Daily Summary
Agent Tesla sample collection recorded 42 new samples on 2026-05-05, a 30% decline from the 7-day average of 60. This drop marks a continued cooling period after a surge observed earlier in the week. No new C2 servers were identified, suggesting operators may be rotating existing infrastructure.
New Samples Detected
JavaScript files dominate today’s haul with 13 samples, followed by executables (9) and PowerShell scripts (5). Notably, a file with an appended numeric extension (.93763227) appeared once, likely a renamed or obfuscated payload. The lack of macro-enabled Office files indicates a shift away from document-based delivery this week. Compressed archives (RAR, ZIP, TAR) remain minimal at 7 total, suggesting reduced use of multi-stage payloads.
Distribution Methods
Today’s file types point to phishing emails as the primary vector, with JavaScript attachments and PowerShell scripts facilitating initial execution. The .js files likely drop or fetch the main payload from remote servers. The absence of .docm or .xlsm files contrasts with previous campaigns that relied heavily on macro-based lures. BAT and VBS scripts are present but low in volume, serving supplementary execution roles.
Detection Rate
Most major AV engines detect older Agent Tesla variants reliably, but the 9 .exe and 5 .ps1 samples may use simple packing or obfuscation to evade signature-based checks. The single .93763227 file likely bypasses static scanning due to its unconventional extension.
C2 Infrastructure
No new C2 servers were observed today, consistent with the lower sample count. Previous Agent Tesla C2s have been tied to SMTP-based exfiltration rather than dedicated panels, so this gap may indicate temporary deactivation or reuse of older endpoints.
7-Day Trend
After a mid-week spike, Agent Tesla activity has declined over the last 48 hours to 42 samples, 30% below the weekly average. This pattern suggests a tactical lull rather than a sustained reduction, as operators may be repositioning campaigns.
Security Analysis
Agent Tesla’s shift away from macro-enabled documents and toward JavaScript and PowerShell aligns with broader adversary adaptation to Microsoft’s macro-blocking policy. Defenders should prioritize monitoring script-based execution chains, especially .js files that fetch remote payloads. Actionable recommendation: block execution of JavaScript via Windows Script Host for non-admin users and enable AMSI for PowerShell to catch in-memory payloads.
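One way to apply and verify the two recommendations above, as an added example that is not part of the original report: it disables Windows Script Host through the documented Settings\Enabled registry value, confirms that an AMSI provider is registered, and turns on PowerShell script block logging so in-memory payloads are also written to the event log (the logging step is an assumed complement to AMSI, not something the report names). It assumes an elevated PowerShell session on a Windows host.

```powershell
# Added hardening/verification example; not code from the original report.
# Assumes an elevated session. Registry paths are the standard Windows Script
# Host, AMSI and PowerShell policy locations.

$WshSettings       = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$AmsiProviders     = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$ScriptBlockPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Disable-WindowsScriptHost {
    # Enabled = 0 makes wscript.exe / cscript.exe refuse to run .js, .jse and
    # .vbs files for every user on the machine. Writing the same value under
    # HKCU instead scopes the block to a single (e.g. non-admin) user.
    if (-not (Test-Path $WshSettings)) { New-Item -Path $WshSettings -Force | Out-Null }
    New-ItemProperty -Path $WshSettings -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-ScriptBlockLogging {
    # AMSI already hands PowerShell script blocks to the registered AV engine;
    # script block logging additionally records the de-obfuscated content as
    # event ID 4104 in Microsoft-Windows-PowerShell/Operational, which is what
    # a SOC needs to see a payload fetched by a .js dropper.
    if (-not (Test-Path $ScriptBlockPolicy)) { New-Item -Path $ScriptBlockPolicy -Force | Out-Null }
    New-ItemProperty -Path $ScriptBlockPolicy -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ScriptHardening {
    # Returns one object so the check can be run on its own during an audit.
    $wsh = (Get-ItemProperty -Path $WshSettings -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $sbl = (Get-ItemProperty -Path $ScriptBlockPolicy -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    # Each AMSI provider registers a CLSID subkey; no subkeys means no engine
    # will ever see PowerShell script blocks, however AMSI is "enabled".
    $providerCount = @(Get-ChildItem -Path $AmsiProviders -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{
        WshBlocked           = ($wsh -eq 0)
        AmsiProviderPresent  = ($providerCount -gt 0)
        ScriptBlockLoggingOn = ($sbl -eq 1)
    }
}

Disable-WindowsScriptHost
Enable-ScriptBlockLogging
Test-ScriptHardening | Format-List
```

Run Test-ScriptHardening alone on a fleet to spot hosts where the block was reverted or where no AMSI provider is registered; an AmsiProviderPresent of False on a host with a third-party AV usually means that product does not plug into AMSI.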