{
	"id": "de07851b-b8d9-4f48-95ff-e152ddb21931",
	"created_at": "2026-04-06T00:10:32.12382Z",
	"updated_at": "2026-04-10T03:33:12.457683Z",
	"deleted_at": null,
	"sha1_hash": "512bbcf8e7a6bda696ed3afa7aa87e5cbf2cedd9",
	"title": "Aghast at Aggah: Teasing Security Controls with Advanced Evasion Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312234,
	"plain_text": "Aghast at Aggah: Teasing Security Controls with Advanced Evasion Techniques\r\nBy Ben Gross, Threat Researcher\r\nPublished: 2020-05-25 · Archived: 2026-04-05 13:21:45 UTC\r\nIn the months since the Covid-19 outbreak, we have seen an enormous rise in malspam campaigns in which attackers abuse the pandemic to try to claim victims. One such campaign that we spotted is a new variant of a unique malware loader named ‘Aggah’.\r\nAggah is a fileless multi-stage malware loader which utilizes dual-use tools along with free and open web hosting services such as Bitly and Pastebin to hold its resources. Most of these resources hold HTA scripts with embedded PowerShell scripts that run one after the other, until the drop of the final payload, which in our case was one of the following spyware strains:\r\nAgent Tesla\r\nRemcos RAT\r\nNanoCore RAT\r\nA previous campaign with similar characteristics was published by Talos in April, where they observed a malspam campaign used to distribute remote access trojans (RATs). In their discovery they noted that the infection chain was highly versatile and could be adapted to different malware payloads. The attackers were also using publicly available infrastructure, like Bitly and Pastebin, to direct and host the attack components.\r\nHighlights\r\nThe use of Pastebin URLs to store the resources of the malware serves as a fileless technique. Almost all of Aggah’s PowerShell scripts are written into the registry as MSHTA commands with a Pastebin URL. This means that during the attack sequence no malicious binaries are written to disk, making the attack fully fileless.\r\nIn this new variant of Aggah, we have seen some interesting behavior, not only from a technical point of view but also in what appears to be a veiled attempt at self-expression. Strings extracted from analyzed files reveal traces of the malware author. It seems the author of Aggah is trying to provoke security researchers by leaving conspicuous code variables and strings such as:\r\n`iwannajoinuiwannaleavedsshit`, `iwannaleftsellingtools`, `iamreasearcher`\r\nImage: Extracted strings from Aggah\r\nThe following section of the blog will describe in detail the infection flow of the malware.\r\nhttps://www.deepinstinct.com/2020/05/25/aghast-at-aggah-teasing-security-controls-with-advanced-evasion-techniques/\r\nPage 1 of 9\r\n\r\nImage: Full infection chain\r\nStage 1:\r\nAggah is distributed via Microsoft Office documents containing malicious VBA macros. In this campaign we have seen several PowerPoint presentations, some with Covid-19 related names, others posing as invoices. The presentations are usually empty of content, apart from a short and simple VBA macro that uses the StrReverse function to evade basic detection by AV products. Once opened, it downloads the next stage of the malware via the “Shell” command.\r\nImage: VBA code embedded in the ppt\r\nStage 2:\r\nThe Bitly URL from stage one redirects to a Pastebin page which holds a VBScript, the second stage of the infection.\r\nThe second stage is carried out as follows:\r\n1) Runs stage three of the malware by the command shown below (its role is described under ‘Stage 3’)\r\nImage: MSHTA command that will execute the VBScript from Pastebin content\r\n2) Creates a scheduled task that will execute step 1 every 80 minutes\r\n3) Sets several autorun registry keys by using the command:\r\nImage: Example of a registry key that is written\r\nThe registry keys’ contents point to several more Pastebin pages that hold further VBScripts with the following functionalities:\r\na) Bitcoin Hijacker\r\nb) WMI object that will run the content of one of the registry keys\r\nc) .NET binary used for elevating privileges (optional)\r\na) Bitcoin Hijacker, which has not yet been publicly reported, is a simple clipboard hijacker which uses a regex to search for copied wallet addresses in the clipboard and replace them with one of four hardcoded bitcoin addresses belonging to the attacker.\r\nImage: Bitcoin Hijacker\r\nb) Runs one of the registry autorun keys that was set previously, via WMI. Usually it is the Bitcoin Hijacker, but it varies between samples and sometimes points to a Pastebin URL with no content at all.\r\nc) .NET binary which uses the CMSTP.exe technique. CMSTP.exe is a command-line program that accepts an INF file and installs it as a service profile. Aggah uses this technique by extracting an INF file from the binary’s resources and using it for privilege escalation and AV evasion. It does so by setting various registry keys and ensuring that the process is running with elevated privileges. Some of its capabilities are:\r\nUAC bypass\r\nDisable Microsoft Office security mechanisms\r\nExclude certain processes from Windows Defender scans\r\nSet Windows Defender preferences\r\nImage: .NET binary which uses CMSTP.exe\r\nImage: Set Windows Defender registry keys\r\nImage: Set-MpPreference PowerShell command to disable a Windows Defender feature\r\nStage 3:\r\nStep 1 of stage two executes a VBScript which creates a registry key, sets its content to a PowerShell script and executes it via WMI. The PowerShell script is responsible for loading three binaries into memory:\r\n1) AMSI (Antimalware Scan Interface) bypass DLL\r\n2) .NET based DLL which loads the RAT payload via its own exported functions\r\n3) The malware payload itself, executed by injecting it into a benign process (e.g. InstallUtil.exe)\r\nThe PowerShell script holds a couple of byte blobs that get decoded and decompressed to reveal the two DLLs. They are used by the malware for both AV evasion and as the final payload dropper.\r\nImage: Decompress function\r\n1) AMSI bypass DLL: AMSI is a Windows interface that allows applications and services to integrate with any antimalware product present on a machine. After bypassing AMSI the attacker is able to proceed with UAC bypass, PowerShell scripts, VBScripts and more.\r\n2) .NET injector DLL which is used as the main loader of the RAT’s payload. The injector DLL uses its own API to load the RAT payload into a legitimate process after it has been downloaded and decoded, by creating a suspended process and injecting the malware payload into it using process hollowing. In this campaign we have mainly seen the use of InstallUtil.exe as the benign process that is hollowed and injected into. InstallUtil.exe is a legitimate Windows tool for installing server resources, which is simply used as a host for the malware payload.\r\nImage: PowerShell function that will drop the DLLs and load the Aggah payload - rOnAlDo and ChRiS\r\nStage 4 – Aggah payload:\r\nThe payload of Aggah might be any kind of malware; in this campaign the Aggah authors use Agent Tesla and Remcos RAT as their final payload. However, it is this versatility that heightens the risk Aggah poses to organizations, as it can be used to load many different types of malware.\r\nEvidence of a Hidden Creator\r\nSince Aggah’s emergence in December 2019, it has undergone several updates and changes in its capabilities, the implication being that there is a team behind its development that continues to work on it and improve it. Aggah’s provocation directed at the security community appears to be an attempt to build their presence and gain recognition on hacker forums and Twitter, which has become a significant platform for security researchers and malware authors alike.\r\nAggah is indeed a complex malware that utilizes several dual-use tools such as PowerShell, MSHTA and CMSTP in order to infiltrate a system and carry out a fileless attack sequence. This may be a serious threat for organizations as it has successfully bypassed many next-gen security products.\r\nUsing its advanced Deep Learning-based static analysis and behavioral capabilities, customers of Deep Instinct can rest assured that they have protection against Aggah, as the attack is detected and prevented in a matter of milliseconds.\r\nIOCs:\r\nAggah samples:\r\nAggah dropped binaries:\r\nMalware payloads:\r\nPastebin:\r\nBitly:\r\nNetwork Indicators:\r\nasorock11111[.]ddns[.]net\r\nmannyp01[.]duckdns[.]org\r\nSource: https://www.deepinstinct.com/2020/05/25/aghast-at-aggah-teasing-security-controls-with-advanced-evasion-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2020/05/25/aghast-at-aggah-teasing-security-controls-with-advanced-evasion-techniques/"
	],
	"report_names": [
		"aghast-at-aggah-teasing-security-controls-with-advanced-evasion-techniques"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/512bbcf8e7a6bda696ed3afa7aa87e5cbf2cedd9.pdf",
		"text": "https://archive.orkl.eu/512bbcf8e7a6bda696ed3afa7aa87e5cbf2cedd9.txt",
		"img": "https://archive.orkl.eu/512bbcf8e7a6bda696ed3afa7aa87e5cbf2cedd9.jpg"
	}
}