A newly uncovered phishing campaign is delivering Agent Tesla, one of the most widely used credential-stealing malware families, through a multi-stage attack chain that leaves almost no trace on a victim’s machine.
The campaign uses business-themed phishing emails, obfuscated scripts, and in-memory execution to silently harvest sensitive data from Windows users.
With its ability to run entirely in memory and evade security tools, this campaign shows how commercially available malware can become a serious threat in skilled hands.
Agent Tesla has been active since at least 2014 and remains a staple for cybercriminals due to its Malware-as-a-Service model, which lets even low-skilled attackers deploy it without building anything from scratch.
It steals browser credentials, captures keystrokes, extracts email account details, and sends that data quietly to an attacker-controlled server. Despite being well-known, it keeps updating its delivery methods to stay ahead of traditional defenses.
Fortinet researchers identified this latest campaign and noted that what makes it especially dangerous is not the malware itself but the layered pipeline built to deliver it.
The attack chain passes through multiple stages, each designed to bypass detection at a different point — from the first phishing email to the final payload running entirely in memory.
This level of planning shows the attackers understand how endpoint tools work and deliberately built the chain to avoid them.
The campaign starts with a phishing email posing as a business inquiry, with a subject line like “New Purchase Order PO0172.” Attached is a RAR archive (PO0172.rar) containing an obfuscated JScript Encoded file (PO0172.jse).
Using a .jse file rather than an executable is intentional: many mail gateways block .exe or .bat attachments but let script files through, and a double-clicked .jse is run by the Windows Script Host (wscript.exe) with no further prompt. Once the victim opens it, the rest of the chain proceeds without any further input.
Phishing email with RAR attachment containing PO0172.jse (Source – Fortinet)
Stolen data is ultimately exfiltrated over SMTP to an attacker-controlled mail server at mail[.]taikei-rmc-co[.]biz. The full chain is: Email → RAR attachment → JScript loader (.jse) → PowerShell (downloaded) → PowerShell (in-memory) → .NET loader (in-memory) → .NET Agent Tesla payload (in-memory).
Inside the Attack: Memory Execution and Evasion
The most refined aspect of this campaign is how it moves from a simple script to a running payload without writing anything to disk.
After the JSE file runs, it fetches a PowerShell script from catbox[.]moe, a public file-hosting service. That script carries an AES-CBC decryption routine, Invoke-AESDecryption, using PKCS7 padding, and uses it to decrypt the next stage and execute it directly in memory.
From this point on the chain stays in memory: apart from the archive and the .jse loader, nothing needs to be written to disk, so file-scanning alone never sees the PowerShell stages, the .NET loader, or the Agent Tesla payload.
The second-stage PowerShell script performs process hollowing on aspnet_compiler.exe, a Microsoft-signed .NET utility found at C:\Windows\Microsoft.NET\Framework\v4.0.30319.
It launches this process in a suspended state, unmaps the original image from the process, writes the Agent Tesla payload in its place, and resumes execution. Because the malware now runs under the name and signature of a trusted binary, defenses that judge a process by its image path or signature will not flag it; only inspection of the process’s memory reveals that it no longer matches the image on disk.
Before collecting data, Agent Tesla checks its environment to confirm it is not being analyzed. It queries WMI to detect VMware, VirtualBox, or Hyper-V, and checks for the presence of sandbox- and AV-related DLLs such as snxhk.dll (Avast), SbieDll.dll (Sandboxie), and cmdvrt32.dll (Comodo).
If any are found, it may exit entirely so that its infrastructure stays hidden from analysts. Once clear, it harvests browser cookies, saved credentials, and contacts, packages them as text files, and sends them out via SMTP.
Security teams should block script-based email attachments such as .jse and .js files at the gateway, including when they are nested inside archives like RAR, and restrict PowerShell through policy (Constrained Language Mode, AppLocker or WDAC, and script block logging). The PowerShell execution policy on its own is not a security boundary; loaders routinely pass -ExecutionPolicy Bypass. Reassigning the .jse and .js file associations from the Windows Script Host to a text editor removes the one-click execution path.
Endpoint tools that detect memory-based injection and process hollowing are critical for catching threats that avoid disk writes. Outbound SMTP from endpoints (TCP 25, 465, 587) to anything other than the organization’s own mail servers should be blocked or alerted on; a .NET build tool speaking SMTP is a strong signal of exfiltration.
Regular phishing awareness training for employees remains one of the most reliable defenses against social engineering campaigns like this one.
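The chain described above (script host → PowerShell → hollowed aspnet_compiler.exe → SMTP egress) can be turned into a set of simple detections over process-creation and network telemetry. The following is an added example written for this page, not code from Fortinet or from the campaign: it runs four rules over constructed Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection) modelled on the stages the article names. The field names follow Sysmon’s schema; the sample paths, user name, command lines and the SMTP port 587 are assumptions for illustration, and the allow-list of parents for aspnet_compiler.exe is a starting point to tune, not a definitive list.

```python
from __future__ import annotations

import ntpath
import re

# Constructed sample telemetry (not real logs from the campaign). ntpath is used
# so the Windows paths parse correctly on any platform.
SAMPLE_EVENTS = [
    # Stage 1: victim opens PO0172.jse from the extracted archive
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PO0172.jse"',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    # Stage 2: the JScript loader launches PowerShell (command line assumed)
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c ...",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Stage 3: PowerShell starts aspnet_compiler.exe to hollow it
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": "aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Stage 4: the hollowed process exfiltrates over SMTP (port assumed)
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "DestinationPort": 587, "DestinationHostname": "mail.taikei-rmc-co.biz"},
    # Benign noise: a build server invoking aspnet_compiler.exe from MSBuild
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r"aspnet_compiler.exe -v / -p C:\src\site",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

SMTP_PORTS = {25, 465, 587}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions handled by the Windows Script Host
SCRIPT_EXT = re.compile(r"\.(jse?|vbe?|wsf)\b", re.IGNORECASE)
# User-writable locations where mail attachments typically land
USER_PATHS = re.compile(r"\\(Downloads|Temp|AppData|Desktop)\\", re.IGNORECASE)
# Assumed allow-list of parents that legitimately launch aspnet_compiler.exe
ASPNET_OK_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe"}

# The four rules, in the order the stages occur in the chain
CHAIN = [
    "script_host_from_user_dir",
    "powershell_spawned_by_script_host",
    "aspnet_compiler_unusual_parent",
    "aspnet_compiler_smtp_egress",
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event triggers."""
    hits: list[str] = []
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")

    if ev["EventID"] == 1:
        # WSH running a script straight out of a user-writable directory
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_PATHS.search(cmd):
            hits.append("script_host_from_user_dir")
        # PowerShell is rarely a legitimate child of the script host
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("powershell_spawned_by_script_host")
        # aspnet_compiler.exe launched by anything but a build tool
        if image == "aspnet_compiler.exe" and parent not in ASPNET_OK_PARENTS:
            hits.append("aspnet_compiler_unusual_parent")
    elif ev["EventID"] == 3:
        # A .NET build utility has no reason to speak SMTP
        if image == "aspnet_compiler.exe" and ev.get("DestinationPort") in SMTP_PORTS:
            hits.append("aspnet_compiler_smtp_egress")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


def stages_observed(events: list[dict]) -> list[str]:
    """Which stages of the delivery chain were seen, in chain order."""
    seen = {hit for _, hit in detect(events)}
    return [stage for stage in CHAIN if stage in seen]


def full_chain_observed(events: list[dict]) -> bool:
    """True when all four stages are present: high-confidence, escalate immediately."""
    return stages_observed(events) == CHAIN


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("full chain:", full_chain_observed(SAMPLE_EVENTS))
```

Each rule fires on its own, but the correlation in full_chain_observed is what turns four medium-confidence signals into a single high-confidence incident; the MSBuild record shows why the parent allow-list matters, since aspnet_compiler.exe is legitimate on developer and build machines.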