home.social

#agenttesla — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #agenttesla, aggregated by home.social.

  1. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    Pulse ID: 69eaf82210e0ac6fd2a26c35
    Pulse Link: otx.alienvault.com/pulse/69eaf
    Pulse Author: Tr1sa111
    Created: 2026-04-24 04:57:06

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AgentTesla #CyberSecurity #HTML #InfoSec #OTX #OpenThreatExchange #Tesla #bot #Tr1sa111

  2. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  3. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  4. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  5. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  6. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  7. 2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

    A #pcap of the infection traffic, associated files, and a list of indicators are available at malware-traffic-analysis.net/2

    Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

    - tria.ge/260203-tvhlyahx7c
    - app.any.run/tasks/0840196f-2b8

  8. Cybercriminals are luring torrent users with a fake Leonardo DiCaprio movie, "One Battle After Another," hiding Agent Tesla RAT in subtitle files and disguised payloads. The stealthy chain uses Windows tools for fileless infection, keylogging, and data theft—stay safe! 🚨🎥💻 cyberinsider.com/malware-sneak #Cybersecurity #Malware #AgentTesla #Newz

  9. „One Battle After Another“-Torrent versteckt Malware in Untertitel‑Dateien

    Zu Weihnachten wird viel gestreamt. Doch: Vorsicht bei illegalen Quellen! Gerade frisch auf dem Markt: ein gefälschter Torrent des Leonardo DiCaprio-Films „One Battle After Another“. Gratis mit dabei die SpyWare Agent Tesla.

    Mehr: maniabel.work/archiv/783

    #SpyTool #AgentTesla #windows #PowerShellScript #infosec #infosecnews #BeDiS

  10. Watch out as fake torrent for DiCaprio’s “One Battle After Another” is spreading Agent Tesla malware through malicious subtitles and hidden scripts.

    Read: hackread.com/dicaprio-one-batt

    #Cybersecurity #AgentTesla #Malware #Windows #OneBattleAfterAnother

  11. 2025-02-12 (Wed): #VIP_Recovery (an #AgentTesla variant) from Brazil #malspam --> zip attachment --> extracted EXE.

    File name: Factura Gastos.exe

    Email accounts for data exfiltration: antonipont@grupobdb[.]com --> cludsewe3@gmail[.]com

    EXE available at: bazaar.abuse.ch/sample/c7620cc

  12. 2025-01-31 (Friday): Two pcaps with traffic of #AgentTesla-style data exfil.

    One #pcap has FTP exfil, while the other pcap is "VIP Recovery" and has SMTP exfil.

    Pcaps available at malware-traffic-analysis.net/2

  13. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  14. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  15. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  16. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  17. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  18. 2024-12-04 (Wednesday): #AgentTesla variant using FTP for data exfiltration.

    Don't know if this is OriginLogger Snake (Key) Logger, VIP Recovery/VIP Key Logger, but it's a variant of AgentTesla.

    I've posted a sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated #malware samples, and a list of indicators at malware-traffic-analysis.net/2

  19. 2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.

    It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approx every 10 minutes.

    As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:

    PW = login credentials harvested from the infected windows host (passwords)

    CO = cookies and other data from web browsers on the infected host

    KL = Keylogger data from any collected keystrokes on the infected host.

    Attached disk image file: bazaar.abuse.ch/sample/7a11d2d

    Extracted AgentTesla EXE: bazaar.abuse.ch/sample/2362b4a

  20. CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.

    #Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect

  21. Campagne #Malware #Italy Week 32
    🔥☠️💣👻

    #SnakeKeyLogger: Citazione
    #Guloader: Ordine
    #Formbook: Modulo bancario
    #AsyncRAT: Documento
    #RemcosRAT: Prezzi
    #AgentTesla: Preventivo
    #ModiLoader: Pagamento
    #StrRat: Ordine
    #RedLine: Quotazione
    #Vidar: Pagamento
    #Ousaban: Documento

    #mwitaly

  22. Campagne #Malware #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Ordine
    #Formbook: Offerta
    #GuLoader: Fattura Elettronica
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Pagamenti
    #Irata: Malware APK
    #RedLine: Offerta
    #Neshta: Ordine
    #Ousaban: Processo
    #SnakeKeylogger: Fattura

    #mwitaly

  23. Campagne #Malware #Italy Week 13

    👻💣🔥☠️
    #AgentTesla: Pagamenti
    #Remcos: Delivery
    #Irata: APK Bank
    #Phorpiex: Documenti
    #Guloader: Ordine
    #PlanetStealer: Conferma
    #Lokibot: Preventivo
    #Pikabot: Resend

    #mwitaly