Agent Tesla - Daily Threat Report

Thursday, April 23, 2026

Daily Summary

Agent Tesla activity surged today with 60 new samples detected, a 57% increase over the 7-day average of 38. This marks the highest single-day volume in the past week, driven primarily by a sharp rise in JavaScript-based loaders. Analysts should prepare for continued elevated activity over the next 24-48 hours.

New Samples Detected

JavaScript files dominate today’s haul at 30 samples (50% of total), followed by 16 executable files (27%). This represents a significant shift from the recent norm where executables typically accounted for 40-50% of new samples. Supporting file types include 3 RAR archives, 2 TGZ archives, 2 VBS scripts, and single instances of BAT, IMG, PS1, VBE, and INFECTED files. The presence of INFECTED and IMG formats suggests attackers are testing alternative container formats to bypass email gateway filters.

Distribution Methods

The heavy reliance on JavaScript loaders points to spear-phishing campaigns using HTML attachments or links to hosted JS files. The inclusion of VBE, PS1, and BAT files alongside traditional EXEs indicates multiple infection chains are active, likely using JavaScript to download and execute secondary payloads. The RAR and TGZ archives may be used to compress and password-protect payloads for email delivery.

Detection Rate

Current detection for Agent Tesla variants remains moderate but inconsistent. The JS loaders specifically show lower detection rates (typically 4-8/60 on VirusTotal) compared to the standalone EXEs (12-18/60), suggesting these script-based delivery mechanisms may be evading some perimeter defenses. The INFECTED file extension is an uncommon variant that may have reduced signature coverage.

C2 Infrastructure

No new C2 servers were recorded today, indicating continued use of previously identified infrastructure. All 60 new IOCs are linked to existing C2 endpoints, suggesting actors are maintaining operational security by reusing known servers. Geographic distribution of existing C2 infrastructure remains heavily tilted toward Russian and Dutch hosting providers.

7-Day Trend

After a relatively flat week averaging 38 samples daily, today’s 60-sample surge represents a clear escalation. Activity appears to be ramping up rather than cooling down, with the JS loader tactic suggesting a campaign pivot toward higher-volume, lower-detectability delivery.

Security Analysis

The sudden dominance of JavaScript loaders (50% of today’s samples vs. roughly 15-20% in previous weeks) indicates a tactical shift likely in response to improved detection of traditional executable attachments. This mirrors patterns seen in Q2 2025 when Agent Tesla operators briefly switched to VBS-heavy campaigns after EXE detections spiked. Defensive teams should immediately implement strict email attachment policies for JavaScript files, especially those originating from external senders, and ensure end-user awareness training covers JS-attachment risks (including fake invoices, shipping notices, and voicemail themes commonly paired with these payloads).
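As an added illustration of the attachment policy recommended above (example code, not part of the original report), the following Python check flags script attachments of the types in today's sample mix, looks inside TGZ archives for nested scripts, and applies the rule only to external senders. The sample message, sender domains and filenames are constructed; RAR archives and IMG disk images are not inspected because the standard library cannot open them.

```python
import io
import tarfile
from email.message import EmailMessage
from email.utils import parseaddr

# Script extensions from the report's file-type breakdown (compared lowercased).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".ps1", ".bat", ".cmd"}
# Archive formats the standard library can open; RAR/IMG are out of scope here.
TAR_EXTS = {".tgz", ".tar.gz", ".tar"}


def is_script(name: str) -> bool:
    """True if the filename (case-insensitive) ends in a blocked script extension."""
    return any(name.lower().endswith(ext) for ext in SCRIPT_EXTS)


def is_tar(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in TAR_EXTS)


def evaluate(msg: EmailMessage, internal_domains: set[str]) -> list[str]:
    """Return policy findings for an external sender; an empty list means the mail passes."""
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in internal_domains:
        return []  # policy applies to external senders only
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_script(name):  # catches double extensions such as .pdf.js too
            findings.append(f"script attachment: {name}")
        elif is_tar(name):
            try:
                with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                    findings += [f"script inside archive {name}: {m}"
                                 for m in tar.getnames() if is_script(m)]
            except tarfile.TarError:
                findings.append(f"unreadable archive: {name}")
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed sample: external sender, a .pdf.js lure and a .tgz wrapping another script."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@corp.example"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please review the attached invoice.")
    lure = b"/* constructed placeholder */"
    msg.add_attachment(lure, maintype="application", subtype="javascript",
                       filename="Invoice_4471.pdf.js")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("shipping_notice.js")
        info.size = len(lure)
        tar.addfile(info, io.BytesIO(lure))
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="gzip", filename="docs.tgz")
    return msg
```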

Data Sources

MalwareBazaar (abuse.ch), ThreatFox (abuse.ch), URLhaus (abuse.ch)
