Daily Summary
Agent Tesla activity shows a significant increase today, with 12 new samples representing a 50% rise over the 7-day average of 8. This surge is primarily driven by a notable shift towards script-based initial infection vectors.
New Samples Detected
The sample set is dominated by JavaScript files (.js), accounting for 9 of the 12 new samples. This marks a distinct pivot from the more common .exe or document-based payloads observed recently. The remaining samples consist of one .bat, one .exe, and one .vbs file, suggesting a multi-pronged, script-heavy campaign.
Distribution Methods
The prevalence of .js files indicates a continued reliance on malicious email campaigns distributing zipped attachments or using downloader scripts. The .bat and .vbs files likely serve as secondary downloaders or persistence mechanisms. This pattern aligns with campaigns using phishing lures to trick users into executing initial scripts that fetch the final Agent Tesla payload.
Detection Rate
Current detection rates for the new .js variants are moderately high among leading AV engines, though the sheer volume suggests automated generation with minor obfuscation changes between samples. The single .exe sample may represent a newer, less-detected loader variant and should be prioritized for analysis.
C2 Infrastructure
No new C2 servers were identified today, indicating actors are likely consolidating operations on existing, resilient infrastructure. This suggests a mature campaign phase where maintaining established communication channels is prioritized over infrastructure expansion.
7-Day Trend
Today’s spike interrupts a period of relatively steady activity, pushing the weekly trend upward. It remains to be seen if this represents a new sustained tempo or a short-lived surge.
Security Analysis
The tactical shift to a JavaScript-heavy delivery mechanism is notable. It bypasses reliance on macro-enabled documents and may exploit trust in .js files disguised as legitimate text documents. Compared to recent campaigns, this reflects an adaptation to improved macro security. A key defensive recommendation is to enhance email filtering to treat .js files in archives with high suspicion and to consider blocking or heavily restricting the execution of .js and .vbs files from user download directories and email attachments.
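One way to act on the filtering recommendation above, as an added example that is not part of the original summary: a small Python check that inspects a zipped email attachment and flags script members, including scripts hiding behind a decoy "document" extension such as invoice.txt.js. The extension lists and the sample archive are constructed here for illustration; the check generalizes to any archive a mail gateway hands it.

```python
import io
import zipfile
from typing import List, Tuple

# Script types the summary calls out (.js, .vbs, .bat). The set is an
# assumption for this example and can be extended (e.g. .jse, .wsf, .cmd).
SUSPICIOUS_EXTS = {".js", ".vbs", ".bat"}
# Decoy extensions commonly placed before the real one ("invoice.txt.js").
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def classify_member(name: str) -> Tuple[bool, str]:
    """Return (is_suspicious, reason) for one archive member name."""
    lowered = name.lower().rsplit("/", 1)[-1]  # strip any folder path
    parts = lowered.split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in SUSPICIOUS_EXTS:
        return False, "benign extension"
    # Double extension: the real script type hides behind a decoy document type.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return True, f"script {ext} disguised with decoy extension .{parts[-2]}"
    return True, f"script {ext} inside archive"


def scan_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Return [(member_name, reason)] for every suspicious member of a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suspicious, reason = classify_member(info.filename)
            if suspicious:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (placeholder contents, not a real artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.txt.js", "// constructed placeholder\n")
        zf.writestr("readme.txt", "plain text\n")
        zf.writestr("setup/run.vbs", "' constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_zip()):
        print(f"FLAG {member}: {why}")
```

Flagged attachments are what the gateway should quarantine or strip; pairing this with blocking wscript/cscript execution from download and mail attachment directories covers the second half of the recommendation.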