Agent Tesla - Daily Threat Report

Sunday, June 21, 2026

Daily Summary

Agent Tesla activity surged to 78 new samples on June 21, 2026, a 73% increase over the 7-day average of 45. This marks a significant spike driven almost entirely by a 70% increase in JavaScript-based payloads, while other file types remain at baseline levels.

New Samples Detected

The file type distribution shifted heavily toward .js samples, which accounted for 54 of the 78 new detections (69%). This is a notable departure from the typical mix dominated by .exe and .vbs loaders. The .js samples likely serve as initial downloaders that retrieve secondary payloads from remote servers. Only 9 .exe files were observed, suggesting operators are testing a new delivery chain that favors script-based initial access over executable attachments.

7-Day Trend

Today’s count of 78 samples is 73% above the 7-day average of 45, crossing the 25% deviation threshold that warrants attention. The trend is rising, with .js samples driving the acceleration. The previous 6 days averaged 40 samples per day, making today’s surge a genuine anomaly rather than a gradual climb.

IOC Highlights

All 78 new samples yielded fresh IOCs (hashes, file names, or extraction indicators). The volume suggests a coordinated campaign rather than organic spread. Analysts should prioritize blocking .js file attachments and scripts with high-entropy content, as these are likely the first stage in the current delivery chain.

Security Analysis

The disproportionate reliance on JavaScript loaders, rather than the conventional executable-first approach, mirrors tactics previously observed in Agent Tesla campaigns from late 2025 that targeted logistics firms. This shift reduces the likelihood of detection by endpoint protection that heavily scans PE files for known signatures. Defensive recommendation: Enable script blocking for .js and .vbs attachments in email gateways, and deploy behavioral detection rules for PowerShell and WScript processes spawning network connections to non-standard ports (8080, 8443, 4444).
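One way to implement the behavioral rule recommended above, as an added example that is not part of this report: it correlates constructed process-creation and network-connection events by pid and flags WScript or PowerShell processes connecting to the ports named here. The event field names, the sample telemetry and the documentation-range IP addresses are assumptions, not any particular EDR's schema or real indicators.

```python
"""Behavioral detection: script hosts (WScript, PowerShell) opening network
connections to non-standard ports. All telemetry is constructed for illustration."""
from dataclasses import dataclass

# Processes the report names as first-stage script hosts.
SCRIPT_HOSTS = {"wscript.exe", "powershell.exe"}
# Ports the report singles out as non-standard for these processes.
SUSPICIOUS_PORTS = {8080, 8443, 4444}

@dataclass(frozen=True)
class ProcessEvent:          # assumed shape of a process-creation event
    pid: int
    image: str
    parent_image: str
    command_line: str

@dataclass(frozen=True)
class NetworkEvent:          # assumed shape of an outbound-connection event
    pid: int
    dest_ip: str
    dest_port: int

def detect(processes, connections):
    """Return one alert per connection from a script host to a suspicious port.
    Events are joined on pid, the way an EDR correlation rule would do it."""
    by_pid = {p.pid: p for p in processes}
    alerts = []
    for conn in connections:
        proc = by_pid.get(conn.pid)
        if proc is None or proc.image.lower() not in SCRIPT_HOSTS:
            continue
        if conn.dest_port not in SUSPICIOUS_PORTS:
            continue
        # A .js argument ties the event to the script-based delivery chain above.
        launched_js = ".js" in proc.command_line.lower()
        alerts.append({"pid": conn.pid, "image": proc.image, "parent": proc.parent_image,
                       "dest": f"{conn.dest_ip}:{conn.dest_port}", "js_launcher": launched_js})
    return alerts

# Constructed sample telemetry (not real IOCs).
SAMPLE_PROCESSES = [
    ProcessEvent(1001, "wscript.exe", "outlook.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcessEvent(1002, "powershell.exe", "explorer.exe", "powershell.exe -NoProfile Get-Date"),
    ProcessEvent(1003, "chrome.exe", "explorer.exe", "chrome.exe"),
]
SAMPLE_CONNECTIONS = [
    NetworkEvent(1001, "203.0.113.10", 4444),  # script host to non-standard port: alert
    NetworkEvent(1002, "198.51.100.5", 443),   # PowerShell to 443: not flagged by this rule
    NetworkEvent(1003, "198.51.100.7", 8080),  # browser to 8080: not a script host
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(alert)
```

In production the same join would run over the EDR's process and network telemetry; the pid join needs a process-start timestamp as well to survive pid reuse.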

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)
