{
  "name": "Unmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign",
  "slug": "unmasking-agent-tesla-a-deep-dive-into-a-multi-stage-campaign",
  "description": "This analysis examines a sophisticated multi-stage infection chain utilizing Agent Tesla malware. The attack begins with a phishing email containing a RAR file, which includes an obfuscated JSE file. This initial stage triggers a series of script-based evasions, leading to the download and decryption of a PowerShell script. The malware then employs process hollowing to inject its payload into a legitimate Windows process, evading detection. Before exfiltrating data, the malware performs anti-analysis checks for security software and virtual environments, halting if either is present. Finally, Agent Tesla harvests sensitive information, including browser cookies and contacts, exfiltrating the data via SMTP to a command-and-control server.",
  "published": "2026-02-25T19:01:58+00:00",
  "created_at": "2026-02-25T19:01:58+00:00",
  "modified_at": "2026-02-25T19:56:01+00:00",
  "created_at_opencti": "2026-02-25T19:01:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-25",
    "agent-tesla",
    "anti-analysis",
    "credential harvesting",
    "data exfiltration",
    "in-memory execution",
    "multi-stage attack",
    "phishing",
    "process-hollowing",
    "smtp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "b133d75de5010c3a5005606a8e682a08c413364a3921dfbdfbfdde811a866e88"
      },
      {
        "id": "",
        "name": "30713c4bfc813848b3ec28eb227d2e439be0e07c77237498553fd5dfa745f278"
      },
      {
        "id": "",
        "name": "83f9c6a3978d926f2c0155e22008c1bce6510b321031598509a2937add2d5a54"
      },
      {
        "id": "",
        "name": "cc2b26bbcbaa2d0593e15a45734fe3fd940451fc7290d49bc841c496b906a9c1"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e642b076-afb7-4202-bf7b-ace6b5a3c23a",
        "name": "Agent Tesla",
        "slug": "agent-tesla"
      }
    ],
    "attack_patterns": [
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "2d8a4c76-3094-4914-b163-55b3dee82191",
        "name": "T1048.003"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "mail.taikei-rmc-co.biz"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/699f5536e9f0860107bbaba7",
    "https://www.fortinet.com/blog/threat-research/unmasking-agent-tesla-deep-dive-into-multi-stage-campaign"
  ]
}