Researchers detailed a phishing-led Agent Tesla infection chain that starts with a payment-receipt-themed email attachment and escalates through several scripted stages to a credential-stealing payload. The campaign does not use the older Office exploit techniques seen in earlier Agent Tesla waves (CVE-2017-11882, CVE-2017-0199, CVE-2018-0802); it instead relies on heavily obfuscated Batch and PowerShell loaders to launch payloads in memory, run hidden scripts, and establish persistence, leaving little on disk for file-based defenses to inspect.
The final VB.NET payload runs anti-debugging, anti-sandbox, and anti-VM checks before performing process hollowing into a legitimate Windows binary such as charmap.exe. Once active, Agent Tesla steals browser credentials, cookies, autofill data, keystrokes, and screenshots, then exfiltrates the data over channels including SMTP, FTP, and Telegram bots. The chain shows how fileless execution and in-memory process injection have become standard in commodity malware campaigns.
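The behaviours in the summary above (a hidden, encoded PowerShell loader; a process-hollowing target such as charmap.exe spawned by a script host; that same target then talking to a mail, FTP or Telegram endpoint) map directly onto process-creation and network-connection telemetry. The following detection heuristics are an added example, not code from the report or from Point Wild, run over constructed Sysmon-style events. The event shape, the parent-process list, the exfiltration port list and the Telegram host are assumptions chosen for illustration; tune them to your own telemetry.

```python
"""Heuristics for the Agent Tesla tradecraft described above, run over
constructed Sysmon-style events (added example; the events are made up)."""
import re
from ntpath import basename  # basename() for Windows paths, works on any host OS

# Assumptions, not values from the report: the hollowing target list, the
# script hosts that should never be a parent of it, and the exfil ports.
HOLLOW_TARGETS = {"charmap.exe"}  # the report names charmap.exe; extend as needed
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
EXFIL_PORTS = {25, 465, 587, 21}  # SMTP, SMTPS, submission, FTP control
TELEGRAM_API = "api.telegram.org"  # Telegram bot API host (assumed to appear in dest_host)

# PowerShell launched with an encoded command AND a hidden window.
_ENCODED = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
_HIDDEN = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")

# Constructed sample events (simplified Sysmon shape: event 1 = process
# creation, event 3 = network connection). Not real telemetry.
SAMPLE_EVENTS = [
    {"event": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\receipt.bat"'},
    {"event": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3..."},
    {"event": 1, "image": r"C:\Windows\System32\charmap.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "charmap.exe"},
    {"event": 3, "image": r"C:\Windows\System32\charmap.exe",
     "dest_ip": "203.0.113.10", "dest_port": 587, "dest_host": "mail.example.net"},
    # Benign: a user opened Character Map from the shell; no network activity.
    {"event": 1, "image": r"C:\Windows\System32\charmap.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "charmap.exe"},
]


def detect(events):
    """Return a list of findings; each names the rule that fired and its evidence."""
    findings = []
    for ev in events:
        img = basename(ev.get("image", "")).lower()
        if ev.get("event") == 1:
            parent = basename(ev.get("parent", "")).lower()
            cmd = ev.get("cmdline", "")
            # Hollowing target started by a script host instead of the shell.
            if img in HOLLOW_TARGETS and parent in SCRIPT_HOSTS:
                findings.append({"rule": "hollow_target_from_script_host",
                                 "image": img, "parent": parent})
            # Obfuscated loader: encoded command with a hidden window.
            if img in ("powershell.exe", "pwsh.exe") and _ENCODED.search(cmd) \
                    and _HIDDEN.search(cmd):
                findings.append({"rule": "hidden_encoded_powershell",
                                 "image": img, "cmdline": cmd})
        elif ev.get("event") == 3 and img in HOLLOW_TARGETS:
            # charmap.exe has no reason to open sockets at all; a mail/FTP
            # port or the Telegram API raises the severity further.
            port = ev.get("dest_port")
            host = ev.get("dest_host", "")
            sev = "high" if port in EXFIL_PORTS or host.endswith(TELEGRAM_API) else "medium"
            findings.append({"rule": "hollow_target_network", "image": img,
                             "dest": f"{host or ev.get('dest_ip')}:{port}",
                             "severity": sev})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The three rules are deliberately independent so that a partial view (process creation only, or network only) still yields a signal; correlating them on the same host within a short window is what turns a medium-confidence hit into an incident. A hollowed process keeps the image path of the host binary, so the parent/child and network anomalies are the observable, not the file on disk.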

Point Wild published analysis of a recently observed Agent Tesla phishing campaign that used a payment-receipt-themed lure, obfuscated Batch and PowerShell loaders, in-memory execution, persistence, and process hollowing into a legitimate process. The report also described anti-debugging and anti-VM checks and theft of credentials, cookies, keystrokes, screenshots, and other data for exfiltration.