Daily Summary
Agent Tesla activity on 2026-05-31 declined to 32 new samples, a 19% drop below the 7-day average of 39. The sample set shows an unusual shift toward JavaScript-based loaders (12 .js files), and, for the first time in the current tracking window, no new C2 servers were observed.
New Samples Detected
The distribution of file types today reveals a notable pivot toward script-based initial access. Of the 32 samples, 12 were .js files and 1 was a .jse file, collectively accounting for 40% of the total. This is a marked departure from the typical .exe-heavy distribution, where executables normally represent 50-60% of daily samples. The .exe count was 14 (44%), with a single .dll, .vbs, .bat, .7z, and .r15 sample each. The presence of a .r15 archive (likely a multi-part RAR file) is unusual for Agent Tesla and may indicate an attempt to evade email attachment filters that block common archive formats like .zip or .rar. The .7z format is also less common and aligns with threat actors testing alternative compression to bypass detection.
7-Day Trend
The 19% decline from the 7-day average is notable but does not cross the 25% threshold for a significant deviation. However, the composition of samples shifted more sharply than the volume. The ratio of script-based samples (.js and .jse) to executables today (13:14) is the highest observed in the past 14 days. This suggests the decline is not the result of reduced activity but rather a tactical shift in delivery methodology, possibly indicating a new phishing campaign template or a builder that outputs script-based payloads.
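The file-type breakdown above and the 7-day comparison are the kind of checks a tracker can automate. The following script is an added example, not part of the original report or its tooling: it classifies a day's samples by extension, measures the deviation from the trailing 7-day average against the report's 25% threshold, computes the script-to-executable ratio, and flags extensions outside the family's usual set (naming .rNN files as multi-part RAR volumes). The file names, the extension sets and the history counts are constructed placeholders, not real IOCs.

```python
import re
from collections import Counter
from statistics import mean

# Extension groups matching the report's own categories (constructed defaults;
# adjust to the tracker's taxonomy).
SCRIPT_EXTS = {"js", "jse"}            # the report's "script-based" bucket
EXECUTABLE_EXTS = {"exe"}
COMMON_EXTS = {"exe", "dll", "js", "jse", "vbs", "bat", "zip", "rar"}
SIGNIFICANT_DEVIATION = 0.25           # report's threshold for a notable volume change
MULTIPART_RAR = re.compile(r"^r\d{2}$")  # .r00 .. .r99 volumes of a split RAR set


def extension(filename: str) -> str:
    """Lower-cased final extension ('' when the name has none)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_counts(filenames) -> Counter:
    """Count samples per extension."""
    return Counter(extension(f) for f in filenames)


def volume_deviation(today_count: int, history_counts) -> float:
    """Fractional change of today's count against the trailing average."""
    avg = mean(history_counts)
    return (today_count - avg) / avg


def script_ratio(counts: Counter) -> float:
    """Script-based samples divided by executables (inf when there are no executables)."""
    scripts = sum(counts[e] for e in SCRIPT_EXTS)
    exes = sum(counts[e] for e in EXECUTABLE_EXTS)
    return scripts / exes if exes else float("inf")


def uncommon_extensions(counts: Counter) -> dict:
    """Extensions outside the family's usual set, with multi-part RAR volumes named."""
    flagged = {}
    for ext in counts:
        if ext in COMMON_EXTS:
            continue
        flagged[ext] = "multi-part RAR volume" if MULTIPART_RAR.match(ext) else "uncommon extension"
    return flagged


def triage(filenames, history_counts) -> dict:
    """Summarise one day's sample set for the daily report."""
    counts = extension_counts(filenames)
    total = len(filenames)
    dev = volume_deviation(total, history_counts)
    return {
        "total": total,
        "deviation": round(dev, 3),
        "significant_volume_change": abs(dev) >= SIGNIFICANT_DEVIATION,
        "script_to_exe": round(script_ratio(counts), 2),
        "script_share": round(sum(counts[e] for e in SCRIPT_EXTS) / total, 2),
        "review_first": uncommon_extensions(counts),
    }


# Constructed sample set mirroring the report's mix: 14 .exe, 12 .js, and one each
# of .jse/.dll/.vbs/.bat/.7z/.r15. The names are placeholders, not real IOCs.
TODAY = (
    [f"invoice_{i}.exe" for i in range(14)]
    + [f"shipping_doc_{i}.js" for i in range(12)]
    + ["quote.jse", "helper.dll", "order.vbs", "run.bat", "attachment.7z", "archive.r15"]
)
# Constructed trailing 7-day counts (average about 39.6).
HISTORY = [41, 38, 40, 38, 42, 39, 39]

if __name__ == "__main__":
    for key, value in triage(TODAY, HISTORY).items():
        print(f"{key}: {value}")
```

Run as-is it reports a volume deviation of about -19% (below the 25% threshold, so not flagged), a script-to-executable ratio of 0.93, and puts the .7z and .r15 samples at the top of the review list, which is the same conclusion the prose above reaches by hand.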
IOC Highlights
All 32 new IOCs are file hashes (MD5/SHA256) with no new C2 domains or IPs identified. This is the first day in the current reporting period with zero new C2 infrastructure. Analysts should note that the absence of C2 updates may indicate the reuse of existing, unblocked infrastructure or a temporary pause in server rotation. The hash-based IOCs cover a mix of .exe, .js, .dll, and compressed archive samples, with the .r15 and .7z files warranting priority review given their uncommon use in Agent Tesla campaigns.
Security Analysis
The simultaneous decline in total samples and shift toward JavaScript payloads, combined with zero new C2 infrastructure, suggests this is not a retreat but a deliberate campaign reset. The 13 script-based samples likely use wscript.exe or cscript.exe (Windows Script Host) execution chains, which many endpoint detection rules treat as lower priority than PE files. Defenders should prioritize creating YARA rules that detect Agent Tesla-specific strings (e.g., SMTP configurations, keylogging function names) within JavaScript or VBScript files, not just within executables, and enforce script execution policies (e.g., AppLocker or WDAC) on downloads triggered from the email gateway.