Daily Summary
Agent Tesla activity shows a notable decline today, with 17 new samples detected compared to a 7-day average of 24. This represents a 28% decrease. No new command-and-control (C2) infrastructure was registered.
New Samples Detected
JavaScript (.js) files continue to dominate the delivery chain, comprising 13 of the 17 samples. This is consistent with the ongoing trend of using script-based initial access. The remaining samples were three .exe files and one .vbe (VBScript Encoded) file, indicating a continued but minor multi-format approach.
Distribution Methods
The heavy reliance on .js files strongly suggests distribution via phishing emails with malicious attachments or links to download these scripts. The .vbe sample indicates attempts to use obfuscated scripts to bypass email filters. The .exe files are likely secondary payloads or packed versions delivered after initial script execution.
Detection Rate
Current variants, particularly the .js scripts, are detected by most major antivirus vendors due to Agent Tesla’s well-known signatures. However, the single .vbe file and lightly modified .exe packers may exhibit slightly lower initial detection rates, highlighting the threat actor’s continued low-effort attempts at evasion.
C2 Infrastructure
No new C2 servers were identified today. This could indicate a consolidation phase where actors are leveraging existing, operational infrastructure for the current lower volume of campaigns, or a pause in deploying new endpoints.
7-Day Trend
Today’s decline interrupts a relatively steady week of activity near the 24-sample average. This drop may represent a natural lull in campaign cycles or a tactical shift by the operators that is not yet visible in our telemetry.
Security Analysis
The persistent use of .js files, now spanning multiple days, suggests a standardized, automated campaign infrastructure is in place. A non-obvious observation is the absence of macro-laden documents, which were previously a staple for this malware family. This indicates a full adaptation to Microsoft’s default macro blocking. The defensive recommendation is to enhance email security rules to flag or quarantine emails containing double file extensions (e.g., .pdf.js) and to restrict the execution of scripting engines like wscript/cscript from user download directories.
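One way to implement the two recommendations above (flagging double-extension script attachments such as .pdf.js, and alerting when wscript/cscript runs a script from a user's Downloads folder), as an added example that is not part of this report: the filenames and the process-creation event (image path plus command line) are constructed inputs, and the decoy-extension handling assumes attackers may pad the name with spaces before the real extension.

```python
import re
from dataclasses import dataclass

# Extensions handed to the Windows Script Host (wscript.exe / cscript.exe) on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

@dataclass
class Verdict:
    flagged: bool
    reason: str

def classify_attachment(filename: str) -> Verdict:
    """Flag attachment names that end in a script-host extension, including
    decoy double extensions such as 'invoice.pdf.js' or 'scan.pdf   .js'."""
    # Collapse whitespace padding inserted between the decoy and real extension.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or parts[-1] == "":
        return Verdict(False, "no usable extension")
    final_ext = "." + parts[-1]
    if final_ext not in SCRIPT_EXTENSIONS:
        return Verdict(False, f"{final_ext} is not a script-host extension")
    if len(parts) >= 3 and parts[-2]:
        return Verdict(True, f"double extension .{parts[-2]}{final_ext}")
    return Verdict(True, f"script attachment {final_ext}")

def script_host_from_downloads(image: str, command_line: str) -> bool:
    """True when a process-creation event (constructed format: image path and
    command line) shows wscript/cscript given a script under a Downloads folder."""
    if image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return False
    # Tokens are either "quoted strings" or bare words; keep whichever group matched.
    tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    # tokens[0] is the executable itself; any later argument under \Downloads\ triggers.
    return any("\\downloads\\" in t.lower() for t in tokens[1:])

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    for name in ["invoice.pdf.js", "scan.pdf   .js", "report.pdf", "notes.vbe"]:
        print(name, classify_attachment(name))
    print(script_host_from_downloads(
        r"C:\Windows\System32\wscript.exe",
        r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.pdf.js"'))
```

The attachment check belongs at the mail gateway, while the process check is the logic a SIEM rule would apply to process-creation telemetry; an allow-list of approved script paths can be added in front of it where scripts are legitimately run from Downloads.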