Daily Summary
Agent Tesla activity surged on 2026-04-24 with 65 new samples, a 44% increase over the 7-day average of 45. This marks a notable escalation and continues an upward trend observed over the past several days.
New Samples Detected
JavaScript files (.js) dominate today’s haul with 32 samples, representing nearly half of all new detections. Traditional .exe files follow at 18, while batch scripts (.bat), RAR archives (.rar), and PowerShell scripts (.ps1) appear in smaller numbers. The presence of .img, .vbe, and .infected file types suggests attackers are experimenting with diverse staging methods, possibly to evade signature-based detection.
Distribution Methods
The heavy reliance on .js files indicates that spear-phishing emails remain the primary delivery mechanism. Attackers likely embed JavaScript as attachments or downloader scripts that fetch the final payload. The inclusion of .rar and .img files points to archive-based distribution, while .ps1 and .vbs files suggest some campaigns use living-off-the-land techniques to bypass application controls.
Detection Rate
Detection rates for the .js-based variants vary widely across sample submissions. Many JavaScript stages are likely polymorphic or heavily obfuscated, which lets them evade static analysis. The .exe variants show signs of common packers and may require behavioral detection rules to be caught reliably.
C2 Infrastructure
No new C2 servers were observed today. The 65 new IOCs are primarily sample hashes and file indicators, suggesting C2 infrastructure remains stable. Attackers may be reusing established channels, which presents a risk if those servers are not yet blocked on perimeter devices.
7-Day Trend
Today’s sample count is the highest in the last seven days, with the 7-day average now trending upward from 38 to 45. Activity appears to be ramping up, likely driven by a coordinated phishing campaign or a new loader distribution wave.
Security Analysis
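As an added illustration that is not part of this summary, the attachment policy recommended above can be expressed as a mail-gateway triage rule: script extensions named in the report are blocked unless explicitly allowlisted, archive and disk-image containers are held for inspection, and everything else passes. The log format, sender domains and allowlist entries below are constructed assumptions.

```python
import re

# Script extensions the summary ties to Agent Tesla staging: block unless allowlisted.
SCRIPT_EXTENSIONS = {".js", ".vbs", ".vbe", ".ps1", ".bat"}
# Archive / disk-image containers the summary mentions: hold for content inspection.
CONTAINER_EXTENSIONS = {".rar", ".img"}

# Hypothetical allowlist of (sender domain, exact filename) pairs approved by the SOC.
ALLOWLIST = {("build.example.org", "deploy.ps1")}

# Assumed gateway log format: ... from=<sender> attachment="<filename>"
LOG_RE = re.compile(r'from=(?P<sender>\S+)\s+attachment="(?P<name>[^"]+)"')

def normalize_name(name: str) -> str:
    """Lowercase and strip trailing dots/spaces, which Windows ignores when resolving a type."""
    return name.strip().rstrip(". ").lower()

def extension_of(name: str) -> str:
    """Final extension after normalization, so 'Invoice.pdf.js' is treated as .js."""
    base = normalize_name(name)
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""

def classify(sender: str, name: str) -> str:
    """Return BLOCK, INSPECT or ALLOW for one attachment under the policy above."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if (domain, normalize_name(name)) in ALLOWLIST:
        return "ALLOW"
    ext = extension_of(name)
    if ext in SCRIPT_EXTENSIONS:
        return "BLOCK"
    if ext in CONTAINER_EXTENSIONS:
        return "INSPECT"
    return "ALLOW"

def triage_log(lines):
    """Apply classify() to each parsable gateway log line; returns (filename, verdict) pairs."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            results.append((m["name"], classify(m["sender"], m["name"])))
    return results

# Constructed sample gateway log lines (not real telemetry).
SAMPLE_LOG = [
    '2026-04-24T08:11:03Z from=accounts@supplier.test attachment="Invoice_4471.pdf.js"',
    '2026-04-24T08:12:40Z from=hr@partner.test attachment="Payslip.PS1 "',
    '2026-04-24T08:15:22Z from=ci@build.example.org attachment="deploy.ps1"',
    '2026-04-24T08:20:09Z from=sales@vendor.test attachment="Quote.rar"',
    '2026-04-24T08:21:51Z from=sales@vendor.test attachment="Quote.pdf"',
]

if __name__ == "__main__":
    for name, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:8} {name}")
```

The allowlist is keyed on sender domain plus exact filename, so the same deploy.ps1 arriving from any other domain is still blocked.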
The shift toward JavaScript as the dominant file type is unusual for Agent Tesla and mirrors TTPs seen in other info-stealer families. This suggests either a new delivery chain or a partnership with a JS-based malware-as-a-service operator. Defensively, SOC teams should enforce strict email attachment policies that block .js, .vbs, and .ps1 files unless explicitly whitelisted, and ensure network monitoring includes HTTP/HTTPS traffic patterns for remote script fetching commonly used in these stages.