Phishing‑Led Agent Tesla Campaign Uses Process Hollowing and Anti‑Analysis to Evade Detection


Agent Tesla continues to cement its status as one of the most persistent remote access trojans (RATs) in the global threat landscape.

Known for its data‑stealing capabilities and extensive distribution network, this malware remains a weapon of choice for low‑skilled cybercriminals seeking sophisticated results.

The latest variant follows a multi‑stage delivery sequence involving several fileless and in‑memory techniques:

Email → RAR attachment → JScript loader (.jse) → PowerShell (downloaded) → PowerShell (in‑memory execution) → .NET loader (in‑memory) → Agent Tesla payload (.NET, in‑memory)

This chain demonstrates the emphasis on memory‑based execution and the absence of persistent filesystem artifacts, complicating traditional detection methods.

A recent campaign highlights how the threat actors behind Agent Tesla have refined their tactics through a blend of phishing, encrypted scripting, and advanced evasion techniques.

Phishing‑Led Agent Tesla Campaign

Stage 1: Phishing Entry Point

The infection begins with a deceptive business email crafted to appear as a purchase inquiry.

  • Lure: A subject line such as “New purchase order PO0172” lends the email urgency and apparent legitimacy.
  • Attachment: The enclosed PO0172.rar archive conceals an obfuscated JSE file rather than an executable, helping it bypass email security filters.
  • Execution: Once launched, the script initiates the next phase hidden behind layers of encoding.

Stage 2: Encrypted Script Evasion

Upon execution, the JavaScript‑encoded loader connects to the external hosting site catbox[.]moe to fetch a secondary PowerShell script.

This downloaded script remains AES‑encrypted until decrypted directly in memory using a custom Invoke‑AESDecryption routine.

AES Decryption in Memory (Source: Fortinet).

By avoiding disk writes, it leaves virtually no trace for forensic or endpoint detection tools to analyze. The decrypted payload then prepares the environment for process hollowing, one of the stealthiest tactics in the malware’s arsenal.

Stage 3: In‑Memory Process Hollowing

Next, the PowerShell script initiates process hollowing by targeting a legitimate Windows process:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe

Two Base64‑encoded assemblies are injected into the process after it is launched in a suspended state.

In-Memory Execution via Process Hollowing (Source: Fortinet).

The legitimate code is removed (“hollowed out”) and replaced with Agent Tesla’s malicious payload. As a result, the malware operates under the guise of a trusted Windows component, effectively concealing its activity from behavioral monitoring solutions.
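The delivery chain described in Stages 1 to 3 (archive → .jse script host → PowerShell → Aspnet_compiler.exe) leaves process-creation telemetry even when the payload itself never touches disk. The following detection logic is an added example written for this article, not code from Fortinet or from the campaign; it runs three hypothetical rules over constructed Sysmon-style events, and the assumption that a legitimately invoked Aspnet_compiler.exe carries build arguments is mine.

```python
import re

# Constructed Sysmon Event ID 1-style records (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Rar$DIa1.234\PO0172.jse"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c ..."},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"'},
    # Benign control: the compiler run by a build tool with its normal arguments.
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'aspnet_compiler.exe -v / -p "C:\src\site" "C:\build\site"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# WinRAR and 7-Zip extract double-clicked archive members under %TEMP%\Rar$... or %TEMP%\7z...
ARCHIVE_TEMP = re.compile(r"\\Temp\\(Rar\$|7z)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the hypothetical rules a single event matches."""
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    # Rule 1: script host running a .js/.jse file straight out of an archive extraction dir.
    if image in SCRIPT_HOSTS and re.search(r'\.jse?"?(\s|$)', cmd, re.I) and ARCHIVE_TEMP.search(cmd):
        hits.append("jse_loader_from_archive")
    # Rule 2: PowerShell spawned by a script host (the .jse -> PowerShell hop).
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")
    # Rule 3: Aspnet_compiler.exe started by PowerShell with no arguments at all, which fits
    # a suspended hollowing target rather than a real build (assumption: builds pass args).
    no_args = cmd.strip().strip('"').lower().endswith("aspnet_compiler.exe")
    if image == "aspnet_compiler.exe" and parent == "powershell.exe" and no_args:
        hits.append("aspnet_compiler_hollow_target")
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every match in a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

Any one rule on its own is noisy; the value is in the three firing in sequence on the same host within a short window, which is the shape of the chain this article describes.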

Stage 4: Anti‑Analysis and Environment Checks

Before performing data theft, the malware runs multiple sanity checks to identify whether it is being examined in a virtual or sandboxed environment.

It queries WMI for virtualization strings such as “VMware,” “VirtualBox,” or “Microsoft Corporation.” It also scans for known sandbox and security DLLs, including snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo).

Anti-Analysis—The Final “Sanity Checks” (Source: Fortinet).

If these indicators are detected, the malware halts execution, ensuring its C2 capabilities remain undiscovered by researchers.

Stage 5: Data Theft and C2 Communication

With its environment verified, Agent Tesla begins harvesting credentials and system data. It extracts browser cookies and account details, collecting hostnames, expiry timestamps, and associated security flags.

Credential Harvesting (Source: Fortinet).

Additional stolen data, often stored as text files, is transmitted out via SMTP to attacker‑controlled mail servers such as mail[.]taikei-rmc-co[.]biz.

Researchers noted several bounced messages from the same domain, suggesting large‑scale exfiltration attempts.

This phishing‑led Agent Tesla campaign underscores how even well‑known malware continues to evolve through modularity and stealth.

By adopting process hollowing, encrypted scripts, and anti‑analysis checks, it effectively mimics the behavior of advanced persistent threats.

Despite relying on simple delivery methods, its in‑memory execution chain and layered evasion make it exceptionally difficult to detect, keeping Agent Tesla firmly positioned as a dominant player in the modern cybercrime ecosystem.
