Is Hagga Threat Actor (ab)using FSociety framework ?
AI Analysis
Technical Summary
The provided information concerns a potential threat actor named 'Hagga' possibly abusing the FSociety framework. FSociety is a known open-source penetration testing and post-exploitation framework, often used by red teams and threat actors alike for payload delivery and various offensive security operations. The report, sourced from CIRCL and classified under OSINT with medium severity, indicates a 50% certainty about this association, suggesting that the intelligence is not fully confirmed. There are no specific affected versions or products listed, no known exploits in the wild, and no patches available, which implies that this is more an observation of potential threat actor behavior rather than a direct vulnerability or exploit. The technical details are minimal, with threat and analysis levels both rated as '2' on an unspecified scale, and no concrete indicators of compromise or attack vectors provided. The mention of payload delivery suggests that the Hagga actor may be leveraging FSociety's capabilities to deliver malicious payloads, which could include malware, ransomware, or other forms of cyber intrusion tools. However, the lack of detailed technical data limits the ability to fully characterize the threat's mechanisms or sophistication. Overall, this intelligence appears to be an early-stage or speculative observation of threat actor tactics rather than a confirmed active threat or vulnerability.
Potential Impact
For European organizations, the potential impact of Hagga abusing the FSociety framework depends largely on the actor's intent, targeting, and the payloads delivered. If Hagga is indeed using FSociety for payload delivery, this could lead to unauthorized access, data exfiltration, disruption of services, or deployment of ransomware. Given FSociety's capabilities, attacks could compromise confidentiality, integrity, and availability of systems. However, since no specific exploits or campaigns are confirmed, the immediate risk remains moderate. European entities in sectors with high-value data or critical infrastructure could face increased risk if targeted. The uncertainty and lack of concrete indicators make proactive detection challenging, potentially allowing the actor to operate stealthily. The medium severity rating reflects this balance between potential impact and current lack of confirmed exploitation.
Mitigation Recommendations
European organizations should enhance monitoring for unusual activity related to known FSociety framework behaviors, such as suspicious payload delivery patterns or command and control communications. Deploying advanced endpoint detection and response (EDR) solutions capable of identifying post-exploitation frameworks can help detect misuse. Network segmentation and strict access controls will limit lateral movement if initial compromise occurs. Threat hunting teams should incorporate FSociety-related signatures and tactics into their detection rules. Sharing intelligence with trusted cybersecurity communities can improve situational awareness. Since no patches are available, focusing on behavioral detection and incident response readiness is critical. Regularly updating and hardening systems, applying the principle of least privilege, and conducting phishing awareness training can reduce the likelihood of successful payload delivery. Finally, organizations should prepare incident response plans specific to payload delivery and post-exploitation scenarios to minimize impact if an attack occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- ip: 4.204.233.44
- ip: 69.174.99.181
- ip: 103.151.123.121
- hash: 9ea4eebd9cf2a5d4e6343cb559d8c996fae6bf0f3bd7ffada0567053c08acc31
- file: update.js
- hash: ab5b1989ddf6113fcb50d06234dbef65d871e41ce8d76d5fb5cc72055c1b28ba
- file: Dll.ppam
- hash: 20a53f17071f377d50ad9de30fdddd320d54d00b597bf96565a2b41c15649f76
- file: Rump.xls
- hash: 5d910ee5697116faa3f4efe230a9d06f6e3f80a7ad2cf8e122546b10e34a0088
- file: Rump.xls.inverted.charsReplaced.decoded
- x509-fingerprint-sha1: 970f993ad1a289620b5f5033ff5e0b5c4491bb2b
- text: servidor
- text: 136234453590953102797263558291395548452
- boolean: 0
- x509-fingerprint-sha1: b0238c547a905bfa119c4e8baccaeacf36491ff6
- text: localhost
- text: 13098529066745705731
- boolean: 0
- port: 8895
- url: http://4.204.233.44/Rump/Rump.xls
- text: /Rump/Rump.xls
- domain: 4.204.233.44
- text: 4.204.233.44
- url: http://4.204.233.44/Dll/Dll.ppam
- text: /Dll/Dll.ppam
- link: https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/
- text: Is Hagga Threat Actor (ab)using FSociety framework ? apt cybersecurity malware. November 21, 2022. Introduction: Today I’d like to share a quick analysis initiated during a threat hunting process. The first observable was found during a hunting process over OSINT sources; the entire infrastructure was still up and running during the analysis, and the malicious payloads were downloadable.
- text: Blog
Technical Details
- Threat Level: 2
- Analysis: 2
- Uuid: f07207d5-e6f7-4369-9a9d-a1390b83aaeb
- Original Timestamp: 1683878227
Threat ID: 682acdbebbaf20d303f0eeb2
Added to database: 5/19/2025, 6:20:46 AM
Last enriched: 7/2/2025, 7:10:35 AM
Last updated: 2/7/2026, 8:35:18 PM