Date: 02/26/2026
Severity: Medium
Summary
Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign examines how Agent Tesla continues to pose a significant threat by enabling even low-skilled actors to steal sensitive information through a refined and layered infection process. The analyzed campaign leverages phishing emails, heavily obfuscated and encrypted scripts, and advanced in-memory execution techniques designed to evade detection, highlighting the malware’s persistence and evolving delivery sophistication.
Indicators of Compromise (IOC) List
URLs/Domain:
https://files.catbox.moe/2x0j75.ps1
mail.taikei-rmc-co.biz
SHA-256 hashes (hex, case-insensitive):
CC2B26BBCBAA2D0593E15A45734FE3FD940451FC7290D49BC841C496B906A9C1
83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54
30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278
B133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators): domainname like "mail.taikei-rmc-co.biz" or siteurl like "mail.taikei-rmc-co.biz" or url like "mail.taikei-rmc-co.biz" or domainname like "files.catbox.moe" or siteurl like "https://files.catbox.moe/2x0j75.ps1" or url like "https://files.catbox.moe/2x0j75.ps1"
Note: a domain-name field never contains a full URL, so the catbox indicator is matched by host ("files.catbox.moe") in domainname and by the full URL in siteurl/url. files.catbox.moe is a public file-hosting service, so a host-only hit is weaker evidence than the exact .ps1 path and should be triaged rather than blocked outright.
Detection Query 2 (file hashes): sha256hash IN ("B133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88","CC2B26BBCBAA2D0593E15A45734FE3FD940451FC7290D49BC841C496B906A9C1","83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54","30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278")
Note: an IN list is an exact string comparison in most query engines. The values above are normalized to uppercase; if your sha256hash field is stored in lowercase, lowercase the list (or apply a case-insensitive comparison), otherwise the query silently matches nothing.
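As an added example (not code from the Fortinet write-up or from Gurucul TDIR), the following Python applies the two detections above to constructed sample events. The event field names mirror the queries; the event schema, the sample events and the confidence labels are assumptions of this example. It handles the two practical points raised in the notes: a domain field never holds a full URL, so the .ps1 URL is reduced to its host for domain matching, and SHA-256 values are compared case-insensitively.

```python
# Added example, not part of the advisory or of any vendor product: applies the
# URL/domain and SHA-256 detections to constructed log events, with the two
# edge cases a SIEM rule tends to get wrong (domain-vs-URL fields, hash case).
from urllib.parse import urlsplit

# IOCs from the advisory. files.catbox.moe is derived from the .ps1 URL.
IOC_URLS = {"https://files.catbox.moe/2x0j75.ps1"}
IOC_DOMAINS = {"mail.taikei-rmc-co.biz", "files.catbox.moe"}
# Public file host: a host-only hit is weaker evidence than the exact .ps1 URL.
LOW_CONFIDENCE_DOMAINS = {"files.catbox.moe"}
IOC_SHA256 = {h.lower() for h in (
    "Cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1",
    "83F9C6A3978D926F2C0155E22008C1BCE6510B321031598509A2937ADD2D5A54",
    "30713C4BFC813848B3EC28EB227D2E439BE0E07C77237498553FD5DFA745F278",
    "B133D75DE5010C3A5005606A8E682A08C413364A3921DFBDFBFDDE811A866E88",
)}


def domain_of(value: str) -> str:
    """Host part of a URL, or the lowercased value itself when it is a bare domain."""
    v = value.strip()
    if "://" in v:
        return (urlsplit(v).hostname or "").lower()
    return v.split("/", 1)[0].lower()


def match_event(event: dict) -> list:
    """Return (field, indicator, confidence) hits for one event.

    Field names mirror the queries above (domainname, siteurl, url, sha256hash);
    the event schema and the confidence labels are assumptions of this example.
    """
    hits = []
    for field in ("domainname", "siteurl", "url"):
        val = event.get(field)
        if not val:
            continue
        if val.strip() in IOC_URLS:
            hits.append((field, val.strip(), "high"))
        else:
            dom = domain_of(val)
            if dom in IOC_DOMAINS:
                conf = "medium" if dom in LOW_CONFIDENCE_DOMAINS else "high"
                hits.append((field, dom, conf))
    h = event.get("sha256hash")
    if h and h.strip().lower() in IOC_SHA256:  # case-insensitive hash compare
        hits.append(("sha256hash", h.strip().lower(), "high"))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://files.catbox.moe/2x0j75.ps1"},                # exact IOC URL
    {"domainname": "MAIL.taikei-rmc-co.biz"},                       # mixed-case domain
    {"sha256hash": "cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1"},  # lowercase hash
    {"url": "https://files.catbox.moe/unrelated.png"},              # same host, other file
    {"siteurl": "https://example.com/", "sha256hash": "0" * 64},    # benign
]


def scan(events: list) -> list:
    """Return [(index, hits)] for every event with at least one hit."""
    results = []
    for i, e in enumerate(events):
        hits = match_event(e)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, hits)
```

The host-only hit on the fourth event is deliberately reported at lower confidence: catbox.moe serves plenty of legitimate files, so that indicator is best used to enrich an alert on the exact .ps1 URL or on a hash match, not as a standalone block rule.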
Reference:
https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign