New Aggah campaign uses clipboard hijacking to steal Crypto assets


Security experts have recently identified a new campaign called ‘Aggah’ that distributes clipboard hijacking code to steal cryptocurrency. The code replaces a cryptocurrency address on the victim's clipboard with an address belonging to the threat actors. The code used by Aggah can also deploy malicious files. The researchers stated that the newly observed campaigns are very similar to the recently identified Aggah espionage activity.

The Aggah group has used freely available services such as Bitly, ‘usrfile[.]com,’ and Blogspot to host malicious resources. In the first week of October 2021, the researchers identified compromised VBScript code inside the Blogspot URLs. They then discovered a plethora of URLs loaded with PowerShell and VBScript commands for the clipboard hijacking method.


This clever clipboard hijacking method substitutes the potential victim’s cryptocurrency addresses with the malicious threat actor’s address.
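A defender can look for this substitution as a clipboard value that matches an address format and is replaced, almost immediately, by a different value of the same format. The sketch below is an added example, not code from the researchers or from the campaign; the function names, the simplified address patterns (shape only, no checksum) and the two-second window are assumptions, and the trace is constructed.

```python
import re

# Assumption: simplified shape-only patterns for the coin types the article names.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "dogecoin": re.compile(r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}"),
    "litecoin": re.compile(r"[LM][a-km-zA-HJ-NP-Z1-9]{26,33}"),
    "stellar": re.compile(r"G[A-Z2-7]{55}"),
    "monero": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}

def classify(text):
    """Return the coin whose address shape the whole clipboard text matches, else None."""
    value = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return coin
    return None

def find_swaps(events, window_seconds=2.0):
    """events: ordered (timestamp, clipboard_text) pairs. Flag same-coin address
    replacements that happen faster than a person would copy a second address."""
    alerts = []
    prev = None  # (timestamp, coin, address) of the last address seen
    for ts, text in events:
        coin = classify(text)
        if coin is None:
            prev = None  # unrelated content breaks the address-to-address chain
            continue
        addr = text.strip()
        if prev and prev[1] == coin and prev[2] != addr and ts - prev[0] <= window_seconds:
            alerts.append({"coin": coin, "copied": prev[2],
                           "replaced_by": addr, "delay": round(ts - prev[0], 3)})
        prev = (ts, coin, addr)
    return alerts

# Constructed trace; the addresses are filler strings, not real wallets.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, "0x" + "a" * 40),   # user copies a payee address
    (10.4, "0x" + "b" * 40),   # clipboard rewritten 0.4 s later: flagged
    (60.0, "1" + "A" * 30),    # user copies a Bitcoin-shaped address
    (95.0, "1" + "B" * 30),    # 35 s later: plausible manual copy, not flagged
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison applies at paste time: if the address about to be pasted differs from the one the user copied, the transaction should not proceed until the address is re-checked against the intended recipient.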


A researcher from a separate cybersecurity firm has seen seven different cryptocurrency addresses being abused in the attacks. The addresses used for crypto stealing include Bitcoin, Ethereum, XLM, Dogecoin, LTC, XLM, and XMR. They also found a scenario that helped them identify this current issue.
The researchers observed an email with the subject line “FW URGENT Request for information” that used a Bitly link to send victims to the compromised Blogspot link.

The Blogspot link contained VBScript that can modify the registry, deploy a trojan, drop backdoor malware files on a host system, and set up scheduled tasks for clipboard hijacking of cryptocurrency addresses.

Aggah can be attributed to Hagga, which is also linked to Mana Tools.

In a separate finding, researchers and analysts have also reported the Aggah campaign’s involvement in the Mana Tools malware distribution and C2 (command and control) panel, which the Hagga group also abuses. Researchers also confirmed this finding, since the Mana Tools panel was hosted on the same IP address as malware delivered in the recent Aggah threat campaign.

Aggah’s clipboard hijacking campaign is clever but stoppable.

In conclusion, the malicious threat group called Aggah is now using an innovative clipboard hijacking campaign to capture cryptocurrencies. To stay safe, people should employ a trustworthy anti-malware solution and activate a two-factor authentication system for multiple online accounts.
