Agent Tesla - Daily Threat Report

Wednesday, April 1, 2026

Daily Summary

Activity for Agent Tesla has resumed after a period of dormancy, with 22 new samples detected. These are the first samples recorded in the current 7-day tracking window; the trend is designated stable only because the comparison baseline for the week is a zero average. The absence of prior samples this week makes this a notable re-emergence.

New Samples Detected

JavaScript files (.js) dominate the new samples, comprising 16 of the 22 detections. This is a significant shift towards scripting-based initial infection. The remaining samples include four .exe executables, one malicious .doc document, and one .ace archive, indicating a multi-format delivery strategy.

Distribution Methods

The prevalence of .js files strongly suggests ongoing phishing campaigns distributing malicious scripts, often disguised as invoices or shipping documents. The single .doc file likely contains macros, while the rare .ace archive file indicates attackers are testing less common compression formats to potentially bypass perimeter defenses that focus on .zip or .rar.

Detection Rate

Current variants show a mixed detection rate. The .exe and .doc samples are widely flagged by AV engines, but the newer .js loaders and the .ace archive demonstrate lower initial detection, suggesting ongoing efforts to evade signature-based detection through file type and obfuscation choices.

C2 Infrastructure

No new command-and-control servers were identified in conjunction with today’s samples. This suggests actors are likely leveraging established, resilient infrastructure or using temporary, hard-coded endpoints within the malware that have not yet been resolved or flagged.

7-Day Trend

Today’s detection of 22 samples breaks a week of no observed activity. This pattern is consistent with Agent Tesla’s distribution in sporadic, concentrated campaigns rather than a constant low-volume stream.

Security Analysis

The introduction of an .ace archive is a minor but notable tactic change, as this format is infrequently used in business and may not be as rigorously scrutinized by security tools. This, combined with the heavy use of .js files, points to a focus on exploiting gaps in user awareness and content filtering policies. Defensive priority should be placed on blocking executable script files (.js, .vbs, .hta) at the email gateway and implementing application allowlisting to prevent the execution of uncommon archive utilities like ACE archivers on endpoints.

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)