Daily Summary
Agent Tesla activity remains at its established baseline with 22 new samples identified, matching the 7-day average exactly. The trend is stable, showing no significant surge or decline in volume. The lack of new C2 servers suggests actors may be consolidating operations on existing infrastructure.
New Samples Detected
JavaScript (.js) files continue to dominate new submissions, comprising 15 of the 22 samples. This is consistent with ongoing campaigns using script-based delivery. The presence of a single .doc file and of one sample with an anomalous “.26413493” extension (most likely a renamed executable; the true type should be confirmed from the file header rather than the name) indicates minor, ongoing experimentation with file types intended to slip past simple extension filters.
Distribution Methods
The heavy use of .js files points to phishing campaigns distributing malicious archives or links to script files, relying on social engineering to execute the payload. The lone .doc file suggests a parallel, lower-volume effort using macro-enabled documents, a historically common vector for this family.
Detection Rate
Current variants are generally well-detected by major antivirus engines due to Agent Tesla’s long-established signatures. However, the consistent stream of new samples, particularly the .js files, indicates ongoing attempts at obfuscation and code modification that may temporarily lower detection rates for newer variants until signatures are updated.
C2 Infrastructure
No new C2 servers were identified today. This lull in infrastructure expansion could indicate a period of operational consolidation, where threat actors are focusing on leveraging existing, potentially resilient servers rather than deploying new, easily blocklisted ones.
7-Day Trend
Activity has been remarkably consistent over the past week, hovering at the 22-sample daily average. This indicates a steady, automated, and likely high-volume distribution pipeline rather than sporadic, targeted campaigns.
Security Analysis
The persistent use of .js files, coupled with the appearance of a file carrying a random numeric extension, highlights a continued focus on defeating extension-based blocking rules. The tactic is low-sophistication but effective against organizations that filter only on known-bad extensions such as .exe or .scr. Note that an unregistered extension has no default handler on Windows, so a file like the “.26413493” sample does not run on double-click; it has to be renamed or loaded by a dropper, which means the evasion targets mail and web filters rather than the endpoint itself. A proactive defensive recommendation is to implement application allowlisting where feasible, and to monitor for, and where possible block, the Windows Script Host binaries (wscript.exe and cscript.exe) being launched with a script file that resides in a user-writable directory such as Downloads or Temp. The script host itself always runs from System32, so the path to inspect is the script argument on the command line, not the host image.
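The two detections recommended above (script hosts executing from Downloads or Temp, and a PE file hiding under a non-executable extension such as the “.26413493” sample) can be expressed as a small triage routine. The following Python is an added example, not code from the original report or from any vendor tooling. It assumes process-creation records with Sysmon-style Image and CommandLine fields, treats cscript.exe as a sibling of wscript.exe, and uses a fixed list of directory fragments and executable extensions; all events and file samples below are constructed for illustration.

```python
"""Detection logic for script-host launches from user-writable paths and for
renamed executables.  Added example; events and files below are constructed."""
import re
from pathlib import PureWindowsPath

# Windows Script Host binaries that execute .js/.vbs payloads (assumption: only these two).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Lower-cased, backslash-delimited fragments of directories where phishing
# payloads are typically dropped (assumed list; tune per environment).
SUSPICIOUS_DIR_FRAGMENTS = ("\\downloads\\", "\\temp\\", "\\tmp\\")
# Extensions under which an 'MZ' (PE) header is expected; MZ under any other
# extension is a renamed executable.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx", ".drv", ".com"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def command_line_tokens(command_line):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command_line)]


def script_path_from_command_line(command_line):
    """Return the first argument that looks like a script file, or None.

    Token 0 is the host binary; tokens starting with '/' are WSH switches
    such as //B or //nologo and are skipped.
    """
    for tok in command_line_tokens(command_line)[1:]:
        if tok.startswith("/"):
            continue
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def is_suspicious_script_launch(event):
    """True if a script host is running a script from a Downloads/Temp-style path."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return False
    script = script_path_from_command_line(event["CommandLine"])
    if script is None:
        return False
    normalised = script.lower().replace("/", "\\")
    return any(frag in normalised for frag in SUSPICIOUS_DIR_FRAGMENTS)


def looks_like_renamed_executable(filename, head):
    """True if the file starts with a PE 'MZ' header but is not named as an executable."""
    ext = PureWindowsPath(filename).suffix.lower()
    return head[:2] == b"MZ" and ext not in EXECUTABLE_EXTS


def triage(events, files):
    """Return (identifier, reason) pairs for everything that should alert."""
    alerts = []
    for ev in events:
        if is_suspicious_script_launch(ev):
            alerts.append((ev["id"], "script host executing script from user-writable directory"))
    for name, head in files:
        if looks_like_renamed_executable(name, head):
            alerts.append((name, "PE header under non-executable extension"))
    return alerts


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_4421.js"'},
    {"id": 2, "Image": r"C:\Windows\System32\cscript.exe",        # legitimate admin use
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
    {"id": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B //nologo "C:\Users\bob\AppData\Local\Temp\7zO4A1\Scan.js"'},
    {"id": 4, "Image": r"C:\Windows\explorer.exe",                # not a script host
     "CommandLine": r"C:\Windows\explorer.exe C:\Users\alice\Downloads"},
]

# Constructed (filename, first bytes) pairs; the first mimics the renamed-executable sample.
SAMPLE_FILES = [
    ("report.26413493", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Invoice_4421.js", b"var s = new ActiveXObject("),
]

if __name__ == "__main__":
    for ident, reason in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"ALERT {ident}: {reason}")
```

In production the event stream would come from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled, and the file check would run on mail-gateway or sandbox submissions. Expect some noise from installers that unpack and run scripts out of Temp, so the directory list and an allowlist of known installer paths need local tuning; pairing the rule with reassigning the .js/.jse default handler to a text editor removes most of the double-click risk outright.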