Subgroup of Blind Eagle? Analysis of Recent Attack Activities from Hagga Group

CybersecInfo
12 min read · Jun 1, 2023

Background

Hagga/Aggah Group

Hagga is a threat group motivated by information theft, first publicly disclosed by Unit 42 researchers in March 2019 [1]. Initially, the researchers believed the activity targeted organizations within the Middle East. Further research indicated that it might be part of a larger campaign affecting not only the Middle East but also the United States, Europe, and Asia. Unit 42 referred to this group as Aggah. In the early stages of the attacks, the Trojan used the string “hagga” to separate fields when sending data to its C2 server. This string was also the name of the Pastebin account hosting the payload, which led to the name “Aggah” for this activity. Other security researchers subsequently referred to the group as Hagga/Aggah; we will use the name Hagga in the description that follows.

Initially, Unit 42 believed that due to TTP similarities and the use of Revenge RAT, Hagga might be associated with the Gorgon Group, a Pakistani organization known for targeting Western governments. However, no prominent Gorgon Group indicators were observed in that investigation, so Unit 42 could not definitively link Hagga to the Gorgon Group.

Hagga has been active since 2019, with traces dating back to 2018. They typically use the same TTPs in their attack activities. In the early stages, the…
