Agent Tesla - Daily Threat Report

Thursday, May 7, 2026

Daily Summary

Agent Tesla activity declined sharply on 2026-05-07, with only 36 new samples detected against a 7-day average of 62, representing a 42% drop. This marks a significant cooling period following recent volatility, with no new C2 servers observed and volume falling well below the week’s normal range.

New Samples Detected

JavaScript files dominate today’s haul at 14 samples (39%), followed by 11 standalone executables (31%) and a long tail of supporting formats: two each of VBScript, RAR archives, and PowerShell scripts, and single instances of .tar, .dll, .zip, .bat, and a suspicious .93763227 extension. The high proportion of script-based delivery (JS, VBS, and PS1 together total 18 samples, half of the day’s volume) suggests campaign operators are pivoting toward downloader chains rather than direct executable drops.

Distribution Methods

File types point to phishing-based delivery with JavaScript droppers serving as initial payloads, likely embedded in email attachments or hosted on compromised sites. The presence of RAR and ZIP archives indicates password-protected attachments remain common, while the solitary .93763227 file may represent an obfuscated or mislabeled artifact from a failed or unconventional campaign variant.

Detection Rate

Current antivirus catch rates for these new samples are unknown, but script-based loaders and multi-stage archives typically reduce detection by scanning engines. Security teams should assume moderate evasion potential, particularly for the .js and .ps1 files, which can bypass static analysis if obfuscated.

C2 Infrastructure

No new C2 servers were observed today, suggesting existing infrastructure may be sufficient for current campaigns or that operators are rotating servers on a slower cadence. Sustained zero-new-server days could indicate preparation for a coordinated C2 shift later in the week.

7-Day Trend

Agent Tesla volume has been erratic over the past week, with today’s 36 samples representing a 42% reduction from the 7-day average and a notable drop from the week’s peak of 89 samples on May 4. Activity appears to be cooling after a mid-week surge, though the trend could reverse rapidly given the campaign’s history.

Security Analysis

Today’s data reveals a tactical shift toward script-based initial infection vectors, with JavaScript and PowerShell combined outpacing traditional executables. This is consistent with threat actors adapting to tighter email security filtering by favouring macro-less lures. Defenders should prioritize monitoring for suspicious .js file executions and restrict PowerShell execution policy to signed scripts only (bearing in mind that execution policy is a safety setting rather than a security boundary, so it should be paired with script block logging), as these script loaders often serve as the gateway for Agent Tesla’s keylogging and credential theft modules.

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)