home.social

#agenttesla — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #agenttesla, aggregated by home.social.

  1. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    Pulse ID: 69eaf82210e0ac6fd2a26c35
    Pulse Link: otx.alienvault.com/pulse/69eaf
    Pulse Author: Tr1sa111
    Created: 2026-04-24 04:57:06

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AgentTesla #CyberSecurity #HTML #InfoSec #OTX #OpenThreatExchange #Tesla #bot #Tr1sa111

  2. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  3. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  4. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  5. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  6. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  7. 2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

    A #pcap of the infection traffic, associated files, and a list of indicators are available at malware-traffic-analysis.net/2

    Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

    - tria.ge/260203-tvhlyahx7c
    - app.any.run/tasks/0840196f-2b8

  8. Cybercriminals are luring torrent users with a fake Leonardo DiCaprio movie, "One Battle After Another," hiding Agent Tesla RAT in subtitle files and disguised payloads. The stealthy chain uses Windows tools for fileless infection, keylogging, and data theft—stay safe! 🚨🎥💻 cyberinsider.com/malware-sneak #Cybersecurity #Malware #AgentTesla #Newz

  9. „One Battle After Another“-Torrent versteckt Malware in Untertitel‑Dateien

    Zu Weihnachten wird viel gestreamt. Doch: Vorsicht bei illegalen Quellen! Gerade frisch auf dem Markt: ein gefälschter Torrent des Leonardo DiCaprio-Films „One Battle After Another“. Gratis mit dabei die SpyWare Agent Tesla.

    Mehr: maniabel.work/archiv/783

    #SpyTool #AgentTesla #windows #PowerShellScript #infosec #infosecnews #BeDiS

  10. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  11. Campagne #Malware #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Ordine
    #Formbook: Offerta
    #GuLoader: Fattura Elettronica
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Pagamenti
    #Irata: Malware APK
    #RedLine: Offerta
    #Neshta: Ordine
    #Ousaban: Processo
    #SnakeKeylogger: Fattura

    #mwitaly

  12. Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

    IoC for those playing along at home:
    162.0.223[.]13
    kbfvzoboss[.]bid
    alphastand[.]trade
    alphastand[.]win
    alphastand[.]top
    ➡️/alien/fre.php

    PO_Payment for invoice[...].eml.arj
    d0c8824d1e19ca1af0b88a477fa4cad6

    SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
    88bdf4f8fe035276da984c370e4cda2c

    #infosec #cybersecurity #blueteam

  13. 2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.

    It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approx every 10 minutes.

    As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:

    PW = login credentials harvested from the infected windows host (passwords)

    CO = cookies and other data from web browsers on the infected host

    KL = Keylogger data from any collected keystrokes on the infected host.

    Attached disk image file: bazaar.abuse.ch/sample/7a11d2d

    Extracted AgentTesla EXE: bazaar.abuse.ch/sample/2362b4a

  14. CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.

    #Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect

  15. Watch out as fake torrent for DiCaprio’s “One Battle After Another” is spreading Agent Tesla malware through malicious subtitles and hidden scripts.

    Read: hackread.com/dicaprio-one-batt

    #Cybersecurity #AgentTesla #Malware #Windows #OneBattleAfterAnother

  16. 2025-02-12 (Wed): #VIP_Recovery (an #AgentTesla variant) from Brazil #malspam --> zip attachment --> extracted EXE.

    File name: Factura Gastos.exe

    Email accounts for data exfiltration: antonipont@grupobdb[.]com --> cludsewe3@gmail[.]com

    EXE available at: bazaar.abuse.ch/sample/c7620cc

  17. 2025-01-31 (Friday): Two pcaps with traffic of #AgentTesla-style data exfil.

    One #pcap has FTP exfil, while the other pcap is "VIP Recovery" and has SMTP exfil.

    Pcaps available at malware-traffic-analysis.net/2

  18. 2024-12-04 (Wednesday): #AgentTesla variant using FTP for data exfiltration.

    Don't know if this is OriginLogger Snake (Key) Logger, VIP Recovery/VIP Key Logger, but it's a variant of AgentTesla.

    I've posted a sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated #malware samples, and a list of indicators at malware-traffic-analysis.net/2

  19. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  20. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  21. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  22. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  23. In November, 2022 the most observed payload distributed through malware sites was #Amadey followed by #AgentTesla 🔥

    Having a look at unique malware sites reported to URLhaus, we see #Emotet being at the very top of our ranking ⏫

    Read more in our monthly malware digest:
    👉 t.co/4Yg710BJa2

  24. Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

    IoC for those playing along at home:
    162.0.223[.]13
    kbfvzoboss[.]bid
    alphastand[.]trade
    alphastand[.]win
    alphastand[.]top
    ➡️/alien/fre.php

    PO_Payment for invoice[...].eml.arj
    d0c8824d1e19ca1af0b88a477fa4cad6

    SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
    88bdf4f8fe035276da984c370e4cda2c

    #infosec #cybersecurity #blueteam

  25. Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

    IoC for those playing along at home:
    162.0.223[.]13
    kbfvzoboss[.]bid
    alphastand[.]trade
    alphastand[.]win
    alphastand[.]top
    ➡️/alien/fre.php

    PO_Payment for invoice[...].eml.arj
    d0c8824d1e19ca1af0b88a477fa4cad6

    SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
    88bdf4f8fe035276da984c370e4cda2c

    #infosec #cybersecurity #blueteam

  26. Today in our section on "uncoventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension tick, e.g. .pdf.exe

    IoC for those playing along at home:
    162.0.223[.]13
    kbfvzoboss[.]bid
    alphastand[.]trade
    alphastand[.]win
    alphastand[.]top
    ➡️/alien/fre.php

    PO_Payment for invoice[...].eml.arj
    d0c8824d1e19ca1af0b88a477fa4cad6

    SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
    88bdf4f8fe035276da984c370e4cda2c

    #infosec #cybersecurity #blueteam