After identifying a spike in malicious Visual Basic scripts (VBScript) posted on paste sites, Recorded Future created an automated process using our API to automatically collect the command and control (C2) servers from each malicious VBScript. While reviewing the results, we identified a threat actor from Germany that goes by “Vicswors Baghdad.” This individual appears to be at least partially responsible for the identified malicious VBScripts posted to paste sites, and is actively editing an open source ransomware variant called “MoWare H.F.D”.