Level 33
A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions.

Palo Alto Networks' Unit 42 discovered that the threat actors behind the campaign dubbed "Aggah" employed the C2 infrastructure built using only legitimate services to drop RevengeRAT (also known as Revetrat) payloads on organizations from "Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, Technology, and other Professional business.

RevengeRAT is a publicly available Remote Access Trojan released during 2016 on the Dev Point hacking forum and it is known to be capable of opening remote shells, allow the attacker to manage system files, processes, and services, edit the Windows Registry, track the victim's IP address, edit the hosts file, log keystrokes, dump users passwords, and access the webcam, among many others.

"Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection," found Unit 42's researchers.