Daily Summary
Agent Tesla sample collection reached 76 today, a 25% increase over the 7-day average of 61. This marks the third consecutive day of above-average activity, driven largely by a surge in JavaScript-based loaders and PowerShell scripts.
New Samples Detected
Today’s 76 samples show a distinct shift in packaging: JavaScript files (.js) lead with 25 samples, followed equally by PowerShell scripts (.ps1) and executable files (.exe) at 19 each. Notably, the presence of .tgz archives (2) suggests possible targeting of Linux-based systems or cross-platform propagation, a departure from the typical Windows-centric delivery. The single .infect file may indicate a corrupted or deliberately mislabeled sample, while .img and .vbe files (1 each) round out the payload spectrum.
Distribution Methods
The dominant file types point to a multi-stage delivery chain. JavaScript files (.js) and PowerShell scripts (.ps1) are likely used as initial downloaders or obfuscation layers, often arriving via phishing emails with malicious attachments or links. The presence of .bat and .rar files suggests that some campaigns are still using traditional archive-based distribution, while .tgz archives hint at newer delivery vectors, possibly through compromised file-sharing platforms.
Detection Rate
Preliminary analysis indicates that standard signature-based detection covers approximately 60-70% of today’s samples. However, the JavaScript and PowerShell-based loaders show increased use of string obfuscation and reflection calls, which may lower detection rates for lower-tier AV engines. Organizations relying solely on static analysis may miss these variants.
C2 Infrastructure
No new C2 servers were identified today. This suggests that current campaigns are reusing existing infrastructure; any new server deployments may be delayed, or may use protocols that current monitoring does not cover. The absence of new C2 activity could also indicate a shift toward more transient or peer-to-peer communication methods.
7-Day Trend
Activity has been steadily rising since mid-week, with today’s count exceeding the 7-day average by 25%. If this pace continues, tomorrow’s sample count could reach or surpass 80, reflecting ongoing campaign intensification.
Security Analysis
A notable behavioral change is the increased use of .tgz archives, which are rare for Agent Tesla. This could indicate a cross-platform targeting strategy or a testbed for Linux-compatible payloads — a significant tactical shift for a traditionally Windows-only family. Defensive recommendation: Enable behavioral analysis and execution monitoring for script hosts (wscript.exe, cscript.exe, and powershell.exe) on endpoints, and ensure email gateways scan for and block .tgz attachments in untrusted messages.
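As an added illustration of the defensive recommendation above (example code written for this summary, not the report's own tooling): a Python triage over constructed process-creation events that flags script hosts launched from an email client, script-host chaining (a JS loader starting PowerShell), hidden or encoded command lines, and scripts run from Temp, plus a gateway check that drops .tgz attachments from untrusted senders. The event fields, the sample events and the list of email clients are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like a
# minimal Sysmon Event ID 1 projection: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\AppData\Local\Temp\invoice_2024.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="},  # placeholder blob
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe //nologo C:\scripts\inventory.vbs"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed client set
# Command-line traits the report associates with the JS/PowerShell loaders:
# encoded or hidden PowerShell and reflection-style invocation.
SUSPICIOUS_CMD = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\[System\.Reflection\.Assembly\]|"
    r"Invoke-Expression|\bIEX\b)", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event should be reviewed; an empty list means no finding."""
    reasons = []
    img, parent = basename(ev["image"]), basename(ev["parent"])
    if img not in SCRIPT_HOSTS:
        return reasons
    if parent in EMAIL_CLIENTS:
        reasons.append("script host spawned by email client")
    if parent in SCRIPT_HOSTS and img != parent:
        reasons.append("script host chaining (e.g. JS loader launching PowerShell)")
    if SUSPICIOUS_CMD.search(ev["cmd"]):
        reasons.append("obfuscated/hidden/reflective command line")
    if re.search(r"\\Temp\\.*\.(js|vbe|ps1|bat)\b", ev["cmd"], re.IGNORECASE):
        reasons.append("script executed from Temp directory")
    return reasons

def blocked_attachment(filename, trusted_sender):
    """Gateway policy from the recommendation: drop .tgz (and .tar.gz) from untrusted senders."""
    return (not trusted_sender) and filename.lower().endswith((".tgz", ".tar.gz"))

def triage(events=SAMPLE_EVENTS):
    """Return (image, reasons) for every event with at least one finding."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev["image"]), reasons))
    return hits
```

Running `triage()` on the sample events flags the Outlook-spawned wscript.exe and the chained, encoded powershell.exe while leaving the scheduled cscript.exe inventory script and notepad.exe untouched.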