{
	"id": "d2cca2bf-8014-48f0-abe4-9f305859b5fd",
	"created_at": "2026-04-06T00:19:08.678998Z",
	"updated_at": "2026-04-10T03:33:12.452367Z",
	"deleted_at": null,
	"sha1_hash": "b3f9de2f2fa396cf85533debb90a162a1417d4a0",
	"title": "An Analysis of Infrastructure linked to the Hagga Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1918875,
	"plain_text": "An Analysis of Infrastructure linked to the Hagga Threat Actor\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-02 10:34:14 UTC\r\nSummary\r\nAs this research reveals, mapping out adversary infrastructure has distinct advantages that enable a proactive response to future threats. A well-resourced team with access to the right tools can monitor changes to adversary infrastructure in real time, and those discoveries become strategic advantages when fully exploited. This blog is geared towards practitioners, threat hunters and threat researchers; anyone reading this with the bottom line in mind should take a look at our economic study here first.\r\nIntroduction\r\nWe began tracking the threat actor Hagga in late 2021 following the release of an analysis by Z-Lab (Yoroi Security’s malware research team). Z-Lab were tracking a worldwide campaign to distribute the Agent Tesla information stealer through an elusive multi-stage infection process. In their analysis, they shared the IOCs for this campaign, including a single hardcoded IP address (69.174.99.181) and a common URL directory pattern for the identified C2 panels.\r\nThis blog will describe how we were able to pivot in threat telemetry, using these IOCs as seeds, to identify several other C2s used by this threat actor, ultimately leading us to a backend MySQL server.\r\nhttps://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor\r\nPage 1 of 11\n\nFIGURE 1: C2 PANEL IOCS\r\nKey Observations\r\nHagga infrastructure is hosted on dedicated leased infrastructure, largely on QuadraNet and Vietnam Posts and Telecommunications (VNPT).\r\nAn HTTPS certificate serves as a key indicator of Hagga C2 panels.\r\n69.174.99.181 (QuadraNet, US)\r\nPassive DNS data for 69.174.99.181 identified it hosting the domain (update.)newbotv4[.]monster from 01 November 2021 onwards. During the period 17 September – 17 December 2021, no further domains were hosted on this IP, indicating it was likely dedicated infrastructure (and not a compromised / shared host).\r\nReviewing certificate data for this IP address identified an expired self-signed SSL certificate with a CN value of localhost.\r\nSHA1: B0:23:8C:54:7A:90:5B:FA:11:9C:4E:8B:AC:CA:EA:CF:36:49:1F:F6\r\nWhilst examining threat telemetry for 69.174.99.181, it was noted that 97% of the observed data related to communications with a single Hostinger IP address on TCP/3306 (the default port for MySQL servers). This activity occurred between 14 October and 17 December, the same time window as the Agent Tesla campaign identified by Z-Lab.\r\nHostinger IP Address\r\nNote: The Hostinger IP address is redacted throughout this report. As backend infrastructure, its identification would not provide any value to network defenders, and, as explained below, it is likely also used for unconnected shared hosting purposes.\r\nPassive DNS data identified this IP as a web hosting control panel server. This is supported by open ports data identifying 16 TCP ports that are associated with Hostinger cPanel services. Namely, ports 21, 25, 80, 110, 143, 443, 465, 587, 993, 995, 2080, 2083, 2086, 2087, and 3306.\r\nThreat telemetry data for the Hostinger IP address identified inbound connections to TCP/3306 from numerous other IP addresses dating back to at least 17 September 2021. It was assessed that the IP was shared amongst other Hostinger clients, who were likely unconnected to malicious activities.\r\nFIGURE 2: HOSTINGER MYSQL CLIENTS\r\nHostinger MySQL Clients\r\nConsidering the likelihood that the Hostinger IP was used in shared hosting, we needed to include additional constraints to limit our scope to data of relevance to the initial (and potentially other) C2s.\r\nWe identified several HTTP requests to the original C2 IP address, with several ‘webpanel’ paths using a common naming convention. These paths aligned with the Z-Lab C2 indicators.\r\nTABLE 1: 69.174.99.181 URL REQUESTS\r\nIn addition, we also identified requests to one of the other Hostinger MySQL clients that matched one of the ‘webpanel-’ patterns:\r\nTABLE 2: 155.94.209.50 URL REQUESTS\r\nInterestingly, one of the 155.94.209.50 URL requests was for a ‘login.php’ page. When navigating to that URL we were taken to a login page containing a “Mana Tools” logo.\r\nFIGURE 3: MANA TOOLS C2 PANEL\r\nWhilst we did not have evidence of a URL request to 69.174.99.181 for a ‘login.php’ page, when navigating to the URL http[:]//69.174.99.181/webpanel-reza/login[.]php we were taken to an identical page.\r\nFirst reported in 2019 by Yoroi researchers, Mana Tools is a malware distribution and C2 panel that was created by the threat actor Hagga. It has been associated with several well-known malware variants, including RevengeRAT, AzoRult, Lokibot, Formbook, and Agent Tesla.\r\nIn addition to 155.94.209.50, we identified a further three MySQL clients hosting the same expired self-signed SSL certificate as 69.174.99.181.\r\nAccording to reverse DNS and WHOIS information, all the identified IPs (based on URL and certificate data) are hosted on QuadraNet infrastructure.\r\nFIGURE 4: HOSTINGER MYSQL CLIENT RELATION\r\nExamining open ports data for each of the above IPs, it appears that they are run on MS-Windows based operating systems. In addition to having standard Windows ports open (TCP/445 and TCP/3389), they also returned WIN-NetBIOS Computer Names in the RDP response.\r\nWe also found commonalities amongst several of the Hostinger MySQL client IPs in Passive DNS data. Domain bot.statusupdate[.]one (resolving to 161.129.64.49) was also observed in URL request data in connection with the Mana Tools C2 panel. 64.188.20.198 replaced the original C2 (69.174.99.181) as the hosting IP for domain update.newbotv2[.]monster.\r\nBased on threat telemetry for communications with the Hostinger IP and timestamps for the Passive DNS resolutions, it appears that the threat actor “rebranded” the C2 domain from bot.statusupdate[.]one to newbotv4[.]monster around 13 October 2021.\r\nThe X.509 Certificate\r\nIt was identified that the certificate (Figure 3) with the serial B5C752C98781B503 was a default certificate included with OpenSSL as part of an XAMPP installation. XAMPP is a free, open-source distribution that packages OpenSSL, MariaDB, PHP, and Perl with an Apache web server. Its primary use is for developers, allowing them to deploy a web server on a local machine to test web applications without the need for an internet connection.\r\nGiven that this certificate was installed on several systems hosting Mana Tools, it appeared that this threat actor was using XAMPP as the web server to host the Mana Tools C2 panel on Windows virtual servers.\r\nBack to the Hostinger IP\r\nHaving identified the Hostinger IP as a common destination for MySQL traffic from several Hagga C2s, we needed to find more evidence to connect Hagga to the cPanel server. As stated earlier, given the possibility that the cPanel IP is shared amongst multiple Hostinger customers, this was difficult to achieve based on threat telemetry alone. To aid this process, we used insight derived from MalBeacon, in addition to further Passive DNS data.\r\nNote: MalBeacon is a revolutionary system that can attribute malware campaigns to the threat actors themselves through proprietary pixel tracking technology. If you haven’t heard of it before, I urge you to check it out.\r\nMalBeacon data identified several actor IPs in the vicinity of Lahore, Pakistan, associated with the C2s 69.174.99.181 and 64.188.20.198.\r\nTABLE 3: MALBEACON DATA\r\nWhilst examining threat telemetry data for the Hostinger IP, we found cPanel management traffic to TCP/2083 from the actor IP 42.201.155.21 on 26 November 2021 and from 42.201.155.40 between 02 December 2021 and 03 December 2021. This activity aligned with the dates the IPs were associated with the Hagga C2s.\r\nWe also identified resolutions in passive DNS data that connect the newbotv4.monster and statusupdate.one domains to Hostinger.\r\nTABLE 4: HOSTINGER PDNS RESULTS\r\nWhilst the response IP differed from the Hostinger IP address seen in the outbound TCP/3306 connections, it aligned with the process of leasing a cPanel VPS with Hostinger.\r\nWhen a user purchases their cPanel account through Hostinger, they are asked to add the domain that they are seeking to host on the account to start the service. Once that domain is added, Hostinger assigns several default hostnames to the domain that resolve to a second IP address, which differs from the cPanel management IP first provided. These default hostnames are those detailed in Table 4.\r\nThe cPanel management IP can continue to be used for access to the web server control panel, or as an endpoint for a MySQL database.\r\nContinued Observation of Hostinger IP\r\nBy continuously monitoring threat telemetry for the Hostinger IP and examining X.509 certificates and URL requests for new MySQL clients, we were able to identify additional related C2 infrastructure within hours or days of it being stood up.\r\n103.151.122.110 (VNPT-AS-VN, VN)\r\n72.11.157.208 (QuadraNet, US)\r\n192.154.226.47 (Reprise Hosting, US)\r\n64.188.21.227 (QuadraNet, US)\r\n72.11.143.125 (QuadraNet, US)\r\n72.11.143.47 (QuadraNet, US)\r\n207.32.217.137 (1G Servers, US)\r\n194.31.98.108 (PREFIXBROKER, NL)\r\n103.133.105.61 (VNPT-AS-VN, VN)\r\n78.138.105.142 (VELIANET-FR-PINETLLC, FR)\r\n103.153.77.98 (VNPT-AS-VN, VN)\r\nAdditionally, we were able to identify an upgrade to the Mana Tools C2 panel.\r\nFIGURE 5: NEW MANA TOOLS C2 PANEL\r\nWe revisited MalBeacon to examine beacon data for the newly discovered C2 domains and IP addresses to enumerate associated activity. We subsequently identified several ‘new’ adversary IPs in the vicinity of Lahore, Pakistan. These IPs were observed in communications with the Hostinger IP during the same timeframe they were associated with the Hagga C2 panels.\r\nFIGURE 6: HAGGA ACTIVITY\r\nConclusion\r\nFrom the starting point of an IP address (69.174.99.181) associated with an Agent Tesla command and control server, it was possible to pivot and identify a backend server hosting a MySQL database operated by the threat actor Hagga. From this point a further pivot led us to the identification of additional C2s hosting the Mana Tools C2 panel, along with a common certificate that can be used to increase confidence in attributing future infrastructure to this threat actor.\r\nIndicators of Compromise\r\nSource: https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor"
	],
	"report_names": [
		"an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor"
	],
	"threat_actors": [
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434748,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3f9de2f2fa396cf85533debb90a162a1417d4a0.pdf",
		"text": "https://archive.orkl.eu/b3f9de2f2fa396cf85533debb90a162a1417d4a0.txt",
		"img": "https://archive.orkl.eu/b3f9de2f2fa396cf85533debb90a162a1417d4a0.jpg"
	}
}