Daily Summary
Agent Tesla activity registered 71 samples on 2026-04-27, a 3% increase over the 7-day average of 69, indicating a stable trend. No dramatic spikes or drops were observed, with volume closely tracking the week’s baseline. This sustained output suggests ongoing, campaign-driven distribution rather than a temporary surge.
New Samples Detected
Today’s 71 samples show a distinct shift toward script-based payloads: JavaScript (.js) leads with 22 samples (31%), followed by PowerShell (.ps1) with 19 (27%), and executables (.exe) with 18 (25%). The remaining 12 samples comprise .bat, .rar, .tgz, .vbs, .img, and .vbe files. This is notable because script-based delivery (.js + .ps1) now accounts for 58% of the total, up from a typical 40-45% mix over the past week, suggesting actors are favoring lighter, more evasive initial loaders over compiled executables.
Distribution Methods
File types point to phishing-driven delivery chains. The high number of .js and .ps1 scripts indicates multi-stage infections: users likely receive a .rar or .tgz archive via email, from which a JavaScript or VBScript downloader is extracted. This script then pulls down or executes a PowerShell payload to deploy Agent Tesla. The presence of .img and .vbe files suggests ISO mounting and obfuscated script variants are being tested, aligning with recent campaign trends to bypass email gateway filters.
Detection Rate
Based on today’s new IOCs (71 hashes), static detection rates for the .js and .ps1 variants are inconsistent. Many script-based samples show low initial detection on major AV engines, as they often use obfuscated or uniquely named loader stages. The .exe and .bat samples, in contrast, are better flagged due to known Agent Tesla binary signatures. New script-based variants may be evading signature-based engines, requiring behavioral monitoring.
C2 Infrastructure
No new C2 servers were observed today. Existing infrastructure appears to be reused, with no shift in geographic hosting patterns. This suggests the operator is not rotating command servers aggressively, relying instead on sustained IOC updates (71 new hashes) to maintain access.
7-Day Trend
The stable trend (3% above average) confirms Agent Tesla is maintaining consistent output without escalation or decay. Activity over the past week has ranged from 64 to 72 samples per day, with today’s count at the upper end of that band, indicating a steady-state operation.
Security Analysis
The most notable observation is the deliberate pivot to script-first delivery: 58% of today’s samples are scripts, a significant deviation from Agent Tesla’s traditional .exe-heavy campaigns. This tactic lowers the barrier for initial execution, as scripts can bypass stricter executable policies and are easier to obfuscate with simple encoding. Compared to prior campaigns (e.g., observed VBS-based loaders in Q1 2026), this shift toward JavaScript and PowerShell suggests actors are responding to improved endpoint detection for PE files. Actionable recommendation: Enable execution policy restrictions for PowerShell and JavaScript from untrusted sources, and monitor for script files launched from archive attachments, particularly .rar and .tgz. Deploy script-blocking rules in email gateways for attachment names containing “invoice,” “order,” or “payment.”
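The following is an added example, not tooling from this report, that turns the two recommendations above (and the behavioural-monitoring point in the Detection Rate section) into checks a defender can run: one rule flags script interpreters launched from archive or mail processes or from extraction directories, and the chain of a script host spawning PowerShell; the other applies the gateway rule for script attachments whose names carry the "invoice", "order" or "payment" lure words. The key=value log format, the interpreter and parent-process lists, the extraction-path pattern and every log line, path and filename are constructed assumptions for illustration.

```python
"""Behavioural checks for the archive -> script -> PowerShell chain described
in the report. Added example, not the report's own tooling; all log lines,
paths, filenames and the key=value format are constructed for illustration."""
import re

# Interpreters that run the .js / .vbs / .vbe / .ps1 / .bat loader stages (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXTS = (".js", ".vbs", ".vbe", ".ps1", ".bat")
# Processes that typically parent the first stage of an attachment chain (assumed list).
ARCHIVE_OR_MAIL_PARENTS = {"winrar.exe", "7zfm.exe", "7z.exe", "outlook.exe"}
# Constructed pattern for archive-extraction and download directories.
EXTRACTION_PATH_RE = re.compile(r"\\(temp|tmp|downloads|rar\$[^\\]+|7z[^\\]+)\\", re.IGNORECASE)
# Lure words taken from the gateway recommendation in the report.
LURE_WORDS = ("invoice", "order", "payment")
ARCHIVE_EXTS = (".rar", ".tgz", ".zip", ".img")  # archives and disk images named in the report

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed process-creation events in a simple key=value form.
SAMPLE_LOG = [
    r'parent=winrar.exe image=wscript.exe cmdline="wscript.exe C:\Users\a\AppData\Local\Temp\Rar$DIa1234.5678\invoice_4421.js"',
    r'parent=wscript.exe image=powershell.exe cmdline="powershell.exe -File C:\Users\a\AppData\Local\Temp\stage2.ps1"',
    r'parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\Users\a\Documents\notes.txt"',
    r'parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"',
]


def parse_event(line: str) -> dict:
    """Parse one constructed key=value line into a dict (quoted values keep their spaces)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def script_in_cmdline(cmdline: str) -> bool:
    """True when any command-line token names a file with a script extension."""
    return any(tok.strip("\"'").lower().endswith(SCRIPT_EXTS) for tok in cmdline.split())


def classify_event(event: dict) -> list:
    """Return the reasons an event matches the loader chain; an empty list means no match."""
    reasons = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    if image not in SCRIPT_HOSTS:
        return reasons
    has_script = script_in_cmdline(cmdline)
    # Stage 1: a script host started by an archiver or mail client with a script argument.
    if parent in ARCHIVE_OR_MAIL_PARENTS and has_script:
        reasons.append(f"{image} launched by {parent} with a script argument")
    # Scripts executed straight out of a temp or archive-extraction directory.
    if has_script and EXTRACTION_PATH_RE.search(cmdline):
        reasons.append("script run from a temp/extraction directory")
    # Stage 2: the JavaScript/VBScript stage handing off to PowerShell.
    if image in {"powershell.exe", "pwsh.exe"} and parent in {"wscript.exe", "cscript.exe"}:
        reasons.append("PowerShell spawned by a script host")
    return reasons


def detect(lines: list) -> list:
    """Run classify_event over log lines; return (line index, reasons) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


def attachment_verdict(filename: str, archive_members=()) -> str:
    """Gateway rule from the report: 'block' a script attachment, direct or inside an
    archive, whose name carries a lure word; 'review' other script attachments;
    'allow' everything else."""
    name = filename.lower()
    members = [m.lower() for m in archive_members]
    carries_script = name.endswith(SCRIPT_EXTS) or (
        name.endswith(ARCHIVE_EXTS) and any(m.endswith(SCRIPT_EXTS) for m in members))
    if not carries_script:
        return "allow"
    lure = any(w in n for n in [name] + members for w in LURE_WORDS)
    return "block" if lure else "review"


if __name__ == "__main__":
    for idx, reasons in detect(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(reasons))
    print(attachment_verdict("Invoice_4421.rar", ["invoice_4421.js"]))
```

The process rule deliberately leaves explorer.exe out of the parent list, since a user double-clicking any script produces that parent; the extraction-path condition catches the archive case instead, which keeps the administrator running a .ps1 from a fixed scripts directory (last sample line) out of the alert stream.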