Daily Summary
Agent Tesla activity remains stable with 70 new samples collected today, an 11% increase over the 7-day average of 63. No significant surge or drop was observed, indicating steady operational tempo from threat actors.
New Samples Detected
PowerShell scripts dominate today’s collection with 29 samples (41%), followed by 14 executables and 13 JavaScript files. The mix of .ps1, .js, and .bat files suggests continued reliance on living-off-the-land techniques to execute payloads. The presence of compressed archives (.rar, .zip, .gz, .tar) across 5 samples indicates continued use of packed delivery chains.
Distribution Methods
File type distribution points to two primary delivery channels: phishing emails with weaponized attachments (.ps1, .js, .exe) and download links that deliver potentially malicious archive files. The 29 PowerShell scripts suggest campaign operators are favoring script-based execution over compiled binaries, likely to evade static detection. The lack of .doc or .xls files is notable, diverging from the common macro-driven campaigns seen in prior weeks.
Detection Rate
With 70 new IOCs generated from today’s samples, detection rates may be inconsistent across AV engines. The high volume of script-based samples (.ps1, .js, .bat) typically exhibits lower detection rates than compiled executables, as obfuscation techniques are easier to apply. SOC teams should not rely solely on signature-based detection for script variants.
C2 Infrastructure
No new C2 servers were identified today, a departure from typical activity levels. This could indicate reuse of existing infrastructure or a deliberate lull in C2 updates. The lack of geographic data for servers prevents regional attribution.
7-Day Trend
Today’s 70 samples represent a slight elevation over the week’s average of 63, maintaining a stable pattern without acceleration or decline. Activity levels have been consistent, likely reflecting ongoing campaign operations rather than a new offensive.
Security Analysis
The dominance of .ps1 files over .exe files marks a behavioral shift from Agent Tesla’s historical reliance on compiled payloads. This suggests actors are responding to improved EDR detection of executables by pivoting to script-based delivery. The complete absence of C2 infrastructure changes today is also atypical, hinting at possible staged operations where infrastructure updates occur on a different cadence from sample distribution. Actionable recommendation: Enable PowerShell script block logging and restrict execution policy to signed scripts only, as 41% of today’s samples exploit PowerShell for initial access.
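One way to carry out the recommendation above, as an added example rather than anything taken from this report: it writes the same registry value Group Policy uses for script block logging on Windows PowerShell 5.1, sets the execution policy to AllSigned, and then reviews the resulting 4104 events for a constructed watch-list of strings (the pattern list and the function name are assumptions; the registry path and event ID are Microsoft-documented values).

```powershell
# Added example, not the report's code. Run from an elevated Windows PowerShell 5.1 session.
# PowerShell 7 reads its own policy key (…\PowerShellCore\ScriptBlockLogging), not this one.

# 1. Turn on script block logging (the key Group Policy writes under Computer Configuration).
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Require signed scripts machine-wide (AllSigned covers both local and downloaded scripts).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Review what the engine logged. Event ID 4104 carries the script text after de-obfuscation,
#    which is why it catches what static scanning of the .ps1 on disk misses.
function Get-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Constructed watch-list of strings common in loader scripts; tune it for your estate.
        [string[]]$Patterns = @('FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX', '-enc')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value      # ScriptBlockText
            $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Matches       = ($hits -join ',')
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Execution policy is a safety feature rather than a security boundary, so the logging step is the control that actually surfaces script-based samples; forward the 4104 events to the SIEM rather than reviewing them only on the host.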