview that has continued to shape our collaboration:

Endpoint and cloud protection is traditionally focused on preventing the most common cyber threats. With the complexity of today’s IT environments, full protection is impossible without business disruption. To ensure detection, hunting and response to tomorrow’s sophisticated threats, we have to lower the barrier to visibility in endpoints and cloud workloads. And we must re-imagine how threat intelligence is applied at the core – going well beyond the traditional indicators of compromise.

Open and extendable architectures are required to handle the diversity of different security models seen in the market. Instrumentation of endpoints and cloud workloads to gain visibility in security telemetry is a commodity. The real difference is made in how it integrates in the entire security architecture and how well we can detect, hunt for and respond to cyber threats. Our customers should pay for what makes the difference.

As more and more threat-facing security solutions consolidate, we observe a challenge for security teams, governments and MSSPs/MDRs to stay relevant in threat intelligence, hunting and response. We believe strongly in the value add of each threat hunter, security analyst and incident responder and we should strive to enable and connect them – not automate them away or shut them out of the operations that secure their organizations.

It is my absolute pleasure to welcome the PolyLogyx team, customers and user community to the EclecticIQ family. We

2025-04-08
User9761

Against social engineering.

Always deploy the highest level of protection on your firewall and endpoints. In particular:

- Ensure the firewall has TLS 1.3 inspection, next-gen IPS, and streaming DPI with machine learning and sandboxing for protection from the latest threats.
- Ensure endpoints have modern next-gen protection capabilities to guard against downloading malicious files from untrusted sources.

MITRE ATT&CK

| Tactic: Technique | ATT&CK Code |
| --- | --- |
| Execution: User Execution: Malicious File | T1204 |
| Execution: Exploitation for Client Execution | T1203 |
| Defense Evasion: Deobfuscate/Decode Files or Information | T1140 |
| Defense Evasion: Masquerading: Double File Extension | T1036.007 |
| Defense Evasion: System Binary Proxy Execution: Mshta | T1218.005 |
| Defense Evasion: HTML Smuggling | T1027.006 |
| Command and Control: Web Protocols | T1071.001 |
| Initial Access: Spearphishing Attachment | T1566.001 |
| Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 |
| Persistence: Scheduled Task | T1053.005 |

Hunting Resources: Live Queries & Yara Rules

About EclecticIQ Intelligence & Research Team

EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

2025-03-27
