Overview
Agent Tesla is a .NET-based infostealer and keylogger that has been active since at least early 2014, making it one of the longest-running malware families in its category. It was originally marketed as a legitimate “remote monitoring” tool on a dedicated website (agenttesla.com, since taken down), and quickly became a staple of the cybercrime ecosystem because of its low cost, accessible interface, and broad feature set. Agent Tesla is sold through underground forums and Telegram channels, typically as a builder that lets operators generate customized payloads with their own exfiltration settings baked in. Despite its age, Agent Tesla consistently ranks among the most detected malware families globally, particularly in phishing campaigns against enterprises, where the mailbox and account credentials it harvests are frequently reused for business email compromise.
Capabilities
Agent Tesla functions as both a keylogger and a credential stealer. It captures keystrokes in real time, takes periodic screenshots, and records clipboard contents. It extracts saved credentials, cookies, and autofill data from over 40 web browsers, as well as credentials from email clients (Outlook, Thunderbird), FTP clients (FileZilla, WinSCP, CoreFTP), VPN software, and download managers. One of Agent Tesla’s distinguishing features is its wide range of exfiltration channels: operators can configure data to be sent via SMTP (email), FTP upload, HTTP POST to a web panel, or directly to a Telegram bot. The SMTP or FTP account used for exfiltration is embedded in the payload’s configuration, so once a sample is unpacked its configuration typically reveals the operator’s drop mailbox or server and can be used to cluster a campaign. The malware includes anti-analysis features such as detecting virtual machines and sandbox environments, disabling Windows security features, and establishing persistence through registry Run keys or scheduled tasks. Recent versions have added the ability to steal saved Wi-Fi profiles and their pre-shared keys, typically by invoking netsh wlan show profile with key=clear.
Distribution Methods
Agent Tesla is distributed almost exclusively through phishing emails, making it one of the most email-centric malware families. Common lure themes include purchase orders, shipping notifications, payment confirmations, tax documents, and COVID-19-related content. Delivery mechanisms have evolved over the years and include malicious Office documents with VBA macros, RTF files exploiting Equation Editor vulnerabilities (CVE-2017-11882 is heavily favored), ISO and IMG disc image attachments (which historically did not propagate the Mark-of-the-Web to their contents), RAR and ZIP archives with embedded executables, and more recently, OneNote files with embedded scripts. Multi-stage delivery chains are common, often involving a downloader or loader that fetches and executes Agent Tesla as a final payload, frequently decoding it in memory rather than writing the stealer itself to disk. PowerShell and VBScript-based stagers are commonly used in these chains.
Notable Campaigns
Agent Tesla has been a fixture of phishing campaigns for over a decade. During the COVID-19 pandemic in 2020-2021, it was among the most widely distributed malware leveraging pandemic-themed lures, targeting healthcare organizations, government agencies, and logistics companies. In 2023, researchers observed a surge in Agent Tesla campaigns using the CVE-2017-11882 Equation Editor exploit embedded in RTF files, demonstrating that a six-year-old vulnerability remains effective against organizations running Office installations that never received the 2018 updates. Throughout 2024, Agent Tesla was heavily used in credential-harvesting campaigns feeding business email compromise operations against the manufacturing, shipping, and financial services sectors across Asia, Europe, and the Americas. Its global reach and low barrier to entry make it a persistent threat across all industries.
Detection & Mitigation
Because Agent Tesla is written in .NET, its assemblies decompile readily (with ILSpy or dnSpy) once unpacked, which makes static analysis and signature detection comparatively straightforward; operators counter this with obfuscators (ConfuserEx, .NET Reactor, custom packers) and multi-stage loaders, so detection should not depend on the outer file alone. Behavioral detection should monitor for processes performing keystroke hooking (SetWindowsHookEx with WH_KEYBOARD_LL) or polling key state with GetAsyncKeyState, frequent screenshot capture via GDI+ APIs, sequential reads of credential stores across multiple applications (browser Login Data databases, Thunderbird’s logins.json, FileZilla’s sitemanager.xml and recentservers.xml), netsh wlan show profile invocations from unexpected parent processes, and any child process spawned by eqnedt32.exe, which has no legitimate reason to launch anything. Network-based detection should flag SMTP traffic (ports 25, 465, 587) from processes other than mail clients, FTP uploads to uncommon destinations, HTTP POST requests containing Base64-encoded system information, and Telegram Bot API traffic (api.telegram.org) from hosts where Telegram is not in use. Email security gateways should block or sandbox RTF and disc image (ISO/IMG) attachments and flag Equation Editor exploit patterns.
Mitigation priorities include patching Microsoft Office (Microsoft removed the Equation Editor component in the January 2018 updates, so any installation still carrying eqnedt32.exe is exposed to CVE-2017-11882 and should be treated as unpatched), disabling VBA macros for users who do not require them and enforcing by policy the default block on macros in files downloaded from the internet, deploying email authentication (DMARC/DKIM/SPF) to reduce phishing delivery (with the caveat that it stops spoofing of your own domain but does nothing against lookalike domains or compromised legitimate senders), and implementing application allowlisting to prevent execution of unknown .NET binaries from user-writable locations.
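The exfiltration channels described under Capabilities and the behavioral and network checks above, as an added example that is not code from the original page or from any vendor: a small Python detector that runs the heuristics over constructed log lines. The key=value event schema, the allowlists of mail and FTP clients, the system-profile field labels, the process names and the addresses are all assumptions made for illustration; map the field names onto your own EDR, Sysmon or proxy telemetry before using the rules.

```python
"""Detection heuristics for Agent Tesla-style behaviour, run over constructed log lines.

Added example, not code from the original page or from any vendor. The events
below are constructed for illustration and use an assumed key=value schema
(type, proc, dport, dst, parent, child, method, url, body); map these field
names onto your own EDR, Sysmon or proxy telemetry before using the rules.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: processes allowed to speak SMTP/FTP from a workstation. Tune per environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "coreftp.exe"}
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}
EQNEDT = "eqnedt32.exe"  # Equation Editor never has a legitimate reason to spawn a child

# Field labels typical of a stealer's system-profile dump (illustrative set, tune to samples).
SYSINFO_MARKERS = ("User Name:", "Computer Name:", "OSFullName:", "CPU:", "RAM:")

# Constructed exfil body: a Base64-encoded system profile as a stealer would POST to its panel.
_PROFILE = ("Time: 2024-03-01 10:15:02\nUser Name: jdoe\nComputer Name: WS-FIN-07\n"
            "OSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM) i5\nRAM: 16 GB")
SAMPLE_EXFIL_BODY = base64.b64encode(_PROFILE.encode()).decode()

# Constructed telemetry (addresses from RFC 5737 documentation ranges).
LOG_LINES = [
    # benign: real mail client on 587, real FTP client on 21, browser on 443
    "type=net proc=outlook.exe dport=587 dst=smtp.example.com",
    "type=net proc=filezilla.exe dport=21 dst=ftp.example.com",
    "type=net proc=chrome.exe dport=443 dst=www.example.com",
    # suspicious: a document-named executable speaking SMTP and FTP itself
    "type=net proc=Invoice_4421.exe dport=587 dst=198.51.100.23",
    "type=net proc=Invoice_4421.exe dport=21 dst=198.51.100.23",
    # Word launching Equation Editor is normal; Equation Editor launching anything is not
    "type=proc parent=winword.exe child=eqnedt32.exe",
    "type=proc parent=eqnedt32.exe child=cmd.exe",
    # HTTP POSTs: Base64 system profile (flag), Base64 without profile fields
    # ("hello world", no flag), body that is not Base64 at all (no flag)
    "type=http proc=Invoice_4421.exe method=POST url=http://203.0.113.10/panel/upload body=" + SAMPLE_EXFIL_BODY,
    "type=http proc=chrome.exe method=POST url=https://www.example.com/api body=aGVsbG8gd29ybGQ=",
    'type=http proc=chrome.exe method=POST url=https://www.example.com/api body={"q":"agent"}',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    proc: str
    detail: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (values contain no whitespace)."""
    return dict(_KV.findall(line))


def decode_base64(text: str) -> Optional[str]:
    """Strict Base64 decode; returns None when the body is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError subclass
        return None


def check_event(ev: dict) -> List[Finding]:
    """Apply the four heuristics to a single parsed event."""
    proc = ev.get("proc", "").lower()
    findings = []
    if ev.get("type") == "net":
        port = int(ev.get("dport", 0))
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            findings.append(Finding("smtp_from_non_mail_client", proc, ev.get("dst", "")))
        if port in FTP_PORTS and proc not in FTP_CLIENTS:
            findings.append(Finding("ftp_from_non_ftp_client", proc, ev.get("dst", "")))
    elif ev.get("type") == "proc" and ev.get("parent", "").lower() == EQNEDT:
        findings.append(Finding("eqnedt32_child_process", EQNEDT, ev.get("child", "")))
    elif ev.get("type") == "http" and ev.get("method") == "POST":
        decoded = decode_base64(ev.get("body", ""))
        # require several profile labels so ordinary Base64 payloads do not trip the rule
        if decoded is not None and sum(m in decoded for m in SYSINFO_MARKERS) >= 3:
            findings.append(Finding("base64_sysinfo_post", proc, ev.get("url", "")))
    return findings


def scan(lines) -> List[Finding]:
    """Run every heuristic over every log line and collect the findings."""
    return [f for line in lines for f in check_event(parse_event(line))]


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f.rule:26} proc={f.proc:18} {f.detail}")
```

Run stand-alone, the script reports four findings, all tied to the document-named executable or to eqnedt32.exe, and nothing for Outlook, FileZilla or the browser; the two chrome.exe POSTs show why the Base64 rule must decode the body and look for profile labels rather than flag every Base64-looking string. The allowlists are deliberately per-process rather than per-port, because Agent Tesla speaks SMTP and FTP from its own process rather than through the installed clients whose credentials it just read.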