Daily Summary
Agent Tesla activity surged today with 21 new samples, representing a 227% increase over the 7-day average of 6. This sharp rise indicates a significant new distribution campaign is underway. The lack of new C2 servers suggests the campaign is leveraging established infrastructure.
New Samples Detected
Script-based files dominate today’s submissions, with JavaScript (.js) accounting for 15 of the 21 samples. This is a pronounced shift from typical Agent Tesla deployments, which more commonly use executable files. The remaining samples consist of VBScript (.vbs), executable (.exe), and a single batch (.bat) file, indicating a multi-vector approach within the same campaign.
Distribution Methods
The heavy use of .js and .vbs files strongly suggests a phishing campaign distributing malicious scripts as email attachments, likely disguised as invoices or shipping documents. This method relies on social engineering to prompt execution, bypassing initial perimeter defenses that may focus on executable files.
Detection Rate
Current vendor detection rates for these script variants are moderately high, but the specific obfuscation techniques in the new .js files show lower detection scores than the .exe samples. This indicates the scripting variants may have been recently modified to evade signature-based detection.
C2 Infrastructure
No new C2 servers were identified today. All new samples communicated with previously known infrastructure, which remains geographically dispersed. This suggests actors are consolidating operations on resilient, established servers rather than deploying new, easily blacklisted endpoints.
7-Day Trend
Today’s spike breaks a pattern of low, steady activity observed over the past week, where daily samples fluctuated between 3 and 9. This single-day surge represents a clear campaign launch.
Security Analysis
The tactical shift to script-based payloads (.js/.vbs) over executables allows attackers to bypass application allow-listing policies that may not adequately restrict Windows Script Host. This mirrors a broader malware trend of “living-off-the-land.” A key defensive recommendation is to implement granular logging and monitoring for cscript.exe and wscript.exe processes, particularly those spawning from temporary directories or user downloads, to detect the execution chain of these script-based infostealers.
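The monitoring recommendation above can be expressed as a small detection rule over process-creation telemetry. The following is an added example written for this summary, not tooling from the report or from any vendor: it flags wscript.exe or cscript.exe launching a .js or .vbs script whose path sits in a temporary directory or a user's Downloads folder, and records the parent process for triage. Field names follow the Sysmon Event ID 1 convention (Image, CommandLine, ParentImage), the folder patterns are an assumption to tune per environment, and every event record in the block is constructed, not real telemetry.

```python
"""Detection logic for Windows Script Host launches of scripts from temp
or Downloads folders. Added example, not from the original report; the event
shape mimics Sysmon Event ID 1 field names (Image, CommandLine, ParentImage)
but every record below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Script hosts named in the report's recommendation.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}

# Locations the report calls out: temporary directories and user downloads.
# Assumption: these path fragments are the ones worth alerting on; tune per estate.
SUSPICIOUS_DIRS = re.compile(
    r"\\Users\\[^\\]+\\Downloads\\"      # per-user Downloads folder
    r"|\\AppData\\Local\\Temp\\"          # %TEMP% for a user
    r"|\\Windows\\Temp\\",                # system temp
    re.IGNORECASE,
)

# First command-line argument ending in .js or .vbs, quoted or bare.
SCRIPT_ARG = re.compile(r'"([^"]+\.(?:js|vbs))"|(\S+\.(?:js|vbs))\b', re.IGNORECASE)


@dataclass
class Alert:
    host: str      # wscript.exe / cscript.exe
    script: str    # full path of the script being run
    parent: str    # parent process image basename, for triage context
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extract_script(cmdline: str) -> Optional[str]:
    """Return the .js/.vbs path from a WSH command line, or None."""
    m = SCRIPT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the detection to one process-creation record."""
    host = basename(event["Image"])
    if host not in WSH_HOSTS:
        return None
    script = extract_script(event["CommandLine"])
    if script is None or not SUSPICIOUS_DIRS.search(script):
        return None
    where = "user Downloads folder" if "\\downloads\\" in script.lower() else "temporary directory"
    ext = script.rsplit(".", 1)[-1].lower()
    return Alert(
        host=host,
        script=script,
        parent=basename(event["ParentImage"]),
        reason=f"{host} ran {ext} script from {where}",
    )


def scan(events: Iterable[dict]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # phishing-style: Explorer opens a .js "invoice" from Downloads -> alert
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_4471.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # legitimate admin logon script from a managed location -> no alert
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //Nologo C:\Scripts\logon.vbs",
        "ParentImage": r"C:\Windows\System32\gpscript.exe",
    },
    {   # .vbs dropped in %TEMP% and launched by a mail client -> alert
        "Image": r"C:\Windows\SysWOW64\wscript.exe",
        "CommandLine": r"wscript.exe //B //Nologo C:\Users\bob\AppData\Local\Temp\ship_doc.vbs",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    },
    {   # unrelated process touching a .js file -> ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\Downloads\readme.js",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.reason, "| parent:", alert.parent)
```

Run against the constructed records, the rule raises two alerts (the Downloads .js opened from Explorer and the %TEMP% .vbs launched by the mail client) and stays silent on the managed logon script, which is the false-positive class a path-based rule has to tolerate. The parent image is kept in the alert because a script host spawned by a mail client or browser is far more telling than the same host spawned by a Group Policy script runner.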