Agent Tesla

The Italian campaigns analyzed by the TG Soft C.R.A.M. were grouped according to macro categories, obtained from the subject of the email message used for malware distribution (malspam).

24/11/2025 AgentTesla - spread through a campaign themed "Payments". 25/11/2025 AgentTesla - spread through a campaign themed "Orders". 27/11/2025 Downloader - spread through a campaign themed "Orders". 28/11/2025 PhantomStealer - spread through a campaign themed "Payments".

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

This URI leads to an HTA file, used to download and start a Windows executable (dferfgwergca.exe), using the class System.Net.WebClient and the powershell cmdlet Start-Process.

This document exploits the CVE-2017-0199... An OLE object is used to retrieve a RTF document (u2qe.doc) from an external source.

The samples that ranked first this week are Script files with 38.23%. In second place are MSIL executable files with 23.53%. In third place are Office documents (Word, Excel, PowerPoint) with 17.65%.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Agent Tesla can inject into known, vulnerable binaries on targeted hosts.

Examples include 'adds Registry Run keys to establish persistence', 'creates a shortcut in the Startup folder', and 'RunOnce Registry key to run itself on safe mode.'

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'

This .NET executable has been obfuscated by a tool which implements several obfuscation tricks such as symbol renaming, control flow flattening and usage of .NET reflection.

Agent Tesla can inject into known, vulnerable binaries on targeted hosts.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.

Agent Tesla has created hidden folders.

This dropper uses injection type 'Reflection' (6), rather injection type 'Browser' (5)...

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Key-logger mechanism may also be embedded, in order to grab additional credentials...

Agent Tesla has the ability to extract credentials from the Registry.

They are often designed to extract saved password stored within browsers, instant messaging applications, FTP clients and many more.

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

Agent Tesla can collect names and passwords of all Wi-Fi networks to which a device has previously connected.

Agent Tesla can collect the username from the victim’s machine.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.

Key-logger mechanism may also be embedded, in order to grab additional credentials...

In their article, they described the overall behavior of the final stage, including: The key-logger and screenshot mechanism

Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.

In this sample, a dedicated function is used to encrypt the keys/values parameter string, using 3-DES in CBC mode... Although all the code related to HTTP C&C communication is embedded within the sample, it isn't used.

In this sample, SMTP is indeed used rather than HTTP... to send e-mail containing data gathered from infected computers.

This URI leads to an HTA file, used to download and start a Windows executable (dferfgwergca.exe)...

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.