Daily Summary
New Agent Tesla samples surged to 20 today, a 119% increase over the 7-day average of 9, indicating a significant spike in distribution activity. The campaign is notably characterized by a heavy reliance on script-based initial access vectors.
New Samples Detected
Scripting files dominate the new samples, with JavaScript (.js) accounting for 9 of the 20 total, followed by VBS (.vbs) at 3. This represents a clear shift toward fileless and script-based delivery. The presence of archive files (.rar, .zip) and a disk image (.iso) suggests these scripts are being packaged within compressed or containerized formats to bypass perimeter defenses.
Distribution Methods
The file type distribution points to a primary delivery method of malicious email campaigns distributing compressed archives or ISO files. These contain the dominant .js and .vbs scripts, which execute to download and deploy the final Agent Tesla payload. This method leverages user interaction to bypass email security filters scanning for executable attachments.
Detection Rate
Current variants, particularly the new script-based droppers, show moderate detection rates by aggregate AV engines. The use of obfuscated scripts within less-suspicious container files (.iso, .rar) is likely creating a temporary evasion window for the initial stage before the core stealer payload, which is more widely recognized, is fetched.
C2 Infrastructure
No new C2 servers were identified today, suggesting actors are leveraging existing, resilient infrastructure. This indicates a possible consolidation of operations or the use of bulletproof hosting services to maintain communication channels despite the surge in endpoint samples.
7-Day Trend
Today’s sharp rise breaks a period of relatively low, steady activity observed over the past week, signaling a new, active campaign push rather than sustained background noise.
Security Analysis
The current shift to .js/.vbs loaders inside .iso files mirrors recent commodity phishing campaigns for other stealers, suggesting Agent Tesla actors are adopting more effective Tactics, Techniques, and Procedures (TTPs) from the broader threat landscape. The .iso file is a key evolution: it can bypass traditional email attachment policies that block executables and scripts, and on double-click Windows mounts it as a virtual drive from which the contained script is launched. A primary defensive recommendation is to treat .iso files arriving by email with high suspicion, block them at the email gateway, and disable automatic ISO mounting on Windows endpoints.
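As an added illustration of the gateway-side check recommended above (this is example code written for this summary, not tooling from the report's source), the script below classifies email attachments by content rather than by declared extension: it recognises an ISO 9660 image from its volume-descriptor magic, a RAR archive from its signature, and inspects zip archives for script members such as .js and .vbs. The attachments it examines are constructed inline (a placeholder zip with a .js member, a byte blob shaped like an ISO, a RAR header) and are not real samples; the block/quarantine/allow actions are an assumed policy, not one stated in the summary.

```python
import io
import zipfile

# Script extensions that should never arrive bare or inside a mail-borne archive
# (assumed policy list; extend to match the gateway's own rules).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# ISO 9660: the primary volume descriptor sits at sector 16 (2048-byte sectors)
# and starts with type byte 0x01 followed by the "CD001" identifier.
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"\x01CD001"

# RAR4 and RAR5 file signatures.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Zip-based formats whose declared extension is legitimately not ".zip".
ZIP_BASED = {".zip", ".docx", ".xlsx", ".pptx", ".jar"}


def ext_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return container type (decided by magic bytes), script names found,
    the reasons recorded, and the resulting gateway action."""
    reasons, scripts = [], []
    container = "other"

    if data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        container = "iso"
        reasons.append("ISO 9660 image (mounts as a drive on double-click)")
    elif data.startswith(RAR_MAGICS):
        container = "rar"
        reasons.append("RAR archive; contents not inspected here, treated as opaque")
    elif data.startswith(b"PK\x03\x04"):
        container = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                scripts = [n for n in zf.namelist() if ext_of(n) in SCRIPT_EXTENSIONS]
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
        if scripts:
            reasons.append("archive contains script files: " + ", ".join(scripts))

    declared = ext_of(filename)
    if declared in SCRIPT_EXTENSIONS:
        reasons.append("bare script attachment")

    # Flag content whose declared extension disagrees with what the bytes say.
    mismatch = False
    if container != "other":
        expected = ZIP_BASED if container == "zip" else {"." + container}
        if declared not in expected:
            mismatch = True
            reasons.append(f"declared extension {declared or '(none)'} does not match {container} content")

    if container == "iso" or scripts or declared in SCRIPT_EXTENSIONS:
        action = "block"
    elif container == "rar" or mismatch:
        action = "quarantine"
    else:
        action = "allow"
    return {"container": container, "scripts": scripts, "reasons": reasons, "action": action}


# Constructed sample attachments, built in memory so the example runs offline.
def build_zip_with_script() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.js", "// constructed placeholder, not a real loader\n")
        zf.writestr("readme.txt", "constructed benign file\n")
    return buf.getvalue()


def build_fake_iso() -> bytes:
    # Only the bytes a magic check needs to see; not a mountable image.
    return b"\x00" * ISO_PVD_OFFSET + ISO_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    samples = [
        ("invoice.zip", build_zip_with_script()),
        ("scan.pdf", build_fake_iso()),          # ISO renamed to look like a document
        ("docs.rar", RAR_MAGICS[0] + b"\x00" * 16),
        ("notes.txt", b"plain text, constructed"),
    ]
    for name, blob in samples:
        print(name, classify_attachment(name, blob))
```

The ISO and RAR checks deliberately key on magic bytes so that renaming an attachment does not defeat them; the mismatch reason is what surfaces a renamed image. The RAR branch quarantines rather than blocks only because this example does not unpack RAR, so the archive's contents remain unknown to it.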