Home Artifacts Profile of the menacing actor known as “Hagga” and his work

Profile of the menacing actor known as “Hagga” and his work


Agent Tesla, an infamous data stealer, has been plaguing internet users since 2014. Much has been revealed about the malware, but the world has only learned of one of its most skilled campaigners, Hagga, that last year.

What the world knows about Hagga So Fa

Hagga allegedly used Agent Tesla, the sixth most prevalent malware in 2021, to steal sensitive information from its victims since the end of 2021. The latest research has published several Indicators of Compromise (IoCs) related to its infrastructure, including four domains and 18 IP addresses.

We used these data points to learn more about Hagga and its criminal infrastructure. Our in-depth analysis of WHOIS, Domain Name System (DNS), and other network records discovered:

  • An additional IP address that could be part of Hagga’s malicious network
  • Malicious domains hosted by Four Duck DNS that could be connected to the threat
  • 100 subdomains containing string “cdec22” similar to possibly connected subdomain artifacts discovered
  • Over 300 domains containing the strings “statusupdate” and “heavy-dutyindustry” similar to domains identified as IoC threats

A sample of additional artifacts obtained from our analysis is available for download on our website.

What could Hagga be doing now?

Using published IoCs as a starting point, we scoured the DNS for other artifacts that organizations should look out for.

WHOIS history searches for the four domains identified as threatening IoCs showed that three of them were created in the latter part of 2021, while one is a newly registered domain (NRD). Registrations for all four domains list Iceland as the country of registration. Hagga also seemed to favor Namecheap as a registrar.

DNS lookups for all four domain IoCs yielded an additional IP address—37[.]252[.]1[.]63, which is currently not part of the publicly available data sources. Although not currently labeled “malicious”, his connection to one of the IoCs makes him suspicious and therefore at least worth keeping an eye on.

Unlike the single reporting country identified for the four domain IoCs, the 18 IP addresses were spread across five different countries, none of which was geolocated to Iceland.

In fact, nearly half of the 18 IP addresses pointed to locations in the United States, followed by Vietnam (28%), the Netherlands and Pakistan (11% each), and France (6%).

Reverse IP lookups for IoCs of IP addresses uncovered four other domains hosted by Duck DNS, all of which were labeled “malware hosts” by Threat Intelligence Platform (TIP) malware checks. These are:

  • cdec22[.]duckdns[.]org
  • abotherrdpajq[.]duckdns[.]org
  • mobibagugu[.]duckdns[.]org
  • warnonmobina[.]duckdns[.]org

To further expand our list of possible artifacts and IoCs, we searched for other subdomains (hosted on platforms similar to Duck DNS) and domains containing similar strings (i.e. “cdec22”, “abotherrdpajq”, “mobibagugu” and “warnonmobina” and “workflowstatus”, “statusupdate”, “newbotv4” and “heavy-dutyindustry”). Domains & Subdomains Discovery provided a list of 100 subdomains with the text string “cdec22”. While none of them are considered malicious as of yet, their similarities to the identified artifacts should make them worth watching.

The tool also found 305 domains with the strings “statusupdate” and “heavy-dutyindustry”, including three -heavy-dutyindustry[.]co, jp-statusupdate[.]com, and statusupdate-loanapproval[.]com – have been dubbed “malware hosts”, apart from the IoC heavy industry[.]shop to date.

Given the threat posed by Agent Tesla – the theft of sensitive information and the resulting repercussions (e.g., reputational, compliance and financial damage to hacked companies) – organizations would do well to block access to IoCs and connected artifacts. , especially the three domains deemed malicious, and at the very least monitor suspicious web properties.

If you would like to carry out a similar investigation or have access to the full data behind this research, please do not hesitate to contact us.