Agent Tesla: Microsoft’s Ever-Evolving RAT Problem

23 April 2021

Among the many malware families wreaking havoc for Windows users is Agent Tesla, a keylogger, information stealer and spyware that was first discovered in 2014. According to MITRE ATT&CK, Agent Tesla has employed various techniques, ranging from collecting account information from a victim’s machine to using HTTP and SMTP for C2 communications. It can steal credentials, download additional files, extract data using form-grabbing, and even capture screenshots of victims’ desktops.

The malware developed over time, and in 2018 security researchers discovered that it was being used in conjunction with the Loki information stealer. Because the malware had been modified, it was able to evade detection, which was problematic given that, “If undetected, Agent Tesla has the ability to steal users’ login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.”

Agent Tesla was trending through that fall, and in October 2018 Krebs on Security did a deep dive into the man behind the malware (which its proprietors claimed was not malware at all). Krebs reported, “The earliest versions of Agent Tesla were made available for free via a Turkish-language WordPress site that oddly enough remains online (agenttesla.wordpress-dot-com), although its home page now instructs users to visit the current AgentTesla-dot-com domain.” Then there was another hiatus, at least from the headlines.

But by early 2020, Agent Tesla was back. ThreatPost reported that the malware’s use in attacks had trumped both Emotet and Trickbot during the first six months of 2020. Malwarebytes wrote, “During the months of March and April 2020, it was actively distributed through spam campaigns in different formats, such as ZIP, CAB, MSI, IMG files, and Office documents.”

A new version of the remote access Trojan (RAT) is once again targeting Windows machines and evading detection. “Recent months have seen Agent Tesla continue to evolve and spread, and Sophos researchers have spotted new variants in a growing number of attacks over the past 10 months. As of December 2020, Agent Tesla made up 20% of malware email attachments in its customer telemetry,” according to news from Dark Reading.

In these more recent campaigns, attackers are reportedly using the RAT to target the oil and gas industries. Prevailion’s threat intelligence team has captured a total of 220,997,442 beacons for Agent Tesla. The image below shows a snapshot of this activity across major industries during the last six months.

[Figure] Agent Tesla activity across top industries over the last 180 days. Total beacon count is higher, at roughly 221 million. (Source: APEX)

As Agent Tesla continues to evolve and is adopted more widely because of its ability to evade detection, this RAT will become an increasingly prolific problem. Organizations need cyber adversary intelligence to identify these intrusions faster, so that they can respond and remediate more quickly.


Copyright 2021 Prevailion, Inc. All rights reserved.    
