Daily Summary
Agent Tesla activity on 2026-06-28 remains stable with 48 new samples, a marginal 6% dip from the 7-day average of 51. No geographic targeting shifts or new C2 infrastructure emerged today, but a notable shift in file type distribution and a new IOC extension warrant attention from SOC analysts.
New Samples Detected
File type distribution shifted markedly today. .js files dominated with 26 samples (54%), up from the near-even split with .exe seen in the prior week. The .exe count dropped to 9 (19%), while .hta and .vbs combined for 10 samples. An unusual .35212541 extension appeared for the first time in 30 days, likely an obfuscated payload or staging file. The .tar archive suggests potential supply-chain or bundling delivery. This spread points to a deliberate pivot away from executable-first delivery toward script-based initial payloads, likely to bypass static analysis filters.
Detection Rate
The emergence of .35212541 and the increased .js ratio (26 vs. typical 10-15/week) indicate minor evasion efforts. No new packers or crypter variants were observed in the .exe set, which suggests the operator is testing script-based AV edge cases. The .35212541 extension may be a renamed .NET executable or compressed archive, difficult to flag without content scanning.
IOC Highlights
All 48 IOCs are new hashes with no overlap with the prior week’s blocklists. The .35212541 sample (SHA256: pending normalization) likely ties to a test campaign observed in Q1 2026 targeting logistics firms. SOC teams should prioritize this sample for behavioral analysis, as the extension may slip through perimeter filters.
Security Analysis
Today’s elevated .js volume mirrors behavior patterns seen in mid-2025 Agent Tesla campaigns that leveraged obfuscated JavaScript to drop .NET binaries. The absence of new C2 domains suggests the operator is reusing existing infrastructure, potentially cycling IPs from a previously observed cloud-hosted pool. Defensive teams should deploy script execution monitoring and user-agent string checks at web gateways, as Agent Tesla’s JavaScript droppers frequently include multi-stage embedded C2 IPs. Prioritize email gateway rules that block .js attachments with embedded long hex strings, a common fingerprint in these samples.
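An added example, not code from the report or its feed: a small Python triage routine that applies the report's attachment heuristics (a long hex string embedded in a script attachment, an unrecognized numeric extension such as .35212541 that may hide a renamed executable, and archives that need their members re-scanned). The sample attachment names and contents are constructed, and the 64-character hex threshold and extension lists are assumptions.

```python
import os
import re

# Heuristics from the report: .js droppers carrying long embedded hex strings,
# and a never-before-seen numeric extension (.35212541). The threshold and the
# extension sets below are assumptions, not values taken from the report.
SCRIPT_EXTS = {".js", ".hta", ".vbs"}
ARCHIVE_EXTS = {".tar", ".zip", ".7z"}
KNOWN_EXTS = SCRIPT_EXTS | ARCHIVE_EXTS | {".exe", ".pdf", ".docx", ".xlsx", ".txt"}
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{64,}")  # 64+ contiguous hex characters


def triage(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held; an empty list means clean."""
    reasons = []
    _, ext = os.path.splitext(name.lower())
    if ext in SCRIPT_EXTS:
        m = HEX_RUN.search(data)
        if m:
            reasons.append(f"{ext} attachment embeds a {len(m.group())}-char hex string")
    if ext not in KNOWN_EXTS:
        reasons.append(f"unrecognized extension {ext!r}; content scan required")
    if ext in ARCHIVE_EXTS:
        reasons.append(f"{ext} archive; expand and re-triage members")
    if data[:2] == b"MZ" and ext != ".exe":
        # A PE/.NET image under a non-executable extension (the renamed-binary case)
        reasons.append(f"PE header under non-executable extension {ext!r}")
    return reasons


def verdict(name: str, data: bytes) -> str:
    """Map reasons to a gateway action: block hex-blob scripts and disguised PEs, hold the rest."""
    reasons = triage(name, data)
    if not reasons:
        return "allow"
    if any("hex string" in r or "PE header" in r for r in reasons):
        return "block"
    return "quarantine"


# Constructed samples for demonstration; not hashes or files from the report.
SAMPLES = {
    "invoice_0628.js": b'var b = "' + b"4d5a9000" * 12 + b'"; new ActiveXObject("WScript.Shell");',
    "tracking.js": b"document.getElementById('x').innerText = 'ok';",
    "manifest.35212541": b"MZ\x90\x00" + b"\x00" * 60,
    "shipment.tar": b"ustar\x00" + b"\x00" * 20,
    "quote.pdf": b"%PDF-1.7 ...",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:20} {verdict(fname, blob):10} {'; '.join(triage(fname, blob))}")
```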