Daily Summary
Agent Tesla activity shows a significant decline today, with only 10 new samples identified against a 7-day average of 21. This represents a 53% drop in volume. No new command-and-control (C2) infrastructure was registered.
New Samples Detected
The 10 new samples consist exclusively of script-based payloads, with a heavy skew towards JavaScript (.js) files (8 samples). The remaining two are VBScript (.vbs) files. This continues a recent pattern of relying on living-off-the-land scripting languages, though the proportion of .js files is notably higher than recent averages.
Distribution Methods
The dominance of .js and .vbs files strongly suggests ongoing distribution via phishing emails with malicious attachments or links to script files. These file types are often embedded in ZIP archives or delivered via download links in campaigns impersonating invoices, shipping notices, or other business documents to bypass attachment filters.
Detection Rate
Current variants remain well-detected by major antivirus engines due to Agent Tesla’s established signatures. However, the consistent use of obfuscated scripts indicates actors are relying on social engineering for initial execution rather than sophisticated code evasion. The static nature of these samples suggests they are not novel, heavily modified variants.
C2 Infrastructure
No new C2 servers were identified today. This aligns with the low sample volume and may indicate a lull in new infrastructure deployment or a continued reliance on existing, resilient proxy networks or bulletproof hosting services to maintain operational C2 channels.
7-Day Trend
Today’s low sample count interrupts a period of relatively steady activity observed over the past week. The sharp decline may represent a temporary dip between distribution campaigns rather than a sustained decrease in threat actor interest.
Security Analysis
The current 100% script-based delivery marks a tactical simplification, moving away from occasional packed executables. This may indicate a focus on low-cost, high-volume campaigns where ease of modification and low detection by static email filters are prioritized over binary stealth. Defenders should enhance monitoring for scripting hosts (e.g., wscript.exe, cscript.exe) and the child processes they spawn making unexpected network connections or accessing credential storage, as this is a key behavioral indicator of Agent Tesla post-execution.
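As an added example, not part of this summary, the following Python shows one way to implement the monitoring recommended here over constructed Sysmon-style process-creation and network-connection records: it builds a parent/child table and flags any outbound connection whose process is a scripting host or descends from one. The event layout, pids and addresses are invented for illustration.

```python
# Added example: flag network connections made by scripting hosts (wscript.exe,
# cscript.exe) or by any of their descendant processes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry). The fields mirror the shape of
# Sysmon Event ID 1 (process create) and Event ID 3 (network connect).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "pid": 400, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"type": "network_connect", "pid": 300, "dest": "203.0.113.10:587"},  # cmd.exe under wscript
    {"type": "network_connect", "pid": 400, "dest": "198.51.100.5:443"},  # ordinary browser traffic
    {"type": "network_connect", "pid": 200, "dest": "203.0.113.20:80"},   # wscript.exe itself
]


def build_process_table(events):
    """Map pid -> (ppid, lower-cased image basename) from process creation events."""
    table = {}
    for ev in events:
        if ev["type"] == "process_create":
            table[ev["pid"]] = (ev["ppid"], ev["image"].rsplit("\\", 1)[-1].lower())
    return table


def script_host_ancestor(pid, table, max_depth=16):
    """Return the scripting-host image found in pid's ancestry (pid included), else None.

    max_depth bounds the walk so a malformed or cyclic parent chain cannot loop forever.
    """
    depth = 0
    while pid in table and depth < max_depth:
        ppid, image = table[pid]
        if image in SCRIPT_HOSTS:
            return image
        pid = ppid
        depth += 1
    return None


def find_suspicious_connections(events):
    """Return (pid, dest, host) for every network connect traceable to a scripting host."""
    table = build_process_table(events)
    hits = []
    for ev in events:
        if ev["type"] != "network_connect":
            continue
        host = script_host_ancestor(ev["pid"], table)
        if host:
            hits.append((ev["pid"], ev["dest"], host))
    return hits


if __name__ == "__main__":
    for pid, dest, host in find_suspicious_connections(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} -> {dest} (descends from {host})")
```

On real telemetry the process table should be fed from the full event stream before connections are evaluated, since a child's creation event always precedes its first connection.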