Daily Summary
Agent Tesla activity surged dramatically on 2026-04-22, with 65 new samples detected against a 7-day average of 31, marking a 109% increase. This spike is driven overwhelmingly by JavaScript loaders, which constitute over half of today’s volume, indicating a deliberate shift in initial delivery mechanisms. SOC teams should prioritize blocking JS-based execution chains.
New Samples Detected
JavaScript (.js) files dominate with 33 samples (50.7% of total), a significant departure from typical Agent Tesla payloads. Executables (.exe) account for 17 samples, while archive formats (.tar, .tgz, .rar) total 6, likely serving as delivery containers. Notably, 4 .tar files appeared alongside 1 .tgz, suggesting possible automated packaging. Single outliers include .img, .ps1, .vbs, .vbe, and a .infected file - the latter may indicate reused infrastructure from other malware families.
Distribution Methods
The .js-heavy distribution suggests phishing campaigns leveraging malicious JavaScript attachments, likely embedded in archive files to bypass email gateway filters. The .img file hints at ISO-based delivery, a technique common in recent Agent Tesla campaigns. The presence of .vbs and .ps1 files indicates living-off-the-land scripting execution, while .exe files may represent direct downloads from compromised sites. The .infected file is unusual and may be an artifact of automated analysis systems.
Detection Rate
With 65 new IOCs generated from today’s samples, static-signature coverage is likely adequate, but it may struggle with the JS-based variants, which can dynamically load payloads at runtime. The .js files often use obfuscation and environment checks to evade sandboxes. SOC analysts should verify that endpoint detection rules cover PowerShell and WMI execution launched from script contexts.
C2 Infrastructure
No new C2 servers were identified today, suggesting the threat actor is reusing existing infrastructure or employing domain generation algorithms. All 65 new IOCs are sample hashes rather than network indicators, meaning defenders should rely on behavioral detections for C2 traffic until infrastructure is mapped.
7-Day Trend
Today’s volume (65) is roughly double the 7-day average (31), indicating campaign acceleration. The preceding days likely had lower counts, which makes this surge a potential pivot point rather than a stable increase.
Security Analysis
The dominance of JavaScript over traditional .exe and .vbs files marks a tactical shift in Agent Tesla’s delivery chain, likely aimed at evading static detection rules optimized for macro-based payloads. Defenders should note the .infected file - while rare, it suggests potential cross-contamination from other malware families. Actionable recommendation: Deploy AMSI-based scanning on all JavaScript execution contexts, and implement execution policies that block untrusted .js files from email or web downloads unless explicitly approved.