Couple of months #Aggah / #Hagga threat actor was low-key.
While it is back now, a string in last stage script might explain the absence, ( maybe a heartbreak ?)
Leads to Xworm !
https://bazaar.abuse.ch/sample/836cd1dbb96268f267f46c20dec7ea50909184f8d163f418b95a3eee1271dcb4/
Upgraded Aggah malspam campaign delivers multiple RATs - By Asheer Malhotra
Cisco Talos has observed an upgraded version of a malspam campaign known to dist... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/PxuwlY0T_8I/upgraded-aggah-malspam-campaign.html #threatresearch #agenttesla #powershell #vbamacros #nanocore #vbscript #malware #maldoc #aggah #njrat #talos #rat
Ankit Anubhav 
ITSEC News