home.social

#agenttesla — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #agenttesla, aggregated by home.social.

  1. Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

    This analysis examines an attack chain utilizing malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7zip compressed file containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses FTP protocol to exfiltrate stolen data including keystrokes, screenshots, and camera recordings to attacker-controlled infrastructure at ftp.videoalliance[.]ru.

    Pulse ID: 69e991a65ee2b4802a077236
    Pulse Link: otx.alienvault.com/pulse/69e99
    Pulse Author: AlienVault
    Created: 2026-04-23 03:27:34

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #7Zip #AgentTesla #CyberSecurity #Google #HTML #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #PowerShell #RAT #Tesla #Troll #ZIP #bot #AlienVault

  2. 2026-02-03 (Tuesday): #GuLoader for #AgentTesla style malware with FTP data exfiltration.

    A #pcap of the infection traffic, associated files, and a list of indicators are available at malware-traffic-analysis.net/2

    Two online sandboxes tag this sample as AgentTesla, but I'm not sure what the actual name of this malware is.

    - tria.ge/260203-tvhlyahx7c
    - app.any.run/tasks/0840196f-2b8

  3. "One Battle After Another" torrent hides malware in subtitle files

    A lot of streaming happens at Christmas. But beware of illegal sources! Freshly on the market: a fake torrent of the Leonardo DiCaprio film "One Battle After Another". Included free of charge: the spyware Agent Tesla.

    More: maniabel.work/archiv/783

    #SpyTool #AgentTesla #windows #PowerShellScript #infosec #infosecnews #BeDiS

  4. 2025-01-09 (Thursday):

    #CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

  5. 2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.

    It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approximately every 10 minutes.

    As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:

    PW = login credentials harvested from the infected Windows host (passwords)

    CO = cookies and other data from web browsers on the infected host

    KL = Keylogger data from any collected keystrokes on the infected host.

    Attached disk image file: bazaar.abuse.ch/sample/7a11d2d

    Extracted AgentTesla EXE: bazaar.abuse.ch/sample/2362b4a
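As an added example that is not part of the post above: a detection-side script that parses FTP control-channel log lines, classifies STOR uploads by the PW/CO/KL file-name prefixes the post describes, and checks whether uploads to one server recur on the roughly ten-minute cadence mentioned. The log format, host names and file names are constructed for this example; only the prefixes and the cadence come from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Two-letter prefixes from the post: the kind of data in each uploaded file.
EXFIL_KINDS = {"PW": "credentials", "CO": "browser cookies", "KL": "keylogger data"}

# Constructed FTP control-channel log (not from the post): timestamp, client, server:port, command.
SAMPLE_LOG = """\
2024-11-25 14:00:03 10.0.0.25 203.0.113.7:21 USER upload
2024-11-25 14:00:04 10.0.0.25 203.0.113.7:21 STOR PW_DESKTOP-A1_user_2024_11_25_14_00.html
2024-11-25 14:00:05 10.0.0.25 203.0.113.7:21 STOR CO_DESKTOP-A1_user_2024_11_25_14_00.html
2024-11-25 14:10:06 10.0.0.25 203.0.113.7:21 STOR KL_DESKTOP-A1_user_2024_11_25_14_10.html
2024-11-25 14:20:07 10.0.0.25 203.0.113.7:21 STOR KL_DESKTOP-A1_user_2024_11_25_14_20.html
2024-11-25 14:21:00 10.0.0.40 198.51.100.9:21 STOR quarterly_report.pdf
"""
STOR_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) STOR (?P<name>\S+)$")


def classify_stor(line: str):
    """(timestamp, src, dst, kind) for a STOR whose file name starts with PW_/CO_/KL_, else None."""
    m = STOR_RE.match(line)
    if not m or m["name"][:2] not in EXFIL_KINDS or m["name"][2:3] != "_":
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], EXFIL_KINDS[m["name"][:2]]


def summarize(log: str, beacon_minutes: int = 10, tolerance_s: int = 60) -> dict:
    """Per (src, dst): a Counter of data kinds uploaded and whether the uploads recur on
    the roughly ten-minute cadence the post describes."""
    by_pair = {}
    for line in log.splitlines():
        hit = classify_stor(line)
        if hit is None:
            continue
        ts, src, dst, kind = hit
        entry = by_pair.setdefault((src, dst), {"kinds": Counter(), "times": []})
        entry["kinds"][kind] += 1
        entry["times"].append(ts)
    for entry in by_pair.values():
        # Collapse to distinct minutes so PW and CO sent in one burst count as a single beacon.
        minutes = sorted({t.replace(second=0) for t in entry["times"]})
        gaps = [(b - a).total_seconds() for a, b in zip(minutes, minutes[1:])]
        entry["periodic"] = bool(gaps) and all(abs(g - beacon_minutes * 60) <= tolerance_s for g in gaps)
    return by_pair


if __name__ == "__main__":
    for pair, entry in summarize(SAMPLE_LOG).items():
        print(pair, dict(entry["kinds"]), "periodic" if entry["periodic"] else "irregular")
```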

  6. CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.

    #Lumma #GootLoader #AgentTesla #RURAT #Remcos #RedLine #BackConnect

  7. #Malware campaigns #Italy Week 29

    ☠️💣🔥👻
    #AgentTesla: Ordine (Order)
    #Formbook: Offerta (Offer)
    #GuLoader: Fattura Elettronica (Electronic Invoice)
    #Remcos: Bank
    #Lokibot: Delivery
    #SmokeLoader: Pagamenti (Payments)
    #Irata: Malware APK
    #RedLine: Offerta (Offer)
    #Neshta: Ordine (Order)
    #Ousaban: Processo (Proceedings)
    #SnakeKeylogger: Fattura (Invoice)

    #mwitaly

  8. Today in our section on "unconventional #Malware delivery": #ARJ archives! 📦
    ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. #AgentTesla, #Formbook or #Guloader

    You can recognize ARJ archives by their Magic: 60 EA
    Extraction can be handled with 7zip for example.
    For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

    As an example we dug up a #Lokibot sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
    To fool the victims into opening the next file they used the common #doubleExtension trick, e.g. .pdf.exe

    IoC for those playing along at home:

    #infosec #cybersecurity #blueteam
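As an added example that is not part of the post above: a small Python triage helper that recognizes ARJ containers by the 60 EA magic the post mentions (with a sanity check on the basic header size field that follows it, per the ARJ format limit of 2600 bytes) and flags the document-then-executable double-extension lure (.pdf.exe) described in the delivery chain. The extension sets and the sample file names and headers are assumptions constructed for this example.

```python
import struct
from typing import Optional, Tuple

ARJ_MAGIC = b"\x60\xea"       # from the post: ARJ archives start with the bytes 60 EA
ARJ_MAX_BASIC_HEADER = 2600   # upper bound the ARJ format places on the basic header size

# A document-like extension right in front of an executable one is the double-extension
# lure the post describes (.pdf.exe). Both sets are assumptions chosen for this example.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def is_arj(data: bytes) -> bool:
    """True if data begins with an ARJ main header: the 60 EA magic followed by a
    little-endian basic header size that is non-zero (zero marks end of archive) and <= 2600."""
    if len(data) < 4 or data[:2] != ARJ_MAGIC:
        return False
    (basic_header_size,) = struct.unpack("<H", data[2:4])
    return 0 < basic_header_size <= ARJ_MAX_BASIC_HEADER


def double_extension(filename: str) -> Optional[Tuple[str, str]]:
    """(decoy_ext, real_ext) for names like INVOICE.PDF.exe, else None; case-insensitive,
    since Windows treats .PDF.exe and .pdf.EXE alike."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    decoy, real = parts[1], parts[2]
    return (decoy, real) if decoy in DOCUMENT_EXTS and real in EXECUTABLE_EXTS else None


def triage(filename: str, head: bytes) -> list:
    """Findings for one file from its name and leading bytes."""
    findings = []
    if is_arj(head):
        findings.append("arj-container")
    elif filename.lower().endswith(".arj"):
        findings.append("arj-extension-without-arj-magic")
    ext = double_extension(filename)
    if ext:
        findings.append(f"double-extension:{ext[0]}.{ext[1]}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a minimal ARJ header and an MZ stub carrying a decoy .PDF extension.
    arj_head = ARJ_MAGIC + struct.pack("<H", 0x2C) + b"\x00" * 8
    print(triage("PO_Payment.eml.arj", arj_head))            # ['arj-container']
    print(triage("SHIPPING_EXPORT.PDF.exe", b"MZ\x90\x00"))  # ['double-extension:pdf.exe']
```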