Daily Summary
Agent Tesla activity surged on 2026-06-14: 100 new samples were detected against a 7-day average of 37, an increase of roughly 170% (about 2.7x the baseline). The rise is driven by a sharp increase in .exe payloads and a doubling of JavaScript-based delivery.
New Samples Detected
Today's 100 files are dominated by portable executables (.exe) with 64 samples, a 73% increase over their typical count. JavaScript files (.js) totaled 23, double the usual volume, suggesting a shift toward script-based initial access. Archive formats (.rar: 5, .zip: 1, .tgz: 1) remain minor vectors, and legacy script formats (.hta: 2, .vbe: 1, .vbs: 1) point to opportunistic reuse of older delivery methods; the extensions listed here account for 99 of the 100 files. The single .uue file is unusual for current Agent Tesla campaigns and may be an attempt to slip a UUencoded executable past mail filters that only inspect MIME attachments. A gateway that decodes uuencoded bodies and checks the decoded bytes for executable magic, rather than trusting the file name in the "begin" line, closes that gap.
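The check described above, as an added example that is not part of the original summary or any vendor tool: it builds a constructed .uue attachment (a fake payload whose only realistic feature is the PE "MZ" magic) and then decodes it, classifies the decoded bytes by magic, and flags the common bypass of an executable hiding behind a document-looking inner name. The file-type table, extension list and field names are assumptions chosen for illustration.

```python
import binascii
import re

# Constructed stand-in for an attached executable: only the "MZ" magic at
# offset 0 is realistic; the rest is filler, not code.
FAKE_PE = b"MZ" + b"\x90" * 70 + b"This program cannot be run in DOS mode."
FAKE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real document\n"

BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+)$")

# File-type magic checked on the *decoded* bytes, independent of the name the
# sender chose in the "begin" line. Table is an assumption for this example.
MAGICS = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
}
EXEC_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".vbe", ".hta", ".cmd", ".bat"}


def uuencode(data: bytes, name: str, mode: str = "644") -> str:
    """Produce a .uue text body (used here only to build the constructed input)."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):  # uuencode consumes 45 raw bytes per line
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]  # zero-length line, then terminator
    return "\n".join(lines) + "\n"


def inspect_uue(text: str) -> dict:
    """Decode a uuencoded attachment and classify the bytes inside it."""
    lines = text.splitlines()
    start = inner_name = None
    for idx, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if m:
            start, inner_name = idx, m.group(2).strip()
            break
    if start is None:
        return {"valid": False, "reason": "no begin line"}

    payload = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line in ("", "`"):  # a2b_uu decodes an empty line as 32 NULs, so skip explicitly
            continue
        try:
            payload += binascii.a2b_uu(line)
        except binascii.Error:
            return {"valid": False, "reason": "corrupt uu line"}
    payload = bytes(payload)

    kind = next((k for magic, k in MAGICS.items() if payload.startswith(magic)), "unknown")
    ext = ("." + inner_name.rsplit(".", 1)[1].lower()) if "." in inner_name else ""
    # An executable behind a document-looking name is the classic filter bypass.
    disguised = kind == "pe" and ext not in {".exe", ".dll", ".scr"}
    return {
        "valid": True,
        "inner_name": inner_name,
        "size": len(payload),
        "kind": kind,
        "suspicious": kind == "pe" or ext in EXEC_EXTS,
        "disguised": disguised,
        "payload": payload,
    }


if __name__ == "__main__":
    print(inspect_uue(uuencode(FAKE_PE, "invoice.pdf")))
```

The classification deliberately ignores the extension in the "begin" line for the executable decision and looks at the decoded bytes instead; the inner name is only used to raise a separate "disguised" flag, which is the signal a mail-gateway rule would act on.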
7-Day Trend
Today's count of 100 exceeds the 7-day average of 37 by roughly 170% and is the highest single-day count in the 30-day window. A seven-point baseline is too short to call the jump statistically significant in a formal sense, but a 2.7x spike against a stable baseline sits well outside normal day-to-day variation and may reflect a coordinated phishing push or an automated campaign launch. The surge falls on a Sunday; defenders should expect elevated volumes to continue into the start of the work week, since attackers often time campaigns around periods of reduced SOC staffing.
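The trend test described above, as an added example rather than the tracker's own logic: it computes the percent deviation and a z-score of today's count against a trailing baseline, and tallies today's samples by extension and delivery class. The seven baseline values are constructed (only their mean of 37 comes from the summary), the synthetic file names are generated from the per-extension counts listed above, and the delivery-class mapping is an assumption for illustration.

```python
from collections import Counter
from pathlib import PurePosixPath
from statistics import mean, pstdev

# Constructed 7-day baseline preceding the spike day. The individual values are
# assumed for illustration; only their mean (37) comes from the summary.
BASELINE = [30, 41, 35, 38, 42, 33, 40]
TODAY_TOTAL = 100

# Per-extension counts as listed in the summary, turned into synthetic names.
TODAY_COUNTS = {".exe": 64, ".js": 23, ".rar": 5, ".zip": 1, ".vbe": 1,
                ".vbs": 1, ".hta": 2, ".tgz": 1, ".uue": 1}
SAMPLE_NAMES = [f"sample_{ext[1:]}_{i:03d}{ext}"
                for ext, n in TODAY_COUNTS.items() for i in range(n)]

# Assumed delivery-class mapping; extend for the feed you actually ingest.
DELIVERY_CLASS = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".js": "script", ".jse": "script", ".ps1": "script",
    ".vbs": "legacy-script", ".vbe": "legacy-script", ".hta": "legacy-script",
    ".rar": "archive", ".zip": "archive", ".tgz": "archive", ".7z": "archive", ".iso": "archive",
    ".uue": "encoded-attachment",
}


def pct_increase(today: int, baseline: list) -> float:
    """Percent change of today's count against the baseline mean."""
    avg = mean(baseline)
    return (today - avg) / avg * 100.0


def zscore(today: int, baseline: list) -> float:
    """How many baseline standard deviations today sits above the mean."""
    return (today - mean(baseline)) / pstdev(baseline)


def profile(filenames: list):
    """Tally samples by extension and by delivery class ('other' if unmapped)."""
    by_ext = Counter(PurePosixPath(n).suffix.lower() for n in filenames)
    by_class = Counter()
    for ext, n in by_ext.items():
        by_class[DELIVERY_CLASS.get(ext, "other")] += n
    return by_ext, by_class


def spike_report(today: int, baseline: list, filenames: list,
                 min_pct: float = 100.0, min_z: float = 3.0) -> dict:
    """Flag a day only when it is far above the mean in percent terms AND far
    outside the baseline's spread. Both gates matter: a noisy feed can show a
    large percent jump that is not unusual for that feed."""
    pct = pct_increase(today, baseline)
    z = zscore(today, baseline) if pstdev(baseline) > 0 else float("inf")
    by_ext, by_class = profile(filenames)
    return {
        "pct_increase": round(pct, 1),
        "zscore": round(z, 1),
        "spike": pct >= min_pct and z >= min_z,
        "by_ext": dict(by_ext),
        "by_class": dict(by_class),
        "listed_total": sum(by_ext.values()),
    }


if __name__ == "__main__":
    print(spike_report(TODAY_TOTAL, BASELINE, SAMPLE_NAMES))
```

With these constructed numbers the percent gate and the z-score gate agree; the z-score is only meaningful once the baseline is long enough for its standard deviation to be stable, which is why a 30-day window is the better reference for the "highest count observed" claim than the 7-day average used for the percentage.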
IOC Highlights
All 100 new samples carried unique IOCs, adding 100 indicators to the tracker. No new C2 servers were observed, which suggests existing infrastructure is absorbing the volume spike rather than being replaced, consistent with a retooled distribution pipeline feeding the same back end. Analysts should watch for re-registered or slightly altered C2 domains over the next 72 hours, since one- or two-character variants of a known C2 domain are a common way to extend the life of burned infrastructure while staying off exact-match blocklists.
Security Analysis
The concurrent rise in .js and .exe samples today may mirror patterns seen in Agent Tesla campaigns targeting logistics and finance sectors in early 2026, where JavaScript droppers served as the initial payload and fetched the final .exe. The absence of new C2 servers while sample volume nearly triples indicates the adversary is reusing infrastructure that is already tracked; had fresh C2 been stood up, or had fast-flux rotation been in play, new servers would have appeared alongside the samples. Defenders should prioritize blocking outbound traffic to C2 IPs and domains recorded in prior months: this reuse means the campaign is operationalizing old infrastructure rather than standing up fresh channels, which makes historical blocklists unusually effective today. One caveat: "no new C2 observed" can also mean the new samples' configurations have not yet been extracted, so confirm the C2 list against today's sample configs before relying on it.
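The two actions recommended above (matching outbound traffic against historical C2 indicators, and catching slightly altered C2 domains) as one added example that is not part of the summary or of any tracker's code: it scans constructed proxy log lines for exact matches on known C2 IPs and domains and for near-duplicate domains within a small edit distance. The indicators use documentation IP ranges and reserved .example names, the log format is assumed, and none of it is real Agent Tesla infrastructure.

```python
import re

# Constructed indicators and log lines (TEST-NET ranges and reserved .example
# names), not real Agent Tesla infrastructure.
KNOWN_C2_IPS = {"203.0.113.45", "198.51.100.17"}
KNOWN_C2_DOMAINS = {"mail-secure-update.example", "ftp-logs.example"}

PROXY_LOG = """\
2026-06-14T09:12:03Z 10.0.4.21 -> 203.0.113.45:587 host=-
2026-06-14T09:13:41Z 10.0.4.21 -> 198.51.100.90:21 host=ftp-logs.example
2026-06-14T09:15:10Z 10.0.7.8 -> 192.0.2.77:443 host=mail-secure-updates.example
2026-06-14T09:16:55Z 10.0.7.8 -> 192.0.2.10:443 host=updates.vendor.example
2026-06-14T09:18:02Z 10.0.9.3 -> 192.0.2.12:80 host=www.example.com
"""

# Assumed record layout: "<ts> <src> -> <dst>:<port> host=<sni-or-dash>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nearest_known_domain(host: str, known: set, max_dist: int = 2):
    """Return (domain, distance) for the closest known C2 domain within max_dist, else None."""
    best = None
    for d in known:
        if abs(len(d) - len(host)) > max_dist:
            continue  # cheap length prefilter before the O(n*m) comparison
        dist = edit_distance(host, d)
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (d, dist)
    return best


def match_c2(log_text: str, known_ips: set, known_domains: set) -> list:
    """Scan outbound proxy/firewall records for reused or lightly altered C2."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the whole scan
        rec = m.groupdict()
        host = rec["host"].lower()
        if rec["dst"] in known_ips:
            hits.append({"line": n, "reason": "known_c2_ip",
                         "indicator": rec["dst"], "src": rec["src"]})
        elif host in known_domains:
            # Same domain on a new IP: infrastructure moved, indicator still valid.
            hits.append({"line": n, "reason": "known_c2_domain",
                         "indicator": host, "src": rec["src"]})
        elif host != "-":
            near = nearest_known_domain(host, known_domains)
            if near:
                hits.append({"line": n, "reason": "c2_domain_variant", "indicator": host,
                             "near": near[0], "distance": near[1], "src": rec["src"]})
    return hits


if __name__ == "__main__":
    for h in match_c2(PROXY_LOG, KNOWN_C2_IPS, KNOWN_C2_DOMAINS):
        print(h)
```

The order of the checks matters: an exact IP hit is the strongest signal and costs nothing, an exact domain hit catches the "same name, new address" case, and the edit-distance pass runs last and only on named hosts, because it is the most expensive and the most prone to false positives on short or generic names.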