A new Aggah campaign has been discovered deploying clipboard hijacking code to replace cryptocurrency addresses. Additionally, this code was found deploying various malicious code files as well. 

What has happened?

According to researchers, the new campaigns are similar to previously identified Aggah campaigns.
  • The group has used free services such as Blogspot, Bitly, and usrfiles[.]com to host malicious resources.
  • In early October, researchers spotted malicious VBScript code in Blogspot URLs. Later, they identified a series of URLs loaded with VBScript and PowerShell commands for clipboard hijacking. 
  • This hijacking method replaces victim cryptocurrency addresses with the attacker's own. Moreover, it installs Trojan backdoor files to communicate with dynamic DNS (DDNS) subdomains.
  • Researchers from RiskIQ observed seven different cryptocurrency addresses (Bitcoin, Ethereum, XMR, XLM, XRP, LTC, and Doge) being used in the attacks.

From a scenario

  • Researchers observed an email with the subject line “FW URGENT Request for information,” communicated to a Bitly link that forwarded victims to the malicious Blogspot URL.
  • It contained the VBScript that can performed registry modifications, set up scheduled tasks for clipboard hijacking of cryptocurrency addresses and dropped trojan and backdoor malware files to a host system.

Mana Tool, Aggah and Hagga

In another finding, experts have also reported Aggah's link with the Mana Tools malware distribution and command and control (C2) panel, which is leveraged by the Hagga group. The Mana Tools panel was hosted on the same IP address of malware delivered in the latest Aggah campaign.


Aggah threat group is now using a clever clipboard hijacking campaign to steal cryptocurrencies. To stay protected from such attack campaigns, organizations should deploy a reliable anti-malware solution and enable two-factor authentication for online accounts.

Cyware Publisher