Agent Tesla - Daily Threat Report

Wednesday, April 15, 2026

Daily Summary

A significant surge in Agent Tesla activity was observed today, with 45 new samples identified. This represents a 320% increase over the 7-day average of 11 samples, indicating a sharp rise in distribution efforts. The campaign shows a clear preference for scripting-based initial infection vectors.

New Samples Detected

The new samples are overwhelmingly script-based, with JavaScript (.js) files comprising nearly half (22) of the total. Visual Basic Script (.vbs) files follow with 9 samples. Compiled executables (.exe) account for 8 samples, while a small number of archive files (.tar, .rar, .zip, .iso) suggest secondary payload packaging.

Distribution Methods

The dominance of .js and .vbs files points to continued reliance on malicious email campaigns, where scripts are attached or linked to evade initial static analysis of binaries. The presence of archive and disk image files (.iso) indicates attempts to bypass email filters that block executables, smuggling the final payload inside these containers.

Detection Rate

Current variants show moderate detection rates by major AV engines. However, the heavy use of obfuscated scripts and the small number of new, packed .exe files suggest ongoing attempts to lower detection scores. The script-based initial access may bypass defenses configured primarily for executable threats.

C2 Infrastructure

No new Command and Control (C2) servers were identified today. This suggests actors are likely leveraging existing, resilient infrastructure or using temporary, disposable domains that have not yet appeared in our collection. Geographic patterns for C2 could not be determined from today’s samples.

7-Day Trend

Today’s massive spike breaks a period of relatively low, steady activity observed over the past week. This pattern is consistent with a concentrated spam campaign or a new payload variant being deployed in bulk.

Security Analysis

A notable shift is the re-emergence of .tar archives alongside more common .rar and .zip files, which may be an attempt to exploit less common archive handlers in corporate environments. Compared to recent campaigns, the high script-to-binary ratio indicates a focus on social engineering over technical exploitation. Defensive teams should prioritize enhancing email security rules to flag and detonate .js and .vbs files from untrusted sources, and consider blocking or sandboxing .iso and .tar file attachments at the gateway.
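The gateway policy recommended above, as an added Python example that is not the report's or abuse.ch's code: it walks a raw message's attachments, marks .js/.vbs for detonation (including a double-extension script smuggled inside a .zip), sends .iso/.tar/.rar containers to a sandbox, and lets other files through. The sample message is constructed inline; the attachment verdict names are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Gateway policy suggested by the report: detonate scripts, sandbox containers.
DETONATE = {".js", ".vbs"}
CONTAINER = {".iso", ".tar", ".rar", ".zip"}

def ext_of(name: str) -> str:
    """Last extension, lower-cased, so 'Invoice.PDF.js' is treated as .js."""
    name = name.strip().lower()
    return name[name.rfind("."):] if "." in name else ""

def classify_attachment(name: str, data: bytes) -> str:
    ext = ext_of(name)
    if ext in DETONATE:
        return "detonate"
    if ext == ".zip":  # look inside: a script smuggled in an archive is still a script
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(ext_of(n) in DETONATE for n in zf.namelist()):
                    return "detonate"
        except zipfile.BadZipFile:
            return "block"  # claims to be a zip but is not; do not trust it
        return "sandbox"
    if ext in CONTAINER:
        return "sandbox"  # .iso/.tar/.rar cannot be inspected here, so sandbox them
    return "allow"

def triage_message(raw: bytes) -> dict:
    """Return {attachment name: verdict} for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts

def build_sample() -> bytes:
    """Constructed test message: zipped double-extension script, an .iso and a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed placeholder, not a real script")
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"\0" * 16, maintype="application", subtype="octet-stream", filename="docs.iso")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```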

Further Reading

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)