{
  "name": "Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla",
  "slug": "analyzing-a-malicious-compiled-html-help-file-delivering-agent-tesla",
  "description": "This analysis examines an attack chain that uses malicious compiled HTML help (.chm) files for initial payload delivery. The attack begins with a 7-Zip archive containing a weaponized CHM file that displays a decoy window while executing obfuscated JavaScript code. This JavaScript launches PowerShell commands that verify internet connectivity by pinging Google, then downloads additional PowerShell code disguised as a JPEG file. The second stage decompresses and loads multiple byte arrays in memory, including a loader DLL and a compressed Agent Tesla payload. The final Agent Tesla sample executes through process injection into RegAsm.exe and uses the FTP protocol to exfiltrate stolen data, including keystrokes, screenshots, and camera recordings, to attacker-controlled infrastructure at ftp.videoalliance[.]ru.",
  "published": "2026-04-23T01:27:34+00:00",
  "created_at": "2026-04-23T01:27:34+00:00",
  "modified_at": "2026-04-27T12:32:34+00:00",
  "created_at_opencti": "2026-04-23T01:27:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-23",
    "agent-tesla",
    "anti-analysis techniques",
    "chm files",
    "compiled html help",
    "ftp exfiltration",
    "information stealer",
    "javascript obfuscation",
    "powershell"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://pk-consult.hr/N2.jpg"
      },
      {
        "id": "",
        "name": "c684f1a6ec49214eba61175303bcaacb91dc0eba75abd0bd0e2407f3e65bce2a"
      },
      {
        "id": "",
        "name": "9ba024231d4aed094757324d8c65c35d605a51cdc1e18ae570f1b059085c2454"
      },
      {
        "id": "",
        "name": "3446ec621506d87d372c596e1d384d9fd2c1637b3655d7ccadf5d9f64678681e"
      },
      {
        "id": "",
        "name": "0fd2e47d373e07488748ac63d9229fdef4fd83d51cf6da79a10628765956de7a"
      },
      {
        "id": "",
        "name": "081fd54d8d4731bbea9a2588ca53672feef0b835dc9fa9855b020a352819feaa"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c2eee7e0af79651d",
        "name": "Agent Tesla - S0331",
        "slug": "agent-tesla-s0331"
      }
    ],
    "attack_patterns": [
      {
        "id": "da9c28df-e5f4-4cb3-92c1-06f15d8bab39",
        "name": "T1071.002"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "269fca28-cdea-40b4-ae42-8246ad31a84a",
        "name": "T1125"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "29a20d73-65dc-4dc0-b5de-d943bc32d282",
        "name": "T1218.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2022-1388"
      },
      {
        "id": "",
        "name": "CVE-2025-55182"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "pk-consult.hr"
      },
      {
        "id": "",
        "name": "ftp.videoalliance.ru"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/?pdf=download&lg=en&_wpnonce=aa318d37cb",
    "https://otx.alienvault.com/pulse/69e991a65ee2b4802a077236"
  ]
}