Agent Tesla: Microsoft’s Ever-Evolving RAT Problem

23 April 2021

Among the many malware families wreaking havoc for Windows users is Agent Tesla, a keylogger, information stealer and spyware that was first discovered in 2014. According to MITRE ATT&CK, Agent Tesla has employed various techniques ranging from collecting account information from a victim’s machine to using HTTP and SMTP for C2 communications. It can steal credentials, download additional files, extract data using form-grabbing, and even capture screenshots of victims’ desktops.

The malware developed over time, and in 2018 security researchers discovered that it was being used in conjunction with the Loki information stealer. Because the malware had been modified, it was able to evade detection, which was problematic given that, “If undetected, Agent Tesla has the ability to steal user’s login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.”

Agent Tesla was trending through that fall, and in October 2018 Krebs on Security did a deep dive into the man behind the malware (which its proprietors claimed was not malware at all). Krebs reported, “The earliest versions of Agent Tesla were made available for free via a Turkish-language WordPress site that oddly enough remains online (agenttesla.wordpress-dot-com), although its home page now instructs users to visit the current AgentTesla-dot-com domain.” Then there was another hiatus, at least from the headlines.

But by early 2020, Agent Tesla was back. ThreatPost reported that the malware’s use in attacks had trumped both Emotet and Trickbot during the first six months of 2020. Malwarebytes wrote, “During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.”

A new version of the remote access Trojan (RAT) is once again targeting Windows machines and evading detection. “Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry,” according to news from Dark Reading.

In these more recent campaigns, attackers are reportedly using the RAT to target the oil and gas industries. Prevailion’s threat intelligence team has captured a total of 220,997,442 beacons for Agent Tesla. The image below shows a snapshot of this activity across major industries during the last six months.

Agent Tesla activity across top industries over the last 180 days. Total beacon count is higher, at roughly 221 million. (Source: APEX)
As Agent Tesla continues to evolve, and its ability to evade detection makes it more widely adopted by attackers, this RAT will become a more prolific problem. Organizations need cyber adversary intelligence to identify these intrusions faster so that they can respond and remediate more quickly.
