After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

2025-02-07 (Friday): Today's boring example of #malpsam pushing #GuLoader for #AgentTesla style malware. EXE of this malware available at https://bazaar.abuse.ch/sample/833aae0bc34e211145371b619b7c542864e9f864e26de1690fd2f6be76fcb174

2024-12-04 (Wednesday): #AgentTesla variant using FTP for data exfiltration.

Don't know if this is OriginLogger Snake (Key) Logger, VIP Recovery/VIP Key Logger, but it's a variant of AgentTesla.

I've posted a sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated #malware samples, and a list of indicators at https://www.malware-traffic-analysis.net/2024/12/04/index.html

2024-11-25 (Monday): I love it when criminals email malware directly to my inbox. This one is #AgentTesla (or #OriginLogger or whatever it's called now) using FTP for data exfiltration.

It sends harvested login credentials, browser cookies and keylogger data to an FTP server at ftp.ercolina-usa[.]com approx every 10 minutes.

As noted in one of the images, two-letter indicators in the file names indicate the type of exfiltrated data:

PW = login credentials harvested from the infected windows host (passwords)

CO = cookies and other data from web browsers on the infected host

KL = Keylogger data from any collected keystrokes on the infected host.

Attached disk image file: https://bazaar.abuse.ch/sample/7a11d2d4ea5b0bf486c6e6695ff919e58aa54babb77061f4bbfe476ce1ec1738

Extracted AgentTesla EXE: https://bazaar.abuse.ch/sample/2362b4a5329f506af677d1e4cac2b92da252afdf4842bf4e8796b43c4ccb6714

Found this user on the @internetarchive hosting images with embedded base64 encoded #malware between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download an inject the next stage payload into another process. The campaign I observed involved #RemcosRAT

User page: https://archive.org/details/@nodetectonn
Remcos: hxxps://petshopsirena[.]mk/a.txt
#c2 : 45.95.169[.]135:2404

I found samples dropping others such as #agenttesla and #formbook as well.

AgentTesla sempre più evasivo. L’utilizzo del CLR .NET consente attacchi fileless

Nell’ambito della recente campagna #malware #AgentTesla, discussa in dettaglio da #SonicWall, gli aggressori hanno utilizzato #macro #VBA nei documenti #Word per eseguire un #attacco fileless #injection, in cui il #payload dannoso viene caricato direttamente nella #RAM del computer.

#redhotcyber #online #it #ai #hacking #innovation #privacy #cybersecurity #technology #engineering #cybercrime #intelligence #intelligenzaartificiale #informationsecurity #ethicalhacking #dataprotection #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #infosecurity

https://www.redhotcyber.com/post/agenttesla-sempre-piu-evasivo-lutilizzo-del-clr-net-consente-attacchi-fileless/

RHC da Vita all’Operazione Pollicino: alla caccia di Agent Tesla

In questo articolo andremo ad analizzare come funziona un #infostealer, nello specifico #AgentTesla, un #malware che ha come obiettivo la sottrazione di #dati sensibili come #password, contatti mail ed accessi vari.

#redhotcyber #online #it #ai #hacking #innovation #privacy #cybersecurity #technology #engineering #cybercrime #intelligence #intelligenzaartificiale #informationsecurity #ethicalhacking #dataprotection #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #infosecurity

https://www.redhotcyber.com/post/rhc-da-vita-alloperazione-pollicino-alla-caccia-di-agent-tesla/

@xme of SANS ISC provides a case study on a malicious PDF linked to AgentTesla, communicates using Telegram for C2. YARA rule and IOC provided. https://isc.sans.edu/diary/rss/30848

Check Point Research (CPR) was able to track down cybercrime actors conducting AgentTesla campaigns against Australian and American organizations in November 2023. This was used to predict and prevent occurring and future campaigns from these actors. CPR describes the campaigns, their identification of the actors, and also provides IOC. https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/

Here's some data analysis on the victims of the popular infostealer #AgentTesla aka #OriginLogger https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims

2023-01-02 (Monday): from info I posted at https://twitter.com/malware_traffic/status/1609964048824647681

This is the first malware sample I've looked into for 2023!

#SnakeTracker sample at https://bazaar.abuse.ch/sample/c0e8dcf4096de51fec0709a1e6778923be7f5320389e38cf6b93965ef4daa904

Interesting (to me) data exfiltration over SMTP, similar to what I've seen before with #AgentTesla, but this looks specific to the #SnakeTracker family.

Malware Bazaar tagged this as #SnakeKeyLogger, but I didn't let this run long enough to get any actual keylogging. Based on what I'm seeing, it calls itself "Snake Tracker" instead of Snake Key Logger.

#AgentTesla uses sysinternals vulnerable driver (procexp)

9d0cd2b1f470af7bba55345850c4f2b24ba96b9c4c361e4ff75c14a72bb3e7de

driver hash 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c