Agent Tesla - Daily Threat Report

Thursday, April 16, 2026

Daily Summary

Agent Tesla activity surged today, with 45 new samples detected. That is a 162% increase over the 7-day average of roughly 17 samples per day and points to an active, concentrated distribution campaign.

New Samples Detected

JavaScript (.js) files are the dominant delivery vector, accounting for 23 of today's 45 samples (just over half). This is a notable pivot away from executable-heavy distribution. The .tar archives (6) and a single .zip file show that payloads are also being wrapped in containers, which hides the script extension from a casual look at the attachment name and allows several components to travel in one delivery.

Distribution Methods

The heavy use of .js and .vbs files points to continued reliance on script-based delivery, most likely phishing emails that carry the script as an attachment or link to a download of it. The .tar archives are probably presented as software installers or document bundles, which suggests targeting of users in technical or business environments who are accustomed to handling such files.

Detection Rate

Detection of the new script-based variants is moderately high across major AV vendors. The .tar wrapper and the obfuscation inside the .js files may still give a short evasion window against less capable security stacks until signatures are widely updated, which argues for behavioural controls on script hosts rather than reliance on signatures alone.

C2 Infrastructure

No new Command and Control (C2) servers were identified today. Actors are most likely reusing established infrastructure or compromised websites, avoiding the operational overhead of new domains that would be quickly blocklisted. The absence of new C2 indicators does not mean exfiltration is not taking place: Agent Tesla commonly sends stolen credentials over SMTP, FTP or messaging-platform APIs rather than to a dedicated C2 host, and those channels do not always surface in C2 feeds.

7-Day Trend

Today's spike breaks a week of low, steady activity. The pattern is consistent with a concentrated malspam campaign being launched; given the script-based delivery, attachment-driven spam is a more likely explanation than a new exploit kit integration.

Security Analysis

The shift toward JavaScript payloads, combined with archive wrappers, is a tactical adaptation to email gateways that block executables but pass scripts and archives. It mirrors recent campaigns in which the script invokes built-in system tools (living-off-the-land binaries, or LOLBins) to fetch and run the final stealer payload. Recommendations: configure email security to quarantine or sandbox .js, .jse, .vbs, .vbe, .wsf and .hta attachments from untrusted senders, including when they are nested inside .zip or .tar archives, and flag double extensions such as invoice.pdf.js. On endpoints, use application control to block the Windows script hosts (wscript.exe and cscript.exe) from executing scripts located in user-writable locations such as the profile, Downloads and Temp directories; Microsoft Defender's attack surface reduction rule that blocks JavaScript and VBScript from launching downloaded executable content covers the follow-on stage. Changing the default file association for script extensions to a text editor also turns an accidental double-click into a harmless open rather than an execution.
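The following attachment triage routine is an added example written for this report, not code from the report's data sources or from any vendor product. It implements the archive-aware check recommended above: it descends into .zip and .tar attachments (including archives nested in archives), flags script extensions and double extensions, and refuses to inflate oversized or encrypted members. The extension lists, the nesting and size limits, and the sample attachments are constructed for illustration; the samples contain inert comment text, not malware.

```python
"""Triage e-mail attachments for script payloads, descending into archives.

Added example. The attachments built by build_samples() are constructed,
inert stand-ins for the delivery patterns described in the report.
"""
import io
import posixpath
import tarfile
import zipfile

# Windows scripting-host and shell-script extensions that should not arrive
# as user attachments (assumed policy, adjust to the environment).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat"}
# Extensions used as the decoy half of a double extension (invoice.pdf.js).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 3                  # nested-archive limit (zip in tar in zip ...)
MAX_MEMBER_BYTES = 50 * 2**20  # do not inflate a single member beyond 50 MiB


def classify_name(path):
    """Return a finding for a suspicious file name, or None if it looks benign."""
    parts = posixpath.basename(path).lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return f"double extension masquerading as .{parts[-2]} ({ext})"
    return f"script attachment ({ext})"


def _is_tar(data):
    # ustar magic at offset 257 (POSIX and GNU tar; ancient v7 tar has none).
    return data[257:262] == b"ustar"


def _is_zip(data):
    # Check the leading local-file-header (or empty-archive) signature instead
    # of zipfile.is_zipfile(): the latter scans backwards for the end-of-
    # central-directory record and would classify a tar that merely contains
    # a zip as a zip, silently skipping the tar's other members.
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def scan_attachment(path, data, depth=0):
    """Recursively inspect one attachment; returns a list of (path, reason)."""
    if depth > MAX_DEPTH:
        return [(path, f"archive nesting deeper than {MAX_DEPTH}")]
    findings = []
    if _is_tar(data):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf.getmembers():
                member = posixpath.join(path, m.name)
                if not m.isfile():
                    continue
                if m.size > MAX_MEMBER_BYTES:
                    findings.append((member, "oversized member, not inflated"))
                    continue
                findings += scan_attachment(member, tf.extractfile(m).read(), depth + 1)
        return findings
    if _is_zip(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = posixpath.join(path, info.filename)
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # encrypted: cannot inspect, so flag it
                    findings.append((member, "encrypted archive member"))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member, "oversized member, not inflated"))
                    continue
                findings += scan_attachment(member, zf.read(info), depth + 1)
        return findings
    reason = classify_name(path)
    return [(path, reason)] if reason else []


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _tar_bytes(members):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_samples():
    """Constructed attachments mirroring the report's delivery patterns."""
    inner_zip = _zip_bytes({"tools/payload.js": b"// constructed, inert\n"})
    return {
        "Invoice_2026.pdf.js": b"// constructed, inert\n",
        "Quotation.zip": _zip_bytes({"Quotation/Quotation.js": b"// inert\n",
                                     "Quotation/readme.txt": b"see attached\n"}),
        "installer.tar": _tar_bytes({"setup/run.vbs": b"' inert\n",
                                     "setup/bundle.zip": inner_zip}),
        "report.pdf": b"%PDF-1.4 constructed placeholder\n",
    }


def triage(attachments):
    """Map attachment name -> findings; an empty list means nothing was flagged."""
    return {name: scan_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage(build_samples()).items():
        print(name, "->", findings or "clean")
```

The magic-byte check matters more than it looks: a .tar that happens to contain a .zip would pass zipfile.is_zipfile(), and a gateway that trusted that answer would parse only the embedded zip and never see the .vbs sitting beside it. The same routine extends naturally to other containers (.7z, .iso, .img) by adding a signature check and a reader for each.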

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)