Positive Technologies links Aggah, Blind Eagle, and TA558 in new research

Hackers recycle the same malware and mirror attack techniques

The threat intelligence team at the Positive Technologies Expert Security Center (PT ESC) has traced a forensic breadcrumb trail connecting Aggah, Blind Eagle and TA558. The link surfaced while the team dissected Crypters And Tools, an illicit malware‑packing service that all three actors appear to favor for obfuscating payloads. PT ESC also confirms that Aggah is still alive and launching campaigns, even though researchers have not written about the group's activity since at least 2022.

Earlier research showed that Crypters And Tools runs as a subscription-based Crypter‑as‑a‑Service, letting attackers wrap their malware in fresh encryption layers on demand. Follow‑up forensics confirmed that at least six known cybercrime groups, including Aggah, Blind Eagle and TA558, have rented the platform for high‑volume phishing campaigns. By studying attacks that used Crypters And Tools, experts were able to identify specific users of the crypter associated with the TA558 and Blind Eagle groups.

PT ESC spotted a familiar signature cutting across Aggah and TA558 campaigns from 2018 through 2024: identical target maps, overlapping malware kits, and malicious docs that share metadata quirks and macro stubs. Both cybercrime groups even stamped their lure templates with the cryptic tag 'C.D.T.' Blind Eagle's playbook lines up too, hitting the same Latin American countries and leaning on the Crypters And Tools backend along with the usual malware kit (Remcos, AsyncRAT, NjRAT and LimeRAT).

"Some researchers have mistaken Crypters And Tools fingerprints for group‑exclusive TTPs," says Alexander Badaev, threat intelligence specialist at PT ESC. "But the crypter is an open, pay‑to‑play service, not anyone's house tool. That mix‑up skewed the industry's map of who is linked to whom. Qi An Xin, for example, floated the idea that Aggah could be a subgroup of Blind Eagle because the artefacts looked alike and campaigns overlapped. We are not dismissing that theory, yet the cleaner explanation is shared infrastructure backed by a common crypter. When you drill into the code, each threat group still leaves a distinct calling card."
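The attribution pitfall Badaev describes, as an added example that is not PT ESC's code: a constructed set of campaign artefacts (every label is hypothetical, and the "cat:*" entries stand in for fingerprints the shared crypter leaves on all of its customers' payloads) is scored for actor-to-actor overlap with and without discounting those service-level artefacts.

```python
from collections import defaultdict

# Constructed illustration, not PT ESC data. Each record is one campaign,
# the actor it was attributed to, and the artefacts observed in it.
# "cat:*" labels are hypothetical stand-ins for fingerprints produced by
# the Crypters And Tools packer itself, so every customer of the service
# carries them regardless of which group ran the campaign.
CAMPAIGNS = [
    ("Aggah", {"cat:wrapper", "cat:stage1-loader", "cat:string-obf",
               "rat:Remcos", "lure:C.D.T.", "doc:meta-quirk",
               "doc:macro-stub", "target:LATAM"}),
    ("TA558", {"cat:wrapper", "cat:stage1-loader", "cat:string-obf",
               "rat:NjRAT", "lure:C.D.T.", "doc:meta-quirk",
               "doc:macro-stub", "target:LATAM"}),
    ("Blind Eagle", {"cat:wrapper", "cat:stage1-loader", "cat:string-obf",
                     "rat:AsyncRAT", "target:LATAM", "stager:be-specific"}),
]

# Fingerprints already known (from the constructed crypter research) to be
# emitted by the service, hence not evidence of a link between groups.
CAT_ARTEFACTS = frozenset({"cat:wrapper", "cat:stage1-loader", "cat:string-obf"})


def artefacts_by_actor(campaigns):
    """Union of artefacts per actor across all of that actor's campaigns."""
    by_actor = defaultdict(set)
    for actor, arts in campaigns:
        by_actor[actor] |= arts
    return by_actor


def service_level_candidates(campaigns):
    """Artefacts present for every actor in the set. Breadth like this is a
    hint that they come from a shared service, not from any one group."""
    return set.intersection(*artefacts_by_actor(campaigns).values())


def overlap(campaigns, a, b, discount=frozenset()):
    """Jaccard similarity of two actors' artefact sets, optionally ignoring
    artefacts known to be produced by a shared service."""
    by_actor = artefacts_by_actor(campaigns)
    sa, sb = by_actor[a] - discount, by_actor[b] - discount
    union = sa | sb
    return round(len(sa & sb) / len(union), 3) if union else 0.0


if __name__ == "__main__":
    print("shared by all actors:", sorted(service_level_candidates(CAMPAIGNS)))
    for pair in (("Aggah", "Blind Eagle"), ("Aggah", "TA558")):
        raw = overlap(CAMPAIGNS, *pair)
        adj = overlap(CAMPAIGNS, *pair, discount=CAT_ARTEFACTS)
        print(f"{pair}: raw overlap {raw}, crypter discounted {adj}")
```

With the crypter's own fingerprints discounted, the Aggah/Blind Eagle overlap collapses while the Aggah/TA558 overlap survives, which is the distinction between a rented service and a group's own calling card.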

All three cybercrime groups are still in the game. Aggah has kept a low public profile since 2022 yet continues to run live campaigns. TA558 and Blind Eagle remain steady users of Crypters And Tools, while Aggah appears to have switched loaders or is simply operating outside current PT ESC visibility.

Positive Technologies warns that turnkey malware services like Crypters And Tools are spreading fast across the criminal ecosystem. Defenders need advanced network traffic analysis tools, resilient endpoint security, and relentless user education to spot and stop the social‑engineering hooks that open the door.
