After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge – Source:hackread.com https://ciso2ciso.com/fakeupdates-remcos-agenttesla-top-malware-charts-in-stealth-attack-surge-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Hackread #security #malware #Remcos

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge https://hackread.com/fakeupdates-remcos-agenttesla-malware-attack-charts/ #Cybersecurity #CyberAttack #FakeUpdates #AgentTesla #Security #Malware #Remcos

2025-02-12 (Wed): #VIP_Recovery (an #AgentTesla variant) from Brazil #malspam --> zip attachment --> extracted EXE.

File name: Factura Gastos.exe

Email accounts for data exfiltration: antonipont@grupobdb[.]com --> cludsewe3@gmail[.]com

EXE available at: https://bazaar.abuse.ch/sample/c7620ccaf9c2d47ba08cf85e65e55ea974f8887e18d96574a1aa63f09e836451/

2025-02-07 (Friday): Today's boring example of #malpsam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174

2025-01-31 (Friday): Two pcaps with traffic of #AgentTesla-style data exfil.

One #pcap has FTP exfil, while the other pcap is "VIP Recovery" and has SMTP exfil.

Pcaps available at https://www.malware-traffic-analysis.net/2025/01/31/index.html

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack – Source:hackread.com https://ciso2ciso.com/new-tornet-backdoor-exploits-tor-network-in-advanced-phishing-attack-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #PhishingScam #CyberAttack #AgentTesla #backdoor #Hackread #Phishing #security #Germany #malware #Poland #TorNet #Tor

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack https://hackread.com/tornet-backdoor-exploits-tor-network-phishing-attack/ #Cybersecurity #Vulnerability #PhishingScam #CyberAttack #AgentTesla #Security #backdoor #Phishing #Malware #Germany #Poland #TorNet #Tor

2025-01-09 (Thursday):

#CVE-2017-0199 Excel (#XLS) file --> #HTA --> #VBS --> #steganography --> #DBatLoader or #GuLoader style malware for #AgentTesla. Data exfil over FTP. A #pcap from an infection, the associated malware, and more info available at www.malware-traffic-analysis.net/2025/01/09/index.html

2024-12-04 (Wednesday): #AgentTesla variant using FTP for data exfiltration.

Don't know if this is OriginLogger Snake (Key) Logger, VIP Recovery/VIP Key Logger, but it's a variant of AgentTesla.

I've posted a sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated #malware samples, and a list of indicators at https://www.malware-traffic-analysis.net/2024/12/04/index.html

2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.

It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approx every 10 minutes.

As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:

PW = login credentials harvested from the infected windows host (passwords)

CO = cookies and other data from web browsers on the infected host

KL = Keylogger data from any collected keystrokes on the infected host.

Attached disk image file: https://bazaar.abuse.ch/sample/7a11d2d4ea5b0bf486c6e6695ff919e58aa54babb77061f4bbfe476ce1ec1738

Extracted AgentTesla EXE: https://bazaar.abuse.ch/sample/2362b4a5329f506af677d1e4cac2b92da252afdf4842bf4e8796b43c4ccb6714

CapLoader wasn’t designed as an alternative to a traditional NIDS, but the Alerts tab often gives a VERY good overview of the malicious traffic. Here’s a screenshot of CapLoader’s alerts for some recent PCAP files from malware-traffic-analysis.net.

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware https://gbhackers.com/horus-protector-malware/ #CyberSecurityNews #HorusProtector #CyberAttack #agenttesla #VBEScript #Malware

Campagne #Malware #Italy Week 29

#AgentTesla: Ordine
#Formbook: Offerta
#GuLoader: Fattura Elettronica
#Remcos: Bank
#Lokibot: Delivery
#SmokeLoader: Pagamenti
#Irata: Malware APK
#RedLine: Offerta
#Neshta: Ordine
#Ousaban: Processo
#SnakeKeylogger: Fattura

Found this user on the @internetarchive hosting images with embedded base64 encoded #malware between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download an inject the next stage payload into another process. The campaign I observed involved #RemcosRAT

User page: https://archive.org/details/@nodetectonn
Remcos: hxxps://petshopsirena[.]mk/a.txt
#c2 : 45.95.169[.]135:2404

I found samples dropping others such as #agenttesla and #formbook as well.

Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals.

https://hackread.com/phishing-campaign-stealthy-jpgs-drop-agent-tesla/

New Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla https://hackread.com/phishing-campaign-stealthy-jpgs-drop-agent-tesla/ #Cybersecurity #PhishingScam #CyberAttack #AgentTesla #Security #Phishing #Malware #Windows #Scam

Belarusian Government-Linked Threat Actor ‘UNC1151’ Targets Ukraine’s Ministry of Defense https://thecyberexpress.com/unc1151-targets-ukraine-ministry-of-defense/ #UkrainesMinistryofDefence #TheCyberExpressNews #CybersecurityNews #cybersecuritynews #CRILresearchers #TheCyberExpress #FirewallDaily #cybersecurity #ThreatActors #cobaltstrike #AgentTesla #Phishing #njRAT #CRIL

Foxit PDF Exploit: Ein unbedachter Klick löst Angriffskette aus
#ITSicherheit #AgentTesla #DoNotTeam #Exploid #FOXITPDF #FoxitReader #pdf https://sc.tarnkappe.info/17d3b6

AgentTesla sempre più evasivo. L’utilizzo del CLR .NET consente attacchi fileless

Nell’ambito della recente campagna #malware #AgentTesla, discussa in dettaglio da #SonicWall, gli aggressori hanno utilizzato #macro #VBA nei documenti #Word per eseguire un #attacco fileless #injection, in cui il #payload dannoso viene caricato direttamente nella #RAM del computer.

#redhotcyber #online #it #ai #hacking #innovation #privacy #cybersecurity #technology #engineering #cybercrime #intelligence #intelligenzaartificiale #informationsecurity #ethicalhacking #dataprotection #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #infosecurity

https://www.redhotcyber.com/post/agenttesla-sempre-piu-evasivo-lutilizzo-del-clr-net-consente-attacchi-fileless/