{
	"id": "7248a845-7afe-4c2d-8349-3c68056f4f81",
	"created_at": "2026-04-06T00:15:05.94967Z",
	"updated_at": "2026-04-10T13:11:53.471032Z",
	"deleted_at": null,
	"sha1_hash": "eae41c81336f70a0f210b2ce6f12bc6301fed073",
	"title": "Aggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 942536,
	"plain_text": "Aggah Malware Campaign Expands to Zendesk and GitHub to\r\nHost Its Malware\r\nBy Paul Kimayong\r\nPublished: 2021-09-08 · Archived: 2026-04-05 17:08:18 UTC\r\nAggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware\r\nJuniper Threat Labs has detected a new development in the Aggah malware campaign. Previously, Aggah was\r\nknown to be using legitimate infrastructures like BlogSpot, WordPress and Pastebin to host its malware. Recently,\r\nwe discovered an ongoing campaign where Aggah threat actors host their malware using Zendesk attachments and\r\nGitHub. This campaign delivers several types of malware that are focused on stealing sensitive information, such\r\nas usernames and passwords, credit card information stored in browsers and crypto wallets.\r\nWe detected a malicious Microsoft PowerPoint sample,\r\ned70f584de47480ee706e2f6ee65db591e00a114843fa53c1171b69d43336ffe , which was downloaded from\r\nZendesk’s own infrastructure as an attachment:\r\nhttps://p17[.]zdusercontent[.]com/attachment/9061705/eyckz3zuedoivxtp0i629aoxe\r\nThe PowerPoint document contains a malicious macro file that connects to a shortened bitly.com URL which\r\nexpands to https://mujhepyaslagihaimujhepanipilao[.]blogspot[.]com/p/mark2html  in order  download and\r\nexecute a malicious Script via mshta.exe.\r\nhttps://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware\r\nPage 1 of 6\n\nFig.1. The VB script in .ppt executes another script from bitly.com using mshta.\r\nFig.2. Bitly url expands to https://mujhepyaslagihaimujhepanipilao[.]blogspot[.]com/p/mark2html\r\nThe script, mark2.html , hosted on mujhepyaslagihaimujhepanipilao[.]blogspot[.]com , performs a series of\r\noperations, such as creating a Run entry in the registry to execute a PowerShell script, download and execute\r\nanother script using scheduled task and use WMI in the registry Run key to download and execute another script. 
\r\nFig.3. Series of operations done by mark2.html\r\nThe code shown in Figure 3 downloads the following scripts and executes them:\r\nhttps://ia801405us[.]archive[.]org/11/items/pg_20210716/blessed.txt\r\nhttps://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html\r\nhttps://backbones1234511a[.]blogspot[.]com/p/elevatednew1backup.html\r\nhttps://startthepartyup[.]blogspot.com/p/backbone15.html\r\nhttps://ghostbackbone123[.]blogspot.com/p/ghostbackup14.html\r\nBlessed.txt\r\nThe PowerShell script hosted on archive.org as blessed.txt loads a stealer known as Oski. The Oski binary is embedded in the PowerShell script as a hex-encoded string. The script uses a signed-binary proxy execution technique, RegSvcs.exe combined with .NET Assembly.Load, to run the binary as an added layer of protection against detection: the payload is never written to disk and exists only in memory.\r\nFig. 4 Blessed.txt is a PowerShell script that contains a Windows executable which it loads via RegSvcs.exe\r\nOski was first seen in 2019. Today, it is sold on Russian hacking forums for $70-$100. Oski’s capabilities include:\r\nStealing cryptocurrency wallets\r\nStealing sensitive information stored in browsers such as credit card data, autofill data and cookies\r\nStealing credentials from various applications such as FTP clients, VPN clients and web browsers\r\nCapturing screenshots\r\nCollecting system information\r\nDownloading and installing additional malware\r\nFig. 5 Oski code that steals crypto and browser data\r\nOski connects to the following C2 server: 103[.]153[.]76[.]164\r\nAfter it collects and exfiltrates the data, it deletes traces of itself from the system.
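The loader described in the Blessed.txt section embeds the stealer as a hex string and hands it to .NET Assembly.Load so that nothing touches disk. The following Python is an added example, not code from the post or from the campaign, for triaging such a script offline: it locates embedded hex blobs in either contiguous or 0x-prefixed byte-list form, decodes them, checks for a PE header, records a SHA-256 and flags the loader tricks the post mentions. The sample PowerShell, the tiny fake PE image and the minimum blob lengths are constructed for the example and are not taken from the real blessed.txt.

```python
import hashlib
import re
from binascii import hexlify, unhexlify

# Minimal fake PE image (DOS magic plus e_lfanew pointing at a PE signature),
# constructed for this example; it is not a real or malicious binary.
_img = bytearray(0x44)
_img[0:2] = b'MZ'
_img[0x3C:0x40] = (0x40).to_bytes(4, 'little')
_img[0x40:0x44] = b'PE' + bytes(2)
FAKE_PE = bytes(_img)
FAKE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()
HEX = hexlify(FAKE_PE).decode()

# Constructed PowerShell loader in the style the post describes: the executable
# sits in the script as hex, is decoded in memory and handed to Assembly.Load.
SAMPLE_SCRIPT = '''
$hex = \"''' + HEX + '''\"
$bytes = [byte[]]::new($hex.Length / 2)
for ($i = 0; $i -lt $hex.Length; $i += 2) {
    $bytes[$i / 2] = [Convert]::ToByte($hex.Substring($i, 2), 16)
}
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.EntryPoint.Invoke($null, $null)
'''

# The same payload written as a comma-separated 0x.. byte list, another common form.
SAMPLE_SCRIPT_BYTES = ('[byte[]]$bytes = '
                       + ','.join('0x' + HEX[i:i + 2] for i in range(0, len(HEX), 2))
                       + chr(10) + '[Reflection.Assembly]::Load($bytes) | Out-Null')

HEX_RUN = re.compile('[0-9A-Fa-f]{64,}')                  # contiguous hex, 32+ bytes
BYTE_LIST = re.compile('(?:0x[0-9A-Fa-f]{2}[ ,]*){32,}')  # 0x4D,0x5A,... lists
LOADER_PATTERNS = ['Assembly]::Load', 'EntryPoint.Invoke', 'RegSvcs', 'RegAsm',
                   'InstallUtil', 'FromBase64String']


def hex_candidates(script):
    # Decode every embedded hex blob, whichever of the two forms it uses.
    blobs = []
    for m in HEX_RUN.finditer(script):
        if len(m.group(0)) % 2 == 0:
            blobs.append(unhexlify(m.group(0)))
    for m in BYTE_LIST.finditer(script):
        cleaned = re.sub('[^0-9A-Fa-f]', '', m.group(0).replace('0x', ''))
        blobs.append(unhexlify(cleaned))
    return blobs


def is_pe(data):
    # DOS magic present and e_lfanew points at a PE signature inside the buffer.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    off = int.from_bytes(data[0x3C:0x40], 'little')
    return data[off:off + 4] == b'PE' + bytes(2)


def triage(script):
    # Summarise embedded payloads and the loader tricks present in the script.
    payloads = [{'size': len(d), 'is_pe': is_pe(d),
                 'sha256': hashlib.sha256(d).hexdigest()} for d in hex_candidates(script)]
    indicators = [p for p in LOADER_PATTERNS if p.lower() in script.lower()]
    return {'payloads': payloads, 'indicators': indicators}


if __name__ == '__main__':
    print(triage(SAMPLE_SCRIPT))
    print(triage(SAMPLE_SCRIPT_BYTES))
```

The hash of the carved payload is what you would pivot on in a sandbox or a threat-intel platform, since the hash of the PowerShell wrapper changes with every re-encoding while the embedded executable often does not. Real loaders also reverse, XOR or base64 the blob before hex-decoding it; the indicator list catches the base64 case but the decoding itself would have to be added per sample.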
\r\nElevatednew1.html\r\nAnother routine listed above in Fig. 3 creates a scheduled task to download and execute a further malicious script hosted at https://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html. This script loads another PowerShell script, also named blessed.txt. This time the script is hosted on GitHub:\r\nhttps://raw[.]githubusercontent[.]com/manasshole/newone/main/blessed.txt\r\nFig. 6 Script code inside elevatednew1.html executes a PowerShell script hosted on GitHub.com\r\nThe malware it tries to install is Agent Tesla, a .NET keylogger and RAT that logs keystrokes and the host’s clipboard content.\r\nThe other malicious scripts, backbone15.html and ghostbackup14.html, are no longer available for download, while elevatednew1backup.html is identical to elevatednew1.html.\r\nBefore publication of this blog, we contacted Zendesk and GitHub, and both quickly responded by disabling the hosted malware.\r\nConclusion\r\nThe threat actors’ primary goal is to steal sensitive information such as usernames and passwords, credit cards and crypto wallets. On the surface, this may seem low-impact compared with ransomware operations targeting enterprises. However, the Aggah threat actors’ use of legitimate infrastructure is worrisome. As a defender, one way to disrupt malicious activity is to detect and block the attackers’ infrastructure. This is usually effective because changing infrastructure is not easy; it is much less effective when that infrastructure is a widely used legitimate service such as GitHub or Zendesk, which cannot simply be blocked wholesale and must instead be matched on the specific malicious path or attachment.\r\nAs we have observed and noted, threat actors using GitHub, Archive.org, Zendesk, Pastebin and Google Drive are not going away anytime soon, and we expect their malicious efforts to continue. For instance, Juniper Threat Labs has also seen growing use of Zendesk to host malware, which may warrant its own blog in the future.
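The conclusion points out that legitimate hosting undermines plain infrastructure blocking. The following Python is an added example, not code from the post: it refangs the IOC list given at the end of the post, treats shared-platform hosts (GitHub raw content, archive.org, Zendesk attachments) as URL-only indicators while matching the attacker-registered blogspot subdomains by host, and runs the resulting matchers over a few constructed proxy log lines. The log format, client addresses and all destination IPs other than the C2 address are invented; the shared-host suffix list is an assumption that would be tuned per environment.

```python
from urllib.parse import urlparse

# Defanged indicators copied from the IOC list at the end of the post.
IOCS = [
    '103[.]153[.]76[.]164',
    'https://raw[.]githubusercontent[.]com/manasshole/newone/main/blessed.txt',
    'https://p17[.]zdusercontent[.]com/attachment/9061705/eyckz3zuedoivxtp0i629aoxe',
    'https://ia801405us[.]archive[.]org/11/items/pg_20210716/blessed.txt',
    'https://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html',
    'https://backbones1234511a[.]blogspot[.]com/p/elevatednew1backup.html',
    'https://startthepartyup[.]blogspot.com/p/backbone15.html',
    'https://ghostbackbone123[.]blogspot.com/p/ghostbackup14.html',
]

# Hosts shared with legitimate users: only the full URL is specific enough to act on.
# Blogspot subdomains are registered by the actor, so the host alone is a usable indicator.
SHARED_HOST_SUFFIXES = ('githubusercontent.com', 'archive.org', 'zdusercontent.com')


def refang(ioc):
    # Undo the [.] and hxxp defanging so the indicator can be compared with real traffic.
    return ioc.replace('[.]', '.').replace('hxxp', 'http')


def is_ipv4(text):
    parts = text.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def build_matchers(iocs):
    # Split refanged indicators into IP, host-level and URL-level match sets.
    ips, hosts, urls = set(), set(), set()
    for raw in iocs:
        ioc = refang(raw)
        if is_ipv4(ioc):
            ips.add(ioc)
            continue
        parsed = urlparse(ioc if '://' in ioc else 'http://' + ioc)
        host = parsed.hostname.lower()
        if host.endswith(SHARED_HOST_SUFFIXES):
            urls.add((host, parsed.path))
        else:
            hosts.add(host)
    return {'ips': ips, 'hosts': hosts, 'urls': urls}


# Constructed proxy log: timestamp, client, destination IP, URL (or - when none).
# Destination addresses other than the C2 come from documentation ranges.
PROXY_LOG = '''
2021-09-01T10:00:01Z 10.0.0.5 203.0.113.10 https://randikhanaekminar.blogspot.com/p/elevatednew1.html
2021-09-01T10:00:02Z 10.0.0.5 198.51.100.20 https://raw.githubusercontent.com/manasshole/newone/main/blessed.txt
2021-09-01T10:00:03Z 10.0.0.7 198.51.100.20 https://raw.githubusercontent.com/python/cpython/main/README.rst
2021-09-01T10:00:04Z 10.0.0.5 103.153.76.164 -
2021-09-01T10:00:05Z 10.0.0.9 203.0.113.10 https://www.blogger.com/about
'''


def scan(log_text, matchers):
    # Return (client, match_kind, indicator) for each log line that hits an IOC.
    hits = []
    for line in log_text.strip().splitlines():
        _ts, client, dst, url = line.split()
        if dst in matchers['ips']:
            hits.append((client, 'c2_ip', dst))
        elif url != '-':
            parsed = urlparse(url)
            host = parsed.hostname.lower()
            if host in matchers['hosts']:
                hits.append((client, 'host', host))
            elif (host, parsed.path) in matchers['urls']:
                hits.append((client, 'url', url))
    return hits


if __name__ == '__main__':
    for hit in scan(PROXY_LOG, build_matchers(IOCS)):
        print(hit)
```

The third log line, a legitimate fetch from raw.githubusercontent.com, produces no hit, which is the point: a host-level block on GitHub would either be refused by the business or would flood the queue, while the repository path is specific to the actor. The C2 address still matches on destination IP alone because the stealer does not necessarily go through the proxy with a URL.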
\r\nIn this particular case, Juniper Networks’ Advanced Threat Prevention (ATP) solution detects the Aggah malware file, as shown in the detection screenshot in the original post.\r\nIOC\r\ned70f584de47480ee706e2f6ee65db591e00a114843fa53c1171b69d43336ffe\r\n103[.]153[.]76[.]164\r\nhttps://raw[.]githubusercontent[.]com/manasshole/newone/main/blessed.txt\r\nhttps://p17[.]zdusercontent[.]com/attachment/9061705/eyckz3zuedoivxtp0i629aoxe\r\nhttps://ia801405us[.]archive[.]org/11/items/pg_20210716/blessed.txt\r\nhttps://randikhanaekminar[.]blogspot[.]com/p/elevatednew1.html\r\nhttps://backbones1234511a[.]blogspot[.]com/p/elevatednew1backup.html\r\nhttps://startthepartyup[.]blogspot.com/p/backbone15.html\r\nhttps://ghostbackbone123[.]blogspot.com/p/ghostbackup14.html\r\nSource: https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware"
	],
	"report_names": [
		"aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eae41c81336f70a0f210b2ce6f12bc6301fed073.pdf",
		"text": "https://archive.orkl.eu/eae41c81336f70a0f210b2ce6f12bc6301fed073.txt",
		"img": "https://archive.orkl.eu/eae41c81336f70a0f210b2ce6f12bc6301fed073.jpg"
	}
}