Agent Tesla - Daily Threat Report

Sunday, June 7, 2026

Daily Summary

Agent Tesla activity rose sharply on June 7, with 56 new samples detected - a 61% increase over the 7-day average of 35. The surge is driven entirely by a spike in JavaScript-based loaders (34 of 56 samples), suggesting a coordinated phishing campaign rather than organic growth.

New Samples Detected

JavaScript files dominated today’s collection, accounting for 60.7% of new samples (34 of 56). This is an anomalous distribution - historically, executable files (.exe) have been the primary delivery format for Agent Tesla, but today’s .exe share (17 of 56) fell below its usual proportion. The remaining samples were .rar archives (2), a WSF script, a single DLL, and a .tar archive. The heavy reliance on .js suggests threat actors are testing or pivoting to script-based initial access in order to bypass email attachment filters that block executables more aggressively than scripts.

7-Day Trend

The 56 new samples represent a 61% deviation above the 7-day average of 35. This marks the second consecutive day of above-average volume, and the largest single-day count in the past two weeks. The trend line indicates the activity is not a one-off spike - yesterday’s count (42) also exceeded the average. If this pace continues tomorrow, it would confirm the start of a new campaign wave.

IOC Highlights

All 56 new samples were flagged as IOCs, but no new C2 servers were identified. This is notable: threat actors appear to be reusing existing command infrastructure while increasing sample volume. The absence of new C2 domains or IPs suggests either the current infrastructure is still operational and trusted, or that samples are deploying with delayed beaconing logic. Analysts should correlate existing C2 indicators against these new hashes.

Security Analysis

The shift from .exe to .js loaders mirrors a pattern observed in Agent Tesla campaigns during Q1 2026, when a similar JavaScript-heavy wave was followed by a rapid C2 rotation. Today’s lack of new C2 servers despite high sample output is suspicious - it may indicate the samples are staged but not yet beaconing, or that attackers are testing new delivery methods before committing fresh infrastructure. Defensive teams should prioritize blocking .js file execution via email gateways and enabling script host logging (e.g., cscript.exe execution events) for 48 hours, as the first beacon activity is likely imminent.
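The script host logging recommended above is only useful if the resulting events are reviewed. As an added example (not from the report or its data sources), the following Python flags wscript.exe and cscript.exe launches of .js, .jse or .wsf files in constructed, Sysmon-style process-creation records, rating launches from user-writable attachment and download folders highest. The JSON layout, field names and sample paths are assumptions.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed process-creation events (not real telemetry), one JSON object per
# line, using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage).
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_4471.js\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\bob\\Downloads\\order.wsf\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe //nologo C:\\Scripts\\inventory.vbs", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe C:\\Scripts\\nightly.js", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
'''

WSH_HOSTS = {"wscript.exe", "cscript.exe"}
# Script types the report calls out (.js loaders, a .wsf script) plus .jse.
SCRIPT_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+\.(?:js|jse|wsf))"'        # quoted path (may contain spaces)
    r'|([A-Za-z]:\\\S+\.(?:js|jse|wsf))(?=\s|$)',  # unquoted path
    re.IGNORECASE)
# Folders where mail clients and browsers drop attachments and downloads.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\', re.IGNORECASE)

def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a WSH launch of a .js/.jse/.wsf file, else None."""
    host = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if host not in WSH_HOSTS:
        return None
    m = SCRIPT_RE.search(event.get("CommandLine", ""))
    if not m:
        return None  # WSH running something else, e.g. an admin .vbs
    script = m.group(1) or m.group(2)
    # A script launched from a user-writable path is the attachment-loader
    # pattern; elsewhere it is still worth review, at lower priority.
    severity = "high" if USER_WRITABLE.search(script) else "medium"
    return {"host": host, "script": script, "severity": severity,
            "parent": event.get("ParentImage", "")}

def scan(log_text: str) -> List[Dict[str, str]]:
    """Apply classify() to each JSON line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(json.loads(line))
            if hit:
                findings.append(hit)
    return findings
```

Running `scan(SAMPLE_LOG)` on the constructed events yields two high-severity findings (the Temp .js and the Downloads .wsf) and one medium one (the .js under C:\Scripts); the admin .vbs and explorer.exe records are ignored.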

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)