{
	"id": "83b1f534-e5c5-4478-ac7c-84abfb0c7ea4",
	"created_at": "2026-04-06T00:15:43.34322Z",
	"updated_at": "2026-04-10T03:35:56.627323Z",
	"deleted_at": null,
	"sha1_hash": "00cedb0f829381e799a59ddc2fb39f5010e5ac1b",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67297,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:22:17 UTC\r\n APT group: Aggah\r\nNames Aggah (Palo Alto)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage, Financial gain\r\nFirst seen 2018\r\nDescription\r\n(Palo Alto) In March 2019, Unit 42 began looking into an attack campaign that\r\nappeared to be primarily focused on organizations within a Middle Eastern country.\r\nFurther analysis revealed that this activity is likely part of a much larger campaign\r\nimpacting not only that region but also the United States, and throughout Europe and\r\nAsia.\r\nOur analysis of the delivery document revealed it was built to load a malicious\r\nmacro-enabled document from a remote server via Template Injection. These macros\r\nuse BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download\r\nadditional scripts, which ultimately result in the final payload being RevengeRAT\r\nconfigured with a duckdns[.]org domain for C2. During our research, we found\r\nseveral related delivery documents that followed the same process to ultimately\r\ninstall RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs\r\nthroughout their attack campaign.\r\nInitially, we believed this activity to be potentially associated with the Gorgon\r\nGroup. Our hypothesis was based on the high level TTPs including the use of\r\nRevengeRAT. However, Unit 42 has not yet identified direct overlaps with other\r\nhigh-fidelity Gorgon Group indicators. Based on this, we are not able to assign this\r\nactivity to the Gorgon group with an appropriate level of certainty.\r\nIn light of that, Unit 42 refers to the activity described in this blog as the Aggah\r\nCampaign based on the actor’s alias “hagga”, which was used to split data sent to the\r\nRevengeRAT C2 server and was the name of one of the Pastebin accounts used to\r\nhost the RevengeRAT payloads.\r\nObserved Sectors: Automotive, Education, Government, Healthcare, Hospitality,\r\nManufacturing, Media, Retail, Technology.\r\nCountries: Austria, Bahrain, Brazil, Canada, China, Egypt, France, Germany, India,\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=19517715-8aad-4c96-8514-814d74e27830\r\nPage 1 of 3\n\nIreland, Israel, Italy, Japan, Norway, Romania, Russia, Saudi Arabia, South Korea,\nSpain, Sweden, Taiwan, UK, UAE, USA.\nTools used Agent Tesla, Aggah, NanoCore RAT, njRAT, RevengeRAT, Warzone RAT.\nOperations performed\nDec 2018\nOperation “Roma225”\nThe Cybaze-Yoroi ZLab researchers investigated a recent espionage\nmalware implant weaponized to target companies in the Italian\nautomotive sector. The malware was spread through well written\nphishing email trying to impersonate a senior partner of one of the\nmajor Brazilian business law firms: “Veirano Advogados”.\nJun 2019\nThe Evolution of Aggah: From Roma225 to the RG Campaign\nSep 2019\nDuring our threat monitoring activities, we discovered an interesting\ndrop chain related to the well-known Aggah campaign\nJan 2020\nRecently, during our Cyber Defence monitoring operations, we\nspotted other attack attempts directed to some Italian companies\noperating in the Retail sector.\nApr 2020\nUpgraded Aggah malspam campaign delivers multiple RATs\nMay 2020\nDuring our Cyber Threat Intelligence monitoring we spotted new\nmalicious activities targeting some Italian companies operating\nworldwide in the manufacturing sector, some of them also part of the\nautomotive production chain.\nMay 2020\nIn the past months since the Covid-19 outbreak, we have seen an\nenormous rise in mal-spam campaigns where hackers abuse the\npandemic to try and claim victims. One such campaign that we spotted\nis a new variant of a unique malware loader named ‘Aggah’.\n\nJul 2021\nAggah Using Compromised Websites to Target Businesses Across\nAsia, Including Taiwan Manufacturing Industry\nOct 2021\nNew Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency\nAddresses\nJun 2022\nOperation “Red Deer”\nInformation\nLast change to this card: 21 June 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=19517715-8aad-4c96-8514-814d74e27830",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=19517715-8aad-4c96-8514-814d74e27830"
	],
	"report_names": [
		"showcard.cgi?u=19517715-8aad-4c96-8514-814d74e27830"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434543,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00cedb0f829381e799a59ddc2fb39f5010e5ac1b.pdf",
		"text": "https://archive.orkl.eu/00cedb0f829381e799a59ddc2fb39f5010e5ac1b.txt",
		"img": "https://archive.orkl.eu/00cedb0f829381e799a59ddc2fb39f5010e5ac1b.jpg"
	}
}